ASEC researchers uncovered a new campaign distributing Tsunami botnet on inadequately managed Linux SSH servers. The botnet is being distributed alongside other malware such as ShellBot, XMRig miner, and Log Cleaner to carry out DDoS and cryptomining attacks.
Attack flow
The threat actors use dictionary attacks to log into poorly managed SSH servers.
After successfully logging in, the attackers execute a command that runs a Bash script to download and run various malware.
The Bash script performs various preliminary tasks to take control of infected systems and install a backdoor SSH account.
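The first two steps above (a dictionary attack followed by a successful login) leave a recognizable pattern in the SSH daemon's authentication log: a burst of "Failed password" lines from one source address, then an "Accepted" line from the same address. The following detection script is an added example written for this page, not code from ASEC or from the campaign; the log lines, hostnames and addresses are constructed for illustration and the thresholds (5 failures within 60 seconds) are assumptions a defender would tune to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not taken from the ASEC report).
# 198.51.100.23 runs a password-guessing burst and then logs in as root;
# 192.0.2.10 is a legitimate user who mistypes a password once.
SAMPLE_AUTH_LOG = """\
Jun 20 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2
Jun 20 10:00:02 host sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 51004 ssh2
Jun 20 10:00:02 host sshd[1205]: Failed password for root from 198.51.100.23 port 51006 ssh2
Jun 20 10:00:03 host sshd[1207]: Failed password for root from 198.51.100.23 port 51008 ssh2
Jun 20 10:00:04 host sshd[1209]: Failed password for invalid user oracle from 198.51.100.23 port 51010 ssh2
Jun 20 10:00:05 host sshd[1211]: Failed password for root from 198.51.100.23 port 51012 ssh2
Jun 20 10:00:09 host sshd[1213]: Accepted password for root from 198.51.100.23 port 51014 ssh2
Jun 20 10:01:30 host sshd[1300]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Jun 20 10:01:45 host sshd[1302]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

# Matches the sshd authentication result lines we care about; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(log_text):
    """Yield (timestamp, result, method, user, ip) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; relative ordering within the file is all we need
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_ssh_dictionary_attacks(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    If an Accepted login from a flagged IP follows the burst, record the account
    it obtained: that is the "successful login" step of the campaign and the
    host should be treated as compromised, not merely probed.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    findings = {}
    for ts, result, method, user, ip in parse_auth_log(log_text):
        if result == "Failed":
            window = failures[ip]
            window.append(ts)
            # drop failures that have aged out of the window
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold:
                f = findings.setdefault(
                    ip, {"failures": 0, "first_seen": window[0], "compromised_user": None}
                )
                f["failures"] = max(f["failures"], len(window))
        elif result == "Accepted" and ip in findings:
            findings[ip]["compromised_user"] = user
            findings[ip]["method"] = method
    return findings


def summarize(findings):
    """Render one human-readable line per flagged source address."""
    lines = []
    for ip, f in findings.items():
        status = (
            f"COMPROMISED: logged in as {f['compromised_user']} via {f['method']}"
            if f["compromised_user"] else "probing only"
        )
        lines.append(f"{ip}: {f['failures']} failures since {f['first_seen']:%b %d %H:%M:%S}; {status}")
    return lines


if __name__ == "__main__":
    for line in summarize(detect_ssh_dictionary_attacks(SAMPLE_AUTH_LOG)):
        print(line)
```

The sliding window keeps a single mistyped password (192.0.2.10) from being flagged while still catching a rapid guessing run, and distinguishing "probing only" from "logged in after failures" tells the responder whether to look for the downloaded script and backdoor account described above.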
Other malware used in the campaign
The ShellBot variant used in this attack communicates over the IRC protocol, as Tsunami does, and supports port scanning, basic DDoS attacks, and reverse shells.
Log Cleaner deletes or modifies specific logs on Linux, Unix, and BSD servers, helping the attackers operate stealthily without being detected by anti-virus systems.
There is also a "ping6" file, which is in fact ELF malware that can be used to obtain a shell with root privileges.
In addition to the DDoS bots, the XMRig CoinMiner is installed to mine cryptocurrency on the compromised systems.
Use of Tsunami botnet amplifies
Tsunami, also known as Kaiten, is used by a multitude of threat actors as the source code of the botnet is publicly available. The 8220 Gang is one such group that was recently found using the botnet, among other tools in its campaign. Moreover, the ASEC researchers claim that it has been consistently used alongside Mirai and Gafgyt when targeting vulnerable IoT devices.
More attacks on SSH servers
Of late, Romanian threat group Diicot was found deploying a custom, Golang-based 64-bit SSH brute-forcing tool called ‘aliases’ to gain initial access to machines.
However, the campaign's main payload was Cayosin, a variant of the Mirai botnet, used to exploit Linux-based embedded devices for illegal cryptomining.
Conclusion
Attacks against poorly managed Linux SSH servers have been occurring persistently. Administrators are therefore recommended to use passwords that are difficult to guess and to change them periodically, so as not to fall victim to brute-force and dictionary attacks. Security programs such as firewalls should also be deployed for servers accessible from the outside, to restrict attackers' access.
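The recommendations above address the password-guessing entry point directly. As an added example (not from ASEC or the original article), the script below audits the global section of an sshd_config for settings that make a dictionary attack worthwhile and shows a weak configuration beside a hardened one. It goes a little beyond the article's advice by also checking root login, password authentication and user allow-listing; the two config fragments, including the "deploy" account in AllowUsers, are constructed for illustration, and the directive defaults used are those of current OpenSSH.

```python
# Constructed sshd_config fragments for this example (not taken from any real host).
WEAK_SSHD_CONFIG = """\
# default-ish configuration that leaves password guessing wide open
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no            # root must not be a guessable target
PasswordAuthentication no     # keys only; dictionary attacks have nothing to guess
PubkeyAuthentication yes
MaxAuthTries 3                # fewer guesses per connection
AllowUsers deploy             # constructed account name; only listed users may log in
"""

# OpenSSH defaults applied when a directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {lowercase directive: value} for the global section.

    sshd honours the first occurrence of each directive, so later duplicates
    are ignored here too. Parsing stops at the first Match block: per-user or
    per-host overrides are deliberately out of scope for this audit.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text, max_auth_tries=4):
    """Return a list of findings (empty when the config passes every check)."""
    s = parse_sshd_config(text)
    findings = []

    root = s.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root is a known username, so half of every "
                        "dictionary attack is already done; set it to no or prohibit-password")

    pw = s.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()
    if pw == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed; prefer key-based "
                        "authentication and set PasswordAuthentication no where possible")

    try:
        tries = int(s.get("maxauthtries", DEFAULTS["maxauthtries"]))
    except ValueError:
        tries = None
    if tries is None or tries > max_auth_tries:
        findings.append(f"MaxAuthTries {s.get('maxauthtries', DEFAULTS['maxauthtries'])}: "
                        f"allows many guesses per connection; set it to {max_auth_tries} or lower")

    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is a valid login target; "
                        "restrict SSH to the accounts that need it")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = audit_sshd_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against `sshd -T` output or the live /etc/ssh/sshd_config to get the same report for a real host; a firewall rule limiting which networks may reach port 22 complements these settings but is outside what a config-file audit can check.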