SHC-compiled Linux malware now installs DDoS bots and cryptominers

A new Linux malware downloader built with SHC (Shell Script Compiler) has been spotted. It infects systems with Monero cryptocurrency miners and DDoS IRC bots.

ASEC analysts discovered that the SHC loader had been uploaded to VirusTotal by Korean users. The attacks are usually directed at Linux systems within the same country.

Analysts believe the attackers are likely to use weak administrator credentials, rather than SSH on Linux servers.

Loading with care

SHC, which is a generic shell script compiler for Linux, can convert Bash scripts to ELF files (Linux or Unix executables).

Malicious Bash scripts used by threat actors typically contain system commands that security software on Linux devices can detect.

In SHC ELF executables, the malicious commands are encoded with the RC4 algorithm. Security software cannot see them as easily, which could allow the malware to evade detection.

Part of a decoded Bash shell script

Source: ASEC

Multiple payloads dropped

Once the SHC malware downloader has been executed, it retrieves multiple malware payloads from the Internet and installs them on the device.

An XMRig miner is one of the payloads. It is downloaded from a remote URL as a TAR archive, extracted to “/usr/local/games/”, and then executed.

The archive also includes the “run” script and the miner’s configuration file, which points to the specified mining pool.

Contents of the TAR archive

Source: ASEC

XMRig, an open-source CPU cryptocurrency miner, is usually used to mine Monero using the compromised server’s computational resources.

Bundling the configuration with the miner reduces communication with the C2 and keeps crypto mining running in the event that the threat actor stops sending the configuration.

A Perl-based DDoS IRC bot is the second payload retrieved, dropped, and loaded by the SHC malware downloader.
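Because the miner is extracted to and run from “/usr/local/games/”, a defender can hunt for it by checking which running processes execute from that directory. The script below is an added example, not code from ASEC or the original article; the names `find_suspicious`, `WATCHED_DIRS` and `proc_root` are assumptions made for illustration, and it also reports binaries that were deleted from disk after launch.

```python
#!/usr/bin/env python3
"""Flag processes whose executable lives under a watched directory."""
import os
import sys

# Directory named in the article as the miner's extraction path.
# WATCHED_DIRS and find_suspicious are illustrative names, not from ASEC.
WATCHED_DIRS = ("/usr/local/games",)
DELETED_SUFFIX = " (deleted)"  # appended by the kernel when the file was unlinked


def find_suspicious(proc_root="/proc", watched=WATCHED_DIRS):
    """Return sorted (pid, exe_path, deleted) tuples for matching processes."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():  # only per-process directories
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel thread, exited process, or no permission
            continue
        deleted = exe.endswith(DELETED_SUFFIX)
        if deleted:
            exe = exe[: -len(DELETED_SUFFIX)]
        exe = os.path.normpath(exe)
        for directory in watched:
            directory = os.path.normpath(directory)
            # Compare on a path boundary so /usr/local/games2 does not match.
            if exe == directory or exe.startswith(directory + os.sep):
                hits.append((int(entry), exe, deleted))
                break
    return sorted(hits)


def main():
    hits = find_suspicious()
    for pid, exe, deleted in hits:
        note = " [binary deleted from disk]" if deleted else ""
        print(f"pid={pid} exe={exe}{note}")
    return 1 if hits else 0  # non-zero exit lets cron or monitoring alert


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root so that the `exe` links of other users' processes are readable; a script such as “run” shows up under its interpreter's path, so this check catches the compiled miner rather than the launcher script.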

After connecting to the IRC server, the malware uses its configuration data and then goes through a username-based authentication process.

If authentication succeeds, the malware waits for commands from the IRC server. These include DDoS actions such as TCP Flood, UDP Flood, and HTTP Flood.

Commands sent by the IRC server

Source: ASEC

ASEC cautions that attacks such as these are often caused by weak passwords being used on Linux servers.

ASEC advises administrators to use difficult-to-guess passwords for their accounts and to change them periodically to safeguard the Linux server against dictionary attacks and brute force attacks. Administrators should also apply the most recent patches to prevent attacks that exploit vulnerabilities.

Administrators should use firewalls to protect servers that are accessible from the outside. This will help prevent attackers from accessing these servers.