A group called SSHPsychos generated large amounts of scanning traffic on the Internet in search of SSH hosts it could log in to through brute-force attacks.
The activity of the attackers, also known as Group 93, first came to light in June 2014 through passive DNS data gathering. The SSH traffic generated by the attacker at times exceeded 35 percent of all SSH traffic on the Internet.
The goal of SSHPsychos was to install a rootkit that enslaved the machine in a botnet used for distributed denial-of-service (DDoS) attacks. The malware was uncovered by Malware Must Die! in September 2014 and by FireEye in February 2015.
Security researchers at Cisco Talos Group and Level 3 Communications monitored the activity of the attacker and found they relied on a dictionary of over 300,000 passwords to find the log-in password for the root user.
Once the correct password was found, authentication came from a different IP address located outside the United States, and a wget request was issued from the compromised system to download the DDoS rootkit.
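The brute-force-then-login sequence described above leaves a recognizable trace in sshd authentication logs. The following is an added example, not code from the article or from the researchers it cites: it parses constructed auth-log lines and flags a successful root login that follows a burst of failed password attempts, noting whether the success came from a different address than the failures, as in this campaign.

```python
import re
from datetime import datetime

# Constructed sshd log lines (not taken from the article) showing the pattern:
# a dictionary attack on root from one address, then a successful root login
# from a different address a few minutes later.
SAMPLE_AUTH_LOG = """\
Apr 10 12:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 10 12:00:02 host sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Apr 10 12:00:03 host sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Apr 10 12:00:04 host sshd[1004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Apr 10 12:00:05 host sshd[1005]: Failed password for root from 192.0.2.10 port 40005 ssh2
Apr 10 12:03:20 host sshd[1010]: Accepted password for root from 198.51.100.7 port 50001 ssh2
Apr 10 12:10:00 host sshd[1020]: Accepted publickey for alice from 203.0.113.5 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)

def parse_auth_log(text, year=2015):
    """Return (timestamp, result, method, user, ip) tuples for sshd auth lines.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_bruteforce_then_login(events, user="root", min_failures=5, window_s=600):
    """Flag each accepted login for `user` preceded by at least `min_failures`
    failed password attempts within `window_s` seconds; record the source IPs."""
    alerts = []
    for ts, result, method, u, ip in events:
        if result != "Accepted" or u != user:
            continue
        prior = [(t, i) for t, r, m, uu, i in events
                 if r == "Failed" and m == "password" and uu == user
                 and 0 <= (ts - t).total_seconds() <= window_s]
        if len(prior) >= min_failures:
            attackers = {i for _, i in prior}
            alerts.append({"time": ts.isoformat(), "login_ip": ip, "method": method,
                           "failures": len(prior), "attacker_ips": sorted(attackers),
                           "different_ip": ip not in attackers})
    return alerts
```

Thresholds are assumptions; a real deployment would tune `min_failures` and `window_s` to the host's normal failure rate and feed the alerts to a SIEM rather than a list.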
“Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers,” Cisco researchers said in a blog post.
The configuration file included instructions for terminating running processes based on several indicators: their CRC checksum or active communication with a given IP address.
When a process matching the supplied parameters was found, it was immediately removed from the infected machine, an action meant to keep the asset from being used by other malware.
Talos initiated a collaboration with Level 3 in order to establish the steps they would need to take to stop SSHPsychos’ action.
An analysis from Level 3 determined that only malicious traffic originated from or was intended for the 184.108.40.206/23 netblock. As such, the two security companies began to take it down.
However, the cybercriminals took steps of their own to protect the operation and switched to a new /23 network (220.127.116.11/23), at the same time changing the malware-serving host.
“Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 18.104.22.168/23, but also add the new netblock 22.214.171.124/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period,” Cisco researchers said.