South Korean cybersecurity firm AhnLab Security Emergency Response Center said it has observed new Linux malware in the wild that deploys a cryptocurrency miner on compromised systems by way of a downloader built with shc, the Shell Script Compiler, which wraps a shell script inside an ELF executable, reports The Hacker News.
According to the report, a successful breach is followed by execution of the shc-compiled downloader, which fetches the XMRig cryptocurrency miner and a Perl-based DDoS IRC bot. The bot connects to an attacker-controlled IRC server, from which the attacker issues commands to mount distributed denial-of-service attacks.
"It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. This bot supports not only DDoS attacks such as TCP flood, UDP flood, and HTTP flood, but various other features including command execution, reverse shell, port scanning, and log deletion," researchers said.
Because all of the shc downloader artifacts were uploaded from South Korea, the threat actors are likely focusing primarily on poorly secured Linux SSH servers in that country.
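The access chain the researchers describe (a dictionary attack against SSH, then an accepted password, then an shc-compiled downloader on disk) lends itself to two simple checks. The script below is an added example written for this page; it is not AhnLab's tooling and not taken from the report. It scans OpenSSH auth-log lines for a source IP that accumulates several failed passwords and then logs in successfully, and it flags ELF files that carry the runtime error string shc embeds in every binary it produces. The log lines, the threshold of five failures and the host name are constructed for the demo.

```python
"""Spot an SSH dictionary attack that ends in a login, and shc-compiled binaries.

Added example for this article, not code from the report. Sample log lines,
the failure threshold and file contents below are constructed.
"""
import re
from collections import defaultdict

# OpenSSH auth-log formats; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")

THRESHOLD = 5  # assumption: this many failures from one IP counts as a dictionary attack

# String present in the runtime shc links into every binary it generates;
# a cheap on-disk indicator for the downloader the report describes.
SHC_MARKER = b"E: neither argv[0] nor $_ works."
ELF_MAGIC = b"\x7fELF"


def analyze(lines, threshold=THRESHOLD):
    """Return one alert per source IP whose failures were followed by an accepted password."""
    failures = defaultdict(list)  # ip -> usernames tried before the first success
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and len(failures[m["ip"]]) >= threshold:
            alerts.append({
                "ip": m["ip"],
                "user": m["user"],
                "failed_attempts": len(failures[m["ip"]]),
                "usernames_tried": sorted(set(failures[m["ip"]])),
            })
    return alerts


def looks_like_shc(data: bytes) -> bool:
    """True if the bytes are an ELF image containing the shc runtime marker."""
    return data.startswith(ELF_MAGIC) and SHC_MARKER in data


# Constructed auth.log excerpt: five failures from one IP, then root logs in;
# a second host gets one wrong password and then a legitimate login.
SAMPLE_LOG = """\
Jan 10 03:14:01 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 10 03:14:03 srv sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jan 10 03:14:05 srv sshd[2205]: Failed password for root from 203.0.113.7 port 40138 ssh2
Jan 10 03:14:07 srv sshd[2207]: Failed password for root from 203.0.113.7 port 40144 ssh2
Jan 10 03:14:09 srv sshd[2209]: Failed password for root from 203.0.113.7 port 40150 ssh2
Jan 10 03:14:11 srv sshd[2211]: Accepted password for root from 203.0.113.7 port 40156 ssh2
Jan 10 03:20:00 srv sshd[2300]: Failed password for alice from 198.51.100.2 port 50000 ssh2
Jan 10 03:20:04 srv sshd[2302]: Accepted password for alice from 198.51.100.2 port 50004 ssh2
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"dictionary attack succeeded: {alert['ip']} as {alert['user']} "
              f"after {alert['failed_attempts']} failures, tried {alert['usernames_tried']}")
    # Constructed file contents standing in for a downloaded binary.
    fake_downloader = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 16 + SHC_MARKER
    print("shc-compiled:", looks_like_shc(fake_downloader))
```

In production the same logic runs over `journalctl -u ssh` or `/var/log/auth.log` output, and the file check is best applied to recently written executables in world-writable directories. A hit on both, a login that followed a burst of failures and an shc binary written shortly afterwards, is exactly the sequence in the report, and the fix that removes the first step is disabling password authentication in `sshd_config` in favour of keys.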