8.Locks HexConnections CodeGlobe

Threat actors have been observed using Amazon Web Services (AWS) 's System Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines.

According to a new security report published by Mitiga today, the post-exploitation technique allows attackers to control the agent using a separate, maliciously owned AWS account, potentially enabling them to conduct various malicious activities.

AWS Systems Manager is a powerful tool designed to automate operational tasks and manage AWS resources. The SSM agent is a component that facilitates communication between the Systems Manager service and EC2 (Elastic Compute Cloud) instances or on-premises servers. 

In its report, Mitiga researchers Ariel Szarf and Or Aspir said that the popularity and trust associated with the SSM agent had led attackers to misuse it for their benefit.

Since Amazon signs the SSM agent binary, it often bypasses traditional antivirus and endpoint detection systems, making it harder to detect malicious activities.