SSHPsychos regroup after takedown operation

Apr 9, 2015 17:30 GMT  ·  By

A group of cybercriminals dubbed SSHPsychos by security researchers has been creating large amounts of scanning traffic on the Internet in search of SSH hosts, in an attempt to log in via brute-force attacks that leveraged a dictionary with more than 300,000 passwords.

The activity of the threat actor, which is also known as Group 93, was first spotted in June 2014, based on passive DNS data gathering. The SSH traffic generated by the attacker sometimes passed 35% of all the SSH traffic on the Internet.

Malware protects infected machine from other threats

The goal of SSHPsychos was to install a rootkit that enslaved the machine in a botnet used for distributed denial-of-service (DDoS) purposes. The malware was covered by Malware Must Die! in September 2014 and by FireEye in February 2015.

Security researchers at Cisco Talos Group and Level 3 Communications monitored the attacker's activity and found that the dictionary was used only against the root account; no other usernames were tried.

Once the correct password was found, the actual login came from a different IP address, outside the United States, and a wget request was then issued from the compromised system to download the DDoS rootkit.

“Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers,” Cisco researchers said in a blog post on Thursday.

The configuration file included instructions for terminating running processes that matched several indicators, such as a process's CRC checksum or active communication with a particular IP address.

When an entry matching the provided parameters was found, it was immediately removed from the infected machine. This action is likely taken to protect the asset from being used by other malware pieces.

Disrupting the activity of the group is not easy

Based on the data amassed from the monitoring activity, Talos initiated a collaboration with Level 3 in order to establish the steps that could be taken to stop SSHPsychos' activity.

An analysis from Level 3 determined that only malicious traffic originated from or was intended for the 103.41.124.0/23 netblock. As such, the two security entities began to take it down.

However, the cybercriminals took some steps themselves to protect their operation and switched to a new /23 network (43.255.190.0/23), at the same time changing the malware serving host.

“Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period,” Cisco says.

Level 3 recommends that administrators of Linux machines with an SSH daemon exposed to the open Internet disable root login over SSH.
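As an added illustration of that recommendation (this is not code from the article, Cisco Talos or Level 3), the following Python audit reads an sshd_config and reports whether root login and password authentication are effectively disabled. It assumes sshd's rule that the first value read for a directive wins, so a hardening line appended after an earlier `PermitRootLogin yes` changes nothing, and it treats directives after a `Match` block as conditional rather than global; the two config samples are constructed.

```python
import re

# Directives that decide whether root-only password guessing over SSH can
# succeed at all, with the values that count as hardened.
CHECKS = {
    "permitrootlogin": {"no", "prohibit-password", "without-password",
                        "forced-commands-only"},
    "passwordauthentication": {"no"},
}


def effective_settings(config_text):
    """Return the globally effective value of each directive in CHECKS.

    sshd keeps the first value it reads for a directive (first match wins),
    so later duplicates are ignored here. Anything after a Match line is
    conditional and is not counted as a global setting.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key in CHECKS and key not in found and len(parts) == 2:
            found[key] = parts[1].strip().strip('"').lower()
    return found


def audit(config_text):
    """Map each checked directive to (effective value or None, hardened?).

    An unset directive is reported as not hardened: the compiled-in default
    varies between OpenSSH versions, so an explicit value is what to aim for.
    """
    eff = effective_settings(config_text)
    return {k: (eff.get(k), eff.get(k) in CHECKS[k]) for k in CHECKS}


# Constructed sample: the trailing "PermitRootLogin no" is silently ignored.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# Constructed sample: hardened globally, password auth re-enabled for one user.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for directive, (value, ok) in audit(cfg).items():
            print(f"{name:8} {directive:23} {value!s:8} {'OK' if ok else 'FIX'}")
```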

Image: Overview of the SSHPsychos attack
Image: SSH Psychos SSH traffic is shown in red, traffic from the rest of the world is green