
Attackers Subvert Linux SSH Servers to Mine Cryptocurrency

Wave of Attacks Utilizes ShellBot, Tsunami, ChinaZ DDoS Bot, XMRig CoinMiner
A threat actor is targeting misconfigured Linux servers. (Image: Shutterstock)

Hackers are targeting Linux Secure Shell servers to install tools for port scanning and dictionary attacks to compromise other vulnerable servers, forming a network for cryptocurrency mining and distributed denial-of-service attacks.


Researchers at AhnLab Security Emergency Response Center analyzed attack campaigns in which hackers performed IP scanning to look for servers with the SSH service (port 22) active, after which they launched a brute-force or dictionary attack to obtain the ID and password.

"Besides DDoS bots and CoinMiners, threat actors can also install malware that performs such scanning and brute force or dictionary attacks in infected systems, which allows them to take advantage of more vulnerable systems. Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web," the researchers said.

AhnLab researchers identified common malware installed in attacks on Linux SSH servers with poor management, including ShellBot, Tsunami, ChinaZ DDoS Bot and XMRig CoinMiner.

Attack Analysis

Before installing malware, threat actors attempt to log into Linux servers with activated SSH service using an ID and password. After logon, they install malware.

In one recent case, the threat actor opted to install additional scanners instead of malware, likely to identify more vulnerable systems.

After login, the threat actor's first step has been to determine the number of CPU cores on the compromised server. The hacker also obtains account credentials, allowing them to log in again using those credentials and to download a compressed file, which includes a port scanner and an SSH dictionary attack tool.

During analysis of malware used in the attack campaign, the researchers found that the hackers had executed a Bash script named go with the argument 212. The go script is responsible for launching the port scanner, banner grabber and SSH dictionary attack tool, in that order.

"When the port scanner is launched, the IP band and port number to scan for must be given as arguments. The port number is set to 22 (SSH) and the transmitted IP band value is used for the IP A class band," the researchers said.
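The campaign described above leaves a recognizable trail on the victim side: a burst of failed SSH logins from one source address, followed by a successful password login from that same address once the dictionary attack lands. The following is an added example, not code from the article or from AhnLab, showing how a defender can detect that pattern in OpenSSH's syslog-format `sshd` messages. The log lines, the year applied to the timestamps, the threshold of five failures in 60 seconds and the five-minute grace period are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from the article.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:04 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:05:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>",
# as well as "Accepted <method> for <user>", capturing the source IP for correlation.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Syslog timestamps carry no year; 2024 is an assumed value for the example.
ASSUMED_YEAR = 2024


def parse_line(line):
    """Return a dict with ts/result/method/user/ip, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(lines, threshold=5, window=60, grace=300):
    """Flag dictionary-attack bursts and any password login that follows one.

    threshold: failed logins from one IP within `window` seconds that count as a burst.
    grace: seconds after the last burst failure during which an Accepted login from
           the same IP is treated as a likely credential compromise.
    Returns a list of (alert_kind, ip, user, timestamp) tuples.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    last_burst = {}                 # ip -> timestamp of the most recent failure inside a burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, t = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(t)
            # Drop failures that fell out of the sliding window.
            while q and (t - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold:
                if ip not in last_burst:
                    alerts.append(("bruteforce", ip, ev["user"], t))
                last_burst[ip] = t
        else:  # Accepted login
            burst_at = last_burst.get(ip)
            if burst_at is not None and (t - burst_at).total_seconds() <= grace:
                alerts.append(("success_after_bruteforce", ip, ev["user"], t))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:<26} ip={ip} user={user}")
```

Run against the sample, the script reports one `bruteforce` alert for 203.0.113.7 when its fifth failure arrives and one `success_after_bruteforce` alert when the same address then logs in as root with a password; the single failure from 198.51.100.20 followed by a key-based login raises nothing. The second alert kind is the one worth paging on, since it marks the moment the attacker gains the foothold the article describes; on servers where password authentication is disabled in `sshd_config` that event cannot occur at all, which is the simplest mitigation for this campaign.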

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
