Internet-facing Linux-based systems and Internet of Things (IoT) devices are being targeted in a recent attack that uses a patched version of OpenSSH to take over the devices and install cryptomining malware.
Cryptomining involves solving complex mathematical problems to verify the payments carried out in cryptocurrency transactions and to create new cryptocurrency tokens that are added to the blockchain. The process is competitive and incredibly computing-power-intensive. Although cryptomining can be profitable, it first requires a large investment in computing power, time and electricity. Because of this, cyber criminals find it more profitable to perform cryptojacking attacks, in which cryptomining malware is installed on victim computers and cloud environments to hijack their processing power for mining. Cryptojacking has recently become a criminal industry, with attack tools, infrastructure and other services offered by cyber criminals for sale and as malware-as-a-service. A 2021 study by Google’s Cybersecurity Action Team found that 86% of the compromised cloud instances they detected were being used for unauthorised cryptomining. Researchers at Palo Alto Networks’ Unit 42 have also found that cryptojacking is the most commonly seen attack against unsecured Kubernetes clusters.
But cloud systems are not the only targets for cryptojackers: Microsoft have recently discovered an attack that uses custom and open-source tools to target internet-facing Linux and IoT devices, deploying the cryptomining malware through a trojanised OpenSSH. The attack begins with the threat actors brute forcing credentials on misconfigured internet-facing Linux devices. Once a target is compromised, they disable shell history and retrieve a compromised OpenSSH archive named openssh-8.0p1.tgz from a remote server. The archive contains the OpenSSH source code along with malicious files used in later stages of the attack: the shell script inst.sh, backdoor binaries for various architectures, and an archive containing the shell script vars.sh, which embeds the files used by the backdoor. Once this payload is in place, inst.sh runs the backdoor binary that matches the architecture of the device. This open-source backdoor gives the attackers access to deploy additional malware and tools on the compromised device without having to brute force credentials again. To keep this SSH access persistent, two public keys are appended to the authorized_keys file of every user.
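The authorized_keys persistence described above is cheap to detect: every account's key file can be compared against an allowlist of fingerprints the administrator maintains. The script below is an added example, not code from the original report or from Microsoft. It reads /etc/passwd for home directories, parses each user's authorized_keys (including lines that begin with options such as `command="..."`), computes the SHA256 fingerprint of every key in the notation `ssh-keygen -lf` prints, and reports keys that are not on the allowlist. The /etc/passwd content, file contents and key blobs are constructed sample data (the blobs are base64 of placeholder strings, not real keys).

```python
"""Audit ~/.ssh/authorized_keys for every local account against an allowlist.

Added example, not from the original report. All sample data is constructed.
"""
import base64
import hashlib
import os
from typing import Callable, Dict, Iterable, List, Tuple

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint of a base64 key blob, as ssh-keygen -lf prints it."""
    raw = base64.b64decode(b64_blob)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key type, fingerprint, comment) for each key line.

    A line may start with options such as command="...", so the first field
    that looks like a key type marks where the key itself begins.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(KEY_PREFIXES) and i + 1 < len(fields):
                try:
                    fp = fingerprint(fields[i + 1])
                except ValueError:
                    fp = "INVALID-BASE64"
                entries.append((field, fp, " ".join(fields[i + 2:])))
                break
    return entries


def home_dirs(passwd_text: str) -> Dict[str, str]:
    """Map account name to home directory from /etc/passwd content."""
    homes = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7 and parts[5].startswith("/"):
            homes[parts[0]] = parts[5]
    return homes


def audit(passwd_text: str, read_file: Callable[[str], str],
          allowlist: Iterable[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {account: [unexpected key entries]} for keys not on the allowlist.

    read_file returns a file's text or raises FileNotFoundError/PermissionError,
    so the same logic runs against real files or the constructed sample below.
    """
    allowed = set(allowlist)
    findings = {}
    for user, home in home_dirs(passwd_text).items():
        path = os.path.join(home, ".ssh", "authorized_keys")
        try:
            text = read_file(path)
        except (FileNotFoundError, PermissionError):
            continue
        unknown = [e for e in parse_authorized_keys(text) if e[1] not in allowed]
        if unknown:
            findings[user] = unknown
    return findings


# --- constructed sample data: base64 of placeholder strings, not real keys ---
ADMIN_BLOB = "Y29uc3RydWN0ZWQta2V5LTE="       # "constructed-key-1": the administrator's key
INTRUDER_BLOB_A = "Y29uc3RydWN0ZWQta2V5LTI="  # "constructed-key-2"
INTRUDER_BLOB_B = "Y29uc3RydWN0ZWQta2V5LTM="  # "constructed-key-3"

SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash\n"
)
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys":
        f"ssh-rsa {INTRUDER_BLOB_A} unknown@example\nssh-ed25519 {INTRUDER_BLOB_B}\n",
    "/home/alice/.ssh/authorized_keys":
        f"# admin key\nssh-ed25519 {ADMIN_BLOB} admin@corp\n"
        f'command="/usr/bin/true" ssh-rsa {INTRUDER_BLOB_A} unknown@example\n',
}


def sample_reader(path: str) -> str:
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


def demo() -> Dict[str, List[Tuple[str, str, str]]]:
    """Audit the constructed sample. On a real host pass the content of
    /etc/passwd and a reader such as lambda p: open(p).read()."""
    return audit(SAMPLE_PASSWD, sample_reader, [fingerprint(ADMIN_BLOB)])


if __name__ == "__main__":
    for user, keys in demo().items():
        for keytype, fp, comment in keys:
            print(f"{user}: unexpected {keytype} {fp} {comment!r}")
```

Run it as root (or another account that can read every home directory) from cron and alert on any non-empty result; on the sample it reports both intruder keys for root and the one unexpected key for alice, while the allowlisted admin key is ignored.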
Once the backdoor is running, the shell script checks the environment, using its access to /proc as evidence that the device is not a honeypot. If the device looks like a honeypot the script exits; otherwise it gathers device information such as the operating system, network configuration and other accessible data, including the contents of /etc/passwd and /etc/shadow. This information is exfiltrated by email to an address hardcoded in the script. The backdoor then downloads, compiles and installs two rootkits, Diamorphine and Reptile. Reptile is configured to communicate over port 4444 with a command and control (C2) server controlled by the threat actors, which previously belonged to a Southeast Asian financial institution. This rootkit then hides the backdoor's child processes, files and their contents. The Diamorphine rootkit is also thought to be used to hide processes.
As well as hiding processes, the backdoor covers its tracks by removing entries from system, nginx, httpd and Apache logs that contain incriminating information specified in the script, such as the attacker's IP address or username. Another open-source tool, logtamper, is then used to clear the utmp and wtmp logs, removing further records of system events and user sign-in sessions. The backdoor then eliminates competing cryptominers on the device: it adds iptables rules to stop and prevent communication with specified hosts and IPs, and configures /etc/hosts to resolve those hosts to the localhost address. Cryptomining processes are identified by name and then terminated or blocked, and the same treatment is applied to any access that others have established through authorized_keys or the SSH configuration. Removing this competition matters to the threat actors because it lets them monopolise the resources of the devices they compromise.
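The competitor-blocking changes above leave two artefacts that a host check can pick up: /etc/hosts lines that point a real hostname at a loopback or unspecified address, and iptables rules that DROP or REJECT traffic to or from specific addresses. The script below is an added example, not code from the original report or from Microsoft; it parses both formats and flags those entries. The sample /etc/hosts and `iptables-save` output are constructed, and the hostnames and addresses in them are documentation ranges and placeholder names, not real indicators.

```python
"""Flag /etc/hosts sinkhole entries and address-pinned DROP/REJECT iptables rules.

Added example, not from the original report. All sample input is constructed.
"""
import re
from typing import List, Set, Tuple

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# names that legitimately sit on loopback in a stock /etc/hosts
BENIGN_NAMES = {"localhost", "localhost.localdomain", "localhost4",
                "localhost6", "ip6-localhost", "ip6-loopback"}


def sinkholed_hosts(hosts_text: str, local_names: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs where a non-local name maps to loopback/unspecified."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            if name.lower() not in BENIGN_NAMES and name not in local_names:
                findings.append((addr, name))
    return findings


RULE_RE = re.compile(r"^-A\s+(\S+).*?-j\s+(DROP|REJECT)\b")
ADDR_RE = re.compile(r"(?:^|\s)(-s|-d|--source|--destination)\s+(\S+)")


def pinned_block_rules(iptables_save_text: str) -> List[Tuple[str, str, str]]:
    """Return (chain, flag, address) for DROP/REJECT rules bound to an explicit host or network."""
    findings = []
    for line in iptables_save_text.splitlines():
        rule = RULE_RE.match(line.strip())
        if not rule:
            continue
        for flag, addr in ADDR_RE.findall(line):
            findings.append((rule.group(1), flag, addr))
    return findings


# --- constructed samples ---
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
127.0.1.1 build-node                  # Debian-style entry for the machine's own name
0.0.0.0 pool.rival-miner.example      # constructed sinkhole entry
127.0.0.1 update.rival-miner.example  # constructed sinkhole entry
"""
SAMPLE_IPTABLES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A OUTPUT -d 198.51.100.7/32 -p tcp --dport 3333 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def demo():
    """Run both checks over the samples; on a live host feed in /etc/hosts and `iptables-save` output."""
    return (sinkholed_hosts(SAMPLE_HOSTS, {"build-node"}),
            pinned_block_rules(SAMPLE_IPTABLES))


if __name__ == "__main__":
    hosts, rules = demo()
    for addr, name in hosts:
        print(f"/etc/hosts sinkhole: {name} -> {addr}")
    for chain, flag, addr in rules:
        print(f"iptables {chain}: blocks {flag} {addr}")
```

Neither artefact is malicious on its own (administrators sinkhole ad domains and block ranges all the time), so the useful signal is change: diff the output against a known-good baseline taken when the device was provisioned, and treat new entries that appeared without a change record as something to investigate.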
The backdoor then uses the standard Linux patch utility to apply the patch file ss.patch, one of the files embedded in vars.sh, to the OpenSSH source code. This alternate build of OpenSSH is installed on the device, giving the threat actor persistent access to the device and to the SSH credentials it handles. The patches install hooks that intercept passwords and keys for SSH connections and store them in an encrypted file on disk. They also enable a root login over SSH, identified by a special password, for which logging is suppressed so that the threat actor's sessions are concealed. The patches could also give the threat actors access to other devices to take over and compromise. Delivering these changes through an otherwise complete OpenSSH build makes detection harder, as the result mimics the behaviour and appearance of a legitimate OpenSSH server.
Another payload embedded in vars.sh is a modified version of ZiggyStarTux, an open-source internet relay chat (IRC) bot based on the Kaiten malware. Its purpose is to build a botnet of compromised devices that can execute bash commands sent from the C2 server and take part in distributed denial of service (DDoS) attacks. To make ZiggyStarTux persistent, the backdoor first copies the binary to multiple locations on disk, then sets up cron jobs that invoke it at regular intervals. It then runs a bash script that writes the service file /etc/systemd/system/network-check.service and registers ZiggyStarTux as a systemd service.
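Two of the artefacts in the preceding paragraphs, a rebuilt sshd installed over the packaged one and cron jobs or a systemd unit that launch a binary dropped outside any package, can be checked with the same data: the per-package file manifests that dpkg keeps in /var/lib/dpkg/info/<package>.md5sums (one `<md5>  <path relative to />` line per file). The script below is an added example, not code from the original report or from Microsoft. It re-hashes files against such a manifest, pulls executable paths out of a systemd unit's `ExecStart=` lines and out of /etc/crontab-style entries, and reports any executable that no manifest accounts for. The manifest, file contents, unit and crontab are constructed, and the dropped binary path `/usr/local/lib/.cache/checker` is a hypothetical placeholder, not an indicator from the report.

```python
"""Verify packaged files against a dpkg .md5sums manifest and flag unpackaged persistence.

Added example, not from the original report. Sample contents and paths are constructed.
"""
import hashlib
import shlex
from typing import Callable, Dict, List, Set


def parse_md5sums(manifest_text: str) -> Dict[str, str]:
    """Map absolute path -> expected MD5 from a dpkg .md5sums file."""
    manifest = {}
    for line in manifest_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            manifest["/" + parts[1].strip()] = parts[0].lower()
    return manifest


def verify_manifest(manifest: Dict[str, str], read_bytes: Callable[[str], bytes]) -> List[str]:
    """Return paths that are missing or whose current MD5 differs from the manifest."""
    bad = []
    for path, expected in sorted(manifest.items()):
        try:
            data = read_bytes(path)
        except (FileNotFoundError, PermissionError):
            bad.append(path)
            continue
        if hashlib.md5(data).hexdigest() != expected:
            bad.append(path)
    return bad


def exec_paths_from_unit(unit_text: str) -> List[str]:
    """Executable paths from Exec* lines of a systemd unit file."""
    paths = []
    for line in unit_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.startswith(("ExecStart", "ExecStop", "ExecReload")) and value.strip():
            command = value.strip().lstrip("-@+!:")   # systemd prefix characters
            paths.append(shlex.split(command)[0])
    return paths


def exec_paths_from_system_crontab(cron_text: str) -> List[str]:
    """Executable paths from /etc/crontab or /etc/cron.d entries (these carry a user field)."""
    paths = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:                  # environment assignment such as PATH=...
            continue
        cmd_index = 2 if fields[0].startswith("@") else 6   # "@reboot user cmd" vs 5 time fields
        if len(fields) > cmd_index:
            paths.append(fields[cmd_index])
    return paths


def unpackaged(paths: List[str], packaged: Set[str]) -> List[str]:
    """Absolute paths that no package manifest accounts for."""
    return sorted({p for p in paths if p.startswith("/") and p not in packaged})


# --- constructed sample: the manifest hashes are computed from the stand-in "good" files ---
GOOD_SSHD = b"#!/bin/sh\n# constructed stand-in for the packaged sshd\n"
GOOD_SSH = b"#!/bin/sh\n# constructed stand-in for the packaged ssh client\n"
SAMPLE_MANIFEST = (
    f"{hashlib.md5(GOOD_SSHD).hexdigest()}  usr/sbin/sshd\n"
    f"{hashlib.md5(GOOD_SSH).hexdigest()}  usr/bin/ssh\n"
)
SAMPLE_FILES = {
    "/usr/sbin/sshd": GOOD_SSHD + b"# rebuilt from patched source\n",   # tampered
    "/usr/bin/ssh": GOOD_SSH,                                           # untouched
}
# hypothetical dropped binary path, not an indicator from the report
SAMPLE_UNIT = "[Service]\nExecStart=/usr/local/lib/.cache/checker -d\n[Install]\nWantedBy=multi-user.target\n"
SAMPLE_CRONTAB = (
    "PATH=/usr/bin:/bin\n"
    "*/10 * * * * root /usr/local/lib/.cache/checker\n"
    "@reboot root /usr/local/lib/.cache/checker\n"
    "0 3 * * * root /usr/bin/ssh -T backup@backup.example\n"
)


def sample_reader(path: str) -> bytes:
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


def demo():
    """Returns (tampered packaged files, unpackaged executables run by persistence)."""
    manifest = parse_md5sums(SAMPLE_MANIFEST)
    tampered = verify_manifest(manifest, sample_reader)
    persisted = exec_paths_from_unit(SAMPLE_UNIT) + exec_paths_from_system_crontab(SAMPLE_CRONTAB)
    return tampered, unpackaged(persisted, set(manifest))


if __name__ == "__main__":
    print(demo())
```

On a real Debian-family host, load every `/var/lib/dpkg/info/*.md5sums` file and read with `lambda p: open(p, "rb").read()`; `dpkg -V openssh-server` and `rpm -V openssh-server` perform the same hash comparison natively. Because the Reptile and Diamorphine rootkits can hide files and alter what userland reads, a clean result from a running host is only weak evidence; the comparison is trustworthy when the disk is examined from a trusted boot medium.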
Microsoft's researchers analysed ZiggyStarTux and found that the threat actors had stripped logging-related strings from the binary. They also found an additional function that writes the bots' process IDs to /var/run/sys_checker.pid, which lets the backdoor read that file and hide those process IDs using the Diamorphine and Reptile rootkits. ZiggyStarTux bots communicate with the C2 through an IRC server, joining a hidden, password-protected channel called ##..##. The server sends bash commands instructing the bots to download and run two shell scripts, lscan and zaz. The first, lscan, retrieves an archive of scripts called ssh.tgz that scans the IPs in the subnet for SSH access using a list of passwords, logging each connection attempt to a file. Zaz then fetches the backdoored OpenSSH package from the server, using the exfiltration email address for the installation. This script also retrieves the hive-start.tgz archive, which contains the cryptomining malware built for Hiveon OS, a Linux-based open-source operating system made for cryptomining.
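Process hiding of the kind described above (the rootkits concealing the bot PIDs recorded in /var/run/sys_checker.pid) can be exposed from user space because loadable-kernel-module rootkits typically hide a process by filtering it out of the directory listing of /proc, while /proc/<pid> itself still answers a direct stat(). Probing every PID up to pid_max and comparing with the listing reveals the gap, which is the approach the unhide tool's procfs test takes. The script below is an added example, not code from the original report or from Microsoft; the listing and probe are passed in as callables so the same logic runs on constructed data and on a live Linux host, and the pid file path is the one named in the report.

```python
"""Find processes that are reachable under /proc but absent from its directory listing.

Added example, not from the original report. The sample listing is constructed.
"""
import os
from typing import Callable, Iterable, List, Set

PID_FILE = "/var/run/sys_checker.pid"   # path named in the report


def pids_from_listing(names: Iterable[str]) -> Set[int]:
    """Numeric entries of a /proc listing (non-numeric entries such as 'self' are ignored)."""
    return {int(n) for n in names if n.isdigit()}


def pids_from_pidfile(text: str) -> List[int]:
    """All integers in a pid file (one per line, or several on a line)."""
    return [int(tok) for tok in text.split() if tok.isdigit()]


def find_hidden_pids(list_proc: Callable[[], Iterable[str]],
                     pid_exists: Callable[[int], bool],
                     pid_max: int) -> List[int]:
    """PIDs that answer a direct probe but never appear in the listing.

    The listing is taken before and after the probe sweep, so a process that
    merely started or exited during the sweep is not reported as hidden.
    """
    before = pids_from_listing(list_proc())
    candidates = [pid for pid in range(1, pid_max + 1)
                  if pid not in before and pid_exists(pid)]
    after = pids_from_listing(list_proc())
    return [pid for pid in candidates if pid not in after and pid_exists(pid)]


def pidfile_hidden(pidfile_text: str, list_proc: Callable[[], Iterable[str]],
                   pid_exists: Callable[[int], bool]) -> List[int]:
    """PIDs recorded in the bot's pid file that are alive but absent from the listing."""
    listed = pids_from_listing(list_proc())
    return [pid for pid in pids_from_pidfile(pidfile_text)
            if pid not in listed and pid_exists(pid)]


# --- live-host helpers (Linux only) ---
def live_proc_listing() -> List[str]:
    return os.listdir("/proc")


def live_pid_exists(pid: int) -> bool:
    try:
        os.stat(f"/proc/{pid}")
        return True
    except (FileNotFoundError, ProcessLookupError):
        return False


def live_pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


# --- constructed sample: pid 4242 answers a probe but is missing from the listing ---
SAMPLE_LISTING = ["1", "2", "100", "self", "sys", "meminfo"]
SAMPLE_ALIVE = {1, 2, 100, 4242}
SAMPLE_PIDFILE = "4242\n"


def demo():
    """Returns (hidden pids found by sweep, hidden pids named in the pid file)."""
    hidden = find_hidden_pids(lambda: SAMPLE_LISTING, SAMPLE_ALIVE.__contains__, 5000)
    from_pidfile = pidfile_hidden(SAMPLE_PIDFILE, lambda: SAMPLE_LISTING, SAMPLE_ALIVE.__contains__)
    return hidden, from_pidfile


if __name__ == "__main__":
    print("sample:", demo())
    if os.path.isdir("/proc"):
        print("live:", find_hidden_pids(live_proc_listing, live_pid_exists, live_pid_max()))
```

On a live host the sweep issues one stat() per possible PID (pid_max is often 4194304 on 64-bit systems), which takes a few seconds and is cheap enough to run from a scheduled job. A rootkit that also hooks stat() on /proc would evade this single test, so unhide combines it with other views of the process table (kernel counters, /proc/<pid> opens via syscall, and a comparison against `ps`); treat any PID this reports as a lead to confirm, not a verdict.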
The best defence against attacks of this kind is to protect and harden your internet-facing devices so that the threat actors cannot gain access in the first place. Keeping software up to date helps, as does configuring devices securely from the outset, including changing default usernames and passwords. Using least-privilege access for all accounts, restricting remote access, and using a secure VPN to reach internet-facing and IoT devices also improve the security of your network. Anyone unsure whether they have been compromised can check their systems against the indicators of compromise that Microsoft published in their blog post.
Many users and administrators forget the access to your network that IoT devices have, and the processing power the devices themselves carry. As a result, IoT devices can remain unsecured and unpatched far longer than any other device on your network, even though criminals can use them to reach other areas of your network or to run intensive processes on your dime. IoT devices should therefore be covered by antivirus and other security detection and response systems, including integration into your SIEM, and should be installed in isolated network segments without access to your core network.