Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: BashLegend (active)
First seen in Guardicore Centra: 2020-05-14
Last seen in Guardicore Centra: 2020-09-02

BashLegend is an attack campaign operated by a hacker named UzzySenpai. Its first attack incidents were captured by Guardicore sensors in May 2020; its current wave started in late August.
In this campaign, the hacker brute-forces public SSH servers. After a successful connection, the attacker downloads an executable file named .0803 from its command-and-control server. This file is an obfuscated version of an open-source tool called RootHelper, which “aids in the process of privilege escalation on a compromised Linux system”, according to its description on GitHub.
Afterwards, an XMRig Monero miner is downloaded alongside a JSON configuration. Since its emergence, we’ve observed only a single wallet being used: 89QZqpUHJBUJTYWKXxcHMrWrsJNVhKLUh2EmYd9KbBkmNhY6MNcJc8BJJ89QE621aLWuffSWHe2y7cA9up7t2kohJH42rWY.
BashLegend’s cryptominer names its workers after the number of CPU cores on the compromised machine (e.g. 1-Squad, 4-Squad), which gives us an insight into the nature of the victims. Some active workers are named 60-Squad, indicating that at least one victim with 60 CPU cores was hit by the attack. The strings observed in the attack files, combined with the fact that the first attack incidents originated in Romania, strongly suggest that the BashLegend operator is of Romanian origin.
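The two observables above that a defender can act on are the initial access pattern (a burst of failed SSH password attempts from one source followed by an accepted login) and the miner's fingerprint (the single wallet and the N-Squad worker naming). The following Python is an added example, not code from Guardicore or from this page: it runs both checks over constructed inputs. The auth log lines, the source IP 203.0.113.5 and the pool URL are made up; the wallet address is the one reported above. Which XMRig config field carries the worker name (rig-id or pass) is an assumption, so both are checked.

```python
import json
import re
from collections import defaultdict

# Constructed OpenSSH auth log sample (not from the page). 203.0.113.5 is a
# documentation address standing in for a brute-forcing host.
SAMPLE_AUTH_LOG = """\
Aug 30 02:11:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Aug 30 02:11:03 host sshd[2203]: Failed password for root from 203.0.113.5 port 40120 ssh2
Aug 30 02:11:05 host sshd[2205]: Failed password for root from 203.0.113.5 port 40131 ssh2
Aug 30 02:11:07 host sshd[2207]: Failed password for invalid user admin from 203.0.113.5 port 40140 ssh2
Aug 30 02:11:09 host sshd[2209]: Failed password for root from 203.0.113.5 port 40152 ssh2
Aug 30 02:11:12 host sshd[2211]: Accepted password for root from 203.0.113.5 port 40160 ssh2
Aug 30 02:15:40 host sshd[2300]: Accepted publickey for deploy from 10.0.0.7 port 51000 ssh2
"""

# Wallet observed in the campaign (taken from the write-up above).
KNOWN_WALLET = ("89QZqpUHJBUJTYWKXxcHMrWrsJNVhKLUh2EmYd9KbBkmNhY6MNcJc8BJJ89QE621"
                "aLWuffSWHe2y7cA9up7t2kohJH42rWY")

# Constructed XMRig-style config; the pool URL is a placeholder and the
# placement of the worker name in "rig-id" is an assumption.
SAMPLE_XMRIG_CONFIG = json.dumps({
    "autosave": True,
    "pools": [{
        "url": "pool.example.invalid:3333",
        "user": KNOWN_WALLET,
        "pass": "x",
        "rig-id": "4-Squad",
    }],
})

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")
WORKER_RE = re.compile(r"^\d+-Squad$")  # worker names are "<cores>-Squad"


def detect_bruteforce_then_success(lines, threshold=5):
    """Return (src_ip, user, failures) for every accepted login that was
    preceded by at least `threshold` failed password attempts from the
    same source address. Failures are counted per source, not per user,
    because the campaign sprays credentials at root."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            alerts.append((m.group(2), m.group(1), failures[m.group(2)]))
    return alerts


def scan_xmrig_config(config_text):
    """Return a list of findings for an XMRig-style JSON config: the known
    campaign wallet in a pool's user field (with or without a ".worker"
    suffix) and the N-Squad worker naming in rig-id or pass."""
    cfg = json.loads(config_text)
    findings = []
    for pool in cfg.get("pools", []):
        user = pool.get("user", "")
        if isinstance(user, str) and user.split(".")[0] == KNOWN_WALLET:
            findings.append("known BashLegend wallet in pool user")
        for field in ("rig-id", "pass"):
            value = pool.get(field)
            if isinstance(value, str) and WORKER_RE.match(value):
                findings.append(f"BashLegend worker naming in {field}: {value}")
    return findings


if __name__ == "__main__":
    for src, user, n in detect_bruteforce_then_success(SAMPLE_AUTH_LOG.splitlines()):
        print(f"ALERT: {user} accepted from {src} after {n} failed attempts")
    for finding in scan_xmrig_config(SAMPLE_XMRIG_CONFIG):
        print("ALERT:", finding)
```

The brute-force check deliberately keys on the source address rather than the username, since the events above show the same root account being hit until a password is accepted. The threshold is a tuning knob; on a host with fail2ban or key-only authentication it can be lowered without much noise.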

Attack Flow

Breached Services: SSH

Tags: Shell Commands (2), Log Tampering, Download File, HTTP, SSH, Download and Execute, Outgoing Connection, Successful SSH Login, Download and Allow Execution, Download Operation

Incident Summary

[Successful SSH Login] A user logged in using SSH with the following credentials: root / ******** – Authentication policy: White List
[Download Operation] A possibly malicious Download Operation was detected 4 times
[Log Tampering] History File Tampering detected from /usr/sbin/sshd 2 times
[Outgoing Connection] Process /usr/bin/wget generated outgoing network traffic to: 165.22.191.183:80 2 times
[Outgoing Connection] Process /bin/bash generated outgoing network traffic to: 165.22.191.183:80
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ******** – Authentication policy: Correct Password
[Download File] /tmp/.0803.1 was downloaded
[Download and Allow Execution] The file /tmp/.ICMP-unix/xmrig was downloaded and granted execution privileges
[Download and Execute] The file /tmp/.0803 was downloaded and executed
[Log Tampering] History File Tampering detected from /bin/rm on the following logs: /root/.bash_history
Connection was closed due to user inactivity