Hackers Targeting Linux and IoT Devices for Cryptomining
Attackers Deploy Trojanized OpenSSH Version for Device Takeover, Microsoft Says
Microsoft discovered hackers targeting internet-facing Linux systems and IoT devices to steal IT resources for cryptocurrency mining operations.
The campaign begins by brute-forcing target systems and devices and then uses a backdoor to deploy multiple open-source tools such as rootkits and an IRC bot to compromise device resources, said Microsoft's Threat Intelligence team in a blog post.
Immediately after the initial compromise, a Trojanized OpenSSH package installs a backdoor that helps maintain persistence. The attackers further leverage this backdoor to install a patched version of OpenSSH, which allows them to hijack SSH credentials, move laterally within the network and conceal the malicious connections on the compromised device.
A number of open-source rootkits such as Diamorphine and Reptile found on GitHub also are deployed as additional payloads to exfiltrate data and obfuscate the malicious activity in the victim's environment by deleting records and system logs.
The backdoor also lets its own cryptominer monopolize the infected system's resources by eliminating competing cryptomining processes that may already be running on it. "It identifies miner processes and files by their names and either terminates them or blocks access to them and removes SSH access configured in authorized_keys by other adversaries."
Attackers also deploy a modified version of ZiggyStarTux, an IRC-based DDoS client that's capable of executing bash commands issued from the command-and-control server. This IRC bot is based on another botnet malware called Kaiten.
ZiggyStarTux is registered as a system service, configuring the service file at /etc/systemd/system/network-check.service. The communication between the ZiggyStarTux bots and the attackers' command-and-control server is done through IRC servers that use a subdomain belonging to a legitimate Southeast Asian financial institution hosted on the attacker's infrastructure.
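A defender can check for the persistence mechanism described above by auditing local systemd units. The following is an added example, not code from Microsoft's report: it flags the unit path the article names and, as an assumed heuristic, any service whose program lives outside common system directories (the trusted-prefix list and the sample unit contents are constructed for illustration).

```python
import tempfile
from pathlib import Path

# Unit path named in the article for the ZiggyStarTux service.
REPORTED_UNIT = "/etc/systemd/system/network-check.service"
# Assumption (not from the article): directories where packaged daemons normally live.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")

def exec_paths(unit_file):
    """Return the program path from each Exec*= line of a unit file."""
    paths = []
    for line in Path(unit_file).read_text(errors="replace").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().startswith("Exec") and value.strip():
            # Drop systemd's special prefixes (-, @, +, !, :) before the path.
            paths.append(value.split()[0].lstrip("-@+!:"))
    return paths

def audit_units(root="/"):
    """Return (unit_path, reason) findings for *.service files under root."""
    root = Path(root)
    findings = []
    for unit in sorted((root / "etc/systemd/system").glob("*.service")):
        if not unit.is_file():  # skips masked units (symlinks to /dev/null)
            continue
        shown = "/" + unit.relative_to(root).as_posix()
        if shown == REPORTED_UNIT:
            findings.append((shown, "unit path named in the report"))
        for prog in exec_paths(unit):
            if not prog.startswith(TRUSTED_PREFIXES):
                findings.append((shown, f"runs {prog} from an unusual location"))
    return findings

def demo():
    """Audit a constructed file tree (sample data, not from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "etc/systemd/system")
        d.mkdir(parents=True)
        (d / "ssh.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
        (d / "network-check.service").write_text(
            "[Service]\nExecStart=-/var/tmp/.cache/check\nRestart=always\n")
        return audit_units(tmp)

if __name__ == "__main__":
    for unit, reason in demo():
        print(f"{unit}: {reason}")
```

Because the campaign also deploys rootkits that hide activity on a running system, the `root` argument lets the same audit run against a disk image mounted on a separate, trusted machine.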
These bots also are instructed to download and execute additional scripts to brute-force every host in the hacked device's subnet and backdoor any vulnerable systems using the Trojanized OpenSSH package.
The bots' purpose is to maintain persistence and deploy mining malware crafted for Hiveon OS systems, which are Linux-based open-source operating systems designed for cryptomining.
Microsoft attributed the campaign to a user named "asterzeu" on the cardingforum.cx hacking forum. The user offered multiple tools for sale on the platform, including an SSH backdoor, Microsoft said.
Microsoft's disclosure comes two days after a report on a similar campaign was published by the AhnLab Security Emergency Response Center. That campaign consists of the Tsunami DDoS bot - Tsunami is another name for Kaiten - being installed on inadequately managed Linux SSH servers, the report said. As observed in Microsoft's analysis, Tsunami also installed various other malware, cryptominer and obfuscation tools, such as ShellBot, XMRig CoinMiner and Log Cleaner.
Links between the two campaigns and reports could not be established as Microsoft and ASEC did not immediately respond to Information Security Media Group's requests for information.
"The complexity and scope of this attack are indicative of the efforts attackers make to evade detection," Microsoft said. "The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server and may thus pose a greater challenge for detection than other malicious files. This type of attack demonstrates the techniques and persistence of adversaries who seek to infiltrate and control exposed devices."