A malicious program developed using shc, the shell script compiler, has been found deploying a cryptocurrency miner to victimized systems. The AhnLab Security Emergency Response Center (ASEC) revealed in today’s report that it is assumed this malware accessed the targets by utilizing a dictionary attack on improperly managed Linux SSH servers.
The shell script compiler, or SHC, is a utility comparable to BAT2EXE for Windows. It converts shell scripts into binaries, which keeps the script's source from being read or modified without authorization. As identified by South Korean cyber security specialists, once an SSH server has been successfully infiltrated, a malware downloader accompanied by a DDoS IRC bot written in Perl can be deployed.
Subsequently, the SHC downloader acquires XMRig miner software to generate cryptocurrency. Furthermore, its IRC bot is equipped with the ability to communicate with a distant server and gain instructions for executing distributed denial-of-service (DDoS) attacks.
ASEC researchers stated that this bot not only can carry out DDoS attacks such as TCP flood, UDP flood, and HTTP flood, but also possesses other features including command execution, reverse shell, port scanning, and log deletion. The campaign is predominantly targeting poorly protected Linux SSH servers in South Korea, since all of the shc downloader artifacts were submitted to VirusTotal from there. To stay protected against brute-force attempts and dictionary attacks, users must follow good password hygiene and rotate their passwords regularly. Keeping the operating system updated is also strongly recommended.
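The initial access described in the report is a dictionary attack against SSH, and the trace such an attack leaves on the victim is a burst of `Failed password` entries from one source followed, if it succeeds, by an `Accepted password` from the same address. The following detector is an added example, not code from the article or from ASEC: it parses syslog-style `sshd` lines, counts password failures per source IP inside a sliding time window, and flags an IP whose failures cross a threshold, marking it further if a password login from that IP arrives after the flood. The log lines, the threshold of 5 failures in 600 seconds, the `year` parameter (syslog timestamps carry no year) and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the article); 198.51.100.7
# models the dictionary attack, the other two addresses are benign noise.
SAMPLE_AUTH_LOG = """\
Jan  3 10:15:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan  3 10:15:03 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jan  3 10:15:04 host sshd[2205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Jan  3 10:15:06 host sshd[2207]: Failed password for root from 198.51.100.7 port 51055 ssh2
Jan  3 10:15:08 host sshd[2209]: Failed password for root from 198.51.100.7 port 51060 ssh2
Jan  3 10:15:10 host sshd[2211]: Accepted password for root from 198.51.100.7 port 51071 ssh2
Jan  3 10:20:00 host sshd[2300]: Failed password for alice from 203.0.113.9 port 40010 ssh2
Jan  3 10:20:30 host sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 40012 ssh2
Jan  3 11:00:00 host sshd[2400]: Failed password for root from 192.0.2.5 port 33001 ssh2
Jan  3 11:40:00 host sshd[2402]: Failed password for root from 192.0.2.5 port 33002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2023):
    """Turn raw auth.log text into a list of event dicts; unrelated lines are skipped.

    `year` is an assumption: syslog timestamps do not record the year.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_ssh_bruteforce(events, threshold=5, window_seconds=600):
    """Flag source IPs with >= threshold password failures inside a sliding window.

    Returns {ip: {"first_flagged": iso timestamp, "login_after_flood": bool}}.
    login_after_flood is True when a password login from a flagged IP arrives
    after the threshold was crossed, i.e. the dictionary attack likely succeeded.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # ip -> timestamps of recent password failures
    flagged = {}                  # ip -> time the threshold was first crossed
    compromised = set()

    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed" and ev["method"] == "password":
            failures[ip].append(ev["ts"])
            # Keep only failures inside the window ending at this event.
            cutoff = ev["ts"] - window
            failures[ip] = [t for t in failures[ip] if t >= cutoff]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged[ip] = ev["ts"]
        elif ev["result"] == "Accepted" and ev["method"] == "password" and ip in flagged:
            compromised.add(ip)

    return {
        ip: {"first_flagged": flagged[ip].isoformat(), "login_after_flood": ip in compromised}
        for ip in flagged
    }


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

Only password authentication counts toward the threshold, so a user who fumbles a passphrase once and then logs in with a key (203.0.113.9 in the sample) is not flagged, and two failures forty minutes apart (192.0.2.5) fall out of the window before they can accumulate. An IP reported with `login_after_flood` set is the case the report describes, and is the host to isolate and check for the downloader, the IRC bot and the XMRig process.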