An ASEC analysis reveals a Linux malware chain built with Shc that installs a XMRig CoinMiner and a Perl-based DDoS IRC Bot after compromising SSH services. The campaign uses RC4-based encoding, a Shc downloader, and a run script to fetch payloads and configure mining and bot operations. Hashtags: #Shc #XMRig
Key points
- The threat actors perform dictionary attacks on SSH servers after a scanning process to gain access and install malware.
- Shc (Shell Script Compiler) converts Bash shell scripts into ELF executables; the threat actors use it to disguise payloads, converting scripts to ELF to evade file-based detection.
- A Shc downloader decodes a Bash script, downloads payloads from external sources, and executes them (notably the XMRig CoinMiner).
- The XMRig CoinMiner is delivered with a config.json containing mining pool data, and the run script adjusts configuration before launching XMRig.
- A DDoS IRC Bot (Perl-based) is installed alongside the miner, using the IRC protocol for C2 and capable of DDoS, command execution, reverse shell, port scanning, and log deletion.
- Malware variants also include SSH Scanner and other IRC Bot families; campaigns have been observed targeting Korea and appear to spread via downloadable payloads from multiple URLs.
- Defensive guidance includes strong, rotated passwords, restricted external access, patching, firewall use, and keeping security tools and the V3 platform up to date.
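The initial access described above (a scan followed by an SSH dictionary attack) leaves a characteristic burst of failed logins from one source in sshd's auth log. The following detector is an added example, not code from the ASEC report; the log lines are constructed, and the threshold and window are hypothetical tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog auth.log format (not taken from the report).
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jan 10 03:14:02 host sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Jan 10 03:14:02 host sshd[2105]: Failed password for root from 203.0.113.9 port 51238 ssh2
Jan 10 03:14:03 host sshd[2107]: Failed password for invalid user test from 203.0.113.9 port 51240 ssh2
Jan 10 03:14:04 host sshd[2109]: Failed password for root from 203.0.113.9 port 51242 ssh2
Jan 10 03:14:05 host sshd[2111]: Accepted password for root from 203.0.113.9 port 51244 ssh2
Jan 10 03:20:11 host sshd[2200]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 03:21:30 host sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_events(log_text, year=2024):
    """Yield (timestamp, result, user, ip) for every sshd auth line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_dictionary_attacks(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a window_s-second
    sliding window, and note whether a successful login from the same IP followed
    the burst (the pattern that precedes the Shc downloader being dropped)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, _user, ip in parse_events(log_text):
        (failures if result == "Failed" else successes)[ip].append(ts)
    findings = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                later_success = any(t >= times[end] for t in successes.get(ip, []))
                findings[ip] = {"failures_in_window": end - start + 1,
                                "success_after_burst": later_success}
                break
    return findings
```

Running it on the sample flags 203.0.113.9 with five failures in the window and a success right after the burst, while the single failure from 198.51.100.7 stays below threshold.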
MITRE Techniques
- [T1110] Brute Force – After scanning, the threat actors run dictionary attacks against SSH servers to gain access. “The threat actors attempt dictionary attacks on SSH servers after a scanning process.”
- [T1046] Network Service Scanning – The attackers identify exposed SSH services by scanning before attempting credential access; the analysis refers to this “scanning process” as the target-identification step.
- [T1105] Ingress Tool Transfer – The Shc downloader fetches and runs files from external sources, including the XMRig CoinMiner. “The Shc downloader downloads and runs files from external sources.”
- [T1027] Obfuscated Files and Information – The data section of the Shc-built ELF holds the original Bash shell script encoded with the Alleged RC4 (ARC4) algorithm. “encoded with the Alleged RC4 algorithm.”
- [T1059.004] Unix Shell – Shc converts Bash shell scripts into ELF binaries, so the payload still runs as a Unix shell script once decoded. “Shc is an abbreviation for Shell Script Compiler and is responsible for converting Bash shell scripts into an ELF.”
- [T1036] Masquerading – The actors convert Bash scripts to ELF before distribution to evade file-based detection, mirroring the approach used against security products on Windows. “to evade file detection as they do in Windows environments.”
- [T1496] Resource Hijacking – The XMRig CoinMiner is installed to mine cryptocurrency, using the mining pool data in its bundled config.json.
- [T1095] Non-Application Layer Protocol – The DDoS Perl IRC Bot uses the IRC protocol for C2 communications with the C&C server. “IRC protocol in communications with the C&C server.”
Indicators of Compromise
- [MD5] – c13e7e87e800a970df4d113d60e75ab4: Shc downloader (kermine); 1f0e5f4736a567a631946a0d9878fad7: Shc downloader (VirusTotal); and 9 more hashes
- [C2 URL] – 64.227.112[.]247:80 – Perl DDoS IRC Bot, 157.230.116[.]194:80 – Perl DDoS IRC Bot
- [Download URL] – hxxp://172.105.211[.]21/, hxxp://172.105.211[.]21/xmrig and 7 more URLs
Read more: https://asec.ahnlab.com/en/45182/