Christmas "Gift" Delivered Through SSH

Dec. 20, 2024, 5:11 p.m.

Description

A malicious file named "christmas_slab.pdf.lnk" was discovered, utilizing Windows' built-in SSH support to deliver malware. The LNK file executes ssh.exe to transfer and run a PE file from a remote server. The attack leverages the SSH/SCP protocol, taking advantage of its widespread availability on modern Windows systems. The malicious payload is downloaded from an IP address belonging to Apple's range, raising suspicions. The LNK file's command line arguments reveal the attacker's intent to bypass host key checking and execute the downloaded malware. This technique demonstrates how threat actors are adapting to use legitimate system tools for malicious purposes.
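The description points at three signals a defender can check in process-creation telemetry: an OpenSSH client spawned by explorer.exe (a shortcut double-click), host-key verification disabled on the command line, and a raw IP as the remote target. The following scoring rule is an added example, not code from the original diary; the events are constructed, and the Sysmon-style field names (ParentImage, Image, CommandLine) are an assumption about the log source.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
EVENTS = [
    {   # ssh client launched from Explorer (shortcut/LNK) with host key checks disabled
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "CommandLine": "ssh.exe -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL svc@192.0.2.10",
    },
    {   # admin session from a terminal to a named host with defaults intact
        "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "CommandLine": "ssh.exe admin@bastion.corp.example",
    },
]

SSH_IMAGES = ("ssh.exe", "scp.exe", "sftp.exe")
SHORTCUT_PARENTS = ("explorer.exe",)   # a double-clicked LNK runs as a child of explorer.exe
# OpenSSH options that silence the host key prompt (real option names, assumed usage forms)
HOSTKEY_BYPASS = re.compile(
    r"-o\s*StrictHostKeyChecking[=\s]*no|UserKnownHostsFile[=\s]*(?:NUL|/dev/null)", re.I)
RAW_IP_TARGET = re.compile(r"@(\d{1,3}(?:\.\d{1,3}){3})(?=[\s:\"']|$)")


def score_event(ev):
    """Return (score, reasons) for one event; each matched signal adds one point."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image not in SSH_IMAGES:
        return 0, []
    reasons = []
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in SHORTCUT_PARENTS:
        reasons.append("ssh client spawned by explorer.exe (shortcut launch)")
    if HOSTKEY_BYPASS.search(ev["CommandLine"]):
        reasons.append("host key verification disabled on the command line")
    if RAW_IP_TARGET.search(ev["CommandLine"]):
        reasons.append("remote target given as a raw IP address")
    return len(reasons), reasons


def flag_events(events, threshold=2):
    """Return (command line, score, reasons) for events reaching the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["CommandLine"], score, reasons))
    return hits


if __name__ == "__main__":
    for cmd, score, reasons in flag_events(EVENTS):
        print(f"[{score}] {cmd}\n    " + "\n    ".join(reasons))
```

A single signal alone (for example a raw IP target) is common in admin use, so the threshold keeps the rule from firing on every scripted ssh.exe invocation.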

Date

Published: Dec. 20, 2024, 4:28 p.m.

Created: Dec. 20, 2024, 4:28 p.m.

Modified: Dec. 20, 2024, 5:11 p.m.

Indicators

8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494

Attack Patterns

T1059.001

T1547.001

T1204.002

T1105

T1570