ASEC reported attacks against poorly managed Linux servers where propagation malware was used to deploy XMRig CoinMiner, with ShellBot, MIG LogCleaner, and XHide also involved. The campaign has been active since at least 2023 and uses Go-based downloaders and malware, Shc scripts, SSH scanning, and persistence mechanisms to sustain infection and mining. #XMRig #ShellBot #MIGLogCleaner #XHide
Keypoints
- ASEC observed attacks targeting poorly managed Linux servers using multiple honeypots.
- The attacks used propagation malware to install XMRig CoinMiner.
- Malware families involved included ShellBot, MIG LogCleaner, and XHide.
- Threat actors built downloaders and propagation malware in Go and used Shc shell scripts for obfuscation.
- The downloader “run” changed the current user’s password, downloaded additional payloads, and executed them.
- The propagation malware “meta” scanned SSH services using credentials from files such as “ranges” and “pass,” then installed the miner and reported results to a remote server.
- The campaign used persistence and stealth features including systemd services, cron jobs, watchdog behavior, aliases, process masquerading, and hidden file paths.
MITRE Techniques
- [T1110.001 ] Password Guessing – Attackers used SSH scanning and login attempts against honeypots, indicating brute-force style credential attacks (‘scanning and login attempts targeting SSH service honeypots’).
- [T1021.004 ] Remote Services: SSH – The propagation malware scanned SSH ports and authenticated to targets over SSH (‘scans SSH ports and executes commands to install malware upon a successful connection’).
- [T1059.004 ] Command and Scripting Interpreter: Unix Shell – Multiple payloads executed shell commands to download, unpack, launch miners, and modify system state (‘wget download… chmod +x… ./Run’; ‘script modifies users’ .Bashrc files’).
- [T1105 ] Ingress Tool Transfer – Malware downloaded additional payloads from remote infrastructure such as download.Xrpl[.]City (‘it then downloads “pack.Jpg”’; ‘wget download.Xrpl[.]City/mysql’).
- [T1090.002 ] Proxy: External Proxy – The malware used a downloader and propagation chain to relay installation activity to other systems, including reporting results to a remote server (‘It also sends the attack results to “hxxp://youpost[.]In/” via an HTTP POST request’).
- [T1027 ] Obfuscated Files or Information – Shc scripts, hidden paths, aliases, and disguised command behavior were used to conceal execution (‘shell scripts written in Shc’, ‘obfuscate commands’, ‘manipulate the output of the “ls” command execution to hide malware’).
- [T1036 ] Masquerading – The miner and watchdog used deceptive names and paths such as oracle-monitor, .Sys_cache_backup, and kworker/u257:2 to blend in (‘XMRig runs under the name “[kworker/u257:2]”’).
- [T1562.001 ] Impair Defenses: Disable or Modify Tools – The attackers used log-cleaning and output-manipulation tools to reduce visibility (‘MIG Logcleaner’; ‘modifies users’ “.Bashrc” files’).
- [T1547.006 ] Boot or Logon Autostart Execution: Systemd Service – The miner created a systemd service for persistence (‘creates a Systemd Service; the Service file can be found at “/etc/systemd/system/oracle-service.Service”’).
- [T1053.003 ] Scheduled Task/Job: Cron – The malware added entries to cron for persistence and watchdog execution (‘adds it to the cron job’; ‘@reboot /var/tmp/.Sys_cache_’).
- [T1027.005 ] Obfuscated Files or Information: Software Packing – Shc was used to compile/obfuscate shell scripts (‘scripts written in Shc, scripts used to obfuscate commands’).
- [T1055 ] Process Injection/Process Masquerading – XHide altered argv[0] so the miner appeared to run under a benign process name (‘it sets argv[0] … consequently, XMRig runs under the name “[kworker/u257:2]”’).
Indicators of Compromise
- [MD5] malware samples and related payloads – 0d01bd11d1d3e7676613aacb109de55f, 0fde38c0cfa5e5bf8e6ac2a6be0232b7, and 3 more hashes
- [URL] payload hosting and download locations – http[:]//download[.]xrpl[.]city/run, http[:]//download[.]xrpl[.]city/test/pack[.]jpg, and 3 more URLs
- [FQDN] command-and-control and mining-related domains – time[.]justnames[.]in, youpost[.]in
- [IP Address] mining pools, C2, and infrastructure – 146[.]19[.]213[.]82, 192[.]3[.]9[.]34, and 3 more IPs
- [File Names] dropped and executed payloads – pack.Jpg, mysql, meta, run, auto.Jpg
- [Paths] persistence and disguise locations – /etc/ufw/.Dev/oracle-monitor, /dev/shm/.Sys_cache_backup, and /etc/systemd/system/oracle-service.Service
Read more: https://asec.ahnlab.com/en/94484/