Linux malware compiled with the Shell Script Compiler (Shc) is installing a coinminer. Attackers have been launching dictionary attacks against poorly secured Linux SSH servers to deploy various malware on the compromised systems. Among these were an Shc downloader and a DDoS IRC bot written in Perl.

About the Shc downloader

According to AhnLab ASEC, the newly found downloader is a Bash shell script compiled into an ELF executable with Shc; decoding the binary recovers the original Bash script.
  • The malware was uploaded to VirusTotal from Korea, indicating that these attacks were launched against Linux systems in Korea.
  • Once executed, the Shc downloader deploys the XMRig miner on the targeted systems, alongside the IRC bot, to further the attack process.
  • The IRC Bot is used to perform DDoS attacks on systems. It supports a variety of DDoS attacks such as TCP Flood, UDP Flood, and HTTP Flood, along with various other features such as command execution, reverse shell, and port scanning. 
  • Researchers highlight that both the Shc malware downloader and the IRC bot are similar in form, except that the former cannot connect to the IRC server.

Previous attack trends

This is not the first time that stealthy Linux malware has been used to drop miners; several such incidents have been reported in the past.
  • In December, Trend Micro researchers came across widespread Linux cryptocurrency mining attacks that incorporated an advanced RAT named CHAOS.
  • Furthermore, a Linux malware dubbed Shikitega was found executing a multistage infection chain to drop Monero cryptominer and give threat actors complete control of an infected system. 
  • In another episode, over 200 npm and PyPI malicious packages were used to drop cryptominers on infected Linux machines.

Keynotes

Typical attacks targeting Linux systems include brute-force and dictionary attacks, which succeed because, according to some experts, account credentials are not appropriately managed. Administrators should therefore use passwords that are difficult to guess and consider changing them periodically.
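A defender's first check against this kind of intrusion is whether the SSH authentication log already shows the dictionary-attack pattern: many failed logins from one source in a short window, spread across several usernames, possibly followed by a successful login from the same source. The script below is an added example, not code from the article or from AhnLab; the auth log lines are constructed, and the thresholds (five failures within 300 seconds across at least three usernames) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth.log lines (not taken from the article).
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan 10 03:14:03 host sshd[2203]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Jan 10 03:14:04 host sshd[2205]: Failed password for root from 198.51.100.23 port 51041 ssh2
Jan 10 03:14:06 host sshd[2207]: Failed password for invalid user test from 198.51.100.23 port 51055 ssh2
Jan 10 03:14:07 host sshd[2209]: Failed password for invalid user ubuntu from 198.51.100.23 port 51060 ssh2
Jan 10 03:14:09 host sshd[2211]: Accepted password for root from 198.51.100.23 port 51071 ssh2
Jan 10 03:20:11 host sshd[2301]: Failed password for alice from 192.0.2.7 port 40012 ssh2
Jan 10 03:20:40 host sshd[2303]: Accepted publickey for alice from 192.0.2.7 port 40013 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(log_text, year=2023):
    """Turn sshd auth lines into (timestamp, result, user, ip) tuples.
    Lines that are not login outcomes are ignored. Syslog timestamps carry
    no year, so one is assumed (parameter, not part of the log)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_dictionary_attacks(events, window_seconds=300, min_failures=5, min_users=3):
    """Flag source IPs with at least min_failures failed logins inside any
    window of window_seconds that also tried at least min_users distinct
    usernames (the spray pattern of a dictionary attack, as opposed to one
    user mistyping a password). Also records whether an 'Accepted' login
    from the same IP follows the burst, which is the event worth paging on."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # chronological order
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[1] == "Failed"]
        best = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward so it spans at most window_seconds.
            while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
                start += 1
            window = failures[start:end + 1]
            users = {e[2] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                if best is None or len(window) > len(best[0]):
                    best = (window, users)
        if best is None:
            continue
        burst, users = best
        burst_end = burst[-1][0]
        success_after = any(e[1] == "Accepted" and e[0] >= burst_end for e in evs)
        findings[ip] = {
            "failures": len(burst),
            "distinct_users": sorted(users),
            "success_after_burst": success_after,
        }
    return findings


def analyze(log_text=SAMPLE_AUTH_LOG):
    """Run the detection over a block of auth log text."""
    return detect_dictionary_attacks(parse_events(log_text))


if __name__ == "__main__":
    for ip, info in analyze().items():
        print(ip, info)
```

On the constructed sample, 198.51.100.23 is flagged (five failures in six seconds across five usernames, then an accepted password login for root), while 192.0.2.7 is not: a single failure followed by a key-based login is ordinary user behaviour, which is why the username-diversity threshold matters as much as the failure count.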
Cyware Publisher