Tsunami Botnet Found Targeting Unsecured Linux SSH Servers

Attack flow

• After successfully logging in, the attackers execute a command that runs a Bash script to download and run various malware. 
• The Bash script performs various preliminary tasks to take control of infected systems and install a backdoor SSH account.

Other malware used in the campaign

• ShellBot used in this attack utilizes the IRC protocol, similar to Tsunami, that supports port scanning, basic DDoS attacks, and reverse shells.
• Log Cleaner enables the deletion or modification of specific logs in Linux, Unix, and BSD server environments. This helps attackers to stealthily launch attacks without being detected by anti-virus systems.
• There’s a “ping6” file which is essentially an ELF malware that can be utilized to gain access to a shell with root privileges.
• In addition to the DDoS bots, the XMRig CoinMiner is also installed alongside to mine cryptocurrency on the compromised systems.

Use of Tsunami botnet amplifies

• Tsunami, also known as Kaiten, is used by a multitude of threat actors as the source code of the botnet is publicly available. The 8220 Gang is one such group that was recently found using the botnet, among other tools in its campaign. Moreover, the ASEC researchers claim that it has been consistently used alongside Mirai and Gafgyt when targeting vulnerable IoT devices.

More attacks on SSH servers

• Of late, Romanian threat group Diicot was found deploying a custom, Golang-based 64-bit SSH brute-forcing tool called ‘aliases’ to gain initial access to machines. 
• However, the campaign’s main payload was Cayosin, a variant of the Mirai botnet, purposed to exploit Linux-based embedded devices for illegal cryptomining activities.

Conclusion