Microsoft reports that Internet-exposed Linux and Internet of Things (IoT) devices are being hijacked through brute-force attacks as part of a recently observed cryptojacking campaign.
The attackers use a trojanized OpenSSH package to gain access to a system, enabling them to backdoor the compromised devices and steal SSH credentials to maintain persistence.
According to Microsoft’s statement, “the patches install hooks that intercept the passwords and keys of the device’s SSH connections, whether as a client or a server.”
“In addition, the patches suppress the logging of the threat actors’ SSH sessions, which are distinguished by a special password, and conceal the intruder’s presence by enabling root login over SSH.”
A backdoor shell script, installed alongside the trojanized OpenSSH binary, adds two public keys to the authorized_keys file to give the attackers persistent SSH access.
The script also lets the threat actors collect system information and install the open-source loadable kernel module (LKM) rootkits Reptile and Diamorphine to conceal malicious activity on the compromised systems.
The threat actors also use the backdoor to eliminate rival miners, adding iptables rules and entries that block traffic to the hosts and IP addresses used by competing cryptojacking operations.
Microsoft stated, “It also identifies miner processes and files by their names and either terminates them or blocks access to them, and removes SSH access configured in authorized_keys by other adversaries.”
The attack also deploys a version of the open-source IRC bot ZiggyStarTux, which can launch distributed denial-of-service (DDoS) attacks and lets its operators run bash commands.
To ensure persistence on compromised systems, the backdoor malware copies the binary to multiple locations on disk and creates cron jobs that execute it periodically.
It also registers ZiggyStarTux as a systemd service, with the unit file at /etc/systemd/system/network-check.service.
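The persistence artifacts described above (the added authorized_keys entries, the rootkit modules, the swapped OpenSSH binary and the systemd unit) can be checked for with a short triage script. The one below is an added example, not code from Microsoft's report or from any tool it names; it assumes a Debian- or RPM-based host for the package check and accepts a root path so a mounted image or a constructed tree can be scanned offline.

```shell
# Added triage helper; not code from Microsoft's report or from any tool it names.
# It looks under ROOT (default /) for the persistence artifacts the article describes,
# so a live host, a mounted disk image or a constructed test tree can be checked.
# Findings print one per line, prefixed "FINDING:", for an analyst to review.

check_service_file() {
  # systemd unit path the article names for the ZiggyStarTux service
  unit="$1/etc/systemd/system/network-check.service"
  if [ -f "$unit" ]; then echo "FINDING: systemd unit present: $unit"; fi
}

check_authorized_keys() {
  # The backdoor appends two public keys; list every key so the file can be
  # compared against the keys the organisation actually issued.
  for f in "$1"/root/.ssh/authorized_keys "$1"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] || continue
    grep -E '^(ssh-|ecdsa-|sk-)' "$f" | while read -r ktype keydata comment; do
      echo "FINDING: authorized key in $f: type=$ktype comment=${comment:-<none>}"
    done
  done
  return 0
}

check_rootkit_modules() {
  # Reptile and Diamorphine are the LKM rootkits the article names. A loaded
  # rootkit may hide itself, so an empty result means "not seen", not "clean".
  if [ -r "$1/proc/modules" ]; then
    grep -iE '^(reptile|diamorphine)' "$1/proc/modules" | sed 's|^|FINDING: rootkit module loaded: |'
  fi
}

check_openssh_package() {
  # Live host only: ask the package manager whether the installed OpenSSH files still
  # match the checksums recorded at install time; a binary swapped on disk fails this.
  [ "$1" = "/" ] || return 0
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --verify openssh-server openssh-client 2>/dev/null | sed 's|^|FINDING: dpkg verify: |'
  elif command -v rpm >/dev/null 2>&1; then
    rpm -V openssh-server openssh-clients 2>/dev/null | sed 's|^|FINDING: rpm verify: |'
  fi
}

scan_persistence() {
  root="${1:-/}"
  check_service_file "$root"; check_authorized_keys "$root"
  check_rootkit_modules "$root"; check_openssh_package "$root"
}

# Number of findings, for scripting; e.g. count_findings /mnt/image
count_findings() { scan_persistence "$1" | grep -c '^FINDING:' || true; }
```

A non-zero count is a prompt for review, not a verdict: the key listing has to be compared with the keys the organisation issued, and the package check only covers files the package manager knows about.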
Command-and-control (C2) traffic between the ZiggyStarTux bots and the IRC servers is disguised using a subdomain belonging to a legitimate Southeast Asian financial institution, hosted on the attacker’s infrastructure.
During its investigation of the campaign, Microsoft found that the bots were instructed to download and run additional shell scripts that brute-force every live host in the compromised device’s subnet and backdoor any vulnerable systems with the trojanized OpenSSH package.
The attackers appear to be aiming to install mining malware on cryptomining-specific Linux-based Hiveon OS systems after moving laterally within the victim’s network.
According to Microsoft, “The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server” and “may pose a greater challenge for detection than other malicious files.”
“The threat actors may also be able to access and compromise additional devices with the patched OpenSSH. This kind of attack demonstrates adversaries’ methods and tenacity in their quest to control exposed devices.”