Hello and welcome to the Tuesday, June 3, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and this episode brought you by the sands.edu graduate certificate program

in industrial control systems security is recorded in Jacksonville, Florida.

Well, in Diaries today, Xavier came across an interesting malware sample that takes

advantage of SSH on Windows.

That's something we have seen for years and years in Linux.

Linux, of course, always had SSH as one of its standard components, typically pre-installed. Now, Windows started

doing this a couple of years ago, and now, pretty much any new Windows system that you are

using has an S-H-Kline, at least pre-installed. Now, the S-clined, of course, does not listen on any port by default.

That's exactly sort of what that malware takes care of.

It does deploy a simple S-H-clined configuration file that will basically instruct the system,

the S-H client,

to connect to a particular command control server

and then forward connections from that command control server

to an internal listening port.

As Xavier points out, this configuration file is actually not 100% syntagely correct.

So it probably doesn't work quite the way it was deployed here.

The particular command control server, yes, it's no longer listening.

I would just want to point out that they're using S.H.

Over Port 443, of course, that's supposed to better blend in with a common network traffic.

However, if you do have any kind of network monitoring system,

that should really raise a flag if you all for a sudden have S-H over port 4-43.

...