Microsoft has reported a surge in cryptojacking attacks targeting Internet-exposed Linux and Internet of Things (IoT) devices. The attackers employ brute-force techniques, gaining access to systems and deploying a trojanized OpenSSH package. This malicious software facilitates backdooring of compromised devices, allowing the theft of SSH credentials for persistent access.
The patches installed by the attackers intercept passwords and keys of SSH connections, enable root login over SSH, and conceal the intruder’s presence by suppressing logging. The backdoor script, deployed alongside the trojanized OpenSSH binary, adds public keys for persistent SSH access, enabling threat actors to harvest system information and install rootkits to hide malicious activity.
The attack also involves eliminating other miners by manipulating iptables rules and /etc/hosts entries. The campaign utilizes the ZiggyStarTux open-source IRC bot with DDoS capabilities, enabling the execution of bash commands. The malware ensures persistence by duplicating binaries across disk locations, creating cron jobs, and registering ZiggyStarTux as a systemd service. Communication traffic between bots and IRC servers is camouflaged using a subdomain from a legitimate Southeast Asian financial institution.
The attackers instruct bots to download and execute additional shell scripts to brute-force live hosts in the device’s subnet and backdoor vulnerable systems. The end goal appears to be the installation of mining malware targeting Linux-based Hiveon OS systems. Microsoft emphasizes the challenge of detecting this attack due to the modified OpenSSH mimicking a legitimate server’s appearance and behavior. This campaign underscores the techniques and persistence of adversaries seeking to infiltrate and control exposed devices, demonstrating the evolving nature of cyber threats.
Reference:
