
Researchers have discovered a sophisticated attack campaign that uses custom and open-source tools to target Linux-based systems and IoT devices.
The attack campaign involves a C2 that uses a subdomain belonging to a Southeast Asian financial institution. The attackers utilized a patched version of OpenSSH to gain control of compromised devices and install cryptomining malware.
The threat actor employs a backdoor that installs a modified version of OpenSSH, allowing the attackers to hijack SSH credentials, move laterally within networks, and conceal malicious SSH connections.
The attack chain begins with the threat actors brute-forcing credentials on misconfigured internet-facing Linux devices. Once a device was compromised, they downloaded and installed the malicious OpenSSH package, which gave them persistent access and the ability to intercept SSH credentials.
Furthermore, the backdoor deploys open-source rootkits, such as Diamorphine and Reptile, to hide its presence on the compromised systems.
It also establishes communication with a remote command-and-control server through an IRC bot called ZiggyStarTux, which lets the threat actors issue commands and launch DDoS attacks.
Safety Measures
- Ensure secure configurations for internet-facing devices.
- Maintain up-to-date firmware and patches.
- Use secure VPN services for remote access and adopt comprehensive IoT security solutions.
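The first measure is where this campaign started, since initial access was brute-forced credentials on misconfigured devices. As an added example (not code from the original post), the following Python script audits an sshd_config for the options that decide whether password guessing can succeed. It implements sshd's first-value-wins rule for duplicate keywords, which is what makes a hardening line appended to the bottom of a file that already sets the keyword ineffective. The sample configurations are constructed, and the keyword defaults it falls back on are the upstream OpenSSH defaults, not values from the write-up.

```python
"""Audit an sshd_config for the options that let a credential brute-force in.

Added example, not part of the original write-up. sshd takes the FIRST value
it reads for each keyword and ignores later duplicates, so a hardening line
appended at the end of a file that already sets the keyword has no effect.
Match blocks are not evaluated (their settings apply only conditionally).
"""
import re

# keyword (lower-cased; sshd keywords are case-insensitive) -> (safe values, why it matters)
EXPECTED = {
    "passwordauthentication": ({"no"}, "password logins are what gets brute-forced"),
    "permitrootlogin": ({"no", "prohibit-password"}, "root must not be reachable by password"),
    "permitemptypasswords": ({"no"}, "empty passwords are guessed instantly"),
    "pubkeyauthentication": ({"yes"}, "keys must stay enabled once passwords are off"),
}

# Upstream OpenSSH defaults used when a keyword is absent (distro packages may differ).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Separator between keyword and value: whitespace, or '=' with optional spaces.
SEPARATOR = re.compile(r"\s*=\s*|\s+")


def effective_settings(config_text):
    """Resolve {keyword: value} the way sshd does: comments and blank lines are
    skipped, the first value for a keyword wins, and parsing stops at the first
    Match block (global settings cannot appear after it anyway)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = SEPARATOR.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(config_text):
    """Return [(keyword, effective_value, reason)] for every weak setting."""
    effective = effective_settings(config_text)
    findings = []
    for key, (safe_values, reason) in EXPECTED.items():
        value = effective.get(key, DEFAULTS[key])
        if value not in safe_values:
            findings.append((key, value, reason))
    return findings


# Constructed sample configurations (not taken from a real host).
WEAK_CONFIG = """
# Internet-facing device left on password logins
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

# Looks fixed, is not: the later "no" is ignored because "yes" came first.
APPENDED_FIX_CONFIG = """
PasswordAuthentication yes
# added during hardening, never takes effect:
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("appended fix", APPENDED_FIX_CONFIG)]:
        findings = audit(text)
        print(f"{name}: {'ok' if not findings else ''}")
        for key, value, reason in findings:
            print(f"  {key} = {value}: {reason}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; the "appended fix" sample is the case worth remembering, because `sshd -T` is the only authoritative view of what the daemon actually resolved.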
Indicators of Compromise
- asterzeu[@]yahoo[.]com
- dotsysadmin[@]protonmail[.]com
- 185.161.208[.]234
- 139.180.185[.]24
- 199.247.30[.]230
- 149.28.239[.]146
- 209.250.234[.]77
- 70.34.220[.]100
- irc[.]socialfreedom[.]party
- singapore[.]sg[.]socialfreedom[.]party
- amsterdam[.]nl[.]socialfreedom[.]party
- frankfurt[.]de[.]socialfreedom[.]party
- sidney[.]au[.]socialfreedom[.]party
- losangeles[.]us[.]socialfreedom[.]party
- mumbaitravelers[.]org
- sh[.]madagent[.]tm
- ssh[.]madagent[.]tm
- dumpx[.]madagent[.]tm
- reg[.]madagent[.]tm
- sshm[.]madagent[.]tm
- z[.]madagent[.]tm
- ssho[.]madagent[.]tm
- sshr[.]madagent[.]tm
- sshu[.]madagent[.]tm
- user[.]madagent[.]tm
- madagent[.]cc
- cler[.]madagent[.]cc
- dumpx[.]madagent[.]cc
- mh[.]madagent[.]cc
- ns1[.]madagent[.]cc
- ns2[.]madagent[.]cc
- ns3[.]madagent[.]cc
- ns4[.]madagent[.]cc
- reg[.]madagent[.]cc
- ssh[.]madagent[.]cc
- sshm[.]madagent[.]cc
- ssho[.]madagent[.]cc
- sshr[.]madagent[.]cc
- sshu[.]madagent[.]cc
- user[.]madagent[.]cc
- www[.]madagent[.]cc
- rsh[.]sys-stat[.]download
- sh[.]sys-stat[.]download
- sh[.]rawdot[.]net
- ssho[.]rawdot[.]net
- donate[.]xmr[.]rawdot[.]net
- pool[.]rawdot[.]net
- 2018[.]rawdot[.]net
- blog[.]rawdot[.]net
- clients[.]rawdot[.]net
- ftp[.]rawdot[.]net
- psql01[.]rawdot[.]net
- www[.]rawdot[.]net
- sh[.]0xbadc0de[.]stream
- ss[.]0xbadc0de[.]stream
- a26631dcc1aef92a92d2d37476fb1e9becae54541e0411224a441d3afc20b02a
- 6e9b692b401a57db306bd6c95409042aa6ed075088a40a6ceb74f96895116b62
- 5e11731e570fc79ad07da4f137e103e0ebfa45530fabd8fa9a9fece4e497bce0
- 22c2115becd1d0ff9dfe70d14a52ab0354e420f4bfe0df70ca0d55d3c557c6b3
- d335c83c0dd5bc9a078e796016f9a9f845ff89ee434c63c7a2e7b360e8be3e95
- 336928c813f3c0ab9aaad5a9853ed96b3f82e7b2b6d96139a7ebb146337dd248
- 1f6a52ce5ee017f88bd5f9028e3741e69837437cc48444d31d50ef28f1ed03f4
- b72f21077f9f4d85d555cc6c18677e285b61f980ca99d0495d52f0cbbe66517a
- 8e7c6cbbb17ffe5ea98986dd36c3e979bc348626637ff9bfd55cb08414f3494c
- 39b640f62c0046139c41bccd0f98f96165597d50c4823ed88154160c0cae6bd1
- b77f991a9e0533a7bb39480ba7e96c29a1c1c9e2e212497cfbf6221751a196a2
- 1782930bc2d46da541c980c09b13811f504b743e485a2befb0df1e5865a95847
- 7ea1db1581afb977ec6d4abadf98660526205f23c366f7ba6aa04061762b5a7e
- 4b23d2126a6aec79396630dc10bdf279d9dafc71358145ab0b726cdf0a90dedf
- 081ad11e67af3fd98cb34cae89a5d26699f132a7ada62b1409eb85eaa4431437
- 8ff06c7f0c105301397d15b1be3f6fe3ba081bbe042136c5b0fa4478ab59650d
- 28616594b320b492c04429ab2f569d22d56bd9a047903f214d8b0eacab9b9c14
- e22148ae0cb1a5cc7743351909cd0ae99ba6a84e181dded1cfa9fa0ed9e4f0e2
- 6101fcda212f2ee2340e85eaac071ffa95507166ba253d555a69c9ab6c16b148
- 52fb0dcd929d57e32c8383873897963dd671b626d7e31dd98d2b092a9b57be43
- 78701d6cafb3e477a033d63b99d480c2d7647079133ecabdcb54cd7a520e46de
- 2eb5a4766dd7b90674f16eea62ba4e9c33dac8023e1692ed67c917bca448d14f
- c775964fe1207b6a6f9faf818c63874b2bf5612581e3c3b2d9f6eeee969229d8
- 75385bb1548c567c4814ad5c13fde6bf64e47694c244e1c26e903abc4523c667
- bc1e444ab92bb40e41e08846f3e485ffa17ab98563f2ed2129ef1b02c3d5a878
- 8cb1df542bc60eb187066c136ae413540b33dd28c856ee472dd073affb96a84b
- 55448d04183a253c939a6463c8992cbc007be237c80de92ff31e3f6606ebd470
- 9967921339799ed6f510c8a567f8bd69129d75d113f5c63612ceef0d5c4bf019
- 0a565ebae65fb5fbb34801c2948d35a0b7b5762a9ce51bd55a43181f46bc9723
- fdfed7c2bf55d0f2440f623e265ab8b8006987f94d23982688914feffb3c549e
- 32aa3e5fd9b79dcfd9ebe590b6784527cb17217cdeb61a1791bd4a5f721f0099
- 30d456d6dbd492923972d5f3ceb72c0f7e80d1f6391d6f9c0f5e889b6f71be66
- 74f4b030529435a8872c3e10d3341a1988d4fdbba89d9afd876458980f6f7a49
- 3033bb18554ce62f2f96338af682efb647c98d126734bb20426da8ec49ec1cdd
- 58b9622960e1bb189a403da6cd73e6ec2cb446680a18092351e5a9fa1a205cbc
- 0027edb4a3c33f3d0cb5cc6fc85b58a8f7c70b8e57a2d28bed53f11c5f649848
- 7ca66932d9015bf14b89b8650408e39a65c96f59f9273feaede28cabca8a3bbc
- 9564172445e66f0d3cb64c42f2298f14093c342b95b023bcb82408b6f2a66cd3
- 722b1970caa804154d85fb3dba88cf192bf3eedd2fea40c8c49c98130797649d
- 85877eb8f60c903ccb256e776c3e077295cf10eccff8d8ce4400edc699e8021f
- 635b3dfadeab6b3c2574b1689607b776518d42c2b9fdb895e25c04a8ae9dee92
- 3ba302f533fcf065fe3f80b4bbea4653e86a5a8c1c752e4798a64a6be3d06e5d
- b8a360e7094e27857c7daacf624f2d9916e002201caf8a88c5aa3bd37f7bc264
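The indicators above are published defanged, so they cannot be pasted straight into a log search. As an added example (not code from the original post), the following Python refangs a subset of them, scans constructed sshd and DNS-resolver log lines for the network indicators, and checks a file's SHA-256 against the hash list, which is how a trojanized OpenSSH package on disk would be recognised. The indicator values are the ones listed above; the log lines and the file contents are constructed.

```python
"""Turn the advisory's defanged indicators into log and file checks.

Added example, not part of the original write-up. Indicator values are copied
from the list above; the log lines and file contents are constructed.
"""
import hashlib
import re

# Subset of the published network indicators, kept defanged as listed.
DEFANGED_IOCS = [
    "asterzeu[@]yahoo[.]com",
    "185.161.208[.]234",
    "139.180.185[.]24",
    "irc[.]socialfreedom[.]party",
    "sh[.]madagent[.]tm",
    "ssh[.]madagent[.]tm",
]

# Two of the published SHA-256 file hashes.
IOC_SHA256 = {
    "a26631dcc1aef92a92d2d37476fb1e9becae54541e0411224a441d3afc20b02a",
    "6e9b692b401a57db306bd6c95409042aa6ed075088a40a6ceb74f96895116b62",
}


def refang(indicator):
    """Undo the [.] / [@] defanging so the value can be matched in raw logs."""
    return indicator.replace("[.]", ".").replace("[@]", "@")


def compile_matchers(defanged):
    """One anchored regex per indicator. The lookarounds keep 139.180.185[.]24
    from matching inside 139.180.185.240 and sh[.]madagent[.]tm from matching
    inside ssh.madagent.tm; a trailing '.' (FQDN form) is still accepted."""
    matchers = {}
    for ioc in defanged:
        plain = refang(ioc)
        matchers[plain] = re.compile(
            r"(?<![\w.-])" + re.escape(plain) + r"(?![\w-])", re.IGNORECASE)
    return matchers


def scan_log(lines, matchers):
    """Return [(line_number, indicator, line)] for every indicator hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for plain, pattern in matchers.items():
            if pattern.search(line):
                hits.append((number, plain, line))
    return hits


def sha256_of(data):
    """Hex SHA-256 of file contents, the form the hash indicators use."""
    return hashlib.sha256(data).hexdigest()


def file_matches_ioc(data, known_hashes=IOC_SHA256):
    """True when the contents hash to one of the listed SHA-256 values."""
    return sha256_of(data) in known_hashes


# Constructed log lines; 203.0.113.9 is from the documentation address range.
SAMPLE_LOG = [
    "Jun 22 10:01:13 edge sshd[1201]: Accepted password for admin from 185.161.208.234 port 51532 ssh2",
    "Jun 22 10:02:40 edge named[88]: client 10.0.0.7#4431: query: irc.socialfreedom.party IN A",
    "Jun 22 10:02:41 edge named[88]: client 10.0.0.7#4432: query: ssh.madagent.tm IN A",
    "Jun 22 10:03:02 edge sshd[1300]: Accepted publickey for ops from 139.180.185.240 port 2222 ssh2",
    "Jun 22 10:03:55 edge sshd[1311]: Failed password for root from 203.0.113.9 port 40000 ssh2",
]

if __name__ == "__main__":
    for number, plain, line in scan_log(SAMPLE_LOG, compile_matchers(DEFANGED_IOCS)):
        print(f"line {number}: {plain} -> {line}")
    sample = b"constructed sample, not the real binary\n"
    print("file hash listed:", file_matches_ioc(sample))
```

Feed `scan_log` the full indicator list and real auth, DNS and proxy logs; the per-indicator anchoring matters because several of the listed hosts (`sh`, `ssh`, `ssho`, `sshr`) differ only by a prefix, and an unanchored substring search would attribute hits to the wrong one. For the hashes, compare the OpenSSH binaries and any recently written packages, and treat a match as confirmation, not a first signal, since the rootkits described above are there to hide the files in the first place.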