New Linux Cryptominining Malware Developed with Shc in the Wild

The malware authenticates through a dictionary attack on Linux SSH servers then installs various other malwares.

Posted on January 5, 2023
Lee Clark, RH-ISAC Cyber Threat Intel Analyst & Writer

On January 4, 2023, Ahn Lab Security Response Center (ASEC) researchers reported the technical details of a new Linux malware written using Shc delivering a cryptocurrency miner. ASEC researchers assess that the campaign is primarily targeting unspecified systems in South Korea.

According to ASEC researchers, the malware authenticates through a dictionary attack on Linux SSH servers then installs various other malwares, including an Shc downloader, XMRig CoinMiner, and DDoS IRC Bot.

Detection Options

ASEC researches provided the following file detections:

Downloader/Linux.Agent.13360 (2022.12.21.00)
Downloader/Linux.Agent.13256 (2022.12.25.03)
Downloader/Linux.Agent.13392 (2022.12.25.03)
Shellbot/Perl.Generic.S1118 (2020.02.19.07)
Linux/CoinMiner.Gen2 (2019.07.31.08)
CoinMiner/Text.Config (2022.12.26.03)
Trojan/Shell.Agent.SC185400 (2022.12.26.03)
Trojan/Shell.Agent.SC185401 (2022.12.26.03)

IOCs

ASEC researchers provided the following indicators of compromise (IOCs):

Indicator	Type	Notes
c13e7e87e800a970df4d113d60e75ab4	MD5	Shc Downloader (kermine)
1f0e5f4736a567a631946a0d9878fad7	MD5	Shc Downloader (VirusTotal)
6fa237ce385dc9495246bc4498b64c2d	MD5	Shc Downloader (VirusTotal)
7650957bf7d798b284ea01a732ad07a5	MD5	Perl DDoS IRC Bot (botcarternew)
077279a2ae5b1bc89540a1293fa807f1	MD5	Perl DDoS IRC Bot (.ubuntu)
497bec45d865b2a9165699433c64816c	MD5	XMRig (s)
c1e65d481af4e6d4bad74cca4e8737cb	MD5	XMRig (xmrig)
48e5ce77980d52c68a7bbfd091756036	MD5	XMRig (.system3d)
16b7ef9cbc89ccc08f5fcd80e473c169	MD5	XMRig Configuration File (config.json)
a2fd0f3e18259d0bba9ebbf910e925c4	MD5	XMRig Configuration File (config.json)
a2c7c9e3b468e7e02e882066b05c55c3	MD5	Launcher Script (run)
c15ed837bd367fd4f66562b57b8fb57c	MD5	Launcher Script (.b4nd1d0)
64.227.112[.]247:80	IP Address	C2
157.230.116[.]194:80	IP Address	C2
hxxp://172.105.211[.]21/	URL	Downloader
hxxp://172.105.211[.]21/xmrig	URL	Downloader
hxxp://172.105.211[.]21/snunewa.tar	URL	Downloader
hxxp://167.172.103[.]111/	URL	Downloader
hxxp://172.104.170[.]240/	URL	Downloader
hxxp://172.104.170[.]240/snunewa.tar	URL	Downloader
hxxp://wget.hostname[.]help/	URL	Downloader
hxxp://wget.hostname[.]help/driver.zip	URL	Downloader
hxxp://pateu.freevar[.]com/xmrminer2.tgz	URL	Downloader

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

Sainsbury’s Rewards Program Targeted by Malicious Actor for Monetary Gain

Executive Summary Users of the UK grocery/retail chain Sainsbury’s Nectar loyalty program are being warned about a surge in points theft, with one customer recently reporting the

Yes24 Ransomware Outage Causes Multiple Concert Cancelations and Business Impact in South Korea

Summary Yes24, a major South Korean ticketing platform and online book retailer, has been heavily impacted by a ransomware attack, causing a four-day service outage

Cybercriminals Leveraging Call Center Social Engineering Target Salesforce Data to Extort Retail and Hospitality Organizations

Summary The cybercriminal group known UNC6040 is conducting sophisticated attacks by socially engineering employees into installing maliciously modified versions of Salesforce’s Data Loader tool, facilitating