SHC (Shell Script Compiler) was used to build a new Linux malware downloader that infects computers with DDoS IRC bots and Monero cryptocurrency miners. According to ASEC researchers who detected the attack, the SHC loader was posted to VirusTotal by Korean users, with cyberattacks often concentrating on Linux systems in the same nation.
The analysts state that the cyberattacks probably use SSH on Linux systems to brute force weak administrator account credentials. Bash shell scripts may be transformed into ELF (Linux and Unix executables) files using SHC, a “generic shell script compiler” for Linux. Security software installed on a Linux device can recognize system commands present in malicious Bash shell scripts used by threat actors.
The RC4 method used in SHC ELF executable scripts makes malicious commands more difficult for security tools to identify, perhaps enabling malware to avoid detection. The SHC malware downloader will download several other malware payloads and install them on the target device when it is run. One of the payloads is an XMRig miner extracted to “/usr/local/games/” and run. It is obtained as a TAR archive from a remote URL.
The “run” script and the miner’s configuration file, which refers to the set mining pool, are both included in the download. The hijacked server’s available computing capabilities are commonly employed to mine Monero with the help of XMRig, an open-source CPU miner frequently exploited. Combining the setup with the miner keeps crypto mining active even if the threat actor’s server goes unavailable and reduces communication with the C2.
A Pearl-based DDoS IRC bot is the second payload that the SHC malware downloader retrieved, dropped, and loaded. The malware establishes a connection to the specified IRC server and performs username-based authentication using the configuration information.
If the attack is successful, the malware is ready to respond to orders from the IRC server, including port scanning, Nmap scanning, sendmail commands, process killing, log cleaning, and DDoS-related operations like TCP Flood, UDP Flood, and HTTP Flood. According to ASEC, cyberattacks like this are frequently brought on by vulnerable Linux systems employing weak passwords.
“Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks,” advises ASEC. “Administrators should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers.”
