Old Tools for New Money: URL Spreading Shellbot and XMRig Using 17-year old XHide

By Augusto Remillano II

One of our honeypots detected a threat that propagates by scanning for open ports and brute forcing weak credentials, installing a Monero cryptocurrency miner and a Perl-based IRC backdoor as the final payload. The miner process is hidden using XHide Process Faker, a 17-year-old open source tool used to fake the name of a process.

Our analysis found the attacker issuing commands to the vulnerable machine that download and install the backdoor and miner. The backdoor is called Shellbot and is capable of scanning for open ports, downloading files, executing UDP floods, and remotely executing shell commands. Infecting devices with two payloads may prove more profitable, since malicious actors can monetize both the Shellbot and the miner. Since March, our telemetry has sporadically detected this malware attempting to infect systems in Japan, Myanmar, Brazil, Denmark, China, and Turkey.


The malware scans for open ports and weak credentials to infiltrate a system, then sends a command that downloads the Perl-based Internet Relay Chat (IRC) Shellbot with the file name “sshd2” (detected by Trend Micro as Backdoor.Perl.SHELLBOT.D) and “findz” (detected by Trend Micro as Trojan.SH.MINESTARTER.A), which infects the system with the miner by downloading and extracting “so3” (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEJQ).

Figure 1. Code snippet of the sshd2 Shellbot

Figure 2. Infection chain of findz

After decompressing the archived “so3” file, we found that it contained the following scripts:

  • “x”, a bash script that executes “a”.
  • “a”, a bash script that performs the following (detected by Trend Micro as Trojan.SH.MINESTARTER.A):
    • Drops “upd”, a shell script that serves as a watchdog for the mining process
    • Sets up a cron tab executing “upd” every minute
    • Executes “r”

Figure 3. Dropped “upd” file executing “r”

  • “r”, a script that executes “e” or “f” depending on the central processing unit (CPU) architecture of the infected machine (detected by Trend Micro as Trojan.SH.MINESTARTER.A).
  • “e” is XHide (detected by Trend Micro as Linux.XHide.GA), which hides the process of the 32-bit Monero miner binary “systemd” (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEJQ) by renaming it “/www/vhosts”. The hash of the XHide tool used in this malware is exactly the same as the one in the most recent Outlaw attack.
  • “f” is XHide that hides the process of 64-bit Monero miner binary “kthreadd” (detected by Trend Micro as Linux.MALXMR.UWEJR), by renaming it “/www/vhosts”.

Figure 4. XHide upon execution without any parameters.

  • “httpd” serves as the configuration file for the miner, posing as a legitimate file name of the Apache web server.
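Two of the traces this chain leaves are visible to a defender without any vendor tooling: the faked miner process name and the per-minute cron watchdog. The script below is an added example, not code from the post or from Trend Micro. It assumes that XHide-style process faking presents a false argv[0] (here “/www/vhosts”) while /proc/<pid>/exe still resolves to the real binary on disk; the ProcInfo records, the crontab lines and the /tmp/.x/ and /dev/shm/.X/ paths are constructed for the example.

```python
"""Spot two traces of the chain described above on a Linux host:
  1. a process whose advertised name (argv[0]) does not match the executable it
     was started from, which is what XHide-style process faking produces
     (assumption: the faker rewrites argv[0], not /proc/<pid>/exe);
  2. a crontab entry that runs a command every minute (the "upd" watchdog).
Added example, not Trend Micro's code. All sample data below is constructed."""
import os
import re
from dataclasses import dataclass


@dataclass
class ProcInfo:
    pid: int
    argv0: str  # first NUL-separated field of /proc/<pid>/cmdline
    exe: str    # readlink() of /proc/<pid>/exe


def find_spoofed_processes(procs):
    """Return {pid: [reasons]} for processes whose advertised name differs from
    the executable on disk, or whose executable was unlinked after launch."""
    findings = {}
    for p in procs:
        if not p.argv0 or not p.exe:
            continue  # kernel threads have an empty cmdline; nothing to compare
        reasons = []
        exe = p.exe
        if exe.endswith(" (deleted)"):  # binary removed after start: anti-forensic sign
            reasons.append("executable unlinked after launch")
            exe = exe[: -len(" (deleted)")]
        shown = os.path.basename(p.argv0.lstrip("-"))  # login shells show as "-bash"
        if shown != os.path.basename(exe):
            # argv[0] may legitimately be a symlink to exe (e.g. /sbin/init -> systemd)
            if not (os.path.exists(p.argv0) and os.path.realpath(p.argv0) == exe):
                reasons.append(f"argv[0] {p.argv0!r} does not match exe {exe!r}")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Matches "* * * * * cmd" and "*/1 * * * * cmd"; the command is the remainder.
EVERY_MINUTE = re.compile(r"^\s*(?:\*|\*/1)(?:\s+\*){4}\s+(?P<cmd>\S.*)$")


def find_minute_cron_entries(crontab_text):
    """Return the commands of all crontab lines scheduled to run every minute."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = EVERY_MINUTE.match(line)
        if m:
            hits.append(m.group("cmd").strip())
    return hits


def collect_live_procs():
    """Read argv[0] and the exe link for every readable process under /proc."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # process exited, or not ours to inspect
            continue
        procs.append(ProcInfo(pid, argv0, exe))
    return procs


# Constructed sample: one honest login shell, one honest daemon, a kernel thread,
# and two miner processes faked as "/www/vhosts" (paths under /tmp and /dev/shm
# are invented placeholders, not indicators from the report).
SAMPLE_PROCS = [
    ProcInfo(2, "", ""),
    ProcInfo(777, "/usr/sbin/sshd", "/usr/sbin/sshd"),
    ProcInfo(900, "-bash", "/usr/bin/bash"),
    ProcInfo(1234, "/www/vhosts", "/tmp/.x/systemd"),
    ProcInfo(4444, "/www/vhosts", "/dev/shm/.X/kthreadd (deleted)"),
]

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
*/5 * * * * /usr/local/bin/backup.sh
* * * * * /tmp/.x/upd >/dev/null 2>&1
"""

if __name__ == "__main__":
    for pid, reasons in sorted(find_spoofed_processes(collect_live_procs()).items()):
        print(f"pid {pid}: " + "; ".join(reasons))
    for path in ("/etc/crontab",):
        try:
            with open(path) as f:
                for cmd in find_minute_cron_entries(f.read()):
                    print(f"{path}: every-minute job: {cmd}")
        except OSError:
            pass
```

Run as an ordinary user it only sees its own processes; run with enough privilege it covers every pid. Services that rewrite their own argv (sshd session handlers, some postfix workers) will show up as mismatches, so a production version needs an allowlist, and per-user crontabs under /var/spool/cron should be checked in addition to /etc/crontab.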



The use of a Perl-based IRC bot is not new; Outlaw has used it for several attacks, and the code to build the bot for malicious purposes is available online. The same goes for the use of XHide, a relatively old tool.

Despite these techniques and tools having been known and available for some time, the mix of these routines can still be effective if the targeted systems have weak and/or default usernames and passwords that can be brute forced. While the high CPU usage of the miner can be easily spotted through monitoring, the backdoor may leave the attacker with access to the infected system even after the malicious miner has been removed.

Furthermore, by dropping both Shellbot and the miner, the attackers have maximized their possible sources of income: potential buyers may find the bot usable on its own or in combination with other techniques and malware. With the Shellbot as a botnet-for-hire and the miner as a passive income generator, attackers may expect a larger income from their campaigns.

Organizations and users can consider adopting security solutions that defend against malicious bot-related activities through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.


Trend Micro solutions

Customers of the Trend Micro™ Deep Discovery Inspector (DDI) are protected from this threat under these rules:

  • Rule 4132: SHELLBOT – IRC (Request)


Indicators of Compromise (IoCs)

Filename   SHA256                                                             Detection
a          448e81b2149596966b574de5b588bcb30ab1f8dc858439d024f0c2fc7bcb55be   Trojan.SH.MINESTARTER.A
findz      52ee7ab09f9a78318ac21bf920df81c3036508f0c3bab46538510c880fb43d7d
r          c81e470cb3bf320ac1c235bf9799f33e20b6761f15bb9254e6655f8f284adcec
e          45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161   HackTool.Linux.XHide.GA
f          7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf
kthreadd   20f188aaea79a104d945908db570f07e586f2a074431c3bcd2492346837f1001   Coinminer.Linux.MALXMR.UWEJR
systemd    60bbffaf1a359224a26717b44f6050b3f983c716a294af7d8d5f707c72074ee6   Coinminer.Linux.MALXMR.UWEJQ
so3        0fd59d93f53d926a432c47a03374238a010e71a381d8af4d2fcacdabd1d26bbc
sshd2      ea72c36916f53509d42755dfbcb7a5bbdb5616a6ebde122ae242eaea2bb47454   Backdoor.Perl.SHELLBOT.D

hxxp://128[.]199[.]202[.]28/uploads/findz   Disease vector
hxxp://128[.]199[.]202[.]28/uploads/sshd2   Disease vector
hxxp://138[.]68[.]52[.]55/uploads/findz     Disease vector
hxxp://138[.]68[.]52[.]55/uploads/so3       Malware accomplice, coin miners
hxxp://138[.]68[.]52[.]55/uploads/sshd2     Insecure IoT connections, disease vector


Article Link: http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RtU3T8XSrNA/