Compromised SSH Keys via Web-Delivered Malware


Executive Summary

  • SGI detected a low-severity malware sample originating from IP address 203.57.39.187 (ASN: AS58519, China).
  • The malware is designed to modify SSH authorized_keys, potentially granting unauthorized access to compromised systems.
  • The likely objective is to establish persistent remote access for malicious activities.
  • The business risk level is moderate, depending on the criticality of affected systems and data.

Organizations should immediately investigate systems communicating with the identified IP and implement measures to secure SSH access.

Observed Activity (SGI Sensors)

ObservedAt               | SensorName | SourceIP      | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash
2025-11-02T09:57:21.235Z |            | 203.57.39.XXX | AS58519   | CN        | tcp/          | Yes             | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

On November 2, 2025, at 09:57:21 UTC, an SGI sensor detected a suspicious network connection from 203.57.39.187 (China). The connection involved a payload containing HTML code designed to redirect to an SSH authorized_keys file. The observed behavior suggests an attempt to inject malicious SSH keys into the target system, enabling unauthorized remote access.

Malware/Technique Overview

The identified malware family, “20251102-073958-9469209de1c9-1-redir__home_maintain__ssh_authorized_keys,” appears to be designed for credential access by modifying the .ssh/authorized_keys file on Unix-like systems. The initial access vector is likely a compromised web server or application that allows the attacker to inject malicious HTML content. The typical targets are servers and workstations with SSH enabled, potentially granting broad access within the compromised network.

  • T1190 – Exploit Public-Facing Application
  • T1078.003 – Valid Accounts: Local Accounts
  • T1555.004 – Credentials from Password Stores: SSH Keys
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
  • T1105 – Ingress Tool Transfer

VirusTotal Snapshot

VirusTotal analysis indicates a malicious score of 29/62, with 33 vendors not detecting the sample. Notable aliases include variants targeting different usernames, such as root, plex, jenkins, etc., suggesting a wide-ranging campaign. The file type is identified as HTML.

Indicators of Compromise (IoCs)

Type | Value                                                            | Confidence | FirstSeen                | Notes
ip   | 203.57.39.XXX                                                    | medium     | 2025-11-02T09:57:21.235Z | AS58519 Cloud Computing Corporation
hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high       | 2025-11-02T09:57:21.235Z | SHA256 from VirusTotal

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

The following queries can be used to detect similar activity within your environment:

Splunk SPL

index=* src_ip=203.57.39.0/24  | table _time, src_ip, dest_ip, dest_port

Elastic/Kibana KQL

source.ip : 203.57.39.0/24

Wazuh/OSSEC Rule Idea
<!-- Rule markup reconstructed from the three values the page preserved (5700, the /24 and the
     description). The id and level are assumptions: custom Wazuh rule ids must be 100000 or
     higher, and 5700 is Wazuh's built-in sshd grouping rule, so it is used here as the parent. -->
<rule id="100100" level="10">
  <if_sid>5700</if_sid>
  <srcip>203.57.39.0/24</srcip>
  <description>Malicious IP detected</description>
</rule>

Validate any positive hits by examining network connections and reviewing potentially affected systems for unauthorized SSH keys. False positives may arise from legitimate connections to the identified IP range; investigate further.
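The queries above match on the source range alone. As an added example, not part of the advisory's own tooling, the Python below applies the same CIDR match to a handful of constructed sensor records and additionally flags HTTP payloads that, like the redacted snippet in the appendix, carry an SSH public key inside an HTML meta refresh. The record layout (ts, src_ip, dst_port, payload) and the sample values are assumptions for illustration, not SGI's schema.

```python
import ipaddress
import re

# Source range from the advisory's Splunk/KQL queries
MALICIOUS_NET = ipaddress.ip_network("203.57.39.0/24")

# An SSH public key as written in authorized_keys: key type, then base64 data.
# The observed payload smuggled exactly such a string into an HTML meta refresh.
SSH_KEY_RE = re.compile(
    r"\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+AAAA[A-Za-z0-9+/]{20,}={0,2}"
)
META_REFRESH_RE = re.compile(r'<meta\s+http-equiv=["\']refresh["\']', re.IGNORECASE)

# Constructed sample sensor records (field names are an assumption, not SGI's schema).
# The first mirrors the observed event; the others are benign or partial matches.
SAMPLE_EVENTS = [
    {"ts": "2025-11-02T09:57:21.235Z", "src_ip": "203.57.39.187", "dst_port": 8080,
     "payload": "<html><head><meta http-equiv=\"refresh\" content=\"0; URL='ssh-rsa "
                "AAAAB3NzaC1yc2EAAAADAQABAAABAQ user@host'\"></head><body></body></html>"},
    {"ts": "2025-11-02T10:03:07.000Z", "src_ip": "203.57.39.12", "dst_port": 22, "payload": ""},
    {"ts": "2025-11-02T10:05:44.000Z", "src_ip": "10.0.0.5", "dst_port": 443,
     "payload": "<html><head><title>status</title></head><body>ok</body></html>"},
    {"ts": "2025-11-02T10:09:12.000Z", "src_ip": "198.51.100.7", "dst_port": 8080,
     "payload": "key=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxhYmVsbGVkc2FtcGxl user@host"},
]


def src_in_malicious_range(src_ip):
    """True when src_ip falls inside the advisory's /24; malformed values never match."""
    try:
        return ipaddress.ip_address(src_ip) in MALICIOUS_NET
    except ValueError:
        return False


def classify_payload(payload):
    """Return a reason string for suspicious HTTP content, or None when nothing matches."""
    if not payload or not SSH_KEY_RE.search(payload):
        return None
    if META_REFRESH_RE.search(payload):
        return "meta-refresh carrying SSH public key"
    return "SSH public key in HTTP payload"


def hunt(events):
    """Apply both checks to each record; return only the records with at least one hit."""
    hits = []
    for ev in events:
        reasons = []
        if src_in_malicious_range(ev.get("src_ip", "")):
            reasons.append("src_ip in 203.57.39.0/24")
        reason = classify_payload(ev.get("payload", ""))
        if reason:
            reasons.append(reason)
        if reasons:
            hits.append({"ts": ev["ts"], "src_ip": ev["src_ip"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ts"], hit["src_ip"], "; ".join(hit["reasons"]))
```

The payload check is the more durable of the two signals: the source range will rotate, but an SSH public key arriving over HTTP, let alone inside a redirect, has no legitimate reason to appear on most services and is worth an alert on its own.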

Containment, Eradication & Recovery

  1. Isolate potentially infected systems from the network to prevent further spread.
  2. Block communication with the identified malicious IP address (203.57.39.187) at the firewall.
  3. Scan all systems for the presence of the malicious file hash (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) and unauthorized modifications to .ssh/authorized_keys files.
  4. Reimage any severely compromised systems.
  5. Reset SSH keys and passwords for all potentially affected accounts.

Establish clear communication channels between IT, security, and leadership teams. Preserve system logs and forensic data for further investigation.

Hardening & Preventive Controls

  • Implement Multi-Factor Authentication (MFA) for all SSH logins (NIST CSF PR.AC-1, CIS Control 6).
  • Tune Endpoint Detection and Response (EDR) systems to detect anomalous file modifications and network connections (NIST CSF DE.CM-1, CIS Control 10).
  • Segment the network to limit the impact of potential breaches (NIST CSF PR.AC-4, CIS Control 14).
  • Enforce the principle of least privilege to restrict unnecessary access (NIST CSF PR.AC-3, CIS Control 5).
  • Establish and enforce patch SLAs to address known vulnerabilities promptly (NIST CSF ID.AM-2, CIS Control 7).
  • Disable SSH password authentication and rely on key-based authentication.
  • Regularly audit authorized_keys files for unauthorized entries.
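Step 3 of the containment list and the audit control above both call for checking authorized_keys for entries nobody approved. The Python below is an added example, not SGI's tooling: it parses authorized_keys lines into options, key type, base64 blob and comment, computes the OpenSSH-style SHA256 fingerprint of each key, and reports entries missing from an approved inventory as well as entries that do not decode (the truncated key in the appendix snippet is one such case). The sample file, the approved set and the helper that builds valid ed25519 blobs are constructed assumptions for illustration.

```python
import base64
import hashlib
import re
import struct

KEY_TYPES = (r"ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)"
             r"|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com")
# key type, base64 blob, optional comment; anything before the key type is the options field
KEY_LINE_RE = re.compile(rf"(?:^|\s)({KEY_TYPES})\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint, the same value `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Split each non-comment line into options/type/blob/comment and fingerprint it.
    Caveat: an options value that itself quotes a key type (rare) would confuse this
    first-match split; a full tokenizer of the options grammar would be needed for that."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE_RE.search(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        try:
            fp = fingerprint(m.group(2))
        except ValueError:  # binascii.Error (bad base64 / padding) is a ValueError subclass
            entries.append({"line": lineno, "error": "invalid key data"})
            continue
        entries.append({"line": lineno, "options": line[:m.start()].strip(),
                        "type": m.group(1), "blob": m.group(2),
                        "comment": (m.group(3) or "").strip(), "fingerprint": fp})
    return entries


def audit_authorized_keys(text, approved_fingerprints):
    """Report entries that are not in the approved inventory or that cannot be decoded."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({"line": e["line"], "issue": e["error"]})
        elif e["fingerprint"] not in approved_fingerprints:
            findings.append({"line": e["line"], "issue": "key not in approved inventory",
                             "type": e["type"], "fingerprint": e["fingerprint"],
                             "options": e["options"], "comment": e["comment"]})
    return findings


# --- constructed sample data (not taken from any real host) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pubkey32):
    """Encode a 32-byte value in the ssh-ed25519 wire format so the sample decodes properly."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey32)).decode()


APPROVED_BLOB = make_ed25519_blob(b"\x01" * 32)
ROGUE_BLOB = make_ed25519_blob(b"\x02" * 32)
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_BLOB)}
SAMPLE_FILE = f"""# constructed sample authorized_keys
ssh-ed25519 {APPROVED_BLOB} admin@workstation
no-pty,from="*" ssh-ed25519 {ROGUE_BLOB} user@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ user@host
"""

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_FILE, APPROVED_FINGERPRINTS):
        print(finding)
```

In practice the inventory is the set of fingerprints from `ssh-keygen -lf` over the keys your provisioning system issued, and the audit runs over every user's `~/.ssh/authorized_keys` plus root's. Keying the comparison on the fingerprint rather than the comment matters because the comment is free text the attacker chooses; in the observed payload it was simply "user@host".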

Business Impact & Risk Outlook

Compromised SSH keys can lead to unauthorized access to critical systems, resulting in data breaches, service disruptions, and reputational damage. Legal and compliance risks may arise from breaches involving sensitive data. Over the next 3-6 months, we anticipate an increase in similar attacks targeting SSH and other remote access protocols, especially as organizations continue to rely on remote work and cloud infrastructure.

Appendix

Redacted payload snippet:

<html>
<head><meta http-equiv="refresh" content="0; URL='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... user@host'"></head>
<body></body>
</html>

Assumptions & Data Gaps: The specific entry point and targeted systems remain unknown. The exact content of the injected SSH key is redacted.
