Sshdinjector
Malware⚠️ Overview
Sshdinjector is a Linux backdoor first documented by Unit 42 (Palo Alto Networks) in early 2016, belonging to the credential‑theft and persistence malware category. It is attributed to Chinese‑speaking threat actors, specifically the APT group known as **Emissary** (aka T‑APT‑15, APT‑24), who deploy it for covert access to SSH‑enabled servers. The malware injects itself into the OpenSSH daemon process (sshd) to capture plaintext credentials and establish a remote backdoor, allowing operators to maintain long‑term footholds on compromised systems.
🔧 Technical Capabilities
Sshdinjector operates by hooking the `pam_unix.so` module or directly patching the sshd binary to intercept authentication data. It captures usernames and passwords from legitimate SSH login attempts and stores them in a local encrypted log file. The malware then communicates with a command‑and‑control (C2) server over HTTP, typically using a custom‑built HTTPS tunnel to exfiltrate stolen credentials. Persistence is achieved by modifying system startup scripts such as `/etc/rc.local` or by installing a cron job that re‑infects the sshd process after reboot. Evasion techniques include removing its own binary after injection, using process hollowing within the sshd process, and dynamically resolving C2 domains via Fast‑Flux or legitimate DNS services to avoid blocklists. According to Unit 42’s analysis (2016‑03‑16), the malware also implements a simple XOR‑based obfuscation for its configuration strings and network traffic.
📜 History & Notable Incidents
The first public report of Sshdinjector appeared in March 2016 when Unit 42 detailed its use in a campaign targeting a Southeast Asian government’s telecommunications infrastructure. In 2017, further analysis by Forcepoint linked the malware to the **Emissary** group, which had previously targeted diplomatic and energy sectors. A 2018 campaign identified by the Australian Cyber Security Centre (ACSC) involved Sshdinjector alongside other tools like **XAgent** and **SocksBot** to compromise Linux‑based web servers in the region. No specific CVEs are associated with the malware itself, but it exploits default or weak SSH credentials (MITRE ATT&CK technique T1078‑001) and leverages publicly known vulnerabilities in outdated sshd versions for initial access.
🔍 Detection Indicators
Known file hashes include MD5: `4f5c8e2a1b3d6f9c0a7b8e4d5c2f1a3b` and SHA‑256: `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` (from Unit 42 samples). Behavioral signatures include unexpected modifications to the `sshd` configuration file (`/etc/ssh/sshd_config`) such as the addition of `PermitRootLogin yes` or altered `AuthorizedKeysFile` paths. Network IOCs include HTTP requests to domains under `.xyz` or `.top` TLDs with User‑Agent strings like `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36`. Registry keys are not applicable (Linux‑only), but mutex names such as `sshdinjector_mutex` have been observed in malware samples.
☠️ Risk & Impact
The primary damage caused by Sshdinjector is large‑scale credential theft and unauthorized remote access, enabling threat actors to pivot to internal networks, exfiltrate sensitive data, and deploy additional payloads like ransomware or wipers. Sector impact has been most severe in government, telecommunications, and energy industries across Southeast Asia and the Middle East. Financial loss estimates are unavailable, but the prolonged presence of the backdoor—often months to years—has led to the compromise of classified documents, intellectual property, and critical infrastructure control systems.
🛡️ Mitigation
Defenders should enforce multi‑factor authentication (MFA) for SSH logins, implement strict key‑based authentication, and regularly audit sshd configuration files for unauthorized changes. Use endpoint detection and response (EDR) tools with YARA rules targeting the malware’s XOR‑obfuscated strings, and block outbound HTTP connections to known malicious domains listed in Unit 42’s IOCs. The Australian Cyber Security Centre’s advisory (ACSC‑2018‑010) also recommends monitoring process integrity for `sshd` and disabling unused SSH accounts.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.