New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner

VTA-00430 – New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner


A new Linux malware developed using the shell script compiler (shc) has been observed deploying a cryptocurrency miner on compromised systems. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system.

Among those installed were the shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl. shc allows shell scripts to be converted directly into binaries, offering protections against unauthorized source code modifications. It’s analogous to the BAT2EXE in Windows that’s used to convert any batch file to an executable. By using shc to generate ELF files, the idea is to protect the malicious shell commands from being inspected and potentially bypass detection by security software as the executables are encoded using the RC4 algorithm.

The shc downloader subsequently proceeds to fetch the XMRig miner software to mine cryptocurrency, with the IRC bot, it is capable to establishing connections with a remote server to fetch commands for mounting distributed denial-of-service (DDoS) attacks.

Severity:
High

Attack Surfaces:
Endpoint OS, Server OS

Tactics:
Execution, Impact

Techniques:
Command and Scripting Interpreter, Network Denial of Service, Resource Hijacking

Active Defense Tactics:
Detect

Active Defense Techniques:
Baseline, Security Controls, Software Manipulation

Indicator of Compromise:
https://otx.alienvault.com/pulse/63b719e17935d42d3c86f635

SuperPRO’s Threat Countermeasures Procedures: 
1) Adding the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC above to create a custom rule to block the respective File Hashes and Hostname, if necessary.
2) Antimalware tool should be deployed and regularly updated.
3) IDS/IPS should be configured properly.
4) Follow the best practices of password policy when configure password (Use alphanumeric, symbols, etc).
5) Limit management port of linux server to only trusted/management segment only.

Contributed by:  Aman

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>