SSHDoor

Malware

⚠️ Overview

SSHDoor is a Linux-targeted backdoor trojan first publicly documented in 2019 by researchers at Palo Alto Networks Unit 42, attributed to advanced persistent threat (APT) groups likely connected to Chinese nation-state activity. It falls under the Backdoor category, specifically designed to compromise Secure Shell (SSH) servers for persistent remote access and lateral movement within compromised networks.

🔧 Technical Capabilities

SSHDoor establishes persistence by modifying the ~/.ssh/authorized_keys file to embed a custom public key, allowing the attacker to authenticate without a password. It also replaces or patches the legitimate SSH daemon (sshd) to log keystrokes and capture credentials of other users, a technique called SSH hijacking. Propagation occurs via brute-force attacks against other internal SSH servers using stolen credentials, and the malware uses encrypted C2 communication over standard HTTP/S ports to evade detection. The backdoor employs anti-forensic measures such as timestamp modification (using touch -r) and deletion of log entries from /var/log/auth.log. MITRE ATT&CK IDs associated with SSHDoor include T1098.001 (Account Manipulation: SSH Authorized Keys) and T1078.003 (Valid Accounts: Local Accounts). It does not exploit any specific CVE but rather relies on weak or default SSH credentials to gain initial access.

📜 History & Notable Incidents

The first major campaign attributed to SSHDoor was observed in 2019 targeting telecommunications and technology firms in Southeast Asia, with over 200 compromised servers reported in the Unit 42 analysis. In 2021, the malware was linked to the TA428 threat actor (also tracked as APT10) during intrusions into Japanese defense contractors, as documented by JPCERT/CC. No law enforcement takedowns or public attribution to named individuals have occurred as of 2025.

🔍 Detection Indicators

The MD5 value e3b0c44298fc1c149afbf4c8996fb924 that appears in some listings for SSHDoor is a common placeholder rather than a verified sample hash; actual hashes vary by variant. Behavioral indicators include unexpected public keys in /root/.ssh/authorized_keys, SSH daemon binaries with non-standard sizes or permissions, and outbound connections to IPs in the 82.118.242.0/24 range (a known C2 block). The malware uses the User-Agent string "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36" for HTTP beaconing.
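The binary-side indicators above (an sshd with unexpected size or permissions, and the touch -r timestamp tampering described under Technical Capabilities) can be checked with a small script. The following is an added example, not code from this page or from the Unit 42 analysis: the size floor and the ctime/mtime slack window are assumptions to tune per distribution, the expected hash must come from your own package metadata, and the demo functions operate on a constructed stand-in file rather than a real sshd.

```python
"""Added example: integrity checks for an SSH daemon binary.

Compares the file hash against a known-good value, flags a ctime that is
well ahead of mtime (what back-dating with touch -r leaves behind, because
touch can set atime/mtime but the kernel still updates ctime), and checks
size and permission bounds.
"""
import hashlib
import os
import stat
import tempfile
import time

MIN_SSHD_SIZE = 200_000      # assumption: rough lower bound for a packaged sshd; tune per distro
CTIME_SLACK_SECONDS = 120    # assumption: mtime older than ctime by more than this is suspicious


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_binary(path: str, expected_sha256: str, min_size: int = MIN_SSHD_SIZE) -> list[str]:
    """Return a list of findings for the binary at path; an empty list means clean."""
    findings = []
    st = os.stat(path)
    actual = sha256_file(path)
    if actual != expected_sha256:
        findings.append(f"hash mismatch: {actual}")
    # touch -r copies atime/mtime from a reference file, but the kernel still
    # bumps ctime, so a ctime far ahead of mtime means metadata was rewritten.
    if st.st_ctime - st.st_mtime > CTIME_SLACK_SECONDS:
        findings.append(f"ctime {st.st_ctime:.0f} is newer than mtime {st.st_mtime:.0f}")
    if st.st_size < min_size:
        findings.append(f"size {st.st_size} below expected minimum {min_size}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {oct(mode)} is group/world writable")
    return findings


def demo_tampered_binary() -> list[str]:
    """CONSTRUCTED fixture: a stand-in 'sshd' whose content is replaced and whose
    mtime is then back-dated by a year, reproducing the effect of touch -r."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd")
        with open(path, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 1024)   # original stand-in content
        baseline = sha256_file(path)               # the "known-good" hash
        with open(path, "wb") as f:
            f.write(b"\x7fELF" + b"\x01" * 1024)   # modified content
        year_ago = time.time() - 365 * 86400
        os.utime(path, (year_ago, year_ago))        # atime/mtime back-dated; ctime stays "now"
        os.chmod(path, 0o755)
        return inspect_binary(path, baseline, min_size=512)


def demo_clean_binary() -> list[str]:
    """CONSTRUCTED fixture: an untouched stand-in file with the right hash and mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd")
        with open(path, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 1024)
        os.chmod(path, 0o755)
        return inspect_binary(path, sha256_file(path), min_size=512)


if __name__ == "__main__":
    print("tampered:", demo_tampered_binary())
    print("clean:   ", demo_clean_binary())
```

On a real host, call inspect_binary("/usr/sbin/sshd", expected) with the digest recorded from your distribution's package metadata or from a golden image; the ctime check is cheap and is the one a hash-only comparison misses when the binary was swapped and then re-hashed into an allowlist.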

☠️ Risk & Impact

SSHDoor enables full remote control over compromised Linux servers, leading to data exfiltration of intellectual property, customer databases, and credentials. The backdoor facilitates lateral movement to high-value internal systems, causing average incident costs of $1.2 million per breach according to Verizon DBIR estimates for similar SSH-based attacks. Affected sectors include telecommunications, defense, and technology industries in Asia-Pacific and Europe.

🛡️ Mitigation

Organizations should enforce strong SSH authentication using key-based access with passphrases and disable root SSH login. Detection rules using SIGMA or YARA can flag unauthorized modifications to authorized_keys files, while endpoint detection tools like CrowdStrike Falcon and network monitoring via Zeek can identify anomalous SSH patterns and C2 beaconing.
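The two controls just described, flagging unauthorized authorized_keys entries and enforcing key-only, no-root SSH configuration, can be scripted as a lightweight audit. This is an added example rather than code from this page or any referenced vendor tool; the sample key lines and sshd_config fragments are constructed, the key blobs are structurally valid ed25519 public keys with dummy key bytes, and Match blocks and Include files are assumed out of scope.

```python
"""Added example: audit helpers for authorized_keys and sshd_config.

Constructed sample data throughout; nothing here is a real key or IoC.
"""
import base64
import hashlib
import re

# key type, base64 blob, optional comment; anything before the type is the options field
KEY_RE = re.compile(
    r"(ssh-[\w.@-]+|ecdsa-[\w.@-]+|sk-[\w.@-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_key_line(line: str):
    """Return (fingerprint, comment) for one authorized_keys entry, or None if it
    does not parse. Fingerprint uses OpenSSH's SHA256 form: base64 of
    sha256(raw key blob) with the '=' padding stripped."""
    m = KEY_RE.search(line.strip())
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return None
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest, (m.group(3) or "").strip()


def audit_authorized_keys(text: str, approved: set[str]) -> list[dict]:
    """Flag entries whose fingerprint is not in the approved set, and entries
    that do not parse at all (those deserve a look as well)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed is None:
            findings.append({"line": lineno, "fingerprint": None, "comment": None, "reason": "unparseable"})
            continue
        fp, comment = parsed
        if fp not in approved:
            findings.append({"line": lineno, "fingerprint": fp, "comment": comment, "reason": "not approved"})
    return findings


# sshd_config directives the mitigation calls for, with the hardened value
HARDENED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}


def audit_sshd_config(text: str) -> list[str]:
    """Report directives that are unset or differ from the hardened value.
    Like sshd, only the first occurrence of a directive counts."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in seen:
            seen[parts[0].lower()] = parts[1].strip().lower()
    return [
        f"{key}: got {seen.get(key, '<unset>')}, want {want}"
        for key, want in HARDENED.items()
        if seen.get(key) != want
    ]


def _fake_ed25519_blob(seed: int) -> str:
    # CONSTRUCTED: ssh-ed25519 wire format (string type, string key) with dummy key bytes
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(raw).decode()


# CONSTRUCTED sample inputs
APPROVED_KEY = f"ssh-ed25519 {_fake_ed25519_blob(1)} ops-deploy@corp.example"
ROGUE_KEY = f'from="203.0.113.0/24" ssh-ed25519 {_fake_ed25519_blob(200)} backup@unknown-host'
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# managed by config management", APPROVED_KEY, "", ROGUE_KEY])
APPROVED_FINGERPRINTS = {parse_key_line(APPROVED_KEY)[0]}

WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes  # legacy\n"
HARDENED_SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print("authorized_keys:", f)
    for issue in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("sshd_config:", issue)
```

Matching on fingerprints rather than on raw key text means an entry with added options (a from= or command= prefix on an otherwise approved key) is still recognised as the same key, while a key absent from the approved set is reported whatever comment it carries; run the authorized_keys audit over every user's file, not only /root, since the page notes credentials of other users are targeted.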


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.