ASEC analyzes campaigns that target poorly managed Linux SSH servers, detailing how attackers gather target data, scan for SSH on port 22, and then deploy malware, scanners, or SSH brute-force tools to expand their foothold. The analysis highlights common malware (ShellBot, Tsunami, ChinaZ DDoS Bot, XMRig CoinMiner) and an attack chain of port scanning, banner grabbing, and SSH dictionary attacks used to harvest more credentials and devices. #ShellBot #Tsunami #ChinaZDDoSBot #XMRigCoinMiner #PRGOldTeam
Keypoints
- Attackers target Linux SSH servers by scanning for SSH service or port 22, then use brute-force or dictionary attacks to gain credentials.
- Once credentials are obtained, attackers install malware (DDoS bots, CoinMiners) or scanners to recruit more vulnerable systems.
- Common malware families seen include ShellBot, Tsunami, ChinaZ DDoS Bot, and XMRig CoinMiner; many campaigns reuse scanners and tooling.
- Attack tools are organized as scripts (go, gob, rand, ps, ps2, b, prg) that perform scanning, banner grabbing, and SSH dictionary attacks.
- Campaigns reveal a repeatable flow: scan for SSH, grab banners, enumerate IPs, and attempt SSH login to drop payloads.
- Past cases indicate these toolchains were associated with PRG old Team and were discussed by JPCERT/CC in 2021.
- Defenses emphasize strong passwords that are changed periodically, prompt patching, firewalls that restrict SSH access, and threat intelligence from honeypots or a TIP to block known indicators early.
MITRE Techniques
- [T1046] Network Service Scanning – IP scanning for hosts with the SSH service (port 22) exposed. ‘IP scanning is performed for this purpose to look for servers with the SSH service, or port 22 activated.’
- [T1110] Brute Force – SSH dictionary attack to obtain the ID and password. ‘they launch a brute force or dictionary attack to obtain the ID and password.’
- [T1082] System Information Discovery – Commands to check system info, such as ‘grep -c ^processor /proc/cpuinfo’ (CPU core count) and ‘uname -a’.
- [T1057] Process Discovery – Commands like ‘ps ax’ are used to view running processes on the target.
- [T1059] Command and Scripting Interpreter – Use of Bash commands and scripts to navigate, download, extract, and execute tools (wget, tar, cd, uname, etc.).
- [T1105] Ingress Tool Transfer – Download of the scanner/attack toolkit via ‘wget 58.216.207[.]82/scan.tar’ to obtain the payloads.
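As an added example, not code from the ASEC report, the following Python checker shows the defender's side of the T1110 step in the flow above: it parses sshd auth-log lines, flags a source that fails logins across several usernames and then succeeds with a password (the "credentials obtained" step), and marks sources that match the report's IP indicators. The thresholds, the hostnames and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Source IPs reported as indicators (defanged in the report, refanged here for matching).
IOC_IPS = {"217.156.4.2", "58.216.207.82"}

# Example thresholds, not values from the report: how many failures, or how many
# distinct usernames, from one source before it is treated as a dictionary attack.
FAILED_THRESHOLD = 5
USER_THRESHOLD = 3

# Matches OpenSSH "Failed/Accepted password|publickey for [invalid user] <user> from <ip> port <n>".
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "Jan 12 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 217.156.4.2 port 51230 ssh2",
    "Jan 12 03:14:03 web1 sshd[2203]: Failed password for invalid user test from 217.156.4.2 port 51232 ssh2",
    "Jan 12 03:14:05 web1 sshd[2205]: Failed password for invalid user oracle from 217.156.4.2 port 51234 ssh2",
    "Jan 12 03:14:07 web1 sshd[2207]: Failed password for root from 217.156.4.2 port 51236 ssh2",
    "Jan 12 03:14:09 web1 sshd[2209]: Failed password for root from 217.156.4.2 port 51238 ssh2",
    "Jan 12 03:14:11 web1 sshd[2211]: Accepted password for root from 217.156.4.2 port 51240 ssh2",
    "Jan 12 03:20:01 web1 sshd[2300]: Failed password for bob from 192.0.2.10 port 40000 ssh2",
    "Jan 12 03:20:10 web1 sshd[2301]: Accepted publickey for bob from 192.0.2.10 port 40001 ssh2",
    "Jan 12 03:21:00 web1 sshd[2310]: Connection closed by 198.51.100.7 port 33000 [preauth]",
]


def parse_line(line):
    """Return a dict with result/method/user/ip for an auth event, or None for other lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


@dataclass
class SourceStats:
    failed: int = 0
    users: set = field(default_factory=set)
    accepted_after_failures: list = field(default_factory=list)
    ioc_match: bool = False


def summarize(lines):
    """Aggregate auth events per source IP, in log order."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s.ioc_match = ev["ip"] in IOC_IPS
        if ev["result"] == "Failed":
            s.failed += 1
            s.users.add(ev["user"])
        elif ev["method"] == "password" and s.failed >= 2:
            # A password login that succeeds after repeated failures from the same
            # source is the point where the attacker has obtained working credentials.
            s.accepted_after_failures.append(ev["user"])
    return stats


def find_dictionary_attacks(lines, failed_threshold=FAILED_THRESHOLD, user_threshold=USER_THRESHOLD):
    """Return sorted (ip, [reasons]) pairs for sources that look like SSH dictionary attacks."""
    findings = []
    for ip, s in summarize(lines).items():
        reasons = []
        if s.failed >= failed_threshold or len(s.users) >= user_threshold:
            reasons.append(f"{s.failed} failed logins across {len(s.users)} usernames")
        if s.accepted_after_failures:
            reasons.append("password login succeeded after failures as " + ",".join(s.accepted_after_failures))
        if s.ioc_match:
            reasons.append("source IP is a reported IOC")
        if reasons:
            findings.append((ip, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for ip, reasons in find_dictionary_attacks(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

The single failed login followed by a public-key success from 192.0.2.10 is not flagged, and a line without an auth result (the preauth close) is ignored; only the spray from 217.156.4.2 is reported, with the IOC match as a separate reason so the two signals can be tuned independently.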
Indicators of Compromise
- [IP address] context – 217.156.4[.]2 (threat actor IP used during the SSH brute-force attack) and 58.216.207[.]82 (download source for scan.tar)
- [MD5] context – db1fd9c0ccc6aea1176d219ff5d7fd01, 6fe6cc7c88cf1a0c20727a03d2577c04, 03b23be96901764867da50dcd48c96dd, edc91faa16aa3e5b3d7303b2a276d23d, 946689ba1b22d457be06d95731fcbcac, 45901e5b336fd0eb79c6decb8e9a69cb
- [File Name] context – go, gob, rand, ps, ps2, b, prg, bios.txt, scan.tar, ips.lst, banner.log
- [URL] context – hxxp://58.216.207[.]82/scan.tar
Read more: https://asec.ahnlab.com/en/59972/