May 5, 2024

Researchers have discovered a sophisticated attack campaign that exploits custom and open-source tools to target Linux-based systems and IoT devices.

The campaign's C2 infrastructure uses a subdomain belonging to a Southeast Asian financial institution. The attackers used a patched (trojanized) build of OpenSSH to take control of compromised devices and install cryptomining malware.

The threat actor employs a backdoor that installs a modified version of OpenSSH, allowing the attackers to hijack SSH credentials, move laterally within networks, and conceal malicious SSH connections.


The attack chain begins with the threat actors brute-forcing credentials on misconfigured, internet-facing Linux devices. Once a device is compromised, they download and install the malicious OpenSSH package, which grants them persistent access and the ability to intercept SSH credentials.

Furthermore, the backdoor deploys open-source rootkits, such as Diamorphine and Reptile, to hide its presence on the compromised systems.

It also establishes communication with a remote command-and-control server through an IRC bot called ZiggyStarTux, which lets the threat actors issue commands and launch DDoS attacks.

Safety Measures

  • Ensure secure configurations for internet-facing devices.
  • Maintain up-to-date firmware and patches.
  • Use secure VPN services for remote access, and adopt comprehensive IoT security solutions.

Indicators of Compromise

  • asterzeu[@]yahoo[.]com
  • dotsysadmin[@]protonmail[.]com
  • 185.161.208[.]234
  • 139.180.185[.]24
  • 199.247.30[.]230
  • 149.28.239[.]146
  • 209.250.234[.]77
  • 70.34.220[.]100
  • irc[.]socialfreedom[.]party
  • singapore[.]sg[.]socialfreedom[.]party
  • amsterdam[.]nl[.]socialfreedom[.]party
  • frankfurt[.]de[.]socialfreedom[.]party
  • sidney[.]au[.]socialfreedom[.]party
  • losangeles[.]us[.]socialfreedom[.]party
  • mumbaitravelers[.]org
  • sh[.]madagent[.]tm
  • ssh[.]madagent[.]tm
  • dumpx[.]madagent[.]tm
  • reg[.]madagent[.]tm
  • sshm[.]madagent[.]tm
  • z[.]madagent[.]tm
  • ssho[.]madagent[.]tm
  • sshr[.]madagent[.]tm
  • sshu[.]madagent[.]tm
  • user[.]madagent[.]tm
  • madagent[.]cc
  • cler[.]madagent[.]cc
  • dumpx[.]madagent[.]cc
  • mh[.]madagent[.]cc
  • ns1[.]madagent[.]cc
  • ns2[.]madagent[.]cc
  • ns3[.]madagent[.]cc
  • ns4[.]madagent[.]cc
  • reg[.]madagent[.]cc
  • ssh[.]madagent[.]cc
  • sshm[.]madagent[.]cc
  • ssho[.]madagent[.]cc
  • sshr[.]madagent[.]cc
  • sshu[.]madagent[.]cc
  • user[.]madagent[.]cc
  • www[.]madagent[.]cc
  • rsh[.]sys-stat[.]download
  • sh[.]sys-stat[.]download
  • sh[.]rawdot[.]net
  • ssho[.]rawdot[.]net
  • donate[.]xmr[.]rawdot[.]net
  • pool[.]rawdot[.]net
  • 2018[.]rawdot[.]net
  • blog[.]rawdot[.]net
  • clients[.]rawdot[.]net
  • ftp[.]rawdot[.]net
  • psql01[.]rawdot[.]net
  • www[.]rawdot[.]net
  • sh[.]0xbadc0de[.]stream
  • ss[.]0xbadc0de[.]stream
  • a26631dcc1aef92a92d2d37476fb1e9becae54541e0411224a441d3afc20b02a
  • 6e9b692b401a57db306bd6c95409042aa6ed075088a40a6ceb74f96895116b62
  • 5e11731e570fc79ad07da4f137e103e0ebfa45530fabd8fa9a9fece4e497bce0
  • 22c2115becd1d0ff9dfe70d14a52ab0354e420f4bfe0df70ca0d55d3c557c6b3
  • d335c83c0dd5bc9a078e796016f9a9f845ff89ee434c63c7a2e7b360e8be3e95
  • 336928c813f3c0ab9aaad5a9853ed96b3f82e7b2b6d96139a7ebb146337dd248
  • 1f6a52ce5ee017f88bd5f9028e3741e69837437cc48444d31d50ef28f1ed03f4
  • b72f21077f9f4d85d555cc6c18677e285b61f980ca99d0495d52f0cbbe66517a
  • 8e7c6cbbb17ffe5ea98986dd36c3e979bc348626637ff9bfd55cb08414f3494c
  • 39b640f62c0046139c41bccd0f98f96165597d50c4823ed88154160c0cae6bd1
  • b77f991a9e0533a7bb39480ba7e96c29a1c1c9e2e212497cfbf6221751a196a2
  • 1782930bc2d46da541c980c09b13811f504b743e485a2befb0df1e5865a95847
  • 7ea1db1581afb977ec6d4abadf98660526205f23c366f7ba6aa04061762b5a7e
  • 4b23d2126a6aec79396630dc10bdf279d9dafc71358145ab0b726cdf0a90dedf
  • 081ad11e67af3fd98cb34cae89a5d26699f132a7ada62b1409eb85eaa4431437
  • 8ff06c7f0c105301397d15b1be3f6fe3ba081bbe042136c5b0fa4478ab59650d
  • 28616594b320b492c04429ab2f569d22d56bd9a047903f214d8b0eacab9b9c14
  • e22148ae0cb1a5cc7743351909cd0ae99ba6a84e181dded1cfa9fa0ed9e4f0e2
  • 6101fcda212f2ee2340e85eaac071ffa95507166ba253d555a69c9ab6c16b148
  • 52fb0dcd929d57e32c8383873897963dd671b626d7e31dd98d2b092a9b57be43
  • 78701d6cafb3e477a033d63b99d480c2d7647079133ecabdcb54cd7a520e46de
  • 2eb5a4766dd7b90674f16eea62ba4e9c33dac8023e1692ed67c917bca448d14f
  • c775964fe1207b6a6f9faf818c63874b2bf5612581e3c3b2d9f6eeee969229d8
  • 75385bb1548c567c4814ad5c13fde6bf64e47694c244e1c26e903abc4523c667
  • bc1e444ab92bb40e41e08846f3e485ffa17ab98563f2ed2129ef1b02c3d5a878
  • 8cb1df542bc60eb187066c136ae413540b33dd28c856ee472dd073affb96a84b
  • 55448d04183a253c939a6463c8992cbc007be237c80de92ff31e3f6606ebd470
  • 9967921339799ed6f510c8a567f8bd69129d75d113f5c63612ceef0d5c4bf019
  • 0a565ebae65fb5fbb34801c2948d35a0b7b5762a9ce51bd55a43181f46bc9723
  • fdfed7c2bf55d0f2440f623e265ab8b8006987f94d23982688914feffb3c549e
  • 32aa3e5fd9b79dcfd9ebe590b6784527cb17217cdeb61a1791bd4a5f721f0099
  • 30d456d6dbd492923972d5f3ceb72c0f7e80d1f6391d6f9c0f5e889b6f71be66
  • 74f4b030529435a8872c3e10d3341a1988d4fdbba89d9afd876458980f6f7a49
  • 3033bb18554ce62f2f96338af682efb647c98d126734bb20426da8ec49ec1cdd
  • 58b9622960e1bb189a403da6cd73e6ec2cb446680a18092351e5a9fa1a205cbc
  • 0027edb4a3c33f3d0cb5cc6fc85b58a8f7c70b8e57a2d28bed53f11c5f649848
  • 7ca66932d9015bf14b89b8650408e39a65c96f59f9273feaede28cabca8a3bbc
  • 9564172445e66f0d3cb64c42f2298f14093c342b95b023bcb82408b6f2a66cd3
  • 722b1970caa804154d85fb3dba88cf192bf3eedd2fea40c8c49c98130797649d
  • 85877eb8f60c903ccb256e776c3e077295cf10eccff8d8ce4400edc699e8021f
  • 635b3dfadeab6b3c2574b1689607b776518d42c2b9fdb895e25c04a8ae9dee92
  • 3ba302f533fcf065fe3f80b4bbea4653e86a5a8c1c752e4798a64a6be3d06e5d
  • b8a360e7094e27857c7daacf624f2d9916e002201caf8a88c5aa3bd37f7bc264
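The two detection opportunities the post describes are the initial brute-force of SSH credentials and the later beaconing to the listed C2 hosts. The following script is an added example, not code from the original post or from the researchers who reported the campaign: it refangs a handful of the indicators copied from the list above, scans constructed connection/DNS log lines for them, and counts failed sshd logins per source address in constructed auth log lines to flag brute-force bursts. The log formats, host names and the threshold of five failures are assumptions for the example.

```python
"""Added example (not from the original post): match the post's defanged IoCs and
flag SSH brute-force bursts in constructed log lines."""
import re
from collections import Counter

# A few indicators copied from the post's IoC list, still in defanged form.
DEFANGED_IOCS = [
    "185.161.208[.]234",
    "irc[.]socialfreedom[.]party",
    "ssh[.]madagent[.]cc",
    "sh[.]sys-stat[.]download",
]

# Constructed connection/DNS log lines (not real telemetry). Line 3 carries a
# near-miss value to show that matching stops at word boundaries.
SAMPLE_CONN_LOG = [
    "2024-05-05T10:01:02Z dns query host1 A irc.socialfreedom.party",
    "2024-05-05T10:01:05Z conn host1 -> 185.161.208.234:6667",
    "2024-05-05T10:02:00Z conn host2 -> 185.161.208.2345:443",
    "2024-05-05T10:03:00Z dns query host3 A ssh.madagent.cc",
]

# Constructed sshd auth log lines: six failures from one source, two from another,
# then a successful login from the first source (the pattern the post describes).
SAMPLE_AUTH_LOG = [
    f"May  5 10:00:{i:02d} host sshd[12{i}]: Failed password for root "
    f"from 203.0.113.7 port 5{i:04d} ssh2"
    for i in range(6)
] + [
    "May  5 10:00:20 host sshd[1240]: Failed password for invalid user admin "
    "from 198.51.100.9 port 40000 ssh2",
    "May  5 10:00:21 host sshd[1241]: Failed password for invalid user admin "
    "from 198.51.100.9 port 40001 ssh2",
    "May  5 10:00:30 host sshd[1250]: Accepted password for root "
    "from 203.0.113.7 port 50300 ssh2",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', '[@]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def find_ioc_hits(lines, iocs):
    """Return (line_number, defanged_ioc) pairs for each IoC found in each line.

    The refanged value is regex-escaped and bounded by non-word characters, so
    '185.161.208.234' does not match '185.161.208.2345'; a subdomain of a listed
    domain still matches, since it is preceded by a dot rather than a word character.
    """
    patterns = [
        (ioc, re.compile(r"(?<!\w)" + re.escape(refang(ioc)) + r"(?!\w)"))
        for ioc in iocs
    ]
    hits = []
    for number, line in enumerate(lines, 1):
        for ioc, pattern in patterns:
            if pattern.search(line):
                hits.append((number, ioc))
    return hits


# Matches the standard OpenSSH failure message, with or without 'invalid user'.
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def bruteforce_sources(auth_lines, threshold=5):
    """Count failed sshd logins per source IP and return those at or above threshold."""
    failures = Counter()
    for line in auth_lines:
        match = FAILED_LOGIN_RE.search(line)
        if match:
            failures[match.group(2)] += 1
    return {ip: count for ip, count in failures.items() if count >= threshold}


if __name__ == "__main__":
    for number, ioc in find_ioc_hits(SAMPLE_CONN_LOG, DEFANGED_IOCS):
        print(f"IoC hit on line {number}: {ioc}")
    for ip, count in bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"possible SSH brute force from {ip}: {count} failures")
```

To use this against real data, load the full indicator list from the post into `DEFANGED_IOCS` and feed the script your own DNS, proxy or firewall logs and `/var/log/auth.log` (or the `sshd` journal). Hash indicators from the list are better checked by comparing SHA-256 sums of the installed `sshd`/`ssh` binaries against the package manager's records, since a trojanized OpenSSH package is the persistence mechanism the post describes.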

1 thought on “OpenSSH Trojanized Campaign”
