Cloudbooklet
Linux Systems Hacked with OpenSSH Malware

by Hollie Moore
3 months ago
in News, Linux

Discover the implications of OpenSSH Malware on Linux systems. Learn about the security risks and the importance of proactive measures to safeguard against unauthorized access.

Microsoft recently disclosed an ongoing cryptojacking campaign that specifically targets Internet-exposed Linux and Internet of Things (IoT) devices. The attack begins with a series of brute-force attempts to gain unauthorized access to these devices, followed by the deployment of a trojanized OpenSSH package. This malicious software acts as a backdoor, allowing attackers to infiltrate devices and steal SSH credentials for long-term persistence.

The infected systems are manipulated by installing patched OpenSSH packages, which intercept the passwords and keys of SSH sessions as both a client and a server. Furthermore, the attackers enable root login via SSH and conceal their presence by suppressing logging of their SSH sessions, which are identified by a unique password.

A backdoor shell script is also distributed alongside the trojanized OpenSSH code. This script adds two public keys to the authorized_keys file, granting the threat actors persistent SSH access. With this access, they are able to gather system information, install the open-source LKM rootkits Reptile and Diamorphine to hide their malicious activities, and manipulate iptables rules and /etc/hosts entries to block traffic to competitors' cryptojacking hosts and IPs.

The attackers also take advantage of the hacked systems by removing other miners. They accomplish this by terminating miner processes or blocking access to miner processes and files, as well as removing SSH access that other adversaries had previously configured in the authorized_keys file. More details about the attack follow.

OpenSSH Malware Trojan Attack Flow

The attack also includes the use of ZiggyStarTux, an open-source IRC bot with distributed denial of service (DDoS) capabilities. This bot enables threat actors to run bash commands and increases the persistence of the backdoor virus. The trojan employs a number of strategies, such as copying itself across numerous disk locations and setting up cron jobs for frequent execution. It registers ZiggyStarTux as a systemd service, specifying the service file at /etc/systemd/system/network-check.service.

The attackers use a subdomain belonging to a legitimate Southeast Asian financial organization, hosted on their own infrastructure, to conceal the connection between the ZiggyStarTux bots and the IRC servers.

During Microsoft’s research into the campaign, they discovered that the bots were being told to download and run additional shell scripts. These scripts were used to brute-force live hosts within the compromised device’s subnet and backdoor susceptible systems using the trojanized OpenSSH package.

The attackers’ ultimate goal appears to be the installation of mining malware targeting Linux-based Hiveon OS computers, which are specifically tailored for cryptocurrency mining.

The OpenSSH malware first determines whether the targeted device is a honeypot, a system used to trap and analyze cyber intruders. It does this by attempting to access the virtual filesystem /proc. If it fails, the backdoor shuts down immediately, avoiding notice and potential countermeasures.

If the malware is able to obtain access to /proc, it will proceed to harvest important device information, such as the operating system version and network configurations. This critical information is then immediately forwarded via email to a hardcoded address or the malicious hacker’s specified email account, allowing unauthorized access and potential misuse.

Microsoft warns that this modified version of OpenSSH is difficult to identify since it closely resembles the appearance and behavior of a legitimate OpenSSH server. The attack exemplifies the strategies and perseverance used by adversaries aiming to infiltrate and manipulate exposed systems.
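Because the trojanized daemon is hard to tell apart from a legitimate one, a defender can look for the on-disk side effects described in this article instead. The following is an added example, not code from Microsoft or from the original article: it checks a filesystem root for the network-check.service unit, root login enabled in sshd_config, and authorized_keys entries that are not on an allowlist. The function names, the `known_keys` parameter and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

UNIT = "etc/systemd/system/network-check.service"  # path named in the article
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")            # public key type prefixes

def triage(root="/", known_keys=frozenset()):
    """Return (check, detail) findings for the on-disk artefacts described above."""
    root, findings = Path(root), []
    if (root / UNIT).exists():
        findings.append(("systemd-unit", "/" + UNIT))
    # sshd keeps the first value read per keyword; Include/Match are not followed.
    cfg = root / "etc/ssh/sshd_config"
    if cfg.is_file():
        for line in cfg.read_text(errors="replace").splitlines():
            words = line.split("#", 1)[0].replace("=", " ").split()
            if len(words) >= 2 and words[0].lower() == "permitrootlogin":
                if words[1].lower() == "yes":
                    findings.append(("root-login", "PermitRootLogin yes"))
                break
    # Report every key whose base64 blob is not on the caller's allowlist.
    for home in [root / "root", *sorted((root / "home").glob("*"))]:
        ak = home / ".ssh" / "authorized_keys"
        if not ak.is_file():
            continue
        for line in ak.read_text(errors="replace").splitlines():
            tok = [] if line.lstrip().startswith("#") else line.split()
            idx = next((i for i, t in enumerate(tok) if t.startswith(KEY_PREFIXES)), None)
            if idx is not None and idx + 1 < len(tok) and tok[idx + 1] not in known_keys:
                findings.append(("unknown-key", f"/{ak.relative_to(root)} {tok[idx + 1]}"))
    return findings

def build_sample_tree():
    """Constructed sample filesystem for the demo; not real campaign data."""
    root = Path(tempfile.mkdtemp())
    files = {
        UNIT: "[Service]\nExecStart=/placeholder\n",
        "etc/ssh/sshd_config": "#PermitRootLogin no\nPermitRootLogin yes\n",
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAADMIN admin@example\nssh-rsa AAAAUNKNOWN1\nssh-rsa AAAAUNKNOWN2\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root

if __name__ == "__main__":
    for check, detail in triage(build_sample_tree(), known_keys={"AAAAADMIN"}):
        print(f"{check:13} {detail}")
```

An LKM rootkit such as Reptile or Diamorphine can hide files from a running system, so point `root` at a mounted disk image or run from trusted rescue media where possible.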

As the threat of cryptojacking and targeted assaults on IoT devices evolves, it is critical for users and companies to be attentive, apply security patches promptly, and employ comprehensive security measures to defend themselves.

Conclusion

In summary, the OpenSSH malware poses a serious threat to Linux systems, jeopardizing security and potentially allowing unauthorized access. This incident emphasizes the significance of effective security measures, such as regular software updates and stringent access limits.

Vigilance and proactive monitoring are critical in detecting and neutralizing such OpenSSH Malware attacks in order to safeguard Linux systems from unauthorized breaches.

Cloudbooklet © 2023 All rights reserved.