Security News > 2023 > August > Amazon's AWS SSM agent can be used as post-exploitation RAT malware
Abusing AWS SSM Agent as a RAT. AWS Systems Manager is an Amazon-signed binary and comprehensive endpoint management system used by administrators for configuration, patching, and monitoring AWS ecosystems comprising EC2 instances, on-premise servers, or virtual machines.
Mitiga's discovery is that the SSM agent can be configured to run in "Hybrid" mode even from within the limits of an EC2 instance, allowing access to assets and servers from attacker-controlled AWS accounts.
Bash commands allow the SSM agent to communicate and execute commands using AWS accounts not associated with the compromised EC2 environment.
"We found a unique way to abuse the SSM service, allowing it to function seamlessly as a fully integrated trojan infrastructure, making the agent in the endpoint to communicate with different AWS account than the original AWS account," explains Mitiga.
"By executing commands from a separate, maliciously owned AWS account, the actions carried out by the SSM agent will remain hidden within the original AWS account, making the process of detecting the malicious activity cumbersome."
Abusing the SSM agent allows attackers to breach AWS accounts to execute commands remotely without being detected, as the traffic looks like regular activity generated by the agents.