Amazon's AWS SSM agent can be used as post-exploitation RAT malware (Security News, August 2023)

Abusing AWS SSM Agent as a RAT

AWS Systems Manager (SSM) is a comprehensive endpoint management system used by administrators for configuration, patching, and monitoring of AWS ecosystems comprising EC2 instances, on-premises servers, or virtual machines. Its agent, the SSM agent, is an Amazon-signed binary.
Mitiga's discovery is that the SSM agent can be configured to run in "Hybrid" mode even from within the limits of an EC2 instance, allowing access to assets and servers from attacker-controlled AWS accounts.
Bash commands allow the SSM agent to communicate and execute commands using AWS accounts not associated with the compromised EC2 environment.
"We found a unique way to abuse the SSM service, allowing it to function seamlessly as a fully integrated trojan infrastructure, making the agent in the endpoint to communicate with different AWS account than the original AWS account," explains Mitiga.
"By executing commands from a separate, maliciously owned AWS account, the actions carried out by the SSM agent will remain hidden within the original AWS account, making the process of detecting the malicious activity cumbersome."
Abusing the SSM agent allows attackers to breach AWS accounts to execute commands remotely without being detected, as the traffic looks like regular activity generated by the agents.