Emerging Threat: SSH Authorized Key Injection via Compromised Servers


Executive Summary

  • SGI sensors detected a malicious file, identified as a modified SSH authorized_keys file, originating from a host in China.
  • Successful exploitation could allow unauthorized remote access to compromised systems via SSH.
  • The likely objective is to establish persistent access for data exfiltration or further lateral movement within the network.
  • Business risk is moderate, depending on the value of data and systems accessible via SSH.
  • Expect attackers to refine their techniques to evade detection; proactively review SSH key management.

Observed Activity (SGI Sensors)

  • ObservedAt: 2025-10-18T08:38:06.989Z
  • SensorName: not provided in the source data
  • SourceIP: 115.190.77.XXX
  • SourceASN: AS137718
  • SourceGeo: CN (Beijing)
  • Protocol/Port: tcp/ (port not provided in the source data)
  • PayloadPresence: Yes
  • Hash (SHA256): a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

On October 18, 2025, SGI sensors detected a connection from 115.190.77.XXX (AS137718, Beijing) containing a suspicious payload. Analysis revealed the payload to be an HTML file masquerading as an SSH authorized_keys file. The file hash has a low reputation on VirusTotal, indicating a potential threat. This activity suggests an attempt to inject unauthorized SSH keys onto systems within the monitored network.

Malware/Technique Overview

The detected sample, catalogued under the name ‘20251018-013502-4d2c58facdb9-1-redir__home_uos__ssh_authorized_keys’, is designed to modify or replace the authorized_keys file on a target system. Attackers typically obtain the initial foothold via compromised credentials or vulnerable applications. By injecting their own public keys into that file, they bypass normal authentication and gain persistent, unauthorized access to the system.

This technique is commonly used for lateral movement and establishing long-term control over compromised environments. Targets typically include servers and workstations with valuable data or access to critical infrastructure.

  • T1190 – Exploit Public-Facing Application
  • T1078.002 – Valid Accounts: Domain Accounts
  • T1078.003 – Valid Accounts: Local Accounts
  • T1556.002 – Modify Authentication Process: SSH Keys
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
  • T1021.004 – Remote Services: SSH
  • T1047 – Windows Management Instrumentation
  • T1087.001 – Account Discovery: Local Account

VirusTotal Snapshot

VirusTotal analysis indicates 29 out of 59 vendors flagged the file as malicious. 30 vendors did not detect it. No vendors marked the file as harmless. Some of the aliases include variations of ‘authorized_keys’ and timestamps suggesting a recurring campaign. The low reputation score (-34) further supports the malicious nature of the file.

Indicators of Compromise (IoCs)

  • ip: 115.190.77.XXX (confidence: medium; first seen 2025-10-18T08:38:06.989Z; AS137718, Beijing, Volcano Engine Technology Co., Ltd.)
  • hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 (confidence: high; first seen 2025-10-18T08:38:06.989Z; SHA256 from VirusTotal)

Retention Recommendation: Monitor these IoCs for at least 90 days.

Detection & Hunting

Splunk SPL

index=* sourcetype=network_traffic dest_port=22 src_ip="115.190.77.XXX"
| search payload="*ssh-rsa*" OR payload="*ssh-dss*"
| stats count by src_ip, dest_ip, user

Elastic/Kibana KQL

destination.port:22 AND (message:*ssh-rsa* OR message:*ssh-dss*) AND source.ip:"115.190.77.XXX"

Guidance: Validate any positive hits by examining the full network traffic capture. False positives are expected: the cleartext algorithm negotiation (KEXINIT) at the start of every SSH session lists names such as ssh-rsa, so a match on port 22 alone is not evidence of key injection; correlate with other suspicious activity.

Containment, Eradication & Recovery

  1. Isolate affected systems from the network to prevent further spread.
  2. Block the identified malicious IP address (115.190.77.XXX) at the firewall.
  3. Scan all systems for unauthorized modifications to authorized_keys files, focusing on non-standard or unknown keys.
  4. Reimage any systems where unauthorized key injection is confirmed.
  5. Reset credentials for all accounts that had SSH access to the compromised system.

Communicate the incident and required actions to both IT staff and leadership. Preserve all relevant logs and network traffic for forensic analysis.
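Step 3 above asks for a scan of authorized_keys files for unknown keys. The Python script below is an added example (mine, not code from the SGI report) of how to do that comparison: it parses the OpenSSH authorized_keys format (optional options field, key type, base64 blob, optional comment), computes the SHA256 fingerprint that OpenSSH prints for each key, flags keys whose fingerprint is not on an allowlist, and flags lines that mention a key type but do not parse, which is what the HTML-wrapped payload in the appendix would look like if it had been written into a user's authorized_keys file. The allowlist, the sample file and the ed25519 key bytes are constructed for the example.

```python
"""Audit authorized_keys entries against an allowlist of known key fingerprints.
Added example, not code from the SGI report; the allowlist and sample keys
below are constructed, not real keys."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the payload."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(blob: bytes) -> bytes:
    """First SSH wire 'string' in blob; ValueError if the blob is truncated."""
    if len(blob) < 4 or len(blob) < 4 + struct.unpack(">I", blob[:4])[0]:
        raise ValueError("truncated key blob")
    return blob[4:4 + struct.unpack(">I", blob[:4])[0]]

def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256(wire blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def _split_outside_quotes(line: str) -> list:
    """Split on whitespace but keep quoted option values (command="a b") intact."""
    tokens, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + [cur] if cur else tokens

def parse_key_line(line: str):
    """Return (options, key_type, blob, comment); ValueError if not a key entry."""
    tokens = _split_outside_quotes(line.strip())
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            if i + 1 >= len(tokens):
                raise ValueError("key type without key data")
            blob = base64.b64decode(tokens[i + 1], validate=True)  # binascii.Error is a ValueError
            # The blob embeds its own type string; sshd rejects entries where it differs.
            if _read_ssh_string(blob) != tok.encode():
                raise ValueError("blob type does not match declared key type")
            return " ".join(tokens[:i]), tok, blob, " ".join(tokens[i + 2:])
    raise ValueError("no recognised key type token")

def is_valid_entry(line: str) -> bool:
    try:
        parse_key_line(line)
        return True
    except ValueError:
        return False

def audit(content: str, allowlist: set) -> list:
    """Classify each non-comment line as (line_no, status, detail); status is 'allowed', 'unknown' or 'malformed'."""
    findings = []
    for no, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd ignores blank and comment lines too
        try:
            options, key_type, blob, comment = parse_key_line(line)
        except ValueError as exc:
            # A line that mentions a key type yet fails to parse (like the HTML-wrapped
            # payload in the appendix) is ignored by sshd but is still evidence of tampering.
            embedded = [t for t in sorted(KEY_TYPES) if t in line]
            hint = f"; embeds {embedded[0]!r}, treat as tampering" if embedded else ""
            findings.append((no, "malformed", f"{exc}{hint}: {line[:60]}"))
            continue
        fp = fingerprint(blob)
        status = "allowed" if fp in allowlist else "unknown"
        findings.append((no, status, f"{key_type} {fp} comment={comment!r} options={options!r}"))
    return findings

def _fake_ed25519_line(seed: int, comment: str, options: str = "") -> str:
    """Syntactically valid ssh-ed25519 entry built from constructed, non-random bytes."""
    pub = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    entry = f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {entry}" if options else entry

KNOWN_ADMIN = _fake_ed25519_line(1, "admin@bastion")
ALLOWLIST = {fingerprint(parse_key_line(KNOWN_ADMIN)[2])}  # constructed allowlist
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not the observed payload",
    KNOWN_ADMIN,
    _fake_ed25519_line(7, "backup", 'command="/usr/bin/rsync --server",no-pty'),
    '<html><body><pre>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...[redacted]... user@example.com</pre></body></html>',
])

if __name__ == "__main__":
    for no, status, detail in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {no}: {status:9} {detail}")
```

Run as-is it prints one allowed, one unknown and one malformed entry. In practice, feed it the contents of every user's authorized_keys file (plus any extra paths named by AuthorizedKeysFile in sshd_config) together with an allowlist exported from your key inventory; the fingerprints it computes are the same ones `ssh-keygen -lf` prints, so the allowlist can be built from that tool's output.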

Hardening & Preventive Controls

  1. Multi-Factor Authentication (MFA) for SSH (NIST CSF PR.AC-1, CIS Control 6): Enforce MFA for all SSH connections.
  2. Endpoint Detection and Response (EDR) Tuning (NIST CSF DE.CM-1, CIS Control 10): Tune EDR solutions to detect unauthorized modifications to system files, including authorized_keys.
  3. Network Segmentation (NIST CSF PR.AC-5, CIS Control 14): Implement network segmentation to limit the blast radius of potential compromises.
  4. Principle of Least Privilege (NIST CSF PR.AC-3, CIS Control 5): Grant users only the minimum necessary privileges for their roles.
  5. Patch Management SLAs (NIST CSF PR.IP-1, CIS Control 7): Establish and enforce SLAs for patching critical systems, especially those exposed to the internet.
  6. Disable Password Authentication for SSH: Rely solely on SSH keys for authentication, and disable password authentication to prevent brute-force attacks.
  7. Regularly Audit SSH Keys: Conduct regular audits of authorized SSH keys to identify and remove any unauthorized or stale keys.
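Hardening items 6 and 7 call for key-only authentication and regular key audits. The Python script below is an added example (mine, not the report's or any vendor's code) that checks an sshd_config for settings that undercut those items. It assumes OpenSSH semantics as documented in sshd_config(5): keywords are case-insensitive, the first value read for a keyword wins (later duplicates are ignored), and directives after a Match line apply only to connections meeting that block's criteria. Both configuration texts are constructed; the defaults table reflects current OpenSSH defaults for the listed keywords.

```python
"""Audit an sshd_config for settings that weaken SSH key hygiene.
Added example, not code from the SGI report; the two configuration texts
below are constructed. Keyword names, defaults and the first-value-wins rule
follow sshd_config(5)."""
import re

# Defaults a missing keyword inherits (sshd_config(5)); keywords lower-cased.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "strictmodes": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}

# (keyword, acceptable-value predicate, message)
CHECKS = [
    ("passwordauthentication", lambda v: v == "no",
     "PasswordAuthentication should be 'no' so only keys are accepted"),
    ("permitrootlogin", lambda v: v in ("no", "prohibit-password"),
     "PermitRootLogin should be 'no' or 'prohibit-password'"),
    ("pubkeyauthentication", lambda v: v == "yes",
     "PubkeyAuthentication should be 'yes'"),
    ("strictmodes", lambda v: v == "yes",
     "StrictModes should be 'yes' so sshd refuses authorized_keys files with unsafe ownership or permissions"),
]

def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks).

    sshd keeps the FIRST value it reads for a keyword, so later duplicates are
    ignored here as well. Directives after a 'Match' line belong to that block
    and apply only to connections meeting its criteria."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)  # 'Key value' or 'Key=value'
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
            continue
        target = global_cfg if current is None else current["settings"]
        target.setdefault(key, value)  # first occurrence wins
    return global_cfg, blocks

def audit_sshd_config(text: str) -> list:
    """Return human-readable findings for global settings and Match carve-outs."""
    global_cfg, blocks = parse_sshd_config(text)
    findings = []
    for key, ok, msg in CHECKS:
        value = global_cfg.get(key, DEFAULTS[key])
        origin = "explicit" if key in global_cfg else "default"
        if not ok(value.lower()):
            findings.append(f"{msg}; effective value '{value}' ({origin})")
    akf = global_cfg.get("authorizedkeysfile", DEFAULTS["authorizedkeysfile"])
    if akf != DEFAULTS["authorizedkeysfile"]:
        findings.append(f"AuthorizedKeysFile is non-default ('{akf}'); include every listed path in key audits")
    for blk in blocks:
        for key, ok, msg in CHECKS:
            value = blk["settings"].get(key)
            if value is not None and not ok(value.lower()):
                findings.append(f"Match {blk['criteria']}: {msg}; value '{value}' applies to matching connections")
    return findings

WEAK_CONFIG = """
# constructed weak configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored by sshd: the first value above wins
StrictModes no
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
"""

HARDENED_CONFIG = """
# constructed hardened counterpart, with one conditional carve-out
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
StrictModes yes
Match Address 10.0.5.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_sshd_config(cfg) or ["no findings"]:
            print(" -", f)
```

The duplicate PasswordAuthentication line in the weak configuration is the case that catches people during remediation: appending `PasswordAuthentication no` at the bottom of a file that already says `yes` changes nothing, because sshd honours the first value. Use `sshd -T` on the host to confirm the effective values this script predicts from the file.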

Business Impact & Risk Outlook

A successful SSH key injection attack can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory compliance may also be affected if sensitive data is compromised. We anticipate attackers will continue to target SSH services due to their widespread use for remote access and system administration. Expect to see more sophisticated methods for evading detection, such as obfuscated payloads and compromised legitimate accounts.

Appendix

Redacted Payload Snippet:

<html><body><pre>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...[redacted]... user@example.com</pre></body></html>

Assumptions & Data Gaps:

  • We assume that the identified file is indeed malicious and part of an active attack campaign.
  • The sensor name and network port were not provided in the original data.
