Hackers Using Supershell Malware To Attack Linux SSH Servers

Researchers identified an attack campaign targeting poorly secured Linux SSH servers, where the attack leverages Supershell, a cross-platform reverse shell backdoor written in Go, granting attackers remote control of compromised systems. 

Following the initial infection, attackers are suspected to have deployed scanners to identify additional vulnerable targets and then likely launched dictionary attacks on these targets using credentials harvested from the compromised systems.  

The data reveals a list of threat actor IP addresses and their corresponding root credentials, including common passwords like “root/password” and “root/123456789,” which are frequently exploited by attackers to gain unauthorized access to vulnerable systems.

Meet the CISOs, Join the Virtual Panel to Learn compliance – Join for free 

The presence of these credentials on compromised devices indicates a significant security risk, as they can be used to execute malicious activities, steal sensitive information, and disrupt operations. 

The identification and mitigation of these vulnerabilities are crucial to protecting systems from potential threats.

The threat actor used various methods to download and execute malicious scripts after compromising a system. 

An attacker leveraged wget, curl, tftp, and ftpget commands to download scripts from different sources, including web servers, FTP servers, and even non-standard ports. 

The downloaded scripts were then executed using shell commands (sh, bash), granting the attacker remote access and potentially installing additional malware, and then attackers attempted to remove traces of the attack by deleting the downloaded scripts and other files.  

An attacker initially installed the obfuscated Supershell backdoor on a poorly managed Linux system, which, as identified by its internal strings, behavior, and execution logs, provides the attacker with remote control capabilities. 

While the primary goal seems to be control hijacking, there’s a possibility that the attacker also intends to install a cryptocurrency miner, like XMRig, to exploit the system’s resources for personal gain, which aligns with common attack patterns targeting vulnerable Linux systems.

Threat actors are exploiting poorly managed Linux SSH servers by installing the Supershell backdoor, which enables remote control of infected systems, potentially leading to data theft, system compromise, and other malicious activities. 

According to ASEC, to mitigate this threat, administrators should prioritize strong password hygiene, regular updates, and robust security measures like firewalls. 

Additionally, ensuring that V3 is up-to-date is crucial to prevent malware infections. By implementing these countermeasures, organizations can significantly reduce their vulnerability to Supershell attacks.

The detected malware includes a Cobalt Strike backdoor, a shell agent downloader, and an ElfMiner downloader, which was identified as Backdoor/Linux.CobaltStrike.3753120 was likely deployed for remote access and control. 

The shell agent downloader, Downloader/Shell.Agent.SC203780, was designed to download and execute additional malicious payloads.

The ElfMiner downloader, Downloader/Shell.ElfMiner.S1705, was likely used to download and install cryptocurrency mining malware.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial