SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to escalate privileges and move laterally across networks.
These tools exemplify the evolving sophistication of credential theft techniques in cybersecurity.
SSH-Stealer focuses on capturing SSH login details, including passwords and private keys, through smart keylogging.
Unlike traditional keyloggers, it employs advanced filtering to selectively record sensitive input, such as credentials entered during SSH sessions.
Stolen data is stored in an Alternate Data Stream (ADS) within the desktop.ini
file on the victim’s desktop, a method that hides the data from casual inspection. Attackers retrieve the credentials using a simple command:
textmore < "C:\Users\<Username>\Desktop\desktop.ini:log"
To erase traces, the tool provides a PowerShell command to delete the ADS stream.
RunAs-Stealer leverages three primary methods to steal credentials:
CreateProcessWithLogonW
to capture credentials during process creation.runas.exe
executions.The tool runs persistently in the background and requires manual termination via Task Manager. Credentials are similarly stored in desktop.ini
ADS.
Both tools highlight attackers’ reliance on living-off-the-land tactics, such as abusing legitimate utilities like runas.exe
, and evasive storage methods like ADS.
SSH-Stealer’s ability to target private keys mirrors tactics seen in SSH-Snake, a self-modifying worm that spreads via compromised SSH credentials.
To mitigate these threats:
runas.exe
activity or unexpected ADS modifications.These tools underscore the critical need for robust credential hygiene and proactive detection of stealthy attack patterns.
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…
Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…
Linux offers powerful command-line tools for system administrators to view and manage user accounts. Knowing…