An Shc-based Linux malware was leveraged to deploy a coinminer

January 17, 2023

Threat actors have used Shc-based Linux malware to install the XMRig miner. Researchers found that the attackers, who built the malware with the Shell Script Compiler (Shc), launched dictionary attacks against vulnerable Linux SSH servers to deploy several malware strains on the targeted systems.

Among the identified strains, the researchers also found a Perl-based DDoS IRC bot and an Shc downloader.

According to the investigation, the newly discovered downloader is an Shc executable that, once decoded, turns out to be a Bash shell script. The payload was submitted to VirusTotal from Korea, suggesting that the campaign targets Linux systems in Korea.

The Shc-based Linux malware acts as the launcher for the XMRig miner (a coinminer) on the targeted system.

Once executed, the Shc-based malware deploys the XMRig miner on the system together with the IRC bot, extending and prolonging the attack.

Attackers commonly utilise the IRC bot to orchestrate Distributed Denial-of-Service (DDoS) attacks against targeted systems; it supports several flood types, including UDP Flood, HTTP Flood, and TCP Flood.

The bot also offers features such as a reverse shell, port scanning, and command execution.

Researchers explained that the Shc malware downloader and the IRC bot are otherwise identical, except that the Shc downloader lacks the ability to connect to the IRC server.

The analysts noted that this is not the first wave of attacks against Linux devices, as several Linux malware incidents have been reported in recent months. Last month, researchers uncovered a widespread Linux cryptomining campaign that utilised the CHAOS Remote Access Trojan (RAT).

In addition, a Linux malware called Shikitega executed a layered attack chain to deploy the Monero cryptocurrency miner and enabled the actors to take over the infected system.

In another incident, more than 200 npm and PyPI packages were leveraged by threat actors to spread cryptocurrency miners on compromised Linux devices.

Cybersecurity experts noted that threat actors typically target Linux systems through mismanaged account credentials, which make dictionary and brute-force attacks effective. Administrators should therefore use strong passwords and rotate them regularly to avoid such attacks.
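As an added illustration of the detection side (example code, not from the article or the researchers it cites), the following Python flags the SSH dictionary-attack pattern described above in constructed sshd log lines: a burst of failed password logins from one source address, and whether a password login from that same address succeeded after the burst. The log lines, addresses and the 2023 year assumed for syslog timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth log lines (not from the article); RFC 5737 test addresses.
SAMPLE_AUTH_LOG = """\
Jan 17 09:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 17 09:00:02 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 17 09:00:03 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Jan 17 09:00:04 host sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 17 09:00:05 host sshd[2109]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 17 09:00:06 host sshd[2111]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Jan 17 09:05:00 host sshd[2120]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 17 09:05:30 host sshd[2122]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(TS + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")

def parse_ts(ts, year=2023):
    # syslog timestamps carry no year; 2023 is assumed for the constructed sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_dictionary_attacks(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window of
    window_s seconds, and record whether a password login from that IP succeeded
    after the burst (the 'credential guessed' case that warrants escalation)."""
    failures, accepted = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
        elif m := ACCEPT_RE.match(line):
            accepted[m["ip"]].append((parse_ts(m["ts"]), m["method"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while (t_end - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "password_login_after_burst": any(
                        t >= t_end and meth == "password" for t, meth in accepted[ip]),
                }
                break
    return hits
```

Run `find_dictionary_attacks(SAMPLE_AUTH_LOG)` against the sample to see the single offending source flagged; feed it `/var/log/auth.log` text to apply it to a real host.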
