- Linux machines that are poorly protected with weak passwords are being targeted by various malware.
- It is recommended that admins use difficult-to-guess passwords to protect their Linux machines and change them often.
- The malware is seen brute-forcing its way into administrator accounts after it infects the computer.
The ASEC analysis team recently discovered a Linux malware that installs Shc downloader, XMRig cryptocurrency miner, and DDoS IRC Bot to poorly defended Linux machines. Linux systems are being attacked with malware all the time. This includes ransomware and cryptojacking, which are types of attacks where hackers try to steal your information or use your computer to mine cryptocurrency.
Various malware installed
A new Linux malware downloader has been created using Shc (Shell Script Compiler), a tool that makes creating malware easier and more efficient. This downloader can infect systems with a simple command, making it a serious threat.
Shc Downloader
The following is a decoded Bash shell script of Shc malware reported by a client company of ASEC that suffered an infiltration attack. It downloads and runs files from external sources, and based on the fact that the XMRig miner is downloaded and installed from the currently available address, it is assumed to be a cryptocurrency-miner downloader.
XMRig cryptominer
The Shc downloader downloads a compressed file from an external source to the path, “/usr/local/games” and executes the “run” file. The compressed file also includes XMRig CoinMiner as well as a config.json with the mining pool URL and the “run” script.
DDoS IRC Bot
Aside from installing a CoinMiner on the infected system, the threat actor installs an IRC bot that can perform a DDoS attack by receiving commands. This DDoS IRC Bot has the characteristic of being developed with Perl, and as the name suggests, it uses the IRC protocol in communications with the C&C server.
How to protect yourself against attacks
ASEC clarifies that these types of attacks usually happen on poorly protected Linux machines. Having a strong password might sound simple but it helps users avoid malware such as this. ASEC says:
« Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks, »