Threat Advisory

Hackers hijack Linux systems using trojanized OpenSSH version

Threat: Malware
Targeted Region: Global
Threat Actor Region: Southeast Asia
Targeted Sector: Technology & IT
Criticality: High


Summary:

A researcher recently discovered a cryptojacking campaign that hijacks Internet-exposed Linux and Internet of Things (IoT) devices through brute-force attacks. Once access is gained, the attackers deploy a trojanized OpenSSH package, which allows them to backdoor the compromised devices and steal SSH credentials for persistence. The patches applied by the attackers intercept SSH passwords and keys, enable root login over SSH, and suppress logging of the threat actors' SSH sessions. A backdoor shell script is deployed alongside the trojanized OpenSSH binary; it adds public keys for persistent SSH access and installs rootkits to hide malicious activity. The attackers also target competing miners by blocking their traffic and removing their SSH access.

Execution Flow

The attack involves the deployment of the ZiggyStarTux open-source IRC bot, which not only enables DDoS capabilities but also allows the operators to execute bash commands. To ensure persistence, the backdoor malware duplicates itself across multiple disk locations and creates cron jobs for periodic execution. It registers ZiggyStarTux as a systemd service and camouflages C2 communication traffic by using a subdomain from a legitimate Southeast Asian financial institution hosted on the attacker's infrastructure. The campaign involves brute-forcing live hosts in the compromised device's subnet and backdooring vulnerable systems with the trojanized OpenSSH package. The ultimate goal appears to be the installation of mining malware on Linux-based Hiveon OS systems designed for cryptomining.

The modified OpenSSH package, which mimics the appearance and behavior of a legitimate server, makes detection more difficult. The attack demonstrates the techniques and persistence of adversaries seeking to infiltrate and control exposed devices. The use of brute-force attacks, trojanized software, and rootkits underscores the need for robust security measures to protect Internet-exposed Linux and IoT devices from such threats.

The hackers are targeting Internet-exposed Linux and IoT devices through brute-force attacks. The attackers deploy trojanized OpenSSH packages to backdoor compromised devices, steal SSH credentials, and maintain persistence. They utilize rootkits, eliminate other miners, and execute DDoS attacks. The modified OpenSSH presents a challenge for detection, highlighting the persistence and techniques used by adversaries to infiltrate and control exposed devices.
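The summary and execution flow above name three host-level changes a defender can check for directly: root login enabled in sshd_config, SSH session logging suppressed, and public keys added to authorized_keys for persistence, alongside an sshd binary that no longer matches the installed package. The following Python script is an added example written for this advisory, not code from the original report; it runs the corresponding checks over constructed sshd_config and authorized_keys samples embedded inline. The allowlist, the placeholder key material and the baseline hash are assumptions; on a real host the inputs would be read from /etc/ssh/sshd_config, the users' authorized_keys files and the sshd binary, with the baseline hash recorded at package installation time (or taken from the distribution's package verification, e.g. dpkg -V or rpm -V).

```python
import hashlib
import re

# Constructed sample sshd_config fragment (not taken from any real host).
# It carries two of the weakenings the advisory describes: root login over
# SSH enabled and session logging suppressed.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
LogLevel QUIET
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed authorized_keys content; the key bodies are placeholder text.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY admin@workstation
no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERUNKNOWNKEY root@unknown
"""

# Assumed operator allowlist of (key type, key body) pairs expected on the host.
ALLOWED_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY")}

# sshd_config keyword (lowercased) -> values that warrant a finding.
RISKY_SETTINGS = {
    "permitrootlogin": {"yes"},
    "permitemptypasswords": {"yes"},
    "loglevel": {"quiet"},
    "usepam": {"no"},
}

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for top-level settings.

    sshd_config accepts both 'Keyword value' and 'Keyword=value'. As in sshd,
    the first occurrence of a keyword wins. Match blocks are not modelled.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$", line)
        if not m:
            continue
        config.setdefault(m.group(1).lower(), m.group(2).strip())
    return config


def find_risky_settings(config):
    """List (keyword, value) pairs whose value is in RISKY_SETTINGS."""
    return [(k, v) for k, v in config.items()
            if k in RISKY_SETTINGS and v.lower() in RISKY_SETTINGS[k]]


def parse_authorized_keys(text):
    """Return (key_type, key_body, comment) per key line.

    A leading options field (no-pty, command=... and so on) is skipped by
    looking for the first token that is a key type. Options containing
    whitespace inside quotes are not handled by this simple split.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                keys.append((tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return keys


def unexpected_keys(text, allowed):
    """Keys present in authorized_keys but absent from the allowlist."""
    return [k for k in parse_authorized_keys(text) if (k[0], k[1]) not in allowed]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def binary_matches_baseline(data, expected_hex):
    """True if the binary image hashes to the recorded known-good SHA-256."""
    return sha256_hex(data) == expected_hex.lower()


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for k, v in find_risky_settings(cfg):
        print(f"risky sshd_config setting: {k} {v}")
    for ktype, _, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_KEYS):
        print(f"authorized_keys entry not in allowlist: {ktype} {comment}")
    # Constructed stand-in for the sshd binary; on a real host read the file
    # and compare against the hash recorded when the package was installed.
    sample_binary = b"placeholder sshd bytes"
    baseline = sha256_hex(b"placeholder sshd bytes")
    print("sshd binary matches baseline:", binary_matches_baseline(sample_binary, baseline))
```

Run against the embedded samples, the script reports PermitRootLogin and LogLevel as risky and flags the ssh-rsa key commented root@unknown as outside the allowlist; a mismatch on the binary hash is the signal to compare against the distribution package before trusting any output of the host's own sshd.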


Threat Profile:

Tactic                Technique Id   Technique
Execution             T1053          Scheduled Task/Job
Persistence           T1098          Account Manipulation
Persistence           T1574          Hijack Execution Flow
Credential Access     T1110          Brute Force
Credential Access     T1557          Adversary-in-the-Middle
Credential Access     T1040          Network Sniffing
Defense Evasion       T1027          Obfuscated Files or Information
Defense Evasion       T1014          Rootkit
Discovery             T1046          Network Service Discovery
Command and Control   T1001          Data Obfuscation
Command and Control   T1071          Application Layer Protocol
Command and Control   T1105          Ingress Tool Transfer
Exfiltration          T1041          Exfiltration Over C2 Channel


References:

The following report contains further technical details:

https://www.bleepingcomputer.com/news/security/microsoft-hackers-hijack-linux-systems-using-trojanized-openssh-version/
