The ASEC analysis team recently discovered that a Linux malware developed with shell script compiler (shc) that threat actors used to install a CoinMiner.
The experts believe attackers initially compromised targeted devices through a dictionary attack on poorly protected Linux SSH servers, then they installed multiple malware on the target system, including the Shc downloader, XMRig CoinMiner, and a Perl-based DDoS IRC Bot.
The Shell Script Compiler is used to convert Bash shell scripts into an ELF (Executable and Linkable Format).
The shc downloader subsequently proceeds to fetch the XMRig miner software to mine cryptocurrency, with the IRC bot capable of establishing connections with a remote server to fetch commands for mounting distributed denial-of-service (DDoS) attacks.
The Shc downloader malware downloads a compressed file from an external source to “/usr/local/games/” and executes the “run” file. The compressed file contains the XMRig CoinMiner malware along with a config.json with the mining pool URL and the “run” script.