A new backdoor named Supershell targets Linux SSH servers. Developed in Go by a Chinese-speaking developer, Supershell provides remote control capabilities to attackers through a reverse shell mechanism.
The threat actor likely deployed a credential scanner on previously compromised systems and then launched dictionary attacks from several sources, using stolen credentials to break into SSH accounts.
The provided table lists the attackers' IP addresses and the credentials they tried in unsuccessful login attempts; the attackers mostly tried default or easily guessable passwords such as “root” and “password” to gain unauthorized access.
The table also shows the usual password patterns, such as appended numbers and special characters, that attackers routinely include in their wordlists.
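The activity described above leaves a recognisable trace in the SSH server's authentication log. The following detection logic is an added example, not code from the ASEC report: it parses a handful of constructed auth.log lines (hostnames, PIDs and the documentation-range IP addresses are made up), counts failed logins per source, and separately flags the pattern a successful dictionary attack leaves behind, an accepted login from a source that had already failed. The threshold of four failures is this example's choice.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format OpenSSH writes to /var/log/auth.log
# (hostnames, PIDs and the documentation-range IPs are made up for this example).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 srv1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 srv1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:04 srv1 sshd[1203]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 12:00:06 srv1 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:07 srv1 sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
Jan 10 12:00:09 srv1 sshd[1206]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Jan 10 12:01:10 srv1 sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Jan 10 12:01:12 srv1 sshd[1208]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 12:02:00 srv1 sshd[1209]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
"""

# Matches "Failed password for root from ...", "Failed password for invalid user admin
# from ..." and the corresponding "Accepted <method> for <user> from ..." lines.
SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def analyse_auth_log(text, threshold=4):
    """Summarise SSH login activity per source address.

    Returns a dict with:
      "brute_force": {ip: {"failures": n, "usernames": [...]}} for every
          source with at least `threshold` failed logins, and
      "success_after_failures": [(ip, user, method), ...] for every accepted
          login from a source that had already failed at least once, which is
          the trace a successful dictionary attack leaves behind.
    """
    failures = defaultdict(int)
    usernames = defaultdict(set)
    success_after_failures = []

    for line in text.splitlines():
        m = SSH_AUTH_RE.search(line)
        if not m:
            continue  # not an sshd authentication event
        ip = m.group("ip")
        if m.group("outcome") == "Failed":
            failures[ip] += 1
            usernames[ip].add(m.group("user"))
        elif failures.get(ip, 0) > 0:
            success_after_failures.append((ip, m.group("user"), m.group("method")))

    brute_force = {
        ip: {"failures": n, "usernames": sorted(usernames[ip])}
        for ip, n in failures.items()
        if n >= threshold
    }
    return {"brute_force": brute_force,
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip, info in report["brute_force"].items():
        print(f"brute force from {ip}: {info['failures']} failures, "
              f"usernames tried: {', '.join(info['usernames'])}")
    for ip, user, method in report["success_after_failures"]:
        print(f"ALERT: {method} login for {user} from {ip} after earlier failures")
```

On the sample data, 203.0.113.5 is reported both as a brute-force source (five failures across root, admin and test) and for the accepted password login that followed; 198.51.100.7 stays below the threshold, and the key-based login from 192.0.2.10 is not flagged because that source never failed. In practice the per-source counts should be windowed by time, and the "accepted after failures" case deserves a higher severity than the raw count.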
After a successful login, the threat actor ran commands that fetched Supershell, or a shell-script downloader, from web or FTP servers; the payload was then used to gain further access to and control over the compromised system.
The downloader script fetches and executes files from a remote server, which can give the attacker unauthorized access and expose sensitive data, and it also attempts to install a cryptocurrency miner; the script is malicious and must not be executed.
According to ASEC, the Supershell backdoor malware is disguised through obfuscation, but it can be recognized by its distinctive internal strings, actions, and the textual patterns seen during its operation.
The threat actor initially installed Supershell for control hijacking on poorly managed Linux systems. However, the subsequent installation of XMRig Monero CoinMiners suggests that the ultimate goal is to mine cryptocurrency, even though Supershell could have been used for other malicious activities.
The provided string is a Monero wallet address, the identifier used to send and receive Monero; it is likely associated with the threat actor behind this activity.
Backdoor malware is being installed on Linux SSH servers, allowing threat actors to remotely control the infected servers and potentially causing significant damage or data theft.
Administrators should implement robust security measures, including strong passwords, regular updates, firewall protection, and malware prevention, to safeguard Linux servers from various cyber threats.
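Because the initial access in this campaign is password guessing against SSH, the most direct hardening step is in sshd_config. The following audit is an added example, not the report's or OpenSSH's own tooling: it embeds two constructed sshd_config fragments, one with the weak settings that invite brute forcing and one hardened equivalent, parses the global section the way sshd does (first occurrence of a keyword wins, Match blocks excluded), applies the OpenSSH defaults for absent keywords, and reports the settings to change. The MaxAuthTries limit of 4 is this example's choice, not an OpenSSH value.

```python
# Constructed sshd_config fragments: the first reflects settings that leave a
# server open to password guessing, the second a hardened equivalent.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

# Upper bound for MaxAuthTries chosen for this example, not an OpenSSH value.
MAX_AUTH_TRIES_LIMIT = 4


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored here too. Parsing stops at the first Match block, since keywords
    inside it apply conditionally and need their own evaluation.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if len(parts) == 2 and keyword not in settings:
            settings[keyword] = parts[1].strip()
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, effective_value, recommendation) findings."""
    settings = parse_sshd_config(text)
    # Effective value is the configured one, or the sshd default if absent.
    effective = {k: settings.get(k, v) for k, v in DEFAULTS.items()}
    findings = []
    if effective["permitrootlogin"].lower() not in ("no", "prohibit-password"):
        findings.append(("PermitRootLogin", effective["permitrootlogin"],
                         "set to no so root cannot be brute-forced directly"))
    if effective["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", effective["passwordauthentication"],
                         "set to no and use key-based authentication"))
    try:
        tries = int(effective["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(("MaxAuthTries", effective["maxauthtries"],
                         f"set to {MAX_AUTH_TRIES_LIMIT} or lower"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Note that an empty configuration is not a safe one: with nothing set, sshd still accepts passwords and allows six attempts per connection, so the audit reports both. Disabling password authentication removes the attack surface this campaign relies on entirely; where passwords must stay, a low MaxAuthTries combined with rate limiting at the firewall or a tool that blocks repeat offenders at least slows the dictionary attack.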
The detected malware includes a Cobalt Strike backdoor, a shell agent downloader, and an ElfMiner downloader; the Cobalt Strike backdoor is a remote administration tool abused for malicious activity, while the shell agent and ElfMiner downloaders are likely used to fetch and install additional malware components.