Hackers Using Supershell Malware To Attack Linux SSH Servers


Supershell is a command-and-control (C2) remote control platform that operates through web services.

It allows users to establish a reverse SSH tunnel, enabling a fully interactive shell session. Recently, ASEC researchers discovered that hackers have been actively using Supershell malware to attack Linux SSH servers.

EHA

Supershell Malware Attack Linux SSH Servers

Researchers uncovered that the attack has been targeted at poorly managed Linux SSH servers that are unsecured in which threat actors installed the Supershell backdoor.

Supershell is a versatile malware that supports all the major platforms (Windows, Linux, and Android) and it’s developed by a Chinese-speaking threat actor using the Go programming language.

Meet the CISOs, Join the Virtual Panel to Learn compliance – Join for free

Its primary function is a reverse shell that enables attackers to remotely control the systems that are infected.

The attack likely proceeded in stages, where it compromised multiple systems and installed a scanner, then attempted dictionary attacks from various IP addresses to gain unauthorized access.

Upon successful intrusion, the attacker executed specific commands to either directly install “Supershell” or deploy a “shell script” which acts as a “downloader.”

Commands identified in the attack case (Source – ASEC)

The malware was distributed via both “web servers” and “FTP” servers which helps enhance its reach and not only that even it also complicates the detection.

This sophisticated approach illustrates the evolving tactics of cyber threats that combine multi-platform malware, strategic distribution methods, and exploitation of common vulnerabilities in SSH server configurations.

ASEC said that the Supershell backdoor can be identified via its internal ‘strings,’ ‘behavior,’ and ‘execution process’ since it’s a type of malware targeting vulnerable Linux systems.

It’s often installed alongside other malicious software like ‘XMRig’ or ‘DDoS bots’ like “ShellBot” and “Tsunami.”

The primary function of Supershell is control hijacking, allowing threat actors to remotely command the Linux SSH servers that are compromised.

Though the initial installation focuses on establishing this backdoor, but the actual goal of it is to mine cryptocurrency.

Recommendations

Here below we have mentioned all the recommendations:-

  • Use complex passwords.
  • Regularly changed passwords.
  • Apply the latest security patches.
  • Employ firewalls to restrict unauthorized access.
  • Keep security software updated to block malware infections.

IoCs

MD5

4ee4f1e7456bb2b3d13e93797b9efbd3
5ab6e938028e6e9766aa7574928eb062
e06a1ba2f45ba46b892bef017113af09

URL

http[:]//45[.]15[.]143[.]197/sensi[.]sh
http[:]//45[.]15[.]143[.]197/ssh1
http[:]//45[.]15[.]143[.]197/x64[.]bin
http[:]//45[.]15[.]143[.]197[:]10086/supershell/compile/download/ssh
http[:]//45[.]15[.]143[.]197[:]44581/ssh1

IP

107[.]189[.]8[.]15
179[.]61[.]253[.]67
2[.]58[.]84[.]90
209[.]141[.]60[.]249
45[.]15[.]143[.]197

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial



Source link