Supershell Malware Targeting Linux SSH Servers
Overview of Supershell
Supershell is a command-and-control (C2) platform designed to remotely control systems through web services. Its main feature is a reverse SSH tunnel that establishes an interactive shell session. Recently, ASEC researchers uncovered that hackers have been using Supershell malware to launch attacks on poorly managed Linux SSH servers.
Malware Capabilities and Development
The Supershell malware stands out for its versatility. It supports Windows, Linux, and Android, making it a cross-platform threat. Developed by Chinese-speaking threat actors using the Go programming language, Supershell’s primary function is to act as a reverse shell, giving attackers complete remote control over infected systems.
How the Supershell Attack Unfolds
The attack likely progresses in multiple stages. Initially, hackers compromise unsecured Linux SSH servers using dictionary attacks from various IP addresses. After gaining unauthorized access, they install a backdoor or deploy a shell script that functions as a downloader for Supershell.
Once installed, Supershell’s reverse shell enables remote access to compromised systems, allowing attackers to execute commands and maintain control.
Distribution Methods
Supershell spreads through both web servers and FTP servers, which increases its reach and makes it harder to detect. This sophisticated distribution method highlights how modern cyber threats leverage multiple platforms and exploit vulnerabilities in SSH server configurations.
Supershell’s Role in Cryptocurrency Mining
Although Supershell’s initial installation focuses on establishing a backdoor, the ultimate goal is often to mine cryptocurrency. This malware is frequently accompanied by other malicious software, such as the XMRig cryptominer or DDoS bots like ShellBot and Tsunami.
Detecting and Mitigating Supershell Attacks
ASEC researchers have outlined several ways to identify Supershell malware. Detection relies on examining its internal strings, behavior, and execution process. Since it targets vulnerable Linux systems, ensuring that your SSH servers are properly secured is critical.
Recommendations for Protection
To protect your systems from this and similar malware, follow these recommendations:
- Use complex passwords.
- Change passwords regularly.
- Apply the latest security patches.
- Use firewalls to block unauthorized access.
- Keep security software up-to-date to detect and block malware.
Indicators of Compromise (IoCs)
If you suspect your server may be compromised, here are some indicators of compromise (IoCs) associated with Supershell:
MD5 Hashes:
- 4ee4f1e7456bb2b3d13e93797b9efbd3
- 5ab6e938028e6e9766aa7574928eb062
- e06a1ba2f45ba46b892bef017113af09
URLs:
http[:]//45[.]15[.]143[.]197/sensi[.]sh
http[:]//45[.]15[.]143[.]197/ssh1
http[:]//45[.]15[.]143[.]197/x64[.]bin
http[:]//45[.]15[.]143[.]197[:]10086/supershell/compile/download/ssh
http[:]//45[.]15[.]143[.]197[:]44581/ssh1
IP Addresses:
- 107[.]189[.]8[.]15
- 179[.]61[.]253[.]67
- 2[.]58[.]84[.]90
- 209[.]141[.]60[.]249
- 45[.]15[.]143[.]197
Conclusion
The discovery of Supershell malware reveals the ongoing evolution of cyber threats targeting Linux SSH servers. By taking preventive measures, such as using strong passwords and regularly updating security software, administrators can minimize the risk of compromise.
Click below and ‘share’ this article!