A Linux backdoor capable of stealing login credentials from secure shell connections has been found on the network of a large unnamed internet hosting provider.
Symantec researchers detected the Fokirtor trojan in June which exposed login credentials.
Breached passwords were hashed and salted but Fokirtor could have provided access to the company's encryption key which secured its internal communications.
“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” researchers wrote in a blog post.
They said the trojan injected itself into the organisation's SSH process to extract encrypted commands.
Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.
Symantec Security Response researcher Satnam Narang said the attackers needed the "sophisticated” trojan to conceal their access to the target's network.
“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote.
“Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."