
Shc Linux Malware Installs Coin Miner

The ASEC analysis team recently confirmed that Linux malware compiled with Shc (the shell script compiler) is installing coin miner malware. The attacker is presumed to have installed various malicious codes after authenticating successfully through a dictionary attack against a poorly managed Linux SSH server.

Coin miner malware can be installed in two ways: either directly by the attacker through the command line, or by exploiting a buffer overflow vulnerability.

Direct installation:

1. The attacker uploads a malicious script in advance, logs in to the SSH server, and executes it via sudo. The malicious code then runs automatically, produces the coin miner malware binary, and finally installs and runs it.

Buffer overflow exploit:

2. The attacker logs in to the SSH server and, after authentication, executes an exploit script. The malicious code then runs automatically, produces the coin miner malware binary, and finally installs and runs it.

The attacker uses a dictionary password attack against SSH servers with weak authentication, such as a default password. If an administrator leaves the default password in place for access to the server, an attacker can breach the system and cause further damage.
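The dictionary attack described above leaves a characteristic trace in the SSH daemon's authentication log: a burst of "Failed password" lines from one source address, often cycling through usernames, followed by an "Accepted password" line from that same address. The following detector, an added example that is not from the original post or from ASEC, parses OpenSSH syslog-format lines, counts failures per source IP inside a sliding window, and marks the address as a likely compromise when a successful login follows the burst. The log lines, the threshold, the window size and the IP addresses are all constructed for the example.

```python
"""Detect SSH dictionary attacks in auth.log-style lines (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" / "Accepted password" lines in classic syslog
# format. Assumption: the timestamp has no year, as in default rsyslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

FAIL_THRESHOLD = 5      # failures that count as a dictionary attack (assumed value)
WINDOW_SECONDS = 300    # ... within this sliding window (assumed value)
LOG_YEAR = 2024         # syslog omits the year; supply one so timestamps parse

# Constructed sample log: one address hammers several accounts and then gets in;
# a second address shows a single typo followed by a normal login; one CRON line
# is unrelated and must be ignored.
SAMPLE_LOG = """\
Jan 12 03:14:01 srv sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:02 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:04 srv sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jan 12 03:14:05 srv sshd[2207]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan 12 03:14:07 srv sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51035 ssh2
Jan 12 03:14:09 srv sshd[2211]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Jan 12 03:20:15 srv sshd[2230]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Jan 12 03:20:20 srv sshd[2230]: Accepted password for alice from 198.51.100.9 port 40100 ssh2
Jan 12 03:21:00 srv CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_line(line):
    """Return a dict with ts/result/user/ip for an sshd password line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_dictionary_attacks(lines):
    """Return {ip: finding} for every source IP that crossed FAIL_THRESHOLD.

    A finding records the failure count inside the window, the set of
    usernames tried, and whether an Accepted line followed the burst
    (the "compromised" flag, with the account that was opened).
    """
    recent_failures = defaultdict(list)   # ip -> [(ts, user), ...] inside the window
    findings = {}
    window = timedelta(seconds=WINDOW_SECONDS)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # not an sshd password event
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent_failures[ip].append((ev["ts"], ev["user"]))
            # drop attempts that fell out of the sliding window
            recent_failures[ip] = [(t, u) for t, u in recent_failures[ip]
                                   if ev["ts"] - t <= window]
            if len(recent_failures[ip]) >= FAIL_THRESHOLD:
                f = findings.setdefault(ip, {"failures": 0, "users": set(),
                                             "compromised": False})
                f["failures"] = len(recent_failures[ip])
                f["users"] = {u for _, u in recent_failures[ip]}
        elif ip in findings:
            # a success after a flagged burst: the dictionary attack worked
            findings[ip]["compromised"] = True
            findings[ip]["success_user"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_dictionary_attacks(SAMPLE_LOG.splitlines()).items():
        status = "COMPROMISED as " + f["success_user"] if f["compromised"] else "attack only"
        print(f"{ip}: {f['failures']} failures, users tried {sorted(f['users'])}, {status}")
```

Run it against a real `/var/log/auth.log` (or `journalctl -u ssh -o short`) by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the address with a success after a burst is the one whose sessions, sudo use and new binaries merit immediate investigation. The single failure from 198.51.100.9 correctly produces no finding.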

Source: Shc Linux Malware Installs Coin Miner - AlienVault - Open Threat Exchange
