Cshell Ddos Bot Attack Case Targeting Linux Ssh Server (screen And Hping3)
Category

Summary :

AhnLab’s ASEC has identified a new DDoS malware strain named cShell targeting poorly managed Linux servers via SSH services. The malware exploits Linux tools to conduct DDoS attacks and maintains persistence through specific installation routines. #DDoS #LinuxSecurity #Malware

Keypoints :

  • cShell is a DDoS bot targeting poorly managed Linux servers, utilizing weak SSH credentials.
  • The malware exploits Linux tools like screen and hping3 for executing DDoS attacks.
  • Initial access is gained through brute force attacks on SSH services, followed by malware installation.
  • cShell supports various DDoS commands and maintains persistence through a service file.

MITRE Techniques :

  • Initial Access (T1078): Brute force attack on SSH services to gain unauthorized access.
  • Persistence (T1547): Installation of cShell and registration with systemctl to maintain persistence.
  • Command and Control (T1071): Communication with the C&C server to receive DDoS commands.
  • Resource Hijacking (T1496): Utilizing compromised Linux servers for DDoS attacks.

Indicator of Compromise :

  • [url] http[:]//51[.]81[.]121[.]129/cARM
  • [url] http[:]//51[.]81[.]121[.]129/sshell[.]service
  • [url] https[:]//pastebin[.]com/raw/2AhnDGts
  • [url] https[:]//pastebin[.]com/raw/7beUg9vK
  • [url] https[:]//pastebin[.]com/raw/8kGSNMFr
  • [ip address] 195[.]178[.]110[.]6
  • [ip address] 45[.]148[.]10[.]176
  • [ip address] 45[.]148[.]10[.]203
  • [ip address] 45[.]148[.]10[.]46
  • [ip address] 51[.]81[.]121[.]129
  • [file hash] 29d6ef7365c18d243163a648fa6cd697
  • [file hash] cd8bf4ce178ef5ddac77933d03ffb381

AhnLab SEcurity intelligence Center (ASEC) monitors attacks against poorly managed Linux servers using multiple honeypots. Among the prominent honeypots are SSH services using weak credential information, which are targeted by numerous DDoS and CoinMiner threat actors.

ASEC recently identified a new DDoS malware strain targeting Linux servers while monitoring numerous external attacks. The threat actor initially targeted poorly managed SSH services and ultimately installed a DDoS bot named cShell. cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks.

1. Initial Access Process

The threat actor scanned publicly exposed SSH services and attempted to log in using a brute force attack. After successfully logging in, the threat actor executed the following commands to install curl and a malware strain named “cARM”. Depending on the Linux version, installation is done using “apt,” “yum,” “dnf,” “pacman,” “zipper,” or “apk,” and it is characterized by having error messages written in German.

Figure 1. A routine for installing malware after initial access

The malware is installed in the “/etc/de/cARM” path and uses the additionally downloaded configuration file “sshell.service” to register the service with the systemctl command, maintaining persistence.

Figure 2. A service file used to maintain persistence

2. Exploitation Tools (screen and hping3)

Unlike typical DDoS bots, cShell is characterized by exploiting utilities provided by Linux to perform DDoS attacks. In the initial routine, cShell installs screen and hping3 using the following command:

# bash -c apt -y install curl && apt -y install hping3 && apt -y install screen

Linux’s screen is a utility used to run and manage multiple virtual terminal sessions from a single terminal, allowing tasks to continue running even if the terminal is closed. cShell runs hping3 in the background under the name “concurrent” using the following command:

# screen -dms concurrent timeout <Variable> hping3 <hping3 Argument>

Argument Description
-d Start session in the background
-m Run given commands (hping3)
-s Specify session names (concurrent)
timeout Command execution time limit (seconds)

Table 1. screen options used for the attack

Linux’s hping3 is a TCP/IP packet generation and analysis tool primarily used for security testing and network diagnostics. It can generate various packets such as TCP, UDP, and ICMP, and analyze responses to assess network conditions or check for security issues. The tool is similar to ping, but unlike ping which can only send ICMP packets, hping3 can send TCP and UDP packets to support port scanning and DDoS testing.

The following is one of the hping3 commands used by cShell. cShell supports various DDoS commands such as SYN, ACK, and UDP. Packet transmission is handled by hping3 executed through screen, supporting different options for each command.

# hping3 -FXYAP -d <Data Size> -p <Port Number> –flood <Target IP>

Main category Option Description
Protocol -2 UDP protocol
Flag -A ACK
  -S SYN
  -P PSH
  -F FIN
  -X Xmas
  -Y Ymas
Others -p Destination port
  -s Source port
  -d Data size
  -c Count
  –flood Transmit packets at the maximum possible speed
  –faster Send 10 packets per second

Table 2. hping3 options used for the attack

3. cShell DDoS Bot

Developed in the Go language, cShell is relatively simple because it uses existing tools like screen and hping3 as discussed above. It includes 6 DDoS commands and an update feature as shown below. It also includes source code information, indicating that it is likely an early version through the name “Test”.

– Source code information: C:/Users/Nick6/OneDrive/Desktop/Content/ForceNet/cShell/Test11/Test.go

Figure 3. List of cShell’s main functions

When cShell is executed, it installs curl, screen, and hping3 using the apt command as mentioned above. It then connects to the C&C URL to send “1” and receives a packet labeled “2” in the idle state.

Figure 4. C&C communications packets

The commands that can be received from the C&C server are as follows with most being DDoS attacks. 

Command Feature Hping3 command
2 Wait N/A
UPDATE Update N/A
syn SYN Flood hping3 -S -d <Data Size> -p <Destination Port> –flood <Target IP>
ack ACK Flood hping3 -A -d <Data Size> -p <Destination Port> –flood <Target IP>
psh PSH Flood hping3 -P -d <Data Size> -p <Destination Port> –flood <Target IP>
udp UDP Flood hping3 -2 -d <Data Size> -p <Destination Port> –flood <Target IP>
fxyap DDoS #1 hping3 -FXYAP -d <Data Size> -p <Destination Port> –flood <Target IP>
ovh DDoS #2 hping3 -S -p <Destination Port> -s <Source Port> <Target IP> -c 1
hping3 -A -d <Data Size> -p <Destination Port> –faster <Target IP>

Table 3. List of commands supported by cShell

Note that the “UPDATE” command simply receives the string from the C&C server; but in the case of DDoS commands, it receives 5 strings separated by spaces. Below is the format of the DDoS command.

Order Data Example
1 DDoS command syn
2 Target IP address 192.168.123.132
3 Target port number 80
4 Timeout option of the Screen command 60
5 Data site 100

Table 4. DDoS command format

cShell supports 4 additional download URLs besides the hard-coded C&C server addresses. These addresses exploit Pastebin by accessing each Pastebin during the update process to obtain URLs and then download the latest version of cShell using curl.

Figure 5. C&C and download URLs

4. Conclusion

Inadequately managed Linux SSH servers have recently been targeted for the installation of the cShell DDoS bot. If cShell is installed, the Linux server can be utilized as a DDoS bot by receiving commands from the threat actor.

As such, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to prevent vulnerability attacks. Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.

Detection Names
– Trojan/Linux.Cshell.7736270 (2024.12.09.02)
– Trojan/Script.Agent (2024.12.09.02)

MD5
29d6ef7365c18d243163a648fa6cd697
cd8bf4ce178ef5ddac77933d03ffb381
URL
http[:]//51[.]81[.]121[.]129/cARM
http[:]//51[.]81[.]121[.]129/sshell[.]service
https[:]//pastebin[.]com/raw/2AhnDGts
https[:]//pastebin[.]com/raw/7beUg9vK
https[:]//pastebin[.]com/raw/8kGSNMFr
IP
195[.]178[.]110[.]6
45[.]148[.]10[.]176
45[.]148[.]10[.]203
45[.]148[.]10[.]46
51[.]81[.]121[.]129

Full Research: https://asec.ahnlab.com/en/85165/