Shc Linux Malware Installing CoinMiner

The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.


1. Shc (Shell Script Compiler)

Shc is an abbreviation for Shell Script Compiler and is responsible for converting Bash shell scripts into an ELF (Executable and Linkable Format).

Figure 1. Overview of General Shell Script Compiler

Bash is a basic shell offered in the Linux operating system, and commands supported by the Bash shell can be compiled in script format. This means that the commands to be executed by users can be written as scripts, and because of this, syntaxes such as conditional and looping statements are provided. The Bash shell can be compared to the Command Prompt in Windows, with the Bash shell script files corresponding to Windows batch scripts.

Additionally, just like how Linux has Shc that converts Bash shell scripts into executable ELF file formats, Windows has the bat2exe utility that converts batch scripts into executable EXE file formats. In Windows environments, threat actors use bat2exe to convert malicious batch scripts to executables before distributing them in order to bypass file detection of security software such as anti-malware products. It is likely that the reason threat actors do not distribute the bash shell scripts as is but rather convert them to ELF before distributing them is to evade file detection as they do in Windows environments.

The Shc data section contains the original Bash shell script encoded with the Alleged RC4 algorithm. When it is executed afterward, the same ARC4 algorithm is used to decode the original script, and the decoded script commands are executed.

Figure 2. Decoding routine using the ARC4 algorithm


2. Shc Downloader

The following is a decoded Bash shell script of Shc malware reported by a client company that suffered an infiltration attack. It downloads and runs files from external sources, and based on the fact that XMRig CoinMiner is downloaded and installed from the currently available address, it is assumed to be a CoinMiner downloader..

Figure 3. A portion of the decoded Bash shell script’s routine

Additionally, this malware has the characteristic of infecting systems alongside DDoS IRC Bot malware developed with Perl, and this point will be discussed in more detail further on. These DDoS IRC Bots have been continuously installed during the past years on Linux servers with inappropriate account information and still continued to this day. The threat actors attempt dictionary attacks on SSH servers after a scanning process, and if this process is successful, various malware such as Perl IRC Bot is installed on the target system. Other malware include XMRig, SSH Scanner and various IRC Bot malware.

Analysis of the reported malware revealed that a “run” file for execution didn’t exist and instead required multiple arguments, which limits our analysis with this sample only.

Argument #Feature
1The download URL and the name of the file to be downloaded
2Version (The “universal” string by default)
3The name of the PID file to be created
4The Socks5 host name
5The path where the installation process will occur (“/Usr/local/games/” by default)
6Additional download URLs
7Additional commands
Table 1. Arguments needed for execution

While the ASEC analysis team was tracking related malware, the team found a similar form of Shc Downloader Malware uploaded on VirusTotal. Assuming that such types of malware were all uploaded to VirusTotal from Korea, it seems that attacks generally target systems in Korea.

The malware found on VirusTotal has a much simpler structure in comparison to the type covered above, requiring no additional arguments and having a complete URL as the download address.

Figure 4. Bash shell script extracted from the similar file


3. XMRig CoinMiner

The Shc downloader malware is responsible for downloading a compressed file from an external source to the path, “/usr/local/games/” and executing the “run” file. The compressed file currently available for download includes not only the XMRig CoinMiner malware but also a config.json with the mining pool URL and the “run” script.

Figure 5. Downloaded compressed file
Figure 6. config.json file

As the config.json file containing the configuration data exists in the same path, the configuration does not need to be transmitted when XMRig is executed. However, examining the “run” script shown below reveals that it transmits slightly different configuration data to config.json before executing XMRig.

Figure 7. The “run” script that executes XMRig


4. DDoS IRC Bot

Aside from installing a CoinMiner on the infected system, the threat actor installs an IRC bot that can perform a DDoS attack by receiving commands. This DDoS IRC Bot has the characteristic of being developed with Perl, and as the name suggests, it uses the IRC protocol in communications with the C&C server.

Both malware strains are similar in form, and while one of them currently cannot connect to the C&C server (IRC server), the other can. Even if a connection can be established, entering the channel is unavailable, and this is presumed to be because the password has been changed from “ddosit” to another value. Additionally, a URL is included in the message that is displayed after channel entry is denied. A compressed file can be downloaded from this URL, and this file contains XMRig from above.

Figure 8. The process of connecting to the IRC server and attempting to enter the channel

Next is the configuration data which includes the IRC server address, port number, “#xmr” (IRC channel name to enter), and the password “@” required for entry into the channel. For reference, DDoS IRC Bot performs additional tasks to verify the threat actor; the username of the user that entered the channel must be one of the four usernames shown below and the host address must be “qwerty”.

Figure 9. Configuration data of DDoS Perl IRC Bot

If the above conditions are met, it deems the user to be the threat actor and performs the received commands. This bot supports not only DDoS attacks such as TCP Flood, UDP Flood, and HTTP Flood but various other features including command execution, reverse shell, port scanning, and log deletion. The following is a screenshot taken not by the actual threat actor’s command but during a test process. It shows the process of DDoS IRC Bot sending the list of commands to the #xmr channel when the “!u @commands” command is entered to bring up the list of available commands.

Figure 10. Following commands transmitted from the IRC server


Conclusion

Typical attacks that target Linux SSH servers include brute force attacks and dictionary attacks on systems where account credentials are poorly managed. Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks.

Administrators should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers. Finally, V3 should be updated to the latest version so that malware infection can be prevented.

File Detection
– Downloader/Linux.Agent.13360 (2022.12.21.00)
– Downloader/Linux.Agent.13256 (2022.12.25.03)
– Downloader/Linux.Agent.13392 (2022.12.25.03)
– Shellbot/Perl.Generic.S1118 (2020.02.19.07)
– Linux/CoinMiner.Gen2 (2019.07.31.08)
– CoinMiner/Text.Config (2022.12.26.03)
– Trojan/Shell.Agent.SC185400 (2022.12.26.03)
– Trojan/Shell.Agent.SC185401 (2022.12.26.03)

IOC
MD5

– c13e7e87e800a970df4d113d60e75ab4: Shc Downloader (kermine)
– 1f0e5f4736a567a631946a0d9878fad7 : Shc Downloader (VirusTotal)
– 6fa237ce385dc9495246bc4498b64c2d : Shc Downloader (VirusTotal)
– 7650957bf7d798b284ea01a732ad07a5 : Perl DDoS IRC Bot (botcarternew)
– 077279a2ae5b1bc89540a1293fa807f1 : Perl DDoS IRC Bot (.ubuntu)
– 497bec45d865b2a9165699433c64816c : XMRig (s)
– c1e65d481af4e6d4bad74cca4e8737cb : XMRig (xmrig)
– 48e5ce77980d52c68a7bbfd091756036 : XMRig (.system3d)
– 16b7ef9cbc89ccc08f5fcd80e473c169 : XMRig Configuration File (config.json)
– a2fd0f3e18259d0bba9ebbf910e925c4 : XMRig Configuration File (config.json)
– a2c7c9e3b468e7e02e882066b05c55c3 : Launcher Script (run)
– c15ed837bd367fd4f66562b57b8fb57c ” Launcher Script (.b4nd1d0)

C&C URL
– 64.227.112[.]247:80 – Perl DDoS IRC Bot
– 157.230.116[.]194:80 – Perl DDoS IRC Bot

Download URL
– hxxp://172.105.211[.]21/
– hxxp://172.105.211[.]21/xmrig
– hxxp://172.105.211[.]21/snunewa.tar
– hxxp://167.172.103[.]111/
– hxxp://172.104.170[.]240/
– hxxp://172.104.170[.]240/snunewa.tar
– hxxp://wget.hostname[.]help/
– hxxp://wget.hostname[.]help/driver.zip
– hxxp://pateu.freevar[.]com/xmrminer2.tgz

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,,,

0 0 votes
Article Rating
guest

85 Comments
Inline Feedbacks
View all comments
trackback

[…] malware have been put in on the goal system,” AhnLab Safety Emergency Response Heart (ASEC) stated in a report printed as we […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

trackback

[…] to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

trackback

[…] keeping with ASEC researchers, who found the assault, the SHC loader was uploaded to VirusTotal by Korean customers, with […]

trackback

[…] 参考記事(外部リンク):Shc Linux Malware Installing CoinMinerasec.ahnlab.com/en/45182/ […]

trackback

[…] to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

trackback

[…] malware were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

trackback

[…] line with ASEC researchers, who found the assault, the SHC loader was uploaded to VirusTotal by Korean customers, with […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published today.shc allows shell scripts to be converted directly into binaries, […]

trackback

[…] ASEC señala que estos tipos de ataques a menudo son el resultado de la utilización de contraseñas débiles en servidores Linux expuestos. Por lo tanto, ASEC aconseja que los administradores de servidores utilicen contraseñas seguras y las cambien regularmente para proteger sus servidores Linux de ataques de fuerza bruta, así como mantener sus servidores actualizados con las últimas parches de seguridad para evitar ataques a través de vulnerabilidades conocidas. […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published today.shc allows shell scripts to be converted directly into binaries, […]

trackback

[…] January 4, 2023, Ahn Lab Security Response Center (ASEC) researchers reported the technical details of a new Linux malware written using Shc delivering a cryptocurrency miner. ASEC researchers assess […]

trackback

[…] step with ASEC Ahnlab, the newly discovered downloader is a decoded Bash shell script of the Shc malware […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

Lulu
Lulu
4 months ago

RC4 is a cipher, not an encoding algorithm. So technically it’s decryption not decoding.

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published today.shc allows shell scripts to be converted directly into binaries, […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published today.shc allows shell scripts to be converted directly into binaries, […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published today.shc allows shell scripts to be converted directly into binaries, […]

trackback

[…] Shc Linux Malware Installing CoinMiner Coinminers installed by Linux Malware […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published today.shc allows shell scripts to be converted directly into binaries, […]

trackback

[…] were installed on the target system,” AhnLab Security Emergency Response Center (ASEC) said in a report published […]

trackback

[…] malware have been put in on the goal system,” AhnLab Safety Emergency Response Middle (ASEC) said in a report printed in the present […]

trackback

[…] peneliti ASECyang menemukan serangan tersebut, loader SHC diunggah ke VirusTotal oleh pengguna Korea, dengan […]

trackback

[…] was heavily used by XCSSET malware and has been seen more recently obfuscating Linux payloads. It’s great advantage from an attacker’s point of view is it makes it extremely simple to write […]

trackback

[…] was heavily used by XCSSET malware and has been seen more recently obfuscating Linux payloads. It’s great advantage from an attacker’s point of view is it makes it extremely simple to write […]

trackback

[…] asec […]

trackback

[…] keeping with ASEC researchers, who found the assault, the SHC loader was uploaded to VirusTotal by Korean customers, with […]

trackback

[…] Shc Linux Malware Installing CoinMiner […]

trackback

[…] Shc Linux Malware Installing CoinMiner […]

trackback

[…] PerlBot)—a Perl-based DDoS bot malware previously seen in attacks along with CoinMiner—targets poorly managed Linux SSH servers in a new […]

trackback

[…] to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks […]