Thursday, December 5, 2024
Hackers Attack Linux SSH Servers with Tsunami DDoS Malware

An attack campaign has been recently uncovered by AhnLab ASEC, where poorly controlled Linux SSH servers are targeted and infiltrated with the Tsunami DDoS Bot.

In addition to Tsunami, the threat actor installed several other types of malware, including:

  • ShellBot
  • XMRig CoinMiner
  • Log Cleaner

Most attacks on poorly managed Linux SSH servers involve DDoS bots or CoinMiners being installed.

Tsunami DDoS Malware

Tsunami is a variant of Kaiten (aka Ziggy), a DDoS bot, and it is often distributed alongside Mirai and Gafgyt to attack vulnerable IoT devices.

Although they are all DDoS bots, Tsunami is unique because it functions as an IRC bot and communicates with the threat actor through IRC.

Tsunami’s source code is openly accessible, leading to widespread use by many threat actors.

It is primarily used to target IoT devices, but it is also consistently used against Linux servers.

Attack Against Linux SSH Servers

The SSH service is commonly installed on Linux servers, and poor management of it leaves them vulnerable to attack.

It also enables remote login and system control for administrators, requiring them to log in with their registered user account.

When a Linux system relies on basic login information (username and password), a malicious person can get into the system by brute-force guessing or by using a pre-made list of common passwords.

When poorly managed Linux SSH servers are targeted, attackers search for exposed servers by scanning specific ports.

They then try known account credentials to perform dictionary attacks and gain unauthorized access.
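The dictionary-attack pattern described above leaves a recognisable trail in the sshd authentication log. The following added example (not part of the original article or the AhnLab report) flags source addresses that fail across several account names and marks them as compromised when a password login then succeeds; the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd lines in the format written to /var/log/auth.log or
# /var/log/secure. Addresses come from documentation ranges.
SAMPLE_LOG = """\
Jun 20 03:11:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 20 03:11:03 srv sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 40120 ssh2
Jun 20 03:11:05 srv sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Jun 20 03:11:08 srv sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40140 ssh2
Jun 20 03:11:10 srv sshd[2109]: Accepted password for test2 from 203.0.113.7 port 40152 ssh2
Jun 20 09:02:44 srv sshd[3310]: Failed password for alice from 198.51.100.20 port 51800 ssh2
Jun 20 09:02:51 srv sshd[3312]: Accepted publickey for alice from 198.51.100.20 port 51822 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def analyze(log_text, min_failures=4, min_users=3):
    """Return {ip: finding} for sources whose failures look like a dictionary attack."""
    failures = defaultdict(list)   # ip -> account names tried, in order
    findings = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue
        method, user, ip = m.groups()
        tried = failures.get(ip, [])
        # A password login right after many failures spread over several
        # account names is the case that needs immediate response.
        if method == "password" and len(tried) >= min_failures and len(set(tried)) >= min_users:
            findings[ip] = {"status": "compromised", "account": user, "failures": len(tried)}
    for ip, tried in failures.items():
        if ip not in findings and len(tried) >= min_failures and len(set(tried)) >= min_users:
            findings[ip] = {"status": "guessing", "account": None, "failures": len(tried)}
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

A single mistyped password followed by a key-based login, as in the last two sample lines, stays below the thresholds and is not reported.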

The addresses that were attacked, along with their IDs and passwords, are listed below:

[Image: Attack Against Linux SSH Servers]

Once logged in, the attacker runs a command to download and launch different types of malware. One of the installed files is a Bash script named “key”, which acts as a downloader and installs more malware.

Apart from downloading malware, the “key” file also carries out several initial tasks to gain control over infected systems, such as setting up a secret SSH account as a backdoor, researchers said.

The following malware is installed via the executed command and the downloader Bash script:

  • Downloader Bash (Download URL: ddoser[.]org/key)
  • ShellBot DDoS Bot (Download URL: ddoser[.]org/logo)
  • ShellBot DDoS Bot (Download URL: ddoser[.]org/siwen/bot)
  • Tsunami DDoS Bot (Download URL: ddoser[.]org/siwen/a)
  • MIG Logcleaner v2.0 (Download URL: ddoser[.]org/siwen/cls)
  • 0x333shadow Log Cleaner (Download URL: ddoser[.]org/siwen/clean)
  • Privilege escalation malware (Download URL: ddoser[.]org/siwen/ping6)
  • XMRig CoinMiner (compressed file) (Download URL: ddoser[.]org/top)

ShellBot is a Perl-based DDoS bot that uses the IRC protocol for communication, can set up a reverse shell, and supports:

Tsunami stays active across reboots by saving itself in “/etc/rc.local”, and it disguises itself with common system process names.

Tsunami supports the following remote control commands:

  • Shell command execution
  • Reverse shells
  • Collecting system information
  • Updating itself
  • Downloading additional payloads from an external source

To remove traces of unauthorized access on compromised computers, MIG Logcleaner v2.0 and Shadow Log Cleaner are used, which delays victims' detection of the infection.

In these attacks, the threat actors also use malware in the form of an “ELF” file that gives them elevated privileges.

Mitigations

The security analysts recommend the following mitigations:

  • Linux users should use strong passwords or SSH keys to protect against attacks.
  • Make sure to disable root login via SSH.
  • Take the necessary steps to restrict access to the server by allowing only a specific range of IP addresses.
  • Ensure that you alter the default SSH port to a less common number to evade automated bots and infection scripts.
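The four mitigations above map onto a handful of `sshd_config` keywords, so a configuration file can be checked against them mechanically. This added example (not from the article or AhnLab) parses the global section of a config and reports which mitigations are missing; both sample configs, the `deploy` account and the finding labels are constructed, and `Match` blocks and `Include` files are assumed to be out of scope.

```python
# Constructed samples: a default-like sshd_config and the same file with the
# four mitigations applied. Account name and addresses are made up.
WEAK = """\
# defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """\
Port 49222
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@192.0.2.0/24
"""

# OpenSSH behaviour when a keyword is absent from the file.
DEFAULTS = {"port": ["22"], "permitrootlogin": ["prohibit-password"],
            "passwordauthentication": ["yes"], "allowusers": []}

def parse(config_text):
    """Collect global keywords and their arguments, in file order."""
    cfg = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":            # conditional blocks are not evaluated here
            break
        if len(parts) > 1:
            cfg.setdefault(key, []).extend(parts[1:])
    return {**DEFAULTS, **cfg}

def audit(config_text):
    """Return labels for the mitigations from the list that the config misses."""
    cfg = parse(config_text)
    findings = []
    # For single-valued keywords sshd uses the first value it reads.
    if cfg["passwordauthentication"][0].lower() != "no":
        findings.append("password-login")         # exposed to dictionary attacks
    if cfg["permitrootlogin"][0].lower() != "no":
        findings.append("root-login")
    if not any("@" in pattern for pattern in cfg["allowusers"]):
        findings.append("no-source-restriction")  # may still be enforced by a firewall
    if "22" in cfg["port"]:                       # Port may be given more than once
        findings.append("default-port")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

On a live host, `sshd -T` prints the effective configuration with includes resolved, and that output can be passed to `audit()` in place of the raw file.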

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
