Quick Takeaways
- Attackers can establish persistent, covert access by installing OpenSSH and Tailscale on a victim host; that access survives a takedown of the command-and-control (C2) server.
- The malware runs mainly in memory and abuses legitimate tools such as PowerShell and RustDesk for stealthy, resilient access to target systems.
- Even after the C2 server is shut down, the attacker can re-enter through the pre-installed SSH and Tailscale channels, so detection and remediation must go beyond disabling C2 infrastructure.
Threat, Techniques, and Targets
A junior hacker targeted a small French automotive business. He used simple methods but built a robust way back into the network: he installed OpenSSH and Tailscale on a victim's computer, giving himself a connection over a private, encrypted overlay network that did not depend on the main command-and-control (C2) server, which later went offline. He also left SSH keys and a step-by-step plan for himself exposed in public storage.
The attacker used several tactics. He ran malware in memory rather than writing it to disk: a script that delayed execution to evade sandbox detection, a PowerShell loader, and a .NET loader to run the final payload. He created a scheduled task that ran with elevated privileges at user logon, and he injected shellcode into Explorer.exe. He also set up RustDesk as an alternative communication channel. His main goal was to collect sensitive information such as banking and email credentials; the targets were small-business systems storing personal and financial data.
Impact, Security, and Guidance
The attacker's method kept his access hidden even when the main server was taken offline. When the C2 came back, his access reconnected automatically, so stopping the main server did not stop his access. His activity could continue undetected for many days, making data theft easier.
This incident shows that taking a C2 offline is not enough on its own. Attackers can fall back to backup channels such as Tailscale or SSH keys, and leave persistent tools and scheduled tasks that reopen access. Organizations should recognize that legitimate tools like OpenSSH and Tailscale can be installed and used maliciously. Detection should focus on unexpected software installations, unusual network connections (for Tailscale, traffic from its daemon and peer addresses in the 100.64.0.0/10 range it assigns to nodes), and newly created scheduled tasks, especially ones that run with elevated privileges at logon.
For remediation, organizations should seek guidance from security vendors or national authorities, who can help remove persistent access methods and harden systems against similar threats.
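The following hunt script is an added example, not code from the original report or from any vendor. It runs the detection logic the two preceding sections call for over a handful of constructed Sysmon-style events (process creation, network connection, remote thread creation) and flags the indicators described above: an unexpected remote-access tool starting, hidden encoded PowerShell, a logon scheduled task with highest run level, a connection into Tailscale's 100.64.0.0/10 node range, and a thread injected into Explorer.exe. The event dictionaries, field names and the `REMOTE_ACCESS_TOOLS` list are assumptions made for this example.

```python
"""Hunt for persistence and backup-channel indicators over constructed
Sysmon-style events. Sample data is made up for this example."""
import ipaddress
import re

# Tailscale assigns every node an address inside the CGNAT range 100.64.0.0/10.
TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")

# Legitimate admin tools that, on a host where nobody installed them on
# purpose, are the backup channels described in the report (assumed list).
REMOTE_ACCESS_TOOLS = {"sshd.exe", "tailscaled.exe", "tailscale.exe", "rustdesk.exe"}

# Case-insensitive markers for the techniques in the report.
ENCODED_PS = re.compile(r"\s-(enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
TASK_ONLOGON = re.compile(r"/sc\s+onlogon", re.IGNORECASE)
TASK_HIGHEST = re.compile(r"/rl\s+highest", re.IGNORECASE)

# Constructed events. "id" follows Sysmon numbering:
# 1 = ProcessCreate, 3 = NetworkConnect, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn Updater /sc onlogon /rl highest '
                '/tr "powershell -w hidden -enc SQBFAFgA..."'},
    {"id": 1, "image": r"C:\Program Files\Tailscale\tailscaled.exe", "cmdline": "tailscaled.exe"},
    {"id": 3, "image": r"C:\Program Files\Tailscale\tailscaled.exe",
     "dst_ip": "100.101.102.103", "dst_port": 41641},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},  # benign, must not fire
    {"id": 8, "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev):
    """ProcessCreate: remote-access tools, hidden encoded PowerShell, logon tasks."""
    findings = []
    img = basename(ev["image"])
    cmd = ev.get("cmdline", "")
    if img in REMOTE_ACCESS_TOOLS:
        findings.append(("remote-access-tool", f"{img} started"))
    if img == "powershell.exe" and ENCODED_PS.search(cmd) and HIDDEN_PS.search(cmd):
        findings.append(("hidden-encoded-powershell", cmd))
    if img == "schtasks.exe" and TASK_ONLOGON.search(cmd) and TASK_HIGHEST.search(cmd):
        findings.append(("logon-task-highest", cmd))
    return findings


def check_network(ev):
    """NetworkConnect: any peer inside Tailscale's node range is a tailnet link."""
    ip = ipaddress.ip_address(ev["dst_ip"])
    if ip in TAILSCALE_NET:
        return [("tailscale-cgnat-connection",
                 f"{basename(ev['image'])} -> {ip}:{ev['dst_port']}")]
    return []


def check_remote_thread(ev):
    """CreateRemoteThread: a thread created inside explorer.exe from another process."""
    if basename(ev["target_image"]) == "explorer.exe":
        return [("remote-thread-into-explorer",
                 f"{basename(ev['source_image'])} -> explorer.exe")]
    return []


HANDLERS = {1: check_process, 3: check_network, 8: check_remote_thread}


def hunt(events):
    """Return a list of (rule, detail) findings for the given events."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["id"])
        if handler:
            findings.extend(handler(ev))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On a fleet where Tailscale or OpenSSH is sanctioned, the `remote-access-tool` and `tailscale-cgnat-connection` rules need an allowlist of expected hosts; the report's point is that these tools are signals precisely where nobody deployed them deliberately. The benign Firefox connection in the sample shows the CGNAT rule ignores ordinary Internet traffic.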
