A new Linux malware downloader built with SHC (Shell Script Compiler) is infecting systems in the wild with open-source crypto-mining software. Once the SHC downloader runs on a host it fetches and installs additional malware, including the XMRig CoinMiner and a Perl-based DDoS IRC bot.

ASEC researchers assess that the attacks most likely begin by brute-forcing weak administrator account credentials over SSH on Internet-facing Linux servers. SSH (Secure Shell) is the network protocol that lets system administrators and other users securely reach a machine over an untrusted network; an SSH account that accepts passwords is therefore an obvious target for dictionary attacks.

Impact

According to the researchers, the SHC loader samples were uploaded to VirusTotal by Korean users, and the attacks observed so far have focused on Linux systems in Korea. The tooling itself is not region-specific: XMRig is a widely abused open-source CPU miner that turns a compromised server's spare computing capacity into Monero (and other currencies) for the attacker, so any Linux host with a guessable SSH password is a plausible target.

DXC perspective

To protect Linux servers from brute-force and dictionary attacks like this one, administrators need passwords that are difficult to guess and should change them periodically; better still, disable password authentication for SSH altogether and require keys. Keeping software up to date and securing the infrastructure with advanced threat-protection tools is also essential. Here are our recommendations for mitigating this SHC attack:

  • Use strong, unique admin passwords and rotate them regularly; where possible, replace SSH passwords with key-based authentication
  • Implement proper security controls for external-facing servers, such as restricting SSH to known source addresses, disallowing root password logins and limiting failed-login attempts
  • Monitor for abnormal user behavior, in particular bursts of failed SSH logins from one address followed by a successful login
  • Install and regularly update antivirus software on all hosts and enable real-time detection
  • Install updates and patches for operating systems, software and firmware as soon as they are released
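The recommendations above come down to two checks an administrator can actually run: is sshd still accepting passwords with loose limits, and is anyone hammering it. The following Python is an added example written for this page, not code from DXC or ASEC; the auth log lines and the sshd_config excerpt it analyses are constructed, and the thresholds (five failures in five minutes, MaxAuthTries of three) are assumptions to tune for your own environment.

```python
"""Added example, not part of the DXC/ASEC advisory: detect SSH password
brute-forcing in sshd auth log lines and audit sshd_config for the weak
settings that make the attack possible. All inputs are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth log sample (not real telemetry): a burst of guesses
# from one address ending in a successful password login, plus a normal user.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51612 ssh2
Jan 10 03:12:02 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51613 ssh2
Jan 10 03:12:02 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51614 ssh2
Jan 10 03:12:03 web1 sshd[2217]: Failed password for invalid user oracle from 203.0.113.5 port 51615 ssh2
Jan 10 03:12:04 web1 sshd[2219]: Failed password for root from 203.0.113.5 port 51616 ssh2
Jan 10 03:12:05 web1 sshd[2221]: Accepted password for root from 203.0.113.5 port 51617 ssh2
Jan 10 03:20:44 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Jan 10 03:25:10 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_lines(text, year=2023):
    """Yield (timestamp, result, method, user, ip) per sshd auth line. Syslog
    timestamps carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]


def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (max_failures_in_window, followed_by_success)} for each
    source IP with at least `threshold` failed password logins inside any
    `window`. A later success from the same IP means a guess worked: treat
    the host as compromised, not merely probed."""
    by_ip = defaultdict(list)
    for ev in sorted(parse_sshd_lines(text)):
        by_ip[ev[4]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [e[0] for e in evs if e[1] == "Failed" and e[2] == "password"]
        best = start = 0
        for end in range(len(fails)):  # sliding window over failure times
            while fails[end] - fails[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, any(e[1] == "Accepted" for e in evs))
    return hits


# Constructed sshd_config excerpt with the weak settings. OpenSSH defaults are
# listed so an absent directive is judged by its effective value
# (PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes", "maxauthtries": "6"}


def audit_sshd_config(text):
    """Return (directive, effective value, fix) for each weak setting. Hardened
    values: PermitRootLogin no or prohibit-password, PasswordAuthentication no,
    MaxAuthTries 3 or fewer."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            seen[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    eff = {k: seen.get(k, d) for k, d in SSHD_DEFAULTS.items()}
    findings = []
    if eff["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append(("PermitRootLogin", eff["permitrootlogin"],
                         "set to no; root must never log in with a password"))
    if eff["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", eff["passwordauthentication"],
                         "set to no and use keys; removes the brute-force surface"))
    if int(eff["maxauthtries"] or 0) > 3:
        findings.append(("MaxAuthTries", eff["maxauthtries"],
                         "set to 3 to limit guesses per connection"))
    return findings
```

On a real host, feed find_bruteforce the contents of /var/log/auth.log (or the output of journalctl -u ssh, or -u sshd on RHEL-family systems) and audit_sshd_config the text of /etc/ssh/sshd_config. A burst of failures followed by an Accepted password line from the same source is the trace this campaign leaves behind, and it is a compromise to respond to, not a near miss.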

Threat hunting tips

We recommend monitoring outbound traffic for connections to the C2 and download addresses listed below, sweeping hosts for the file hashes listed below (including hidden files such as .ubuntu, .system3d and .b4nd1d0, the names the samples were dropped under), watching for sustained unexplained CPU load that would indicate a running miner, and disabling any ports not required for operation.

IOCs

MD5:

c13e7e87e800a970df4d113d60e75ab4 : Shc Downloader (kermine)

1f0e5f4736a567a631946a0d9878fad7 : Shc Downloader (VirusTotal)

6fa237ce385dc9495246bc4498b64c2d : Shc Downloader (VirusTotal)

7650957bf7d798b284ea01a732ad07a5 : Perl DDoS IRC Bot (botcarternew)

077279a2ae5b1bc89540a1293fa807f1 : Perl DDoS IRC Bot (.ubuntu)

497bec45d865b2a9165699433c64816c : XMRig (s)

c1e65d481af4e6d4bad74cca4e8737cb : XMRig (xmrig)

48e5ce77980d52c68a7bbfd091756036 : XMRig (.system3d)

16b7ef9cbc89ccc08f5fcd80e473c169 : XMRig Configuration File (config.json)

a2fd0f3e18259d0bba9ebbf910e925c4 : XMRig Configuration File (config.json)

a2c7c9e3b468e7e02e882066b05c55c3 : Launcher Script (run)

c15ed837bd367fd4f66562b57b8fb57c : Launcher Script (.b4nd1d0)

C2 URL:

64.227.112[.]247:80 – Perl DDoS IRC Bot

157.230.116[.]194:80 – Perl DDoS IRC Bot

Download URL:

hxxp://172.105.211[.]21/

hxxp://172.105.211[.]21/xmrig

hxxp://172.105.211[.]21/snunewa.tar

hxxp://167.172.103[.]111/

hxxp://172.104.170[.]240/

hxxp://172.104.170[.]240/snunewa.tar

hxxp://wget.hostname[.]help/

hxxp://wget.hostname[.]help/driver.zip

hxxp://pateu.freevar[.]com/xmrminer2.tgz
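To make the hashes and addresses above actionable, here is an added Python sweep written for this page (not DXC's or ASEC's tooling) that refangs the defanged entries, matches file MD5s under a directory tree against the list, and checks ss -ntp output for connections to the listed C2 and download hosts. The IOC values are copied from the list; the sample file and the ss output are constructed for the example, and the refang and host-extraction helpers are this example's own.

```python
"""Added example, not part of the DXC/ASEC advisory: sweep a Linux host for
the IOCs listed above. The hashes and addresses are copied from the list; the
sample file and the ss output below are constructed for the example."""
import hashlib
import os
import re
import tempfile

# MD5 IOCs from the list above; they identify only these exact samples.
MD5_IOCS = {
    "c13e7e87e800a970df4d113d60e75ab4": "Shc Downloader (kermine)",
    "1f0e5f4736a567a631946a0d9878fad7": "Shc Downloader (VirusTotal)",
    "6fa237ce385dc9495246bc4498b64c2d": "Shc Downloader (VirusTotal)",
    "7650957bf7d798b284ea01a732ad07a5": "Perl DDoS IRC Bot (botcarternew)",
    "077279a2ae5b1bc89540a1293fa807f1": "Perl DDoS IRC Bot (.ubuntu)",
    "497bec45d865b2a9165699433c64816c": "XMRig (s)",
    "c1e65d481af4e6d4bad74cca4e8737cb": "XMRig (xmrig)",
    "48e5ce77980d52c68a7bbfd091756036": "XMRig (.system3d)",
    "16b7ef9cbc89ccc08f5fcd80e473c169": "XMRig Configuration File (config.json)",
    "a2fd0f3e18259d0bba9ebbf910e925c4": "XMRig Configuration File (config.json)",
    "a2c7c9e3b468e7e02e882066b05c55c3": "Launcher Script (run)",
    "c15ed837bd367fd4f66562b57b8fb57c": "Launcher Script (.b4nd1d0)",
}

# C2 and download IOCs from the list above, kept in their defanged form.
DEFANGED_NETWORK_IOCS = [
    "64.227.112[.]247:80", "157.230.116[.]194:80",
    "hxxp://172.105.211[.]21/", "hxxp://172.105.211[.]21/xmrig",
    "hxxp://172.105.211[.]21/snunewa.tar", "hxxp://167.172.103[.]111/",
    "hxxp://172.104.170[.]240/", "hxxp://172.104.170[.]240/snunewa.tar",
    "hxxp://wget.hostname[.]help/", "hxxp://wget.hostname[.]help/driver.zip",
    "hxxp://pateu.freevar[.]com/xmrminer2.tgz",
]


def refang(ioc):
    """Turn the defanged notation (hxxp://, [.]) back into a real URL or address."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


def ioc_hosts(iocs):
    """Bare IPs/hostnames to match against, from ip:port entries and URLs."""
    hosts = set()
    for ioc in iocs:
        rest = re.sub(r"^https?://", "", refang(ioc))
        hosts.add(rest.split("/", 1)[0].split(":", 1)[0])
    return hosts


def md5_of_file(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, iocs=MD5_IOCS):
    """Walk `root`; return {path: label} for files whose MD5 is in `iocs`.
    Dotfiles are deliberately included: the samples were dropped as .ubuntu,
    .system3d and .b4nd1d0 to stay out of a casual `ls`."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:  # unreadable or vanished file; keep going
                continue
            if digest in iocs:
                hits[path] = iocs[digest]
    return hits


def check_connections(ss_output, hosts):
    """Match peer addresses in `ss -ntp` output against `hosts`; return
    [(peer_ip, process_column)] for each connection to an IOC address."""
    hits = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 5:
            peer = cols[4].rsplit(":", 1)[0]
            if peer in hosts:
                hits.append((peer, cols[5] if len(cols) > 5 else ""))
    return hits


# Constructed `ss -ntp` output (not real): one connection to a listed C2.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.12:43122 64.227.112.247:80 users:(("perl",pid=4412,fd=3))
ESTAB 0 0 10.0.0.12:43123 93.184.216.34:443 users:(("curl",pid=4500,fd=5))
"""


def demo_sweep():
    """Self-check with a constructed file: its MD5 is added to a copy of the
    IOC table so the walk yields one hit; the real IOC hashes are untouched."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".b4nd1d0")
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n./xmrig -o pool.invalid:3333\n")  # constructed
        iocs = dict(MD5_IOCS, **{md5_of_file(path): "constructed test entry"})
        return sorted(sweep_files(d, iocs).values())
```

Run sweep_files over /tmp, /var/tmp, /dev/shm and the home directories of accounts reachable over SSH, and pass live ss -ntp output to check_connections. An MD5 match confirms one of these specific samples only; a rebuilt SHC binary or a freshly downloaded xmrig will hash differently, so pair the hash sweep with the network and CPU-load checks rather than treating a clean sweep as proof of a clean host.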