Full Report
AhnLab ASEC identified an ongoing Linux-targeted cryptomining campaign that compromises internet-exposed SSH servers using brute-force attacks against weak credentials. Once access is obtained, attackers deploy a multi-stage malware toolkit consisting of Go-based downloaders a...
Analysis Summary
# Tool/Technique: Linux-Targeted Cryptomining Campaign
## Overview
This is an ongoing multi-stage campaign identified by AhnLab ASEC targeting internet-exposed Linux SSH servers. The primary objective is resource hijacking via cryptocurrency mining, supported by a toolkit designed for persistence, process hiding, and lateral movement.
## Technical Details
- **Type**: Malware Campaign / Toolkit
- **Platform**: Linux
- **Capabilities**: Brute-force attacks, multi-stage downloading, cryptomining, IRC-based DDoS/backdoor control, process hiding, and log cleaning.
- **First Seen**: Reported active since at least 2023.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1110.001 - Brute Force: Password Guessing (SSH)
- **TA0003 - Persistence**
- T1053.003 - Scheduled Task/Job: Cron
- T1543.002 - Create or Modify System Process: Systemd Service
- **TA0005 - Evasion**
- T1070.002 - Indicator Removal: Clear Linux System Logs
- T1140 - Deception: XHide (Process Spoofing)
- **TA0007 - Discovery**
- T1046 - Network Service Scanning
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (Go downloaders)
- T1203.001 - Remote Services: IRC (ShellBot)
- **TA0040 - Impact**
- T1496 - Resource Hijacking (Cryptojacking)
## Functionality
### Core Capabilities
- **Brute-Forcing & Propagation**: Uses automated scanners to identify and compromise additional Linux servers with weak SSH credentials.
- **Multi-stage Loading**: Employs Go-based downloaders to fetch and execute secondary payloads.
- **Cryptomining**: Deploys customized XMRig miners to utilize the victim machine's CPU for Monero (XMR) mining.
### Advanced Features
- **Process Hiding (XHide)**: Uses XHide (a common process spoofer) to change the displayed name of the malicious process in `ps` or `top` outputs, disguising it as a benign system process.
- **Backdoor/DDoS (ShellBot)**: Deploys ShellBot (also known as PerlBot), which connects to an IRC server to receive commands, enabling DDoS attacks or further shell access.
- **Anti-Forensics**: Includes log-clearing utilities to delete history files and system logs, hindering incident response.
## Indicators of Compromise
- **File Names**:
- `xmrig`
- `shellbot` / `perlbot`
- `xhide`
- `go_downloader`
- **Network Indicators**:
- C2/IRC Servers: [h]xxp[:]//[C2_Server_IP]
- Mining Pools: Typically common XMR pools (defanged in actual reports).
- **Behavioral Indicators**:
- High CPU usage on the `xmrig` process or spoofed system processes.
- Unexpected outbound SSH traffic to various external IPs (scanning).
- Modification of `/etc/systemd/system/` or `crontab` for persistence.
## Associated Threat Actors
- **Groups**: Currently categorized as [❓Unknown] (Unattributed financially motivated actors).
## Detection Methods
- **Signature-based**: Detection of XMRig binaries, ShellBot Perl scripts, and XHide source/binaries via YARA or antivirus.
- **Behavioral detection**:
- Monitoring for unauthorized modifications to `systemd` or `cron`.
- Alerting on SSH brute-force attempts (excessive failed logins).
- Detecting the use of command-line tools to clear logs (e.g., `history -c`, `rm /var/log/auth.log`).
## Mitigation Strategies
- **Hardening**:
- Enforce strong, complex passwords for SSH accounts.
- Implement Key-Based Authentication and disable password-based login.
- Use `Fail2Ban` or similar tools to block IPs with multiple failed login attempts.
- **Network Control**:
- Limit SSH access (Port 22) to specific trusted IP ranges via Firewall/Security Groups.
- Change the default SSH port to minimize automated scanning noise.
## Related Tools/Techniques
- **XMRig**: Open-source Monero miner widely used by threat actors.
- **ShellBot/PerlBot**: A long-standing Perl-based IRC botnet malware.
- **XHide**: A classic tool used to spoof the process name on Unix-like systems.