Hacking Tools

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to escalate privileges and move laterally across networks.

These tools exemplify the evolving sophistication of credential theft techniques in cybersecurity.

SSH-Stealer: Smart Keylogging For SSH Credentials

SSH-Stealer focuses on capturing SSH login details, including passwords and private keys, through smart keylogging.

Unlike traditional keyloggers, it employs advanced filtering to selectively record sensitive input, such as credentials entered during SSH sessions.

Stolen data is stored in an Alternate Data Stream (ADS) within the desktop.ini file on the victim’s desktop, a method that hides the data from casual inspection. Attackers retrieve the credentials using a simple command:

textmore < "C:\Users\<Username>\Desktop\desktop.ini:log"

To erase traces, the tool provides a PowerShell command to delete the ADS stream.

RunAs-Stealer: Multi-Technique Credential Theft

RunAs-Stealer leverages three primary methods to steal credentials:

  1. Hooking CreateProcessWithLogonW: Intercepts the Windows API function CreateProcessWithLogonW to capture credentials during process creation.
  2. Smart Keylogging: Similar to SSH-Stealer, it logs keystrokes but emphasizes capturing credentials used in privileged operations, such as runas.exe executions.
  3. Remote Debugging: Exploits debugging tools to inject code into processes and extract credentials.

The tool runs persistently in the background and requires manual termination via Task Manager. Credentials are similarly stored in desktop.ini ADS.

Both tools highlight attackers’ reliance on living-off-the-land tactics, such as abusing legitimate utilities like runas.exe, and evasive storage methods like ADS.

SSH-Stealer’s ability to target private keys mirrors tactics seen in SSH-Snake, a self-modifying worm that spreads via compromised SSH credentials.

To mitigate these threats:

  • Monitor for unusual runas.exe activity or unexpected ADS modifications.
  • Restrict SSH key usage and enforce multi-factor authentication.
  • Deploy integrity-checking tools to detect backdoored SSH binaries, as seen in historical cases like Linux/SSHDoor.A.

These tools underscore the critical need for robust credential hygiene and proactive detection of stealthy attack patterns.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

4 hours ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

1 day ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

1 day ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

1 day ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

1 day ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

2 days ago