AL2023_04 New malware targets Linux machines and installs cryptocurrency miners and IRC bots (12th January 2023) 

Description  

A new Shell Script Compiler (SHC) malware has been spotted targeting Linux machines, infecting these systems with cryptocurrency miners and adding them to an IRC botnet. 

Summary 

The ASEC team had recently discovered on the 4th of January 2023 a malware that was developed using Shell Script Compiler (SHC) to infect Linux machines. The malware gains access to SSH Linux servers by attempting brute force attacks on server’s administrator accounts. If the attack is successful, the SHC and additional malware are installed on the machine. 

The SHC malware is a generic shell script compiler that is responsible for converting Bash shell scripts into ELF (executable and linkable format) files for Linux machines. Bash is a basic shell in Linux operating systems, and commands supported by Bash can be compiled in script format. This allows threat actors to convert malicious bash shell scripts into executable ELF files. This method of converting the bash to ELF files after infiltrating a device is a way of avoiding file detection. The malicious scripts in SHC ELF executables are also encoded using the RC4 algorithm and this also helps in evading detection as well. 

When the SHC malware is executed, it fetches multiple malware payloads. The first and main payload downloaded is the XMRig cryptocurrency miner. It is downloaded as a TAR archive from a remote URL, extracted to ‘/usr/local/games/’ and executed. The XMRig miner is an open-source, cross platform GPU/CPU cryptocurrency miner designed for mining cryptocurrencies such as Monero or Bitcoin. In this case, XMRig is set to mine Monero currency using the compromised server’s available computational resources.  

The second payload downloaded by the SHC malware is a Pearl-based DDoS IRC bot. The malware establishes communication with the designated Internet Relay Chat (IRC) server using configuration data and goes through a username-based verification process. If successful, the compromised device is established as an IRC bot and awaits commands from the IRC server. These commands include DDoS-related actions such as TCP Flood, UDP Flood, and HTTP Flood, port scanning, Nmap scanning, sendmail commands, process killing, log cleaning, and more. 

Indicators of Compromise 

For a list of IOCs including MD5 hashes, the C2 URLs used, and the URLs used by the SHC to download additional malware, follow the URL below: https://asec.ahnlab.com/en/45182/ 

Remediation  

This attack relies on brute force and dictionary attacks in order to infiltrate Linux SSH servers and specifically targets servers where account credentials are poorly managed. It is therefore recommended to enforce stronger passwords on servers that would be hard to guess and have these passwords changed periodically to help prevent these attacks.  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.  

PDF Download: Malware targets Linux machines and installs cryptocurrency miners and IRC bots.pdf

References