Supershell Malware Targeting Linux SSH Servers

ASEC uncovered a campaign deploying the Supershell backdoor on poorly managed Linux SSH servers, enabling attackers to remotely control infected hosts. The Go-based malware is installed via dictionary attacks and multi-source downloads, with potential CoinMiners like XMRig used for cryptocurrency mining. #Supershell #LinuxSSH #Go #XMRig #Monero #CoinMiner

Keypoints

  • Supershell is a backdoor malware that allows remote control of infected systems.
  • It is developed in the Go programming language and supports multiple platforms.
  • The malware was installed on inadequately managed Linux SSH servers.
  • The threat actor used dictionary attacks to gain access to systems.
  • Commands were executed to download and install Supershell from various sources.
  • There is a potential link to cryptocurrency mining, as Supershell may be used to install CoinMiners.
  • Recommendations for administrators include using strong passwords, regular updates, and security programs.

MITRE Techniques

  • [T1219] Remote Access Software – Supershell acts as a reverse shell, allowing remote control of infected systems.
  • [T1003] Credential Dumping – Threat actors used dictionary attacks to attempt to log in to systems with weak passwords.
  • [T1059] Command and Scripting Interpreter – Commands were executed to download and install Supershell using shell commands.
  • [T1001] Data Obfuscation – The malware is obfuscated but can be identified through internal strings and behavior.
  • [T1041] Exfiltration Over Command and Control Channel – Supershell allows the threat actor to control the infected system and potentially exfiltrate data.

Indicators of Compromise

  • [MD5] Hashes associated with the downloaded payloads – 4ee4f1e7456bb2b3d13e93797b9efbd3, 5ab6e938028e6e9766aa7574928eb062, e06a1ba2f45ba46b892bef017113af09
  • [URL] Download and script URLs – http[:]//45[.]15[.]143[.]197/sensi[.]sh, http[:]//45[.]15[.]143[.]197/ssh1, http[:]//45[.]15[.]143[.]197/x64[.]bin, http[:]//45[.]15[.]143[.]197[:]10086/supershell/compile/download/ssh, http[:]//45[.]15[.]143[.]197[:]44581/ssh1
  • [IP] Attack-source IPs during login attempts – 107[.]189[.]8[.]15, 179[.]61[.]253[.]67, 2[.]58[.]84[.]90, 209[.]141[.]60[.]249, 45[.]15[.]143[.]197
  • [Monero Wallet Address] Monero wallet address used for mining payments – 871SNx3baWof8utKVRqJ6u5oGkXHPBv9GKMeQ99J8FxU23eKGgGMr3de7WhfwydWjCSeUGdZf5VC4J3PcPPCY1yoSFCG4xx
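The following is an added example (not code from ASEC or the original report) showing how a defender could turn the indicators above into a check against an SSH server's auth log: it counts failed password logins per source IP to surface the dictionary-attack pattern, flags any source IP that appears in the IoC list, notes a successful login that followed failures from the same IP, and compares a file's MD5 against the listed payload hashes. The sshd log lines are constructed for the demonstration, the three-failure threshold is an assumed tuning value, and the IPs and hashes are taken from the IoC list.

```python
"""Defender-side IoC matcher for the Supershell campaign described above.

Added example, not from ASEC or the original page. The sshd log lines are
constructed for demonstration; the IP addresses and MD5 hashes come from
the page's Indicators of Compromise list.
"""
import hashlib
import re
from collections import Counter
from typing import Iterator, Optional, Tuple

# IoCs from the page, with the defanged "[.]" notation resolved to plain dotted IPs.
IOC_IPS = {
    "107.189.8.15", "179.61.253.67", "2.58.84.90",
    "209.141.60.249", "45.15.143.197",
}
IOC_MD5 = {
    "4ee4f1e7456bb2b3d13e93797b9efbd3",
    "5ab6e938028e6e9766aa7574928eb062",
    "e06a1ba2f45ba46b892bef017113af09",
}

# Matches OpenSSH auth log lines for failed and successful password logins.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
Sep 10 03:12:01 host sshd[1201]: Failed password for root from 45.15.143.197 port 51234 ssh2
Sep 10 03:12:03 host sshd[1201]: Failed password for root from 45.15.143.197 port 51236 ssh2
Sep 10 03:12:05 host sshd[1203]: Failed password for invalid user admin from 45.15.143.197 port 51240 ssh2
Sep 10 03:12:09 host sshd[1205]: Accepted password for root from 45.15.143.197 port 51250 ssh2
Sep 10 03:20:44 host sshd[1300]: Failed password for invalid user test from 2.58.84.90 port 40011 ssh2
Sep 10 04:01:10 host sshd[1400]: Accepted password for alice from 10.0.0.5 port 50022 ssh2
"""


def defang(ip: str) -> str:
    """Return the defanged form used in the page's IoC list, e.g. 45[.]15[.]143[.]197."""
    return ip.replace(".", "[.]")


def parse_sshd(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (result, user, ip) for each sshd password-authentication line."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyze_auth_log(log_text: str, fail_threshold: int = 3) -> dict:
    """Summarise dictionary-attack activity and IoC hits in an sshd log.

    Returns a dict with:
      failed_by_ip            - failed password logins per source IP
      brute_force             - IPs at or above fail_threshold (assumed tuning value)
      ioc_hits                - source IPs that appear in the page's IoC list
      accepted_after_failures - (user, ip) where a success followed failures from
                                the same IP, i.e. a dictionary attack that worked
    """
    failed: Counter = Counter()
    ioc_hits = set()
    accepted_after_failures = []
    for result, user, ip in parse_sshd(log_text):
        if ip in IOC_IPS:
            ioc_hits.add(ip)
        if result == "Failed":
            failed[ip] += 1
        elif failed[ip] > 0:
            accepted_after_failures.append((user, ip))
    return {
        "failed_by_ip": dict(failed),
        "brute_force": sorted(ip for ip, n in failed.items() if n >= fail_threshold),
        "ioc_hits": sorted(ioc_hits),
        "accepted_after_failures": accepted_after_failures,
    }


def match_md5(data: bytes) -> Optional[str]:
    """Return the MD5 of data if it is one of the page's payload hashes, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in IOC_MD5 else None


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    # A constructed benign file body; no match is the expected result here.
    print("md5 match:", match_md5(b"not the real payload"))
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh`) by passing its text to `analyze_auth_log`; a source IP in `ioc_hits` together with an entry in `accepted_after_failures` is the sequence the report describes, a dictionary attack followed by a login and the download commands, and is the point at which to pull the host for forensic review rather than simply block the IP.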

Read more: https://asec.ahnlab.com/en/83232/