Old Tools for New Money: URL Spreading Shellbot and XMRig Using 17-year old XHide

By Augusto Remillano II


One of our honeypots detected a threat that propagates by scanning for open ports and brute-forcing weak credentials, then installs a Monero cryptocurrency miner and a Perl-based IRC backdoor as the final payload. The miner process is hidden using XHide Process Faker, a 17-year-old open source tool used to fake the name of a process.


In our analysis, we found the attacker issuing commands to the vulnerable machine that download and install the backdoor and the miner. The backdoor, called Shellbot, is capable of scanning for open ports, downloading files, executing UDP floods, and remotely executing shell commands. Infecting devices with two payloads may prove more profitable, since malicious actors can monetize both the Shellbot and the miner. Our telemetry has recorded sporadic detections of this malware attempting to infect systems in Japan, Myanmar, Brazil, Denmark, China, and Turkey since March.


Routine


The malware scans for open ports and weak credentials to infiltrate the system and then sends a command that downloads the Perl-based Internet Relay Chat (IRC) Shellbot with the file name “sshd2” (detected by Trend Micro as Backdoor.Perl.SHELLBOT.D), along with “findz” (detected by Trend Micro as Trojan.SH.MINESTARTER.A), which infects the system with the miner by downloading and extracting “so3” (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEJQ).
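Because XHide only changes the name a process reports, not the binary it was started from, a defender can surface such processes by comparing what /proc says about a process with the executable it actually maps. The following script is an added example written for this post (not code from the original analysis or from Trend Micro); the sample process entries, the /tmp path and the pids in it are constructed for illustration.

```python
"""Flag processes whose reported name (argv[0] and comm) disagrees with the on-disk binary."""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass
class ProcInfo:
    pid: int
    comm: str    # /proc/<pid>/comm (kernel-side name, truncated to 15 chars)
    argv0: str   # first NUL-separated field of /proc/<pid>/cmdline
    exe: str     # target of the /proc/<pid>/exe symlink

def _norm(name: str) -> str:
    # Login shells prefix argv[0] with '-', and comm is capped at 15 characters.
    return os.path.basename(name).lstrip("-")[:15]

def is_name_spoofed(p: ProcInfo) -> bool:
    """True when neither argv[0] nor comm is consistent with the executable's file name."""
    exe = _norm(p.exe.replace(" (deleted)", ""))   # unlinked binaries keep a '(deleted)' suffix
    def consistent(n: str) -> bool:
        # Versioned names (python3 vs python3.11) are accepted as a prefix match.
        return bool(n) and (exe == n or exe.startswith(n))
    return not (consistent(_norm(p.argv0)) or consistent(_norm(p.comm)))

def find_spoofed(procs: Iterable[ProcInfo]) -> List[int]:
    return [p.pid for p in procs if is_name_spoofed(p)]

def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the three fields from a live /proc entry; None for kernel threads or vanished pids."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        exe = os.readlink(f"{base}/exe")
    except OSError:
        return None
    return ProcInfo(pid, comm, argv0, exe) if argv0 else None  # kernel threads have no cmdline

def scan_live() -> List[int]:
    pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    return find_spoofed(p for p in map(read_proc, pids) if p)

# Constructed sample: a miner masquerading as sshd next to two legitimate processes.
SAMPLE = [
    ProcInfo(4242, "sshd", "sshd", "/tmp/.x/so3"),            # faked name, binary elsewhere
    ProcInfo(1001, "bash", "-bash", "/usr/bin/bash"),         # login shell, leading dash
    ProcInfo(1002, "python3", "python3", "/usr/bin/python3.11"),
]

if __name__ == "__main__":
    print("spoofed pids in sample:", find_spoofed(SAMPLE))
```

Run `scan_live()` as root to check a real host; interpreters reached through symlink aliases (sh pointing at dash, busybox applets) will also appear, so treat the output as a triage list rather than a verdict.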



Figure 1. Code snippet of the sshd2 Shellbot
