Threat Research

Tsunami DDoS Malware Distributed to Linux SSH Servers – ASEC BLOG

Securonix

ASEC reports that Tsunami DDoS Bot, also known as Kaiten, was installed on poorly managed Linux SSH servers along with ShellBot, XMRig CoinMiner, and Log Cleaner. The campaign begins with dictionary or brute-force SSH access, followed by downloading and deploying multiple malware payloads, including DDoS bots and miners, across affected systems. Hashtags: #Tsunami #Kaiten #ShellBot #XMRig #LogCleaner #ddoser

Keypoints

  • A security alert describes Tsunami DDoS Bot being installed on weakly managed Linux SSH servers, alongside ShellBot, XMRig CoinMiner, and Log Cleaner.
  • The initial access method is a dictionary/brute-force attack against externally exposed SSH servers, followed by malware installation.
  • A downloader Bash script named the “key” downloads and launches multiple payloads, including Tsunami, ShellBot, and miners.
  • Tsunami, an IRC-based DDoS bot (variant of Kaiten), communicates via IRC with multiple C2 servers and channel “ddoser.”
  • ShellBot, also IRC-based, uses several IRC servers and can perform port scans, DDoS, and reverse shells.
  • Log Cleaner tools (MIG Logcleaner v2.0 and 0x333shadow) delete or alter Linux log files to impede investigation.

MITRE Techniques

  • [T1133] External Remote Services – The attacker targets externally exposed SSH servers via port scanning and uses known credentials to log in. Quote: “the main attack method involves searching externally exposed SSH servers through port scanning and using the known account credentials to perform dictionary attacks and log in.”
  • [T1110] Brute Force – Dictionary attacks are used to guess SSH credentials prior to login. Quote: “dictionary attacks and log in.”
  • [T1105] Ingress Tool Transfer – Malware is downloaded from external hosts after gaining access. Quote: “download and run various malware.”
  • [T1059.004] Command and Scripting Interpreter: Bash – The downloader key is a Bash script that installs additional malware. Quote: “The key file is a downloader-type Bash script that installs additional malware.”
  • [T1547.001] Boot or Logon Autostart – Tsunami writes its path to /etc/rc.local to persist across reboots. Quote: “writes its own path in the ‘/etc/rc.local’ file, making it so that it runs even after reboots.”
  • [T1036] Masquerading – Tsunami changes its process name to “[kworker/0:0]” to disguise itself. Quote: “change the name of the process that is currently running to ‘[kworker/0:0]’.
  • [T1136] Create Account – The malware installs a backdoor SSH account for ongoing access. Quote: “installing a backdoor SSH account.”
  • [T1068] Privilege Escalation – A setuid/setgid ELF (ping6) is used to gain root privileges. Quote: “The setuid() and setgid() functions are used to set the user ID and group ID as the root account before executing the shell.”

Indicators of Compromise

  • [IP] 124.160.40.48 – Attacker IP used in the dictionary attack table. 124.160.40[.]48
  • [IP] 124.160.40.94 – Attacker IP used in the dictionary attack table. 124.160.40[.]94
  • [Domain] ddoser.org – Download and command hosting domain (multiple payloads). ddoser[.]org
  • [Domain] ircx.us.to – IRC server address used by ShellBot/C2. ircx.us[.]to:20/53
  • [Domain] ircxx.us.to – IRC server address used by Tsunami. ircxx.us[.]to:53
  • [Domain] irc.undernet.org – IRC server for ShellBot. irc.undernet[.]org:6667
  • [MD5] 6187ec1eee4b0fb381dd27f30dd352c9 – Downloader Bash script (key)
  • [MD5] 822b6f619e642cc76881ae90fb1f8e8e – Tsunami (a)
  • [MD5] c5142b41947f5d1853785020d9350de4 – ShellBot (bot)
  • [MD5] 2cd8157ba0171ca5d8b50499f4440d96 – ShellBot (logo)
  • [MD5] 32eb33cdfa763b012cd8bcad97d560f0 – MIG Logcleaner v2.0 (cls)
  • [MD5] 98b8cd5ccd6f7177007976aeb675ec38 – 0x333shadow Log Cleaner (clean)
  • [MD5] e2f08f163d81f79c1f94bd34b22d3191 – Privilege Escalation Malware (ping6)
  • [MD5] 725ac5754b123923490c79191fdf4f76 – Bash launcher (go)
  • [MD5] ad04aab3e732ce5220db0b0fc9bc8a19 – Bash launcher (televizor)
  • [MD5] 421ffee8a223210b2c8f2384ee6a88b4 – Bash launcher (telecomanda)
  • [MD5] 0014403121eeaebaeede796e4b6e5dbe – XMRig CoinMiner (cnrig)
  • [MD5] 125951260a0cb473ce9b7acc406e83e1 – XMRig configuration file (config.json)
  • [URL] ddoser.org/key – Downloader Bash script
  • [URL] ddoser.org/logo – ShellBot
  • [URL] ddoser.org/a – Tsunami
  • [URL] ddoser.org/top – Compressed XMRig CoinMiner file
  • [URL] ddoser.org/siwen/cls – MIG Logcleaner v2.0
  • [URL] ddoser.org/siwen/clean – 0x333shadow Log Cleaner
  • [URL] ddoser.org/siwen/ping6 – Privilege escalation malware

Read more: https://asec.ahnlab.com/en/54647/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint