A new Linux malware built with the shell script compiler (shc) has been observed deploying a cryptocurrency miner on compromised systems.
According to a report published today by the AhnLab Security Emergency Response Center (ASEC), the malware is presumed to have been installed after attackers successfully authenticated to poorly managed Linux SSH servers by means of a dictionary attack.
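The initial access described above leaves a recognisable trace in sshd logs: a burst of failed logins from one source, often followed by an accepted login. The following detector is an added example (not code from ASEC or the report); it runs over constructed, syslog-style sshd lines with documentation-range addresses and flags sources that reach a failure threshold inside a time window, recording any login accepted from that source afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (syslog style); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Jan 10 12:00:03 srv sshd[2103]: Failed password for root from 203.0.113.5 port 41236 ssh2
Jan 10 12:00:04 srv sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 41238 ssh2
Jan 10 12:00:06 srv sshd[2107]: Failed password for root from 203.0.113.5 port 41240 ssh2
Jan 10 12:00:07 srv sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 41242 ssh2
Jan 10 12:00:09 srv sshd[2111]: Accepted password for root from 203.0.113.5 port 41244 ssh2
Jan 10 12:05:00 srv sshd[2150]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jan 10 12:05:30 srv sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=1970):
    # syslog timestamps carry no year; a fixed year keeps ordering within one day
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_ssh_dictionary_attacks(log_text, threshold=5, window_s=60):
    """Return {ip: {"failures": n, "users": set, "accepted": [(user, method), ...]}}
    for sources with at least `threshold` failed logins within `window_s` seconds.
    "accepted" lists logins the server accepted from that source after it was
    flagged, i.e. a dictionary attack that eventually authenticated."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    users = defaultdict(set)       # ip -> usernames tried
    accepted = defaultdict(list)   # ip -> successful logins after flagging
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            users[ip].add(m["user"])
            # sliding window: keep only failures within window_s of this one
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(failures[ip]) >= threshold:
                flagged[ip] = {"failures": len(failures[ip]), "users": users[ip], "accepted": accepted[ip]}
        elif ip in flagged:
            accepted[ip].append((m["user"], m["method"]))
    return flagged
```

Feeding real `/var/log/auth.log` or `journalctl -u ssh` output into `detect_ssh_dictionary_attacks` gives the same structure; a flagged source with a non-empty "accepted" list is the case worth triaging first.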
shc enables the direct conversion of shell scripts to binaries, protecting against unauthorized source code modifications. It is similar to the Windows BAT2EXE utility, which converts any batch file to an executable.
A successful compromise of the SSH server, as described by the South Korean cybersecurity firm, results in the deployment of an shc downloader malware and a Perl-based DDoS IRC bot.
The shc downloader then fetches the XMRig miner software to mine cryptocurrency, and the IRC bot can establish connections with a remote server to retrieve commands for launching distributed denial-of-service (DDoS) attacks.
This bot supports DDoS attacks such as TCP flood, UDP flood, and HTTP flood, as well as command execution, reverse shell, port scanning, and log deletion, according to ASEC researchers.
The fact that all shc downloader artifacts were uploaded to VirusTotal from South Korea suggests that the campaign is primarily aimed at Linux SSH servers with inadequate security in South Korea.
It is recommended that users practice good password hygiene and periodically change their passwords to prevent brute-force and dictionary attacks. It is also recommended to maintain updated operating systems.