Jump to content
  • New SHC-compiled Linux malware installs cryptominers, DDoS bots

    alf9872000

    • 400 views
    • 3 minutes
     Share


    • 400 views
    • 3 minutes

    A new Linux malware downloader created using SHC (Shell Script Compiler) has been spotted in the wild, infecting systems with Monero cryptocurrency miners and DDoS IRC bots.

     

    According to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks generally focused on Linux systems in the same country.

     

    The analysts say the attacks likely rely on brute-forcing weak administrator account credentials over SSH on Linux servers.

    Stealthy loading

    SHC is a "generic shell script compiler" for Linux, able to convert Bash shell scripts into ELF (Linux and Unix executables) files.

     

    Malicious Bash shell scripts used by threat actors typically contain system commands, which can be detected by security software installed on a Linux device.

     

    As scripts in SHC ELF executables are encoded using the RC4 algorithm, the malicious commands are not as easily seen by the security software, potentially allowing the malware to evade detection.

     

    decoded-script.png

    Part of a decoded Bash shell script
    Source: ASEC

     

    Dropping numerous payloads

     

    When the SHC malware downloader is executed, it will fetch multiple other malware payloads and install them on the device.

     

    One of the payloads is an XMRig miner that is downloaded as a TAR archive from a remote URL and extracted to "/usr/local/games/" and executed.

     

    The archive also contains the "run" script and the miner's configuration file, which points to the configured mining pool.

     

    tar-files.png

    Contents of the TAR archive
    Source: ASEC

     

    XMRig is a widely abused open-source CPU cryptocurrency miner usually set to mine Monero using the compromised server's available computational resources.

     

    Bundling the configuration with the miner helps minimize communications with the C2 and keeps the crypto mining going in case the threat actor's server goes offline.

     

    The second payload retrieved, dropped, and loaded by the SHC malware downloader is a Pearl-based DDoS IRC bot.

     

    The malware connects to the designated IRC server using configuration data and goes through a username-based verification process.

     

    If successful, the malware awaits commands from the IRC server, including DDoS-related actions such as TCP Flood, UDP Flood, and HTTP Flood, port scanning, Nmap scanning, sendmail commands, process killing, log cleaning, and more.

     

    irc-commands.png

    Commands sent by the IRC server
    Source: ASEC

     

    ASEC warns that attacks like these are typically caused by using weak passwords on exposed Linux servers.

     

    "Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks," advises ASEC.

     

    "Administrators should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers."

     

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...