Samba Trojan becomes the bread and butter of fresh attack campaign

The malware's veteran operators go low and slow to compromise Linux machines without detection.
Written by Charlie Osborne, Contributing Writer

The Butter attack campaign has been bolstered through the deployment of the Samba Trojan, a recent change to the stealthy criminal operation.

Researchers from cybersecurity firm GuardiCore have been tracking the Butter campaign since 2015 and while attacks originating from the criminals behind it have been generally limited -- specifically, only from four IPs -- a new payload has now been implemented which "has gone undetected by many security products."

In a blog post on Thursday, the team said that "Butter originates from a very limited number of attack sources and keeps them [the campaign] alive without being caught due to its low and slow operation."

The attack begins with a brute-force SSH attack on Linux machines. If this simple, initial attack vector proves successful, the campaign leaves a backdoor behind called Butter, together with a Trojan payload.

The payload has undergone a number of transitions over time. The most common payloads are the older 80 malware and the new Samba, the former of which is an x64 variant of the well known XOR.DDOS with the filename 80.

80 is a remote access Trojan (RAT) capable of launching distributed denial-of-service (DDoS) attacks, implements measures to maintain persistence, kills off any competing malware on infected machines, and installs a Linux kernel rootkit to hide its presence.

In comparison, Samba is a RAT which appeared on stage in 2018. Not to be confused with the SambaCry vulnerability, this Trojan is not only capable of the standard Trojan functionalities as mentioned above, but also able to execute shell commands, download additional files, contains an upgrade mechanism, and is able to install and execute a cryptocurrency miner.

See also: KingMiner malware hijacks the full power of Windows Server CPUs

GuardiCore says that since the malware first emerged, seven variants have been discovered.

Samba appears to be unique to Butter, and in the same way as previous campaigns tracked by the security firm -- in the cases of Bondnet and Prowli -- some of the malware is written in the Golang programming language.

The latest variant of the campaign, once inside a vulnerable machine, will run a set of system commands in order to create the user "Butter" and install the backdoor. File permissions are changed to permit file execution, including the deployment of Samba.

Upon execution, Samba will wipe log files to hide the infection, adding itself to configuration and startup systems for persistence. Samba will also undergo "long sleep periods" to avoid detection.

The RAT then implements an update procedure and miner executor over plain HTTP to a command-and-control (C2) server. The miner uses power stolen from the victim machine's CPU to mine for Monero.

CNET: Congress still wants answers from Amazon about its facial recognition tech

It is not known how much money the attackers have generated through these attacks.

"The attackers behind Butter are pros," the researchers say. "They have managed to collect machines, stay active for several years and monetize their operations -- and all this without being caught. By 'laying low' and avoid making attribution mistakes, they managed to stay stealthy with a relatively simple infrastructure."

In order to detect potential Butter and fraudulent mining activities, admins need to simply search for a user called "Butter" in their systems and keep an eye on CPU processes. If any intensive activities are discovered which are using high amounts of power, they need to be stopped and their binaries removed.

TechRepublic: How hospitals can use AI to fight medical device hacking

In Butter's case, the cryptocurrency mining-related domain is fr.minexmr.com. The IPs connected to Butter originate from Hong Kong and Singapore.

"We continuously find that the most basic attack methods that worked ten years ago still work and will probably continue to be effective in the future," GuardiCore says. "Brute-forcing credentials and simple persistence methods such as adding users to the system are not going away anytime soon.

"Attackers will continue to search for low-hanging fruit and abuse it as long as it's profitable," the team added. "These easy-to-compromise servers must be handled as part of an attempt to "clean up the Internet."

Top vehicle hacking examples (in pictures)

Previous and related coverage

Editorial standards