Microsoft says Internet-exposed Linux and Internet of Things (IoT) devices are being hijacked in brute-force attacks as part of a recently observed cryptojacking campaign.
After gaining access to a system, the attackers deploy a trojanized OpenSSH package that helps them backdoor the compromised devices and steal SSH credentials to maintain persistence.
“The patches install hooks that intercept the passwords and keys of the device’s SSH connections, whether as a client or a server,” Microsoft said.
“Moreover, the patches enable root login over SSH and conceal the intruder’s presence by suppressing the logging of the threat actors’ SSH sessions, which are distinguished by a special password.”
The backdoor shell script deployed at the same time as the trojanized OpenSSH binary will add two public keys to the authorized_keys file for persistent SSH access.
It further allows the threat actors to harvest system information and install Reptile and Diamorphine open-source LKM rootkits to hide malicious activity on the hacked systems.
The threat actors also use the backdoor to eliminate other miners by adding new iptables rules and entries to /etc/hosts to drop traffic to hosts and IPs used by the operation’s cryptojacking competitors.
“It also identifies miner processes and files by their names and either terminates them or blocks access to them, and removes SSH access configured in authorized_keys by other adversaries,” Microsoft said.
A version of the ZiggyStarTux open-source IRC bot also deployed in the attack comes with distributed denial of service (DDoS) capabilities and allows the operators to execute bash commands.
The backdoor malware utilizes multiple techniques to ensure its persistence on compromised systems, duplicating the binary across several disk locations and creating cron jobs to execute it periodically.
Additionally, it registers ZiggyStarTux as a systemd service, configuring the service file at /etc/systemd/system/network-check.service.
The C2 communication traffic between the ZiggyStarTux bots and the IRC servers is camouflaged using a subdomain belonging to a legitimate Southeast Asian financial institution hosted on the attacker’s infrastructure.
While investigating the campaign, Microsoft saw the bots being instructed to download and execute additional shell scripts to brute-force every live host in the hacked device’s subnet and backdoor any vulnerable systems using the trojanized OpenSSH package.
After moving move laterally within the victim’s network, the attackers’ end goal seems to be the installation of mining malware targeting Linux-based Hiveon OS systems designed for cryptomining.
“The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server and may thus pose a greater challenge for detection than other malicious files,” Microsoft said.
“The patched OpenSSH could also enable the threat actors to access and compromise additional devices. This type of attack demonstrates the techniques and persistence of adversaries who seek to infiltrate and control exposed devices.”