On January 4, 2023, AhnLab Security Response Center (ASEC) researchers reported the technical details of new Linux malware written with Shc (the shell script compiler) that delivers a cryptocurrency miner. ASEC researchers assess that the campaign primarily targets unspecified systems in South Korea.
According to ASEC researchers, the malware gains access through a dictionary attack on Linux SSH servers and then installs additional malware, including an Shc downloader, XMRig CoinMiner, and a DDoS IRC bot.
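As an added defensive illustration (not code from the ASEC report), the following Python flags the initial-access pattern described above in sshd logs: a burst of failed password attempts from one source followed by a successful password login from the same source. The log lines are constructed samples and the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the ASEC report): a dictionary
# attack from 203.0.113.5 that ends in a successful password login as root.
SAMPLE_AUTH_LOG = """\
Jan  4 10:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan  4 10:01:03 host sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jan  4 10:01:04 host sshd[2105]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jan  4 10:01:05 host sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40128 ssh2
Jan  4 10:01:06 host sshd[2109]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jan  4 10:01:07 host sshd[2111]: Accepted password for root from 203.0.113.5 port 40132 ssh2
Jan  4 10:05:00 host sshd[2200]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Jan  4 10:06:00 host sshd[2210]: Failed password for root from 198.51.100.9 port 51010 ssh2
"""

# Standard OpenSSH message formats; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")


def find_dictionary_attack_logins(log_text, threshold=5):
    """Return (source_ip, user) pairs where a password login succeeded after at
    least `threshold` failed password attempts from the same source.

    Public-key logins are deliberately ignored: the campaign described relies on
    guessed passwords, so only "Accepted password" counts as a suspicious success.
    The threshold of 5 is an assumed tuning value, not taken from the report.
    """
    failures = defaultdict(int)  # source IP -> failed password attempts seen so far
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    for ip, user in find_dictionary_attack_logins(SAMPLE_AUTH_LOG):
        print(f"possible brute-forced SSH login: user={user} from {ip}")
```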
Detection Options
ASEC researchers provided the following file detections:
- Downloader/Linux.Agent.13360 (2022.12.21.00)
- Downloader/Linux.Agent.13256 (2022.12.25.03)
- Downloader/Linux.Agent.13392 (2022.12.25.03)
- Shellbot/Perl.Generic.S1118 (2020.02.19.07)
- Linux/CoinMiner.Gen2 (2019.07.31.08)
- CoinMiner/Text.Config (2022.12.26.03)
- Trojan/Shell.Agent.SC185400 (2022.12.26.03)
- Trojan/Shell.Agent.SC185401 (2022.12.26.03)
IOCs
ASEC researchers provided the following indicators of compromise (IOCs):
| Indicator | Type | Notes |
| --- | --- | --- |
| c13e7e87e800a970df4d113d60e75ab4 | MD5 | Shc Downloader (kermine) |
| 1f0e5f4736a567a631946a0d9878fad7 | MD5 | Shc Downloader (VirusTotal) |
| 6fa237ce385dc9495246bc4498b64c2d | MD5 | Shc Downloader (VirusTotal) |
| 7650957bf7d798b284ea01a732ad07a5 | MD5 | Perl DDoS IRC Bot (botcarternew) |
| 077279a2ae5b1bc89540a1293fa807f1 | MD5 | Perl DDoS IRC Bot (.ubuntu) |
| 497bec45d865b2a9165699433c64816c | MD5 | XMRig (s) |
| c1e65d481af4e6d4bad74cca4e8737cb | MD5 | XMRig (xmrig) |
| 48e5ce77980d52c68a7bbfd091756036 | MD5 | XMRig (.system3d) |
| 16b7ef9cbc89ccc08f5fcd80e473c169 | MD5 | XMRig Configuration File (config.json) |
| a2fd0f3e18259d0bba9ebbf910e925c4 | MD5 | XMRig Configuration File (config.json) |
| a2c7c9e3b468e7e02e882066b05c55c3 | MD5 | Launcher Script (run) |
| c15ed837bd367fd4f66562b57b8fb57c | MD5 | Launcher Script (.b4nd1d0) |
| 64.227.112[.]247:80 | IP Address | C2 |
| 157.230.116[.]194:80 | IP Address | C2 |
| hxxp://172.105.211[.]21/ | URL | Downloader |
| hxxp://172.105.211[.]21/xmrig | URL | Downloader |
| hxxp://172.105.211[.]21/snunewa.tar | URL | Downloader |
| hxxp://167.172.103[.]111/ | URL | Downloader |
| hxxp://172.104.170[.]240/ | URL | Downloader |
| hxxp://172.104.170[.]240/snunewa.tar | URL | Downloader |
| hxxp://wget.hostname[.]help/ | URL | Downloader |
| hxxp://wget.hostname[.]help/driver.zip | URL | Downloader |
| hxxp://pateu.freevar[.]com/xmrminer2.tgz | URL | Downloader |