New Linux Cryptomining Malware Developed with Shc in the Wild

The malware authenticates through a dictionary attack on Linux SSH servers and then installs various other malware.

On January 4, 2023, AhnLab Security Response Center (ASEC) researchers reported the technical details of a new Linux malware written using Shc that delivers a cryptocurrency miner. ASEC researchers assess that the campaign is primarily targeting unspecified systems in South Korea.

According to ASEC researchers, the malware authenticates through a dictionary attack on Linux SSH servers and then installs various other malware, including an Shc downloader, XMRig CoinMiner, and a DDoS IRC bot.
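As an added defender-side example (not code from the ASEC report or this post), the following Python flags the initial-access pattern described above in sshd logs: many failed password attempts from one source address followed by an accepted password login from the same address. The log lines, the threshold of five failures and the syslog format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the ASEC report).
SAMPLE_LOG = """\
Jan  4 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan  4 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.5 port 41024 ssh2
Jan  4 10:00:03 host sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 41026 ssh2
Jan  4 10:00:04 host sshd[1207]: Failed password for root from 203.0.113.5 port 41028 ssh2
Jan  4 10:00:05 host sshd[1209]: Failed password for root from 203.0.113.5 port 41030 ssh2
Jan  4 10:00:06 host sshd[1211]: Accepted password for root from 203.0.113.5 port 41032 ssh2
Jan  4 10:01:00 host sshd[1220]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Jan  4 10:01:05 host sshd[1222]: Accepted publickey for alice from 198.51.100.9 port 50003 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" line.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def find_dictionary_logins(log_text, threshold=5):
    """Return {src_ip: (failed_count, [accepted users])} for every source that
    reached `threshold` failed password attempts and later had an
    'Accepted password' event. Key-based logins are ignored on purpose:
    the campaign described here relies on password guessing."""
    failed = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m["method"] != "password":
            continue
        src = m["src"]
        if m["result"] == "Failed":
            failed[src] += 1
        elif failed[src] >= threshold:
            # First hit records the failure count at the time of the success.
            hits.setdefault(src, (failed[src], []))[1].append(m["user"])
    return hits


if __name__ == "__main__":
    for src, (count, users) in find_dictionary_logins(SAMPLE_LOG).items():
        print(f"{src}: {count} failed password attempts, then accepted as {users}")
```

A hit is the point at which to look for the follow-on activity the report lists (an Shc downloader, an XMRig miner and its config.json, a Perl IRC bot) on the host that accepted the login.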

Detection Options

ASEC researchers provided the following file detections:

  • Downloader/Linux.Agent.13360 (2022.12.21.00)
  • Downloader/Linux.Agent.13256 (2022.12.25.03)
  • Downloader/Linux.Agent.13392 (2022.12.25.03)
  • Shellbot/Perl.Generic.S1118 (2020.02.19.07)
  • Linux/CoinMiner.Gen2 (2019.07.31.08)
  • CoinMiner/Text.Config (2022.12.26.03)
  • Trojan/Shell.Agent.SC185400 (2022.12.26.03)
  • Trojan/Shell.Agent.SC185401 (2022.12.26.03)

IOCs

ASEC researchers provided the following indicators of compromise (IOCs):

