
This new Linux malware floods machines with cryptocurrency mining tools and DDoS bots
Cybersecurity researchers have discovered a new malware downloader for Linux targeting poorly protected Linux servers with cryptocurrency miners and DDoS IRC bots.
ASEC researchers detected the attack after the downloader, an executable built with the Shell Script Compiler (SHC), was submitted to VirusTotal. Apparently Korean users were the ones who uploaded the SHC file, and Korean users are the ones being targeted as well.
Further analysis showed that the attackers target poorly protected Linux servers by brute-forcing administrator account passwords over SSH.
Monero mining
Once they get in, they install a cryptocurrency miner or a DDoS IRC bot. The miner deployed is XMRig, probably the most popular cryptocurrency miner among attackers. It uses the computing power of the victim's machines to generate Monero, a privacy-oriented cryptocurrency whose transactions are seemingly untraceable and whose users are allegedly unidentifiable.
In the case of a DDoS IRC bot, cybercriminals can use it to run commands such as TCP Flood, UDP Flood or HTTP Flood. They can run port scans, Nmap scans, kill various processes, clear logs, and more.
“For this reason, administrators should use hard-to-guess passwords for their accounts and change them periodically to protect the Linux server from brute-force and dictionary attacks, and update to the latest patch to prevent exploits,” ASEC said in its report.
“Administrators should also use security programs such as firewalls for externally accessible servers to restrict attacker access.”
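As an added example, not code from the ASEC report or this article: a small Python detector for the SSH brute-force entry point described above. It parses constructed sshd log lines in the syslog format found in /var/log/auth.log and flags source IPs with repeated failed logins against accounts inside a short window, noting whether a successful login from the same IP followed the burst. The host name, IP addresses, account names and the year supplied to the parser are all assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in /var/log/auth.log syslog format; host, IPs and users are made up.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 srv1 sshd[2201]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jan 10 03:12:03 srv1 sshd[2203]: Failed password for root from 198.51.100.23 port 50124 ssh2
Jan 10 03:12:04 srv1 sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 50126 ssh2
Jan 10 03:12:06 srv1 sshd[2207]: Failed password for root from 198.51.100.23 port 50128 ssh2
Jan 10 03:12:09 srv1 sshd[2209]: Accepted password for root from 198.51.100.23 port 50130 ssh2
Jan 10 03:40:00 srv1 sshd[2300]: Failed password for alice from 203.0.113.7 port 41000 ssh2
Jan 10 04:15:00 srv1 sshd[2310]: Accepted publickey for alice from 203.0.113.7 port 41002 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(log_text, year=2023):
    """Return (timestamp, result, user, ip) tuples for sshd auth lines; other lines are skipped.
    Syslog lines carry no year, so one is assumed (2023 here, a placeholder)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_brute_force(events, threshold=3, window_seconds=60):
    """Map each source IP with >= threshold failed logins inside window_seconds to a summary.
    success_after marks an accepted login from that IP after the burst (a likely guessed password)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):  # sliding window over failure timestamps
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1][0]
                success_after = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
                hits[ip] = {"failures": len(fails), "users": sorted({e[2] for e in fails}), "success_after": success_after}
                break
    return hits
```

On a real server the same parser can be pointed at the live auth log, and a hit with success_after set is the case that warrants checking the host for the miner or bot described above.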
Linux systems are constantly bombarded with malicious deployments, most commonly ransomware and cryptojacking.
A February 2022 VMware report stated that the continued success of Linux services in the digital infrastructure and cloud industries, along with the fact that most anti-malware and cybersecurity solutions focus on protecting Windows devices, puts Linux on thin ice.
Via: BleepingComputer