The AhnLab Security Intelligence Center (ASEC) has uncovered a new strain of DDoS malware, named cShell, targeting poorly managed Linux SSH servers (screen and hping3).
The malware exploits weak SSH credentials and leverages Linux tools to execute sophisticated DDoS attacks. This development highlights the growing threat posed by malicious actors exploiting poorly secured systems.
Initial Access and Infection Process
ASEC’s monitoring of honeypots revealed that attackers are scanning publicly exposed SSH services and employing brute force techniques to gain access.
Once inside, they use commands to install tools like curl and a malware strain called cARM.
Depending on the Linux distribution, installation is carried out using package managers such as apt, yum, or apk. Notably, error messages during this process are written in German, suggesting a possible origin or operational clue.
The malware installs itself in the /etc/de/cARM
directory and uses a configuration file named sshell.service
to register as a persistent service via the systemctl
command. This ensures the malware remains active even after system reboots.
Exploitation of Linux Tools
Unlike traditional DDoS bots, cShell relies on existing Linux utilities screen and hping3 to execute its attacks:
- Screen: A utility for managing multiple terminal sessions, allowing tasks to run in the background even if the terminal is closed. cShell uses it to execute commands under the session name “concurrent.”
- Hping3: A packet generation and analysis tool used for network diagnostics. cShell exploits its ability to send TCP, UDP, and ICMP packets for various DDoS attack types.
The malware installs these tools using commands like:
# bash -c apt -y install curl && apt -y install hping3 && apt -y install screen
It then executes hping3 commands through screen sessions to launch attacks such as SYN floods, ACK floods, and UDP floods. These attacks overwhelm targeted servers by sending high volumes of packets at maximum speed.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
Key Features of cShell
According to the Asec research, Six DDoS instructions are integrated into cShell, which was created using the Go programming language and includes an update function. It gets instructions via interacting with a command-and-control (C&C) server. Some of the commands that are supported are:
- SYN Flood:
hping3 -S -d <Data Size> -p <Port> --flood <Target IP>
- ACK Flood:
hping3 -A -d <Data Size> -p <Port> --flood <Target IP>
- UDP Flood:
hping3 -2 -d <Data Size> -p <Port> --flood <Target IP>
- Custom DDoS attacks using flags like
-FXYAP
.
The malware also connects to multiple Pastebin URLs during its update process to download the latest version of itself using curl. This redundancy ensures continued operation even if some C&C servers are taken down.
Recommendations for Protection
Administrators managing Linux servers are urged to take proactive measures to defend against such threats:
- Use strong, unique passwords for SSH accounts and change them regularly.
- Keep systems updated with the latest security patches.
- Deploy firewalls and other security tools to restrict unauthorized access.
- Monitor server activity for unusual behavior or unauthorized installations.
- Update antivirus solutions like V3 to block malware infections proactively.
Poorly secured Linux systems remain prime targets for attackers seeking to build botnets for DDoS campaigns.
By implementing stringent security measures, administrators can mitigate risks and protect their infrastructure from exploitation.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
The post New DDoS Malware “cShell” Exploit Linux Tools to Attack SSH Servers appeared first on Cyber Security News.