{"id":130622,"date":"2023-06-22T09:00:00","date_gmt":"2023-06-22T16:00:00","guid":{"rendered":""},"modified":"2025-06-18T01:57:20","modified_gmt":"2025-06-18T08:57:20","slug":"iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/22\/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign\/","title":{"rendered":"IoT devices and Linux-based systems targeted by OpenSSH trojan campaign"},"content":{"rendered":"\n

Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to generate revenue from targeting a wide range of vulnerable systems, including Internet of Things (IoT) devices. Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.<\/p>\n\n\n\n

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution\u2019s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.<\/p>\n\n\n\n

In this blog post, we present our analysis of the tools and techniques used in this attack and the efforts made by the threat actor to evade detection on affected devices. We also provide indicators of compromise and relevant Microsoft Defender for IoT and Microsoft Defender for Endpoint detections, as well as recommendations for defenders to protect devices and networks.<\/p>\n\n\n\n

Attack chain<\/h2>\n\n\n\n

The threat actors initiate the attack by attempting to brute force various credentials on misconfigured internet-facing Linux devices. Upon compromising a target device, they disable shell history and retrieve a compromised OpenSSH archive named openssh-8.0p1.tgz<\/em> from a remote server. The archive contains benign OpenSSH source code alongside several malicious files: the shell script inst.sh<\/em>, backdoor binaries for multiple architectures (x86-64, arm4l, arm5l, i568, and i686), and an archive containing the shell script vars.sh<\/em>, which holds embedded files for the backdoor\u2019s operation.<\/p>\n\n\n\n

After installing the payload, the shell script inst.sh<\/em> runs a backdoor binary that matches the target device\u2019s architecture. The backdoor is a shell script compiled using an open-source project called Shell Script Compiler (shc), and enables the threat actors to perform subsequent malicious activities and deploy additional tools on affected systems.<\/p>\n\n\n

\"OpenSSH
Figure 1. OpenSSH trojan attack chain.<\/figcaption><\/figure>\n\n\n\n

Custom backdoor deploys open-source rootkits<\/h2>\n\n\n\n

Once running on a device, the shell script backdoor tests access to \/proc<\/em> to determine whether the device is a honeypot. If it can\u2019t access \/proc<\/em>, it determines the device is a honeypot and exits. Otherwise, it exfiltrates information about the device, including its operating system version, network configuration, and the contents of \/etc\/passwd<\/em> and \/etc\/shadow<\/em> over email to the hardcoded address dotsysadmin[@]protonmail[.]com<\/em>, and to any email address provided by the threat actor as an argument to the script.<\/p>\n\n\n\n

On supported systems, the backdoor downloads, compiles, and installs two open-source rootkits available on GitHub, Diamorphine and Reptile. The backdoor configures Reptile to connect to the C2 domain rsh.sys-stat[.]download<\/em> on port 4444 and to hide its child processes, files, or their content. Microsoft researchers assess that the Diamorphine rootkit is used to hide processes as well.<\/p>\n\n\n

\"Screenshot
Figure 2. Any content in a file that appears between __R_TAG, which is defined as “ubiqsys”, will be hidden.<\/figcaption><\/figure>\n\n\n\n

To ensure persistent SSH access to the device, the backdoor appends two public keys to the authorized_keys<\/em> configuration files of all users on the system.<\/p>\n\n\n

\"Screenshot
Figure 3. Adding SSH keys to all users to preserve SSH access.<\/figcaption><\/figure>\n\n\n\n

The backdoor obscures its activity by removing records from Apache, nginx, httpd, and system logs that contain the IP and username specified as arguments to the script. Additionally, it has the capability to install an open-source utility called logtamper<\/em> to clear the utmp <\/em>and wtmp<\/em> logs, which record information about user sign-in sessions and system events.<\/p>\n\n\n\n

The backdoor eliminates cryptomining competition from other miners that may exist on the device by monopolizing device resources and preventing communication with a hardcoded list of hosts and IPs related to these activities. It accomplishes this by adding iptables rules to drop communication with the hosts and IPs and configuring \/etc\/hosts<\/em> to make the hosts resolve to the localhost address. It also identifies miner processes and files by their names and either terminates them or blocks access to them, and removes SSH access configured in authorized_keys<\/em> by other adversaries.<\/p>\n\n\n\n

Patching OpenSSH source code<\/h2>\n\n\n\n

The backdoor uses the Linux patch<\/em> utility to apply the patch file ss.patch<\/em>, which is embedded in vars.sh<\/em>, to the OpenSSH source code files included in its package. Once the patches are applied, the backdoor compiles and installs the modified OpenSSH on the device.<\/p>\n\n\n\n

The compromised OpenSSH grants the attackers persistent access to the device and to the SSH credentials the device handles. The patches install hooks that intercept the passwords and keys of the device\u2019s SSH connections, whether as a client or a server. The passwords and keys are then stored encrypted in a file on the disk. Moreover, the patches enable root login over SSH and conceal the intruder\u2019s presence by suppressing the logging of the threat actors\u2019 SSH sessions, which are distinguished by a special password.<\/p>\n\n\n\n

The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server and may thus pose a greater challenge for detection than other malicious files. The patched OpenSSH could also enable the threat actors to access and compromise additional devices. This type of attack demonstrates the techniques and persistence of adversaries who seek to infiltrate and control exposed devices.<\/p>\n\n\n

\"Screenshot
Figure 4. OpenSSH patch to save incoming SSH passwords (ss.patch)<\/figcaption><\/figure>\n\n\n\n

Botnet operation<\/h2>\n\n\n\n

The backdoor runs a secondary payload embedded in the shell script vars.sh<\/em>, which is a slightly modified version of ZiggyStarTux<\/a>, an open-source IRC bot based on the Kaiten malware. Among its features is executing bash commands issued from the C2 and possessing distributed denial of service (DDoS) capabilities.<\/p>\n\n\n\n

The backdoor employs various mechanisms to set up ZiggyStarTux\u2019s persistence on compromised systems. It copies the ZiggyStarTux binary to several locations on the disk and establishes cron<\/em> jobs to invoke it at regular intervals. Moreover, it runs a bash script that registers ZiggyStarTux as a systemd <\/em>service by creating and configuring the service file \/etc\/systemd\/system\/network-check.service<\/em>.<\/p>\n\n\n

\"Screenshot
Figure 5. Registration of ZiggyStarTux as a systemd service<\/figcaption><\/figure>\n\n\n\n

Analysis of ZiggyStarTux revealed that the threat actors stripped the binary of logging-related strings and incorporated a function that writes the bot\u2019s process ID to \/var\/run\/sys_checker.pid<\/em>, allowing the backdoor to read that file and conceal that process ID using the installed rootkits.<\/p>\n\n\n\n

The ZiggyStarTux bots communicate with the C2 via an IRC server hosted on various domains and IPs located in different geographical regions. Evidence indicates that the threat actors disguise their traffic by utilizing the subdomain of a Southeast Asian financial institution that is hosted on one of their own servers.<\/p>\n\n\n\n

To receive commands, the ZiggyStarTux bots connect to the IRC server and join a hidden password-protected channel named ##..##<\/em>. The server was observed issuing bash commands that instruct bots to download and launch two shell scripts from a remote server. The first script, lscan<\/em>, retrieves lssh.tgz<\/em> from the server, an archive of scripts that scan each IP in the subnet for SSH access using a password list. The scripts record the results of each connection attempt in a log file.<\/p>\n\n\n\n

The second script, zaz<\/em>, fetches the compromised OpenSSH package with the embedded backdoor from the remote server. The installation is carried out using the email address ancientgh0st@yahoo[.]com<\/em> as an argument to serve as an additional exfiltration point for device information. Additionally, zaz<\/em> retrieves an archive called hive-start.tgz<\/em> which contains mining malware crafted for Hiveon OS systems, a Linux-based open-source operating system designed for cryptomining.<\/p>\n\n\n\n

Indications of criminal cooperation<\/h2>\n\n\n\n

Microsoft researchers have traced the campaign to a user named asterzeu<\/em> on the hacking forum cardingforum[.]cx<\/em>, who offered multiple tools for sale on the platform, including an SSH backdoor. The domain madagent[.]tm<\/em> was registered in 2015 with an email address matching the username and shared numerous servers over a four-year period with madagent[.]cc<\/em>, one of the C2 domains of ZiggyStarTux. Furthermore, the distribution of the shell script backdoor between threat actors has been identified, adding to the evidence of a network of tools and infrastructure shared or sold on the malware-as-a-service market.<\/p>\n\n\n

\"\"
Figure 6. Post on hacking forum where malicious tools are being sold by the user “asterzeu”<\/figcaption><\/figure>\n\n\n\n

Mitigation and protection guidance<\/h2>\n\n\n\n

Microsoft recommends the following steps to protect devices and networks against this threat:<\/p>\n\n\n\n