New Linux Cryptominining Malware Developed with Shc in the Wild

The malware authenticates through a dictionary attack on Linux SSH servers then installs various other malwares.

Posted on January 5, 2023
Lee Clark, RH-ISAC Cyber Threat Intel Analyst & Writer

On January 4, 2023, Ahn Lab Security Response Center (ASEC) researchers reported the technical details of a new Linux malware written using Shc delivering a cryptocurrency miner. ASEC researchers assess that the campaign is primarily targeting unspecified systems in South Korea.

According to ASEC researchers, the malware authenticates through a dictionary attack on Linux SSH servers then installs various other malwares, including an Shc downloader, XMRig CoinMiner, and DDoS IRC Bot.

Detection Options

ASEC researches provided the following file detections:

Downloader/Linux.Agent.13360 (2022.12.21.00)
Downloader/Linux.Agent.13256 (2022.12.25.03)
Downloader/Linux.Agent.13392 (2022.12.25.03)
Shellbot/Perl.Generic.S1118 (2020.02.19.07)
Linux/CoinMiner.Gen2 (2019.07.31.08)
CoinMiner/Text.Config (2022.12.26.03)
Trojan/Shell.Agent.SC185400 (2022.12.26.03)
Trojan/Shell.Agent.SC185401 (2022.12.26.03)

IOCs

ASEC researchers provided the following indicators of compromise (IOCs):

Indicator	Type	Notes
c13e7e87e800a970df4d113d60e75ab4	MD5	Shc Downloader (kermine)
1f0e5f4736a567a631946a0d9878fad7	MD5	Shc Downloader (VirusTotal)
6fa237ce385dc9495246bc4498b64c2d	MD5	Shc Downloader (VirusTotal)
7650957bf7d798b284ea01a732ad07a5	MD5	Perl DDoS IRC Bot (botcarternew)
077279a2ae5b1bc89540a1293fa807f1	MD5	Perl DDoS IRC Bot (.ubuntu)
497bec45d865b2a9165699433c64816c	MD5	XMRig (s)
c1e65d481af4e6d4bad74cca4e8737cb	MD5	XMRig (xmrig)
48e5ce77980d52c68a7bbfd091756036	MD5	XMRig (.system3d)
16b7ef9cbc89ccc08f5fcd80e473c169	MD5	XMRig Configuration File (config.json)
a2fd0f3e18259d0bba9ebbf910e925c4	MD5	XMRig Configuration File (config.json)
a2c7c9e3b468e7e02e882066b05c55c3	MD5	Launcher Script (run)
c15ed837bd367fd4f66562b57b8fb57c	MD5	Launcher Script (.b4nd1d0)
64.227.112[.]247:80	IP Address	C2
157.230.116[.]194:80	IP Address	C2
hxxp://172.105.211[.]21/	URL	Downloader
hxxp://172.105.211[.]21/xmrig	URL	Downloader
hxxp://172.105.211[.]21/snunewa.tar	URL	Downloader
hxxp://167.172.103[.]111/	URL	Downloader
hxxp://172.104.170[.]240/	URL	Downloader
hxxp://172.104.170[.]240/snunewa.tar	URL	Downloader
hxxp://wget.hostname[.]help/	URL	Downloader
hxxp://wget.hostname[.]help/driver.zip	URL	Downloader
hxxp://pateu.freevar[.]com/xmrminer2.tgz	URL	Downloader

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

Alleged Chinese Threat Actors Developing Fortinet Zero-Day Exploit for New “BOLDMOVE” Malware Campaign Targeting European and African Organizations

Context On January 19, 2023, Mandiant security researchers published the technical details of malware campaign preparations they’ve reportedly observed since October 2022. Two key points

APT37 Leverages Internet Explorer Zero-Day to Target South Korean Users

Context APT37 is a known, sophisticated North Korean state-backed actor that has historically leveraged Internet Explorer zero-days to target North Korean defectors, government officials, journalists,

Sophisticated Campaign Targeting Cryptocurrency Firms

On December 6, 2022, Microsoft researchers reported technical details of a campaign targeting cryptocurrency organizations globally using what they describe as complex tactics. Community Impact