IoT devices and Linux-based systems targeted by OpenSSH trojan campaign | Microsoft Security Blog

Microsoft researchers uncovered a campaign targeting internet-facing Linux-based systems and IoT devices that uses a patched OpenSSH to take control of devices and deploy cryptomining malware, backdoors, and rootkits. The operation leverages a hijacked OpenSSH, an IRC-based botnet, and a network of C2 infrastructure to persist, move laterally, and mine resources while evading detection. #OpenSSH #ZiggyStarTux #Diamorphine #Reptile #HiveonOS #IoT #Linux #asterzeu #cardingforum.cx #madagent

Key points

  • The attackers begin by brute-forcing credentials on misconfigured internet-facing Linux devices.
  • They disable shell history and retrieve a compromised OpenSSH archive (openssh-8.0p1.tgz) containing malicious files alongside benign OpenSSH sources.
  • A backdoor downloads, compiles, and installs two open-source rootkits (Diamorphine and Reptile) to hide activity and connect to a C2 domain on port 4444.
  • The backdoor adds SSH keys to authorized_keys for persistence and removes logs (Apache, nginx, httpd, system logs) using logtamper.
  • It suppresses competing cryptominers on the host by manipulating /etc/hosts and iptables rules.
  • The botnet component (ZiggyStarTux) persists via cron jobs and a systemd service, issues commands from an IRC channel, and fetches further mining payloads for Hiveon OS.

MITRE Techniques

  • [T1021.004] SSH – Remote Services – The backdoor hijacks SSH credentials, moves laterally within the network, and conceals malicious SSH connections. Quote: “hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections.”
  • [T1098.004] SSH Authorized Keys – Persistence – It appends two public keys to the authorized_keys configuration files of all users on the system. Quote: “appends two public keys to the authorized_keys configuration files of all users on the system.”
  • [T1562.001] Impair Defenses – Defense Evasion via log tampering – It removes records from logs and uses logtamper to clear utmp/wtmp to hide activity. Quote: “removes records from Apache, nginx, httpd, and system logs that contain the IP and username…”
  • [T1036] Masquerading – The patched OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server, increasing detection difficulty. Quote: “The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server…”
  • [T1053.003] Scheduled Task: Cron – Persistence via cron jobs to invoke ZiggyStarTux at intervals. Quote: “cron jobs to invoke it at regular intervals.”
  • [T1059.003] Unix Shell – Command Execution – The backdoor uses shell scripts (inst.sh, vars.sh) and a shell script compiled with shc to perform malicious actions. Quote: “The backdoor is a shell script compiled using an open-source project called Shell Script Compiler (shc), and enables the threat actors to perform subsequent malicious activities…”
  • [T1095] Non-Application Layer Protocol – C2 over IRC – ZiggyStarTux bots connect to an IRC server and join a hidden channel to receive commands. Quote: “ZiggyStarTux bots connect to the IRC server and join a hidden password-protected channel named ‘##..##’.”
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration via email and C2 channels – The backdoor exfiltrates device info and credentials via email. Quote: “exfiltrates information about the device… over email to the hardcoded address…”
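Two of the behaviours listed above (the same key pair appended to every user's authorized_keys, and /etc/hosts edited to starve rival miners) leave simple host-level traces. The audit helpers below are an added example, not code from the Microsoft post or the campaign; the function names, the fixture (key strings, account names, hostnames) and the assumption that the hosts-file blocking takes the usual sinkhole form (names pinned to 0.0.0.0 or 127.x) are mine.

```shell
#!/bin/sh
# Added example, not code from the Microsoft post: two audit helpers for the
# persistence and anti-competition behaviours described above. Both operate
# only on the paths you pass, so they can be run against the constructed
# fixture (make_fixture) or against /home /root and /etc/hosts on a real host.

# Print each public key that appears in the authorized_keys of more than one
# user under the given home roots, with the users it was found for. A
# backdoor that appends the same key to every account produces exactly this
# cross-user duplication, which legitimate per-user keys rarely do.
audit_shared_keys() {
    find "$@" -path '*/.ssh/authorized_keys' -type f 2>/dev/null |
    while read -r f; do
        user=$(basename "$(dirname "$(dirname "$f")")")
        # skip blank/comment lines; key material is the field after the key
        # type token, so simple option prefixes (no-pty,...) are tolerated
        awk -v u="$user" '/^[ \t]*(#|$)/ { next }
            { for (i = 1; i < NF; i++)
                  if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i+1), u; break } }' "$f"
    done | sort -u |
    awk '{ n[$1]++; users[$1] = users[$1] " " $2 }
         END { for (k in n) if (n[k] > 1)
                   printf "%s shared by %d users:%s\n", k, n[k], users[k] }'
}

# Print hosts-file names pinned to 0.0.0.0 or a 127.x address other than the
# localhost family. The post only says /etc/hosts is manipulated to suppress
# competing miners; this assumes the usual sinkhole form. On Debian-style
# systems the machine's own name (127.0.1.1) will be listed and is expected.
audit_hosts_sinkholes() {
    awk '{ sub(/#.*/, "") }
         $1 ~ /^(0\.0\.0\.0|127\.)/ {
             for (i = 2; i <= NF; i++) if ($i !~ /^localhost/) print $1, $i }' "$1"
}

# Constructed fixture: three accounts, one legitimate key for alice, one
# planted key appended to every account, and a hosts file with two sinkholes.
make_fixture() {
    d=$(mktemp -d)
    for u in alice bob root; do mkdir -p "$d/home/$u/.ssh"; done
    printf 'ssh-ed25519 AAAAC3KEYALICE alice@laptop\n' > "$d/home/alice/.ssh/authorized_keys"
    for u in alice bob root; do
        printf 'ssh-ed25519 AAAAC3PLANTED planted\n' >> "$d/home/$u/.ssh/authorized_keys"
    done
    printf '127.0.0.1 localhost\n::1 localhost ip6-localhost\n0.0.0.0 pool.example.test\n127.0.0.1 rival-miner.example.test # blocked\n' > "$d/hosts"
    printf '%s\n' "$d"
}
```

On a live host, `audit_shared_keys /home /root` and `audit_hosts_sinkholes /etc/hosts` give the two reports; an empty result from the first is the normal state.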

Indicators of Compromise

  • [Email address] Exfiltration points – [email protected], [email protected], and 1 more address
  • [IP address] Command-and-control – 185.161.208.234, 139.180.185.24, and 2 more IPs
  • [Domain] C2/IRC domains – irc.socialfreedom.party, singapore.socialfreedom.party, and 2 more domains
  • [Domain] Additional C2 domains – madagent.tm, madagent.cc, and 2 more domains
  • [File hash] Malicious components – a26631dcc1aef92a92d2d37476fb1e9becae54541e0411224a441d3afc20b02a and 6e9b692b401a57db306bd6c95409042aa6ed075088a40a6ceb74f96895116b62, and 2 more hashes
  • [File] ZiggyStarTux/malicious OpenSSH artifacts – inst.sh, vars.sh, and 2 more items (e.g., hive-start.tgz, lssh.tgz)

Read more: https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/