Tsunami DDoS Malware Distributed to Linux SSH Servers
Jun 12 2023
AhnLab Security
https://asec.ahnlab.com/en/54647/
| Notes |
|---|
| AhnLab Security |
| AhnLab Security Emergency response Center (ASEC) |
| Tsunami DDoS Bot, Kaiten |
| DDoS |
| SSH |
| Linux malware |
| ShellBot https://asec.ahnlab.com/en/49769/ |
| XMRig |
| coinminer |
| Log Cleaner |
| DDoS bots |
| ChinaZ DDoS Bot https://asec.ahnlab.com/en/50316/ |
| SHC malware https://asec.ahnlab.com/en/45182/ |
| KONO DIO DA campaign https://asec.ahnlab.com/en/54647/ |
| IRC bot |
| Mirai |
| Gafgyt |
| IoT |
| IRC |
| Docker |
| dictionary attack |
| – list of credentials used: admin:qwe123Q#, … dell:123 |
| one-liner that checks whether the host has a GPU, then wgets and runs the IRC bot |
| overwrites false and nologin with bash |
| ping6 SUID shell for privilege escalation and persistence |
| attacker adds an SSH key |
| timestomping |
| – list of domains |
| – attacker's public key |
| Ziggy StarTux |
| ddoser – v0.69 |
| rc.local persistence |
| changes process name to "[kworker/0:0]" |
| – list of C2 commands and capabilities |
| SSHBot is written in Perl |
| 0x333shadow Log Cleaner |
| MIG Logcleaner v2.0 |
| utmp, wtmp, lastlog |
| finger |
| Solaris malware |
| ping6 – setuid, setgid, execl privilege escalation |
| XMRig – televizor cnrig |
| mining pool |
| Monero |