Compromised Linux SSH servers engage in DDoS attacks, cryptomining

Poorly managed Linux SSH servers are getting compromised by unknown attackers and instructed to engage in DDoS attacks while simultaneously mining cryptocurrency in the background.

The Tsunami DDoS bot

Tsunami, also known as Kaiten, is a type of DDoS bot that is frequently distributed alongside malware strains like Mirai and Gafgyt.

What sets Tsunami apart from other DDoS bots is the fact that it functions as an internet relay chat (IRC) bot, meaning it uses IRC to communicate with the threat actor.

“The source code of Tsunami is publicly available so it is used by a multitude of threat actors. Among its various uses, it is mostly used in attacks against IoT devices. Of course, it is also consistently used to target Linux servers,” researchers with AhnLab’s Security Emergency response Center (ASEC) explained.

Attack on Linux SSH servers

A threat actor is mounting dictionary attacks to log into Linux servers with SSH installed and saddle the server with the Tsunami and ShellBot DDoS bots, the XMRig CoinMiner program, and Log Cleaner – a tool for deleting and modifying logs.

“Among the malware that are installed, the ‘key’ file is a downloader-type Bash script that installs additional malware. In addition to being a downloader, it also performs various preliminary tasks to take control of infected systems, which includes installing a backdoor SSH account,” ASEC researchers noted.

Both Tsunami and ShellBot use the IRC protocol to transmit stolen information to the C2 server and receive instructions from it.

Log Cleaner is likely installed to hide malicious activity and hinder future attempts to investigate the breach. XMRig is installed to mine cryptocurrency.

Attack prevention and clean-up

Preventing this type of attack is not difficult: admins should choose strong, unique passwords; enable multi-factor authentication on their SSH account; and set up firewalls to block malicious access attempts and prevent unauthorized entry into the system.

In the event that a Linux system has been compromised, administrators should leverage the IoCs shared by security researchers to eliminate malware and malicious scripts from the system.

In these specific attacks, the threat actors also create an SSH backdoor account, which serves as a fail-safe measure to retain access to the system in case administrators change the password of the primary admin account. That account should also be removed.

Finally, blocking the malware’s communication traffic to C2 servers is vital, to prevent data exfiltration and delivery of instructions.