More SSH Fun!
Dec. 24, 2024, 1:17 p.m.
Description
A Windows batch file has been discovered that abuses the ssh.exe client shipped with modern Windows versions to create a backdoor. The script adds a registry entry for persistence and uses SSH to set up a reverse tunnel, giving the operator remote access to the host. It also downloads and executes a malicious file from a Dev Tunnels URL; Dev Tunnels is a Microsoft tunnelling service similar to ngrok. The script disables SSH host key verification and enables local command execution through the SSH client. While the specific malicious payload (Ghost.exe) is no longer available, it is suspected to be a Remote Access Trojan (RAT). This technique is a further example of legitimate, built-in tools being repurposed for malicious ends.
Date
Published: Dec. 24, 2024, 12:50 p.m.
Created: Dec. 24, 2024, 12:50 p.m.
Modified: Dec. 24, 2024, 1:17 p.m.
Indicators
3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c
vdch79w0-8000.inc1.devtunnels.ms
Attack Patterns
T1021.004 (Remote Services: SSH)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1572 (Protocol Tunneling)
T1571 (Non-Standard Port)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1105 (Ingress Tool Transfer)