By Augusto Remillano II
One of our honeypots detected a threat that propagates by scanning for open ports and brute forcing weak credentials, installing a Monero cryptocurrency miner and a Perl-based IRC backdoor as the final payload. The miner process is hidden using XHide Process Faker, a 17-year-old open source tool used to fake the name of a process.
According to our analysis, the attacker issues commands to the vulnerable machine that download and install the backdoor and the miner. The backdoor is called Shellbot, and it is capable of scanning for open ports, downloading files, executing UDP floods, and remotely executing shell commands. Infecting devices with two payloads may prove to be more profitable since malicious actors can monetize both the Shellbot and the miner. Our telemetry has recorded sporadic detections of this malware attempting to infect systems in Japan, Myanmar, Brazil, Denmark, China, and Turkey since March.
Routine
The malware scans for open ports and weak credentials to infiltrate and then sends a command that will download the Perl-based Internet Relay Chat (IRC) Shellbot with file name “sshd2” (detected by Trend Micro as Backdoor.Perl.SHELLBOT.D) and “findz” (detected by Trend Micro as Trojan.SH.MINESTARTER.A) — which will infect the system with the miner by downloading and extracting “so3” (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEJQ).
Figure 1. Code snippet of the sshd2 Shellbot
Figure 2. Infection chain of findz
After decompressing the archived “so3” file, we found that it contained the following scripts:
Figure 3. Dropped “upd” file executing “r”
Figure 4. XHide upon execution without any parameters.
Conclusion
The use of a Perl-based IRC bot is not new; Outlaw has used it for several attacks, and the code to build the bot for malicious purposes is available online. The same goes for the use of XHide, a relatively old tool.
Despite these techniques and tools having been known and available for some time, the mix of these routines can still be effective if the targeted systems have weak and/or default usernames and passwords that can be brute forced. While the high CPU usage of the miner can be easily spotted through monitoring, the attacker may still have access to the infected system after the malicious miner has been removed because of the backdoor.
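XHide only changes the name a process displays in tools such as ps and top; on Linux the /proc/<pid>/exe link still resolves to the binary actually running, and the dropped miner copies in the IoC table borrowed the names "kthreadd" and "systemd". The following detection script is an added example for defenders, not Trend Micro's code or part of the original analysis; the directory allowlist and the constructed process records in the test are assumptions.

```python
"""Flag processes whose displayed name does not match the binary behind it."""
import os
from dataclasses import dataclass
from typing import List, Optional

# Names the sample borrowed. The genuine kthreadd is PID 2 (a kernel thread
# with no exe link) and the genuine systemd is PID 1, run from a system path.
IMPERSONATED = {"kthreadd", "systemd"}
SYSTEM_DIRS = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/bin/",
               "/usr/sbin/", "/sbin/")          # assumed allowlist, adjust per distro

@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm: the name ps and top display
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None for kernel threads

def suspicious(p: Proc) -> Optional[str]:
    """Return a reason string if the process looks like a renamed binary."""
    if p.exe is None:
        return None                                   # genuine kernel thread
    deleted = p.exe.endswith(" (deleted)")            # binary unlinked after start
    path = p.exe.removesuffix(" (deleted)")
    real = os.path.basename(path)
    if p.comm in IMPERSONATED and not path.startswith(SYSTEM_DIRS):
        return f"pid {p.pid}: '{p.comm}' is really {p.exe}"
    if deleted:
        return f"pid {p.pid}: '{p.comm}' runs from an unlinked binary {path}"
    if p.comm != real[:15]:       # the kernel caps comm at 15 characters
        return f"pid {p.pid}: name '{p.comm}' does not match binary '{real}'"
    return None

def check_all(procs: List[Proc]) -> List[str]:
    return [r for r in map(suspicious, procs) if r]

def scan_proc() -> List[Proc]:
    """Collect live processes from /proc (Linux; run as root to see every exe)."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue                                  # process already exited
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
        except FileNotFoundError:
            exe = None                                # kernel thread
        except PermissionError:
            continue                                  # cannot inspect, skip
        out.append(Proc(int(entry), comm, exe))
    return out
```

A match on the first rule is the strongest signal; the third rule is a heuristic, since some daemons legitimately rename their worker processes.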
Furthermore, by dropping both Shellbot and the miner, the attackers have maximized their possible sources of income once potential buyers judge it usable, either on its own or combined with other techniques and malware. With the Shellbot as a botnet-for-hire and the miner as a passive income generator, attackers may expect a larger income from their campaigns.
Organizations and users can consider adopting security solutions that defend against malicious bot-related activities through a cross-generational blend of threat defense techniques. Trend Micro
Trend Micro solutions
Customers of the Trend Micro
Indicators of Compromise (IoCs)
Filename | SHA256 | Detection |
a | 448e81b2149596966b574de5b588bcb30ab1f8dc858439d024f0c2fc7bcb55be | Trojan.SH.MINESTARTER.A |
findz | 52ee7ab09f9a78318ac21bf920df81c3036508f0c3bab46538510c880fb43d7d | |
r | c81e470cb3bf320ac1c235bf9799f33e20b6761f15bb9254e6655f8f284adcec | |
e | 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161 | HackTool.Linux.XHide.GA |
f | 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf | |
kthreadd | 20f188aaea79a104d945908db570f07e586f2a074431c3bcd2492346837f1001 | Coinminer.Linux.MALXMR.UWEJR |
systemd | 60bbffaf1a359224a26717b44f6050b3f983c716a294af7d8d5f707c72074ee6 | Coinminer.Linux.MALXMR.UWEJQ |
so3 | 0fd59d93f53d926a432c47a03374238a010e71a381d8af4d2fcacdabd1d26bbc | |
sshd2 | ea72c36916f53509d42755dfbcb7a5bbdb5616a6ebde122ae242eaea2bb47454 | Backdoor.Perl.SHELLBOT.D |
URLs
hxxp://128[.]199[.]202[.]28/uploads/findz Disease vector
hxxp://128[.]199[.]202[.]28/uploads/sshd2 Disease vector
hxxp://138[.]68[.]52[.]55/uploads/findz Disease vector
hxxp://138[.]68[.]52[.]55/uploads/so3 Malware accomplice, coin miners
hxxp://138[.]68[.]52[.]55/uploads/sshd2 Insecure IoT connections, disease vector
The post Old Tools for New Money: URL Spreading Shellbot and XMRig Using 17-year old XHide appeared first on .