URL: https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-ca...
 * Research
 * Threat intelligence
 * Microsoft Defender
 * IoT / OT threats

11 min read


IOT DEVICES AND LINUX-BASED SYSTEMS TARGETED BY OPENSSH TROJAN CAMPAIGN

 * By Microsoft Threat Intelligence

June 22, 2023

 * Microsoft Defender for Endpoint
 * Microsoft Defender for IoT
 * Microsoft Sentinel
 * Attacker techniques, tools, and infrastructure


Cryptojacking, the illicit use of computing resources to mine cryptocurrency,
has become increasingly prevalent in recent years, with attackers building a
cybercriminal economy around attack tools, infrastructure, and services to
generate revenue from targeting a wide range of vulnerable systems, including
Internet of Things (IoT) devices. Microsoft researchers have recently discovered
an attack leveraging custom and open-source tools to target internet-facing
Linux-based systems and IoT devices. The attack uses a patched version of
OpenSSH to take control of impacted devices and install cryptomining malware.

Utilizing an established criminal infrastructure that has incorporated the use
of a Southeast Asian financial institution’s subdomain as a command and control
(C2) server, the threat actors behind the attack use a backdoor that deploys a
wide array of tools and components such as rootkits and an IRC bot to steal
device resources for mining operations. The backdoor also installs a patched
version of OpenSSH on affected devices, allowing threat actors to hijack SSH
credentials, move laterally within the network, and conceal malicious SSH
connections. The complexity and scope of this attack are indicative of the
efforts attackers make to evade detection.

In this blog post, we present our analysis of the tools and techniques used in
this attack and the efforts made by the threat actor to evade detection on
affected devices. We also provide indicators of compromise and relevant
Microsoft Defender for IoT and Microsoft Defender for Endpoint detections, as
well as recommendations for defenders to protect devices and networks.


ATTACK CHAIN

The threat actors initiate the attack by attempting to brute force various
credentials on misconfigured internet-facing Linux devices. Upon compromising a
target device, they disable shell history and retrieve a compromised OpenSSH
archive named openssh-8.0p1.tgz from a remote server. The archive contains
benign OpenSSH source code alongside several malicious files: the shell script
inst.sh, backdoor binaries for multiple architectures (x86-64, arm4l, arm5l,
i568, and i686), and an archive containing the shell script vars.sh, which holds
embedded files for the backdoor’s operation.

After installing the payload, the shell script inst.sh runs a backdoor binary
that matches the target device’s architecture. The backdoor is a shell script
compiled using an open-source project called Shell Script Compiler (shc), and
enables the threat actors to perform subsequent malicious activities and deploy
additional tools on affected systems.

Figure 1. OpenSSH trojan attack chain.


CUSTOM BACKDOOR DEPLOYS OPEN-SOURCE ROOTKITS

Once running on a device, the shell script backdoor tests access to /proc to
determine whether the device is a honeypot. If it can’t access /proc, it
determines the device is a honeypot and exits. Otherwise, it exfiltrates
information about the device, including its operating system version, network
configuration, and the contents of /etc/passwd and /etc/shadow over email to the
hardcoded address dotsysadmin[@]protonmail[.]com, and to any email address
provided by the threat actor as an argument to the script.

On supported systems, the backdoor downloads, compiles, and installs two
open-source rootkits available on GitHub, Diamorphine and Reptile. The backdoor
configures Reptile to connect to the C2 domain rsh.sys-stat[.]download on port
4444 and to hide its child processes, files, or their content. Microsoft
researchers assess that the Diamorphine rootkit is used to hide processes as
well.

Figure 2. Any content in a file that appears between __R_TAG, which is defined
as “ubiqsys”, will be hidden.

To ensure persistent SSH access to the device, the backdoor appends two public
keys to the authorized_keys configuration files of all users on the system.

Figure 3. Adding SSH keys to all users to preserve SSH access.

The backdoor obscures its activity by removing records from Apache, nginx,
httpd, and system logs that contain the IP and username specified as arguments
to the script. Additionally, it has the capability to install an open-source
utility called logtamper to clear the utmp and wtmp logs, which record
information about user sign-in sessions and system events.

The backdoor eliminates cryptomining competition from other miners that may
exist on the device by monopolizing device resources and preventing
communication with a hardcoded list of hosts and IPs related to these
activities. It accomplishes this by adding iptables rules to drop communication
with the hosts and IPs and configuring /etc/hosts to make the hosts resolve to
the localhost address. It also identifies miner processes and files by their
names and either terminates them or blocks access to them, and removes SSH
access configured in authorized_keys by other adversaries.
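Two of the host artifacts described above, the public keys appended to every user's authorized_keys and the /etc/hosts entries that sinkhole competing miners, can be audited with a short script. The following is an added example (not code from the post or from Microsoft) that parses authorized_keys files collected per user, reports keys absent from an organisation's allowlist and keys that recur across several accounts, and lists /etc/hosts names pointed at a loopback address that are not the usual local names. All sample input (user names, key blobs, hostnames under .invalid) is constructed here.

```python
import re
from collections import defaultdict

# Constructed sample: authorized_keys contents collected per user, as an
# auditor would gather them from /root/.ssh and each /home/*/.ssh directory.
# Key blobs are shortened fakes; real keys are far longer.
SAMPLE_AUTHORIZED_KEYS = {
    "root": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey admin@corp\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCintruderKey1 ubuntu\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCintruderKey2 ubuntu\n"
    ),
    "deploy": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdeployKey deploy@ci\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCintruderKey1 ubuntu\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCintruderKey2 ubuntu\n"
    ),
    "www-data": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCintruderKey1 ubuntu\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCintruderKey2 ubuntu\n"
    ),
}

# Constructed allowlist: (key type, base64 blob) pairs the organisation knows.
KNOWN_KEYS = {
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey"),
    ("ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABAAABAQCdeployKey"),
}

KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) for each key line.

    Options such as command="..." may precede the key type, so the first token
    that is a known key type is located instead of assuming field positions.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def audit_authorized_keys(files, known_keys):
    """Return keys not on the allowlist and keys present in more than one
    account. A key appended to every user's file triggers both checks."""
    unknown = []
    owners = defaultdict(set)
    for user, text in files.items():
        for ktype, blob, comment in parse_authorized_keys(text):
            owners[(ktype, blob)].add(user)
            if (ktype, blob) not in known_keys:
                unknown.append({"user": user, "type": ktype,
                                "key": blob, "comment": comment})
    shared = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    return {"unknown": unknown, "shared": shared}


# Constructed /etc/hosts: normal entries plus two sinkhole-style lines.
SAMPLE_ETC_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   iot-gw-01
::1         localhost ip6-localhost ip6-loopback
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
# constructed entries mapping external names to loopback
127.0.0.1   pool.competing-miner.invalid
127.0.0.1   stratum.competing-miner.invalid
"""

LOOPBACK = {"0.0.0.0", "::1"}
EXPECTED_LOCAL_NAMES = {"localhost", "localhost.localdomain",
                        "ip6-localhost", "ip6-loopback"}


def find_sinkholed_hosts(hosts_text, local_hostname=None):
    """Return names in /etc/hosts mapped to a loopback or null address that are
    not the usual local names. Ad-blocking hosts files do the same, so treat
    the result as a lead to review rather than a verdict."""
    expected = set(EXPECTED_LOCAL_NAMES)
    if local_hostname:
        expected.add(local_hostname)
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr.startswith("127.") or addr in LOOPBACK:
            hits.extend(n for n in names if n not in expected)
    return hits
```

On a live host the per-user files come from getent passwd and each home directory's .ssh/authorized_keys (plus AuthorizedKeysFile overrides in sshd_config); the allowlist is whatever the fleet's configuration management considers authoritative.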


PATCHING OPENSSH SOURCE CODE

The backdoor uses the Linux patch utility to apply the patch file ss.patch,
which is embedded in vars.sh, to the OpenSSH source code files included in its
package. Once the patches are applied, the backdoor compiles and installs the
modified OpenSSH on the device.

The compromised OpenSSH grants the attackers persistent access to the device and
to the SSH credentials the device handles. The patches install hooks that
intercept the passwords and keys of the device’s SSH connections, whether as a
client or a server. The passwords and keys are then stored encrypted in a file
on the disk. Moreover, the patches enable root login over SSH and conceal the
intruder’s presence by suppressing the logging of the threat actors’ SSH
sessions, which are distinguished by a special password.

The modified version of OpenSSH mimics the appearance and behavior of a
legitimate OpenSSH server and may thus pose a greater challenge for detection
than other malicious files. The patched OpenSSH could also enable the threat
actors to access and compromise additional devices. This type of attack
demonstrates the techniques and persistence of adversaries who seek to
infiltrate and control exposed devices.

Figure 4. OpenSSH patch to save incoming SSH passwords (ss.patch)


BOTNET OPERATION

The backdoor runs a secondary payload embedded in the shell script vars.sh,
which is a slightly modified version of ZiggyStarTux, an open-source IRC bot
based on the Kaiten malware. Among its features is executing bash commands
issued from the C2 and possessing distributed denial of service (DDoS)
capabilities.

The backdoor employs various mechanisms to set up ZiggyStarTux’s persistence on
compromised systems. It copies the ZiggyStarTux binary to several locations on
the disk and establishes cron jobs to invoke it at regular intervals. Moreover,
it runs a bash script that registers ZiggyStarTux as a systemd service by
creating and configuring the service file
/etc/systemd/system/network-check.service.

Figure 5. Registration of ZiggyStarTux as a systemd service

Analysis of ZiggyStarTux revealed that the threat actors stripped the binary of
logging-related strings and incorporated a function that writes the bot’s
process ID to /var/run/sys_checker.pid, allowing the backdoor to read that file
and conceal that process ID using the installed rootkits.
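The persistence mechanisms in the two paragraphs above (a systemd unit named network-check.service, cron jobs, and a PID file at /var/run/sys_checker.pid) lend themselves to a file-based audit. The following is an added example, not code from the post or from Microsoft, that inspects a systemd unit and a crontab for an ExecStart or command that runs from a writable or temporary directory and for the unit name and PID file path published in the post. The unit and crontab contents are constructed; only the unit name and PID file path come from the post, and the /var/tmp/.cache/netcheck path is an invented placeholder.

```python
import re
import configparser

# Paths from which a legitimate service rarely executes.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Names taken from the post's description of the campaign.
IOC_UNIT_NAMES = frozenset({"network-check.service"})
IOC_PIDFILES = frozenset({"/var/run/sys_checker.pid"})

# Constructed unit modelled on the described persistence; the ExecStart path
# is a placeholder, not an indicator from the post.
SAMPLE_SUSPICIOUS_UNIT = """\
[Unit]
Description=Network connectivity check

[Service]
Type=forking
ExecStart=/bin/bash /var/tmp/.cache/netcheck
PIDFile=/var/run/sys_checker.pid
Restart=always

[Install]
WantedBy=multi-user.target
"""

SAMPLE_BENIGN_UNIT = """\
[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
Restart=on-failure
"""


def audit_unit(name, text, ioc_names=IOC_UNIT_NAMES, ioc_pidfiles=IOC_PIDFILES):
    """Return a list of findings for one systemd unit file."""
    # Unit files are INI-like; allow repeated keys and keep key case.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    findings = []
    if name in ioc_names:
        findings.append(f"unit name matches a published indicator: {name}")
    svc = cp["Service"] if cp.has_section("Service") else {}
    # ExecStart may carry prefixes such as - @ + ! before the path.
    argv = svc.get("ExecStart", "").lstrip("-@+!:").split()
    for tok in argv:
        if tok.startswith(SUSPICIOUS_DIRS):
            findings.append(f"ExecStart runs from a writable location: {tok}")
            break
    pidfile = svc.get("PIDFile", "")
    if pidfile in ioc_pidfiles:
        findings.append(f"PIDFile matches a published indicator: {pidfile}")
    return findings


# Constructed user crontab with one benign and two suspicious entries.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /var/tmp/.cache/netcheck >/dev/null 2>&1
@reboot /var/tmp/.cache/netcheck
"""


def cron_command(line):
    """Return the command part of a user-crontab line, or None."""
    if line.startswith("@"):
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, 5)
    return parts[5] if len(parts) == 6 else None


def audit_crontab(text):
    """Return crontab lines whose command runs from a writable location."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or VAR=value assignment
        cmd = cron_command(line)
        if cmd and any(tok.startswith(SUSPICIOUS_DIRS) for tok in cmd.split()):
            hits.append(line)
    return hits
```

Unit files to feed in come from /etc/systemd/system and /run/systemd/system (systemctl cat <unit> shows the effective text); user crontabs live under /var/spool/cron, and /etc/cron.d entries carry an extra user field before the command.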

The ZiggyStarTux bots communicate with the C2 via an IRC server hosted on
various domains and IPs located in different geographical regions. Evidence
indicates that the threat actors disguise their traffic by utilizing the
subdomain of a Southeast Asian financial institution that is hosted on one of
their own servers.

To receive commands, the ZiggyStarTux bots connect to the IRC server and join a
hidden password-protected channel named ##..##. The server was observed issuing
bash commands that instruct bots to download and launch two shell scripts from a
remote server. The first script, lscan, retrieves lssh.tgz from the server, an
archive of scripts that scan each IP in the subnet for SSH access using a
password list. The scripts record the results of each connection attempt in a
log file.

The second script, zaz, fetches the compromised OpenSSH package with the
embedded backdoor from the remote server. The installation is carried out using
the email address ancientgh0st@yahoo[.]com as an argument to serve as an
additional exfiltration point for device information. Additionally, zaz
retrieves an archive called hive-start.tgz which contains mining malware crafted
for Hiveon OS systems, a Linux-based open-source operating system designed for
cryptomining.


INDICATIONS OF CRIMINAL COOPERATION

Microsoft researchers have traced the campaign to a user named asterzeu on the
hacking forum cardingforum[.]cx, who offered multiple tools for sale on the
platform, including an SSH backdoor. The domain madagent[.]tm was registered in
2015 with an email address matching the username and shared numerous servers
over a four-year period with madagent[.]cc, one of the C2 domains of
ZiggyStarTux. Furthermore, the distribution of the shell script backdoor between
threat actors has been identified, adding to the evidence of a network of tools
and infrastructure shared or sold on the malware-as-a-service market.

Figure 6. Post on hacking forum where malicious tools are being sold by the user
“asterzeu”


MITIGATION AND PROTECTION GUIDANCE

Microsoft recommends the following steps to protect devices and networks against
this threat:

 * Harden internet-facing devices against attacks
   * Ensure secure configurations for devices: Change the default password to a
     strong one, and block SSH from external access.
   * Maintain device health with updates: Make sure devices are up to date with
     the latest firmware and patches.
   * Use least-privileges access: Use a secure virtual private network (VPN)
     service for remote access and restrict remote access to the device.
   * When possible, update OpenSSH to the latest version.
 * Adopt a comprehensive IoT security solution such as Microsoft Defender for
   IoT to allow visibility and monitoring of all IoT and OT devices, threat
   detection and response, and integration with SIEM/SOAR and XDR platforms such
   as Microsoft Sentinel and Microsoft 365 Defender.
 * Use security solutions with cross-domain visibility and detection
   capabilities like Microsoft 365 Defender, which provides integrated defense
   across endpoints, identities, email, applications, and data.


DETECTIONS


MICROSOFT DEFENDER FOR IOT

Microsoft Defender for IoT uses detection rules and signatures to identify
malicious behavior. Microsoft Defender for IoT has alerts for the use of
open-source tools and exploits that may be tied to this attack.


MICROSOFT DEFENDER ANTIVIRUS

Microsoft Defender Antivirus detects this threat as the following malware:

 * Trojan:Linux/SamDust!MTB
 * Trojan:Linux/SamDust.D!MTB
 * Trojan:Linux/SamDust.B!MTB
 * Trojan:Linux/SamDust.A!MTB
 * Trojan:Linux/SamDust.N!MTB
 * Trojan:Linux/Reptile.A
 * Trojan:Linux/Reptile.B
 * Trojan:Linux/Reptile.C
 * Trojan:Linux/Reptile.D
 * Trojan:Linux/Diamorphine.A!MTB


MICROSOFT DEFENDER FOR ENDPOINT

The following Microsoft Defender for Endpoint alerts can indicate associated
threat activity:

 * Unusual number of failed sign-in attempts

The following alerts might also indicate threat activity related to this threat.
Note, however, that these alerts can be also triggered by unrelated threat
activity.

 * Suspicious file property modification occurred
 * Suspicious termination of security tool
 * Suspicious service launched
 * Suspicious Linux service created
 * File masquerading


HUNTING QUERIES


MICROSOFT SENTINEL

Microsoft Sentinel customers can use the TI Mapping analytics (a series of
analytics all prefixed with ‘TI map’) to automatically match the malicious
domain indicators mentioned in this blog post with data in their workspace. If
the TI Map analytics are not currently deployed, customers can install the
Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the
analytics rule deployed in their Sentinel workspace. More details on the Content
Hub can be found here: 
https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

In addition, customers can use the SSH Brute force detection template in the
Syslog solution package to monitor for brute force attempts against their
exposed SSH endpoints.
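The brute-force stage that opens the attack chain leaves a recognisable trail in sshd's authentication log. As an added example (not code from the post, from Microsoft, or from the Sentinel Syslog template), the script below parses auth.log lines, counts failed passwords per source address in a sliding window, and marks the case worth escalating: a successful logon from the same address right after the burst. The log excerpt, host name and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (RFC 3164 timestamps, no year).
SAMPLE_AUTH_LOG = """\
Jun 22 10:15:01 iot-gw-01 sshd[2231]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jun 22 10:15:02 iot-gw-01 sshd[2233]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Jun 22 10:15:02 iot-gw-01 sshd[2235]: Failed password for invalid user pi from 198.51.100.23 port 41034 ssh2
Jun 22 10:15:03 iot-gw-01 sshd[2237]: Failed password for root from 198.51.100.23 port 41040 ssh2
Jun 22 10:15:03 iot-gw-01 sshd[2239]: Failed password for root from 198.51.100.23 port 41044 ssh2
Jun 22 10:15:04 iot-gw-01 sshd[2241]: Accepted password for root from 198.51.100.23 port 41050 ssh2
Jun 22 10:16:10 iot-gw-01 sshd[2260]: Failed password for deploy from 203.0.113.9 port 50122 ssh2
Jun 22 10:30:44 iot-gw-01 sshd[2300]: Accepted publickey for deploy from 203.0.113.9 port 50200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2023):
    """Return (timestamp, ip, result, user) tuples for sshd auth lines.

    Syslog timestamps omit the year, so the caller supplies it.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["result"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: {"max_failures": n, "success_after_burst": bool}} for each
    source whose failures inside a window_s sliding window reach threshold."""
    windows = defaultdict(deque)
    stats = {}
    for ts, ip, result, user in sorted(events, key=lambda e: e[0]):
        q = windows[ip]
        if result == "Failed":
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold:
                s = stats.setdefault(ip, {"max_failures": 0,
                                          "success_after_burst": False})
                s["max_failures"] = max(s["max_failures"], len(q))
        elif result == "Accepted" and ip in stats:
            # A logon from an address that just crossed the threshold is the
            # event to escalate: the guessing may have succeeded.
            stats[ip]["success_after_burst"] = True
    return stats


if __name__ == "__main__":
    for ip, s in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, s)
```

Threshold and window are tuning knobs; internet-facing devices see constant low-rate guessing, so the success-after-burst flag is what separates noise from a probable compromise.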


INDICATORS OF COMPROMISE

Indicator | Type
asterzeu[@]yahoo[.]com | Email address
dotsysadmin[@]protonmail[.]com | Email address
185.161.208[.]234 | C2
139.180.185[.]24 | C2
199.247.30[.]230 | C2
149.28.239[.]146 | C2
209.250.234[.]77 | C2
70.34.220[.]100 | C2
irc[.]socialfreedom[.]party | C2
singapore[.]sg[.]socialfreedom[.]party | C2
amsterdam[.]nl[.]socialfreedom[.]party | C2
frankfurt[.]de[.]socialfreedom[.]party | C2
sidney[.]au[.]socialfreedom[.]party | C2
losangeles[.]us[.]socialfreedom[.]party | C2
mumbaitravelers[.]org | C2
sh[.]madagent[.]tm | C2
ssh[.]madagent[.]tm | C2
dumpx[.]madagent[.]tm | C2
reg[.]madagent[.]tm | C2
sshm[.]madagent[.]tm | C2
z[.]madagent[.]tm | C2
ssho[.]madagent[.]tm | C2
sshr[.]madagent[.]tm | C2
sshu[.]madagent[.]tm | C2
user[.]madagent[.]tm | C2
madagent[.]cc | C2
cler[.]madagent[.]cc | C2
dumpx[.]madagent[.]cc | C2
mh[.]madagent[.]cc | C2
ns1[.]madagent[.]cc | C2
ns2[.]madagent[.]cc | C2
ns3[.]madagent[.]cc | C2
ns4[.]madagent[.]cc | C2
reg[.]madagent[.]cc | C2
ssh[.]madagent[.]cc | C2
sshm[.]madagent[.]cc | C2
ssho[.]madagent[.]cc | C2
sshr[.]madagent[.]cc | C2
sshu[.]madagent[.]cc | C2
user[.]madagent[.]cc | C2
www[.]madagent[.]cc | C2
rsh[.]sys-stat[.]download | C2
sh[.]sys-stat[.]download | C2
sh[.]rawdot[.]net | C2
ssho[.]rawdot[.]net | C2
donate[.]xmr[.]rawdot[.]net | C2
pool[.]rawdot[.]net | C2
2018[.]rawdot[.]net | C2
blog[.]rawdot[.]net | C2
clients[.]rawdot[.]net | C2
ftp[.]rawdot[.]net | C2
psql01[.]rawdot[.]net | C2
www[.]rawdot[.]net | C2
sh[.]0xbadc0de[.]stream | C2
ss[.]0xbadc0de[.]stream | C2
a26631dcc1aef92a92d2d37476fb1e9becae54541e0411224a441d3afc20b02a | Script to launch ZiggyStarTux
6e9b692b401a57db306bd6c95409042aa6ed075088a40a6ceb74f96895116b62 | ZiggyStarTux
5e11731e570fc79ad07da4f137e103e0ebfa45530fabd8fa9a9fece4e497bce0 | ZiggyStarTux
22c2115becd1d0ff9dfe70d14a52ab0354e420f4bfe0df70ca0d55d3c557c6b3 | ZiggyStarTux
d335c83c0dd5bc9a078e796016f9a9f845ff89ee434c63c7a2e7b360e8be3e95 | ZiggyStarTux
336928c813f3c0ab9aaad5a9853ed96b3f82e7b2b6d96139a7ebb146337dd248 | ZiggyStarTux
1f6a52ce5ee017f88bd5f9028e3741e69837437cc48444d31d50ef28f1ed03f4 | ZiggyStarTux
b72f21077f9f4d85d555cc6c18677e285b61f980ca99d0495d52f0cbbe66517a | Malicious OpenSSH
8e7c6cbbb17ffe5ea98986dd36c3e979bc348626637ff9bfd55cb08414f3494c | Malicious OpenSSH
39b640f62c0046139c41bccd0f98f96165597d50c4823ed88154160c0cae6bd1 | Malicious OpenSSH
b77f991a9e0533a7bb39480ba7e96c29a1c1c9e2e212497cfbf6221751a196a2 | Malicious OpenSSH
1782930bc2d46da541c980c09b13811f504b743e485a2befb0df1e5865a95847 | Malicious OpenSSH
7ea1db1581afb977ec6d4abadf98660526205f23c366f7ba6aa04061762b5a7e | Malicious OpenSSH
4b23d2126a6aec79396630dc10bdf279d9dafc71358145ab0b726cdf0a90dedf | Malicious OpenSSH
081ad11e67af3fd98cb34cae89a5d26699f132a7ada62b1409eb85eaa4431437 | Malicious OpenSSH
8ff06c7f0c105301397d15b1be3f6fe3ba081bbe042136c5b0fa4478ab59650d | Malicious OpenSSH
28616594b320b492c04429ab2f569d22d56bd9a047903f214d8b0eacab9b9c14 | Backdoor
e22148ae0cb1a5cc7743351909cd0ae99ba6a84e181dded1cfa9fa0ed9e4f0e2 | Backdoor
6101fcda212f2ee2340e85eaac071ffa95507166ba253d555a69c9ab6c16b148 | Backdoor
52fb0dcd929d57e32c8383873897963dd671b626d7e31dd98d2b092a9b57be43 | Backdoor
78701d6cafb3e477a033d63b99d480c2d7647079133ecabdcb54cd7a520e46de | Backdoor
2eb5a4766dd7b90674f16eea62ba4e9c33dac8023e1692ed67c917bca448d14f | Backdoor
c775964fe1207b6a6f9faf818c63874b2bf5612581e3c3b2d9f6eeee969229d8 | Backdoor
75385bb1548c567c4814ad5c13fde6bf64e47694c244e1c26e903abc4523c667 | Backdoor
bc1e444ab92bb40e41e08846f3e485ffa17ab98563f2ed2129ef1b02c3d5a878 | Backdoor
8cb1df542bc60eb187066c136ae413540b33dd28c856ee472dd073affb96a84b | Backdoor
55448d04183a253c939a6463c8992cbc007be237c80de92ff31e3f6606ebd470 | Backdoor
9967921339799ed6f510c8a567f8bd69129d75d113f5c63612ceef0d5c4bf019 | Backdoor
0a565ebae65fb5fbb34801c2948d35a0b7b5762a9ce51bd55a43181f46bc9723 | Backdoor
fdfed7c2bf55d0f2440f623e265ab8b8006987f94d23982688914feffb3c549e | Backdoor
32aa3e5fd9b79dcfd9ebe590b6784527cb17217cdeb61a1791bd4a5f721f0099 | vars.sh archive
30d456d6dbd492923972d5f3ceb72c0f7e80d1f6391d6f9c0f5e889b6f71be66 | vars.sh archive
74f4b030529435a8872c3e10d3341a1988d4fdbba89d9afd876458980f6f7a49 | vars.sh archive
3033bb18554ce62f2f96338af682efb647c98d126734bb20426da8ec49ec1cdd | Decode utility used by the backdoor
58b9622960e1bb189a403da6cd73e6ec2cb446680a18092351e5a9fa1a205cbc | ss.patch
0027edb4a3c33f3d0cb5cc6fc85b58a8f7c70b8e57a2d28bed53f11c5f649848 | inst.sh
7ca66932d9015bf14b89b8650408e39a65c96f59f9273feaede28cabca8a3bbc | hive-start.tgz
9564172445e66f0d3cb64c42f2298f14093c342b95b023bcb82408b6f2a66cd3 | lssh.tgz
722b1970caa804154d85fb3dba88cf192bf3eedd2fea40c8c49c98130797649d | File from lssh.tgz
85877eb8f60c903ccb256e776c3e077295cf10eccff8d8ce4400edc699e8021f | File from lssh.tgz
635b3dfadeab6b3c2574b1689607b776518d42c2b9fdb895e25c04a8ae9dee92 | File from lssh.tgz
3ba302f533fcf065fe3f80b4bbea4653e86a5a8c1c752e4798a64a6be3d06e5d | File from lssh.tgz
b8a360e7094e27857c7daacf624f2d9916e002201caf8a88c5aa3bd37f7bc264 | File from lssh.tgz
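The indicators above are published defanged ([.] and [@]) and, for the binaries, as SHA-256 digests. Putting them to work outside Sentinel's TI Mapping means refanging the domains, matching DNS queries against them including subdomains, and comparing file digests (for instance of the installed sshd binary and anything in cron or systemd paths) against the hash list. The following is an added example, not code from the post or from Microsoft: the domain and hash values are a subset copied from the table above, while the DNS log lines, client addresses and file contents are constructed.

```python
import hashlib

# Subset of the post's indicators, copied as published (defanged).
DEFANGED_DOMAINS = [
    "rsh[.]sys-stat[.]download", "sh[.]sys-stat[.]download",
    "irc[.]socialfreedom[.]party", "madagent[.]cc", "ssh[.]madagent[.]cc",
    "sh[.]0xbadc0de[.]stream",
]
FILE_HASHES = {
    "a26631dcc1aef92a92d2d37476fb1e9becae54541e0411224a441d3afc20b02a": "Script to launch ZiggyStarTux",
    "b72f21077f9f4d85d555cc6c18677e285b61f980ca99d0495d52f0cbbe66517a": "Malicious OpenSSH",
    "8ff06c7f0c105301397d15b1be3f6fe3ba081bbe042136c5b0fa4478ab59650d": "Malicious OpenSSH",
    "58b9622960e1bb189a403da6cd73e6ec2cb446680a18092351e5a9fa1a205cbc": "ss.patch",
    "0027edb4a3c33f3d0cb5cc6fc85b58a8f7c70b8e57a2d28bed53f11c5f649848": "inst.sh",
}


def refang(indicator):
    """Undo the common defanging conventions so the value matches log data."""
    return (indicator.replace("[.]", ".").replace("[@]", "@")
            .replace("hxxp", "http").strip().lower())


def build_domain_set(defanged):
    return {refang(d) for d in defanged}


def domain_matches(qname, domains):
    """True if qname equals an indicator or is a subdomain of one, so that
    madagent[.]cc also catches ns1.madagent.cc."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


# Constructed DNS query log: "<timestamp> <client> query <type> <name>".
SAMPLE_DNS_LOG = """\
2023-06-22T10:20:01Z 10.0.0.17 query A pool.ntp.org
2023-06-22T10:20:05Z 10.0.0.42 query A rsh.sys-stat.download
2023-06-22T10:20:09Z 10.0.0.42 query A ns1.madagent.cc
2023-06-22T10:21:00Z 10.0.0.17 query AAAA www.microsoft.com
"""


def scan_dns_log(text, domains):
    """Return (client, queried name) pairs that hit an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _verb, _qtype, qname = fields[:5]
        if domain_matches(qname, domains):
            hits.append((client, qname))
    return hits


def classify_digest(hexdigest, table=FILE_HASHES):
    """Return the indicator type for a SHA-256 digest, or None."""
    return table.get(hexdigest.strip().lower())


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(paths, table=FILE_HASHES):
    """Return {path: indicator type} for files whose digest is in the table."""
    results = {}
    for p in paths:
        kind = classify_digest(sha256_file(p), table)
        if kind:
            results[p] = kind
    return results
```

Digest matching only catches the exact builds listed; a recompiled trojaned sshd has a different hash, so on Debian or RPM hosts pair it with dpkg -V openssh-server or rpm -V openssh-server to compare the installed binary against the package manifest.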



Rotem Sde-Or, Microsoft Threat Intelligence Community




FURTHER READING

For the latest security research from the Microsoft Threat Intelligence
community, check out the Microsoft Threat Intelligence Blog:
https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media,
follow us on Twitter at https://twitter.com/MsftSecIntel.

