Summary:
AhnLab’s ASEC has identified a new DDoS malware strain named cShell targeting poorly managed Linux servers via SSH services. The malware exploits Linux tools to conduct DDoS attacks and maintains persistence through specific installation routines. #DDoS #LinuxSecurity #Malware
Key Points:
- cShell is a DDoS bot targeting poorly managed Linux servers, utilizing weak SSH credentials.
- The malware exploits Linux tools like screen and hping3 for executing DDoS attacks.
- Initial access is gained through brute force attacks on SSH services, followed by malware installation.
- cShell supports various DDoS commands and maintains persistence through a service file.
MITRE Techniques:
- Initial Access (T1078): Brute force attack on SSH services to gain unauthorized access.
- Persistence (T1547): Installation of cShell and registration with systemctl to maintain persistence.
- Command and Control (T1071): Communication with the C&C server to receive DDoS commands.
- Resource Hijacking (T1496): Utilizing compromised Linux servers for DDoS attacks.
Indicators of Compromise:
- [url] http[:]//51[.]81[.]121[.]129/cARM
- [url] http[:]//51[.]81[.]121[.]129/sshell[.]service
- [url] https[:]//pastebin[.]com/raw/2AhnDGts
- [url] https[:]//pastebin[.]com/raw/7beUg9vK
- [url] https[:]//pastebin[.]com/raw/8kGSNMFr
- [ip address] 195[.]178[.]110[.]6
- [ip address] 45[.]148[.]10[.]176
- [ip address] 45[.]148[.]10[.]203
- [ip address] 45[.]148[.]10[.]46
- [ip address] 51[.]81[.]121[.]129
- [file hash] 29d6ef7365c18d243163a648fa6cd697
- [file hash] cd8bf4ce178ef5ddac77933d03ffb381
AhnLab SEcurity intelligence Center (ASEC) monitors attacks against poorly managed Linux servers using multiple honeypots. Among the prominent honeypots are SSH services using weak credential information, which are targeted by numerous DDoS and CoinMiner threat actors.
ASEC recently identified a new DDoS malware strain targeting Linux servers while monitoring numerous external attacks. The threat actor initially targeted poorly managed SSH services and ultimately installed a DDoS bot named cShell. cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks.
1. Initial Access Process
The threat actor scanned publicly exposed SSH services and attempted to log in using a brute force attack. After successfully logging in, the threat actor executed the following commands to install curl and a malware strain named “cARM”. Depending on the Linux distribution, the installation is done using “apt,” “yum,” “dnf,” “pacman,” “zypper,” or “apk,” and the routine is notable for having its error messages written in German.
Figure 1. A routine for installing malware after initial access
The malware is installed in the “/etc/de/cARM” path and uses the additionally downloaded configuration file “sshell.service” to register the service with the systemctl command, maintaining persistence.
Figure 2. A service file used to maintain persistence
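The two persistence artifacts named above (the binary path and the service unit) are what an incident responder would check first on a suspect host. The following triage script is an added example written for this page, not ASEC's code: it looks for `/etc/de/cARM`, for a systemd unit named `sshell.service` in the standard unit directories, hashes whatever it finds against the two MD5 values in the IoC list, and reports each unit's `ExecStart=` line. The check that flags any unit whose `ExecStart=` points at the cARM path is an assumption added here (the write-up shows the unit but does not quote its contents). `demo()` builds a constructed directory tree in a temporary location so the script can be run offline without touching the real filesystem; pass `triage("/")` on a live host instead.

```python
"""Triage a Linux host for the cShell persistence artifacts described above.

Added example for incident responders (not ASEC's code).
"""
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
IOC_BINARY = "etc/de/cARM"
IOC_UNIT_NAME = "sshell.service"
IOC_MD5 = {"29d6ef7365c18d243163a648fa6cd697", "cd8bf4ce178ef5ddac77933d03ffb381"}
# Standard systemd unit search directories, relative to the filesystem root.
UNIT_DIRS = ["etc/systemd/system", "run/systemd/system",
             "usr/lib/systemd/system", "lib/systemd/system"]


def md5_of(path):
    """MD5 of a file, streamed in chunks so large binaries are handled."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def exec_start(unit_path):
    """Return the ExecStart= value of a unit file, or None if absent."""
    with open(unit_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.strip().startswith("ExecStart="):
                return line.strip().split("=", 1)[1]
    return None


def triage(root="/"):
    """Return a list of finding dicts for the filesystem rooted at `root`."""
    root = Path(root)
    findings = []
    binary = root / IOC_BINARY
    if binary.is_file():
        digest = md5_of(binary)
        findings.append({"kind": "binary_path", "path": str(binary),
                         "md5": digest, "ioc_match": digest in IOC_MD5})
    for d in UNIT_DIRS:
        unit_dir = root / d
        if not unit_dir.is_dir():
            continue
        for unit in unit_dir.iterdir():
            if not unit.is_file():       # skip *.wants directories and the like
                continue
            start = exec_start(unit)
            # Flag the unit named in the write-up, and (assumption added here)
            # any unit that launches the cARM path under a different name.
            if unit.name == IOC_UNIT_NAME or (start and "/etc/de/cARM" in start):
                findings.append({"kind": "service_unit", "path": str(unit),
                                 "md5": md5_of(unit), "exec_start": start})
    return findings


def build_demo_tree(base):
    """Populate `base` with constructed stand-ins for the artifacts (not real samples)."""
    base = Path(base)
    (base / "etc/de").mkdir(parents=True)
    (base / "etc/de/cARM").write_bytes(b"constructed placeholder, not the malware\n")
    (base / "etc/systemd/system").mkdir(parents=True)
    (base / "etc/systemd/system/sshell.service").write_text(
        "[Unit]\nDescription=constructed sample unit\n\n"
        "[Service]\nExecStart=/etc/de/cARM\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n")


def demo():
    """Run triage against a constructed infected-looking tree and an empty one."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_demo_tree(infected)
        return triage(infected), triage(clean)


if __name__ == "__main__":
    infected, clean = demo()
    for finding in infected:
        print(finding)
    print("clean host findings:", clean)
```

A hash mismatch on a file found at the IoC path is still a finding: a repacked or updated build will not share the published MD5, which is why the script reports the path and the computed digest rather than only a boolean match.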
2. Exploitation Tools (screen and hping3)
Unlike typical DDoS bots, cShell is characterized by exploiting utilities provided by Linux to perform DDoS attacks. In the initial routine, cShell installs screen and hping3 using the following command:
# bash -c apt -y install curl && apt -y install hping3 && apt -y install screen
Linux’s screen is a utility used to run and manage multiple virtual terminal sessions from a single terminal, allowing tasks to continue running even if the terminal is closed. cShell runs hping3 in the background under the name “concurrent” using the following command:
# screen -dms concurrent timeout <Variable> hping3 <hping3 Argument>
Argument | Description |
---|---|
-d | Start session in the background |
-m | Run given commands (hping3) |
-s | Specify session names (concurrent) |
timeout | Command execution time limit (seconds) |
Table 1. screen options used for the attack
Linux’s hping3 is a TCP/IP packet generation and analysis tool primarily used for security testing and network diagnostics. It can generate various packets such as TCP, UDP, and ICMP, and analyze responses to assess network conditions or check for security issues. The tool is similar to ping, but unlike ping which can only send ICMP packets, hping3 can send TCP and UDP packets to support port scanning and DDoS testing.
The following is one of the hping3 commands used by cShell. cShell supports various DDoS commands such as SYN, ACK, and UDP. Packet transmission is handled by hping3 executed through screen, supporting different options for each command.
# hping3 -FXYAP -d <Data Size> -p <Port Number> --flood <Target IP>
Main category | Option | Description
---|---|---
Protocol | -2 | UDP protocol
Flag | -A | ACK
 | -S | SYN
 | -P | PSH
 | -F | FIN
 | -X | Xmas
 | -Y | Ymas
Others | -p | Destination port
 | -s | Source port
 | -d | Data size
 | -c | Count
 | --flood | Transmit packets at the maximum possible speed
 | --faster | Send 10 packets per second
Table 2. hping3 options used for the attack
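Because cShell generates no packets of its own, the host-side signal is the process tree: a `screen` session named “concurrent” wrapping `timeout` and `hping3` with flood options. The script below is an added example for defenders, not ASEC's code, that applies the screen options from Table 1 and the hping3 options from Table 2 to process command lines and scores each hping3 invocation on four signals (launched through `screen ... timeout`, session named “concurrent”, `--flood`/`--faster` present, three or more TCP flags combined as in `-FXYAP`). The sample process lines are constructed, with documentation-range addresses; on a live host the input would be `ps -eo args --no-headers` output or process-creation events from auditd.

```python
"""Flag process command lines matching the screen/hping3 launch pattern.

Added example for defenders (not ASEC's code); sample lines are constructed.
"""
import shlex

# hping3 options from Table 2 (descriptions paraphrased).
HPING3_OPTIONS = {
    "-2": "UDP protocol", "-A": "ACK", "-S": "SYN", "-P": "PSH", "-F": "FIN",
    "-X": "Xmas", "-Y": "Ymas", "-p": "destination port", "-s": "source port",
    "-d": "data size", "-c": "count", "--flood": "maximum-rate transmission",
    "--faster": "fixed fast interval",
}
FLAG_LETTERS = set("ASPFXY")          # TCP flag letters, combinable as in -FXYAP
OPTIONS_WITH_VALUE = {"-p", "-s", "-d", "-c"}


def parse_hping3(argv):
    """Split an hping3 argument vector into (tcp_flags, options, target)."""
    flags, options, target = set(), {}, None
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            options[tok] = True
        elif tok in OPTIONS_WITH_VALUE:
            options[tok] = argv[i + 1] if i + 1 < len(argv) else None
            i += 1
        elif tok.startswith("-") and len(tok) > 1:
            for ch in tok[1:]:          # combined flags such as -FXYAP
                if ch in FLAG_LETTERS:
                    flags.add(ch)
                elif ch == "2":
                    options["-2"] = True
        else:
            target = tok                # the only bare word is the target host
        i += 1
    return flags, options, target


def classify_cmdline(cmdline):
    """Return None if hping3 is absent, else a finding dict with a 0-4 score."""
    argv = shlex.split(cmdline)
    if "hping3" not in argv:
        return None
    idx = argv.index("hping3")
    prefix, rest = argv[:idx], argv[idx + 1:]
    flags, options, target = parse_hping3(rest)

    # Launcher described in the text: screen -dms <name> timeout <n> hping3 ...
    via_screen = prefix[:1] == ["screen"] and "timeout" in prefix
    session = timeout = None
    for j, tok in enumerate(prefix):
        if tok.lower() == "-dms" and j + 1 < len(prefix):
            session = prefix[j + 1]
        if tok == "timeout" and j + 1 < len(prefix):
            timeout = prefix[j + 1]
    flood = "--flood" in options or "--faster" in options

    score = sum([via_screen, session == "concurrent", flood, len(flags) >= 3])
    return {
        "cmdline": cmdline, "via_screen": via_screen, "session": session,
        "timeout": timeout, "tcp_flags": "".join(sorted(flags)),
        "options": dict(options), "target": target,
        "score": score, "suspicious": score >= 2,
    }


def scan(lines):
    """Return findings for every command line that involves hping3."""
    return [f for f in (classify_cmdline(line) for line in lines) if f]


# Constructed sample process list; addresses are RFC 5737 documentation ranges.
SAMPLE_PROCESS_LINES = [
    "screen -dms concurrent timeout 60 hping3 -FXYAP -d 100 -p 80 --flood 192.0.2.10",
    "screen -dms concurrent timeout 60 hping3 -2 -d 100 -p 53 --flood 192.0.2.10",
    "screen -dmS build make -j8",
    "hping3 -S -p 443 -c 3 203.0.113.5",   # a single diagnostic probe by an admin
    "/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESS_LINES):
        print(finding["score"], finding["suspicious"], finding["cmdline"])
```

The score threshold of 2 keeps an administrator's one-off `hping3 -S -c 3` probe below the alert line while the `screen`-wrapped flood variants score 3 or 4; tune it to your environment, and treat the presence of `hping3` at all on a production server as worth a look.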
3. cShell DDoS Bot
Developed in the Go language, cShell is relatively simple because it delegates packet generation to the existing tools screen and hping3, as discussed above. It supports 6 DDoS commands and an update feature, as shown below. The binary also retains source code path information; the name “Test” in that path suggests it is likely an early version.
– Source code information: C:/Users/Nick6/OneDrive/Desktop/Content/ForceNet/cShell/Test11/Test.go
Figure 3. List of cShell’s main functions
When cShell is executed, it installs curl, screen, and hping3 using the apt command as mentioned above. It then connects to the C&C URL, sends “1”, and, while idle, receives the response “2”.
Figure 4. C&C communications packets
The commands that can be received from the C&C server are listed below; most of them are DDoS attacks.
Command | Feature | hping3 command
---|---|---
2 | Wait | N/A
UPDATE | Update | N/A
syn | SYN Flood | hping3 -S -d <Data Size> -p <Destination Port> --flood <Target IP>
ack | ACK Flood | hping3 -A -d <Data Size> -p <Destination Port> --flood <Target IP>
psh | PSH Flood | hping3 -P -d <Data Size> -p <Destination Port> --flood <Target IP>
udp | UDP Flood | hping3 -2 -d <Data Size> -p <Destination Port> --flood <Target IP>
fxyap | DDoS #1 | hping3 -FXYAP -d <Data Size> -p <Destination Port> --flood <Target IP>
ovh | DDoS #2 | hping3 -S -p <Destination Port> -s <Source Port> <Target IP> -c 1, followed by hping3 -A -d <Data Size> -p <Destination Port> --faster <Target IP>
Table 3. List of commands supported by cShell
Note that the “UPDATE” command consists of that string alone, whereas each DDoS command is received as 5 strings separated by spaces. The format of a DDoS command is shown below.
Order | Data | Example |
---|---|---|
1 | DDoS command | syn |
2 | Target IP address | 192.168.123.132 |
3 | Target port number | 80 |
4 | Timeout option of the Screen command | 60 |
5 | Data size | 100 |
Table 4. DDoS command format
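The command format in Tables 3 and 4 is simple enough to decode in a network sensor or during triage of captured C&C traffic. The decoder below is an added example, not ASEC's code: it recognises the control strings “2” and “UPDATE”, validates the five fields of a DDoS order (command, target IP, port, screen timeout, data size) with range checks, and labels anything else as malformed or unknown. It assumes the payload is plain ASCII text, which is how the write-up presents the C&C exchange; the sample payloads are constructed, and the first DDoS sample reuses the example values from Table 4.

```python
"""Decode a captured cShell C&C payload into a structured record.

Added example for detection engineering (not ASEC's code). Assumes the
payload is plain ASCII text; sample payloads below are constructed.
"""
import ipaddress

# Command names and their attack types from Table 3.
DDOS_COMMANDS = {
    "syn": "SYN flood", "ack": "ACK flood", "psh": "PSH flood",
    "udp": "UDP flood", "fxyap": "multi-flag flood", "ovh": "SYN probe then ACK flood",
}
CONTROL_COMMANDS = {"2": "wait", "UPDATE": "update"}


def decode_command(payload):
    """Return a dict whose 'type' is wait, update, ddos, malformed or unknown."""
    text = payload.decode("ascii", errors="replace").strip()
    if text in CONTROL_COMMANDS:
        return {"type": CONTROL_COMMANDS[text], "raw": text}
    fields = text.split(" ")
    if fields[0] not in DDOS_COMMANDS:
        return {"type": "unknown", "raw": text}
    if len(fields) != 5:                    # Table 4: exactly five fields
        return {"type": "malformed", "raw": text, "reason": "expected 5 fields"}
    command, target, port, timeout, size = fields
    try:
        ip = ipaddress.ip_address(target)
        port_n, timeout_n, size_n = int(port), int(timeout), int(size)
    except ValueError as exc:
        return {"type": "malformed", "raw": text, "reason": str(exc)}
    if not 0 < port_n <= 65535 or timeout_n <= 0 or size_n < 0:
        return {"type": "malformed", "raw": text, "reason": "field out of range"}
    return {
        "type": "ddos", "command": command, "attack": DDOS_COMMANDS[command],
        "target": str(ip), "port": port_n, "timeout_seconds": timeout_n,
        "data_size": size_n, "raw": text,
    }


# Constructed sample payloads; the third reuses the Table 4 example values.
SAMPLE_PAYLOADS = [
    b"2",
    b"UPDATE",
    b"syn 192.168.123.132 80 60 100",
    b"udp 192.168.123.132 53 30 512\n",
    b"syn 192.168.123.132 99999 60 100",   # port out of range
    b"syn 192.168.123.132 80 60",          # only four fields
    b"hello",                              # not a cShell command
]


def summarize(payloads):
    """Return the decoded type of each payload, in order."""
    return [decode_command(p)["type"] for p in payloads]


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(decode_command(p))
```

Decoding the target and port from the order, rather than only matching the command keyword, lets a sensor emit the victim address as an alert field so the operator can confirm the outbound flood against flow data.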
Besides the hard-coded C&C server addresses, cShell supports 4 additional download URLs. These point to Pastebin: during the update process, cShell accesses each Pastebin page to obtain a URL and then downloads the latest version of itself with curl.
Figure 5. C&C and download URLs
4. Conclusion
Inadequately managed Linux SSH servers have recently been targeted for the installation of the cShell DDoS bot. If cShell is installed, the Linux server can be utilized as a DDoS bot by receiving commands from the threat actor.
Administrators should therefore use passwords that are difficult to guess and change them periodically to protect Linux servers from brute force and dictionary attacks, and apply the latest patches to prevent attacks that exploit vulnerabilities. They should also use security tools such as firewalls on servers that are accessible from the outside to restrict access by threat actors. Finally, V3 should be updated to the latest version to block malware infections in advance.
Detection Names
– Trojan/Linux.Cshell.7736270 (2024.12.09.02)
– Trojan/Script.Agent (2024.12.09.02)
Full Research: https://asec.ahnlab.com/en/85165/