SambaCry lets an attacker take remote control of vulnerable Linux and Unix systems, but only under specific conditions: the Samba service must be reachable over the network on port 445, the attacker must have write permission on a share, and the server-side path of that share must be known. When those conditions are met, the attacker can upload a malicious shared library to the share and cause the server to load and execute it.
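The precondition that matters most to a defender is the writable share. The audit script below is an added example, not code from the original article or from the Samba project: it parses an smb.conf and lists every share that a remote user could write to, noting whether guest (unauthenticated) access is also allowed and which server-side path the share exposes. The sample configuration embedded in the script is constructed for this example; the parameter names (`read only`, `writable`, `write list`, `guest ok`, `available`) and their defaults follow Samba's documented smb.conf semantics.

```python
"""Audit an smb.conf for shares that remote users can write to.

A share that is writable (or writable for some users via 'write list') and
reachable on port 445 satisfies the file-upload precondition described in the
article. Sections inherit share-level defaults from [global], and Samba's own
defaults apply when neither sets a parameter.
"""

# Samba defaults for the parameters this audit looks at.
DEFAULTS = {"read only": "yes", "guest ok": "no", "available": "yes"}
# 'writable'/'writeable' are the inverse of 'read only'; other synonyms map directly.
INVERSE_OF_READ_ONLY = ("writable", "writeable")
SYNONYMS = {"public": "guest ok"}

# Constructed sample configuration (not a real server's smb.conf).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = File server
    read only = yes

[public]
    comment = Drop box ; anyone may write here
    path = /srv/samba/public
    guest ok = yes
    writable = yes

[docs]
    path = /srv/samba/docs
    read only = yes
    write list = @editors

[archive]
    path = /srv/samba/archive
    Read Only = yes

[printers]
    path = /var/spool/samba
    printable = yes
    writeable = no
    available = no
"""


def _to_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section_name: {parameter: value}} with normalised parameter names."""
    # Join lines continued with a trailing backslash, as Samba does.
    logical, pending = [], ""
    for raw in text.splitlines():
        pending += raw.rstrip()
        if pending.endswith("\\"):
            pending = pending[:-1]
            continue
        logical.append(pending)
        pending = ""
    if pending:
        logical.append(pending)

    conf, section = {}, None
    for line in logical:
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # ignore malformed lines and anything before the first section
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # 'Read  Only' -> 'read only'
        value = value.strip()
        if key in INVERSE_OF_READ_ONLY:
            conf[section]["read only"] = "no" if _to_bool(value) else "yes"
        else:
            conf[section][SYNONYMS.get(key, key)] = value
    return conf


def effective(conf, share, key):
    """Share value, falling back to [global], then to Samba's default."""
    return conf[share].get(key, conf.get("global", {}).get(key, DEFAULTS.get(key, "")))


def writable_shares(conf):
    """List shares where at least some remote user can create files."""
    findings = []
    for name, params in conf.items():
        if name == "global" or not _to_bool(effective(conf, name, "available")):
            continue
        read_only = _to_bool(effective(conf, name, "read only"))
        write_list = effective(conf, name, "write list")
        if read_only and not write_list:
            continue  # nobody can write: upload precondition not met
        findings.append({
            "share": name,
            "path": params.get("path", "(no path set)"),
            "guest_ok": _to_bool(effective(conf, name, "guest ok")),
            "write_list": write_list,
        })
    return findings


def report(conf):
    lines = []
    for f in writable_shares(conf):
        who = "unauthenticated guests" if f["guest_ok"] else (f["write_list"] or "authenticated users")
        lines.append(f"[{f['share']}] writable by {who}; server path {f['path']}")
    return lines


if __name__ == "__main__":
    for line in report(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(line)
```

Run against a real server's `/etc/samba/smb.conf`, the output is the list of shares an administrator should either make read-only, restrict with `write list`, or confirm are intentionally writable; a share that is writable by guests is the case to fix first, since it needs no credentials at all.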
SambaCry has worm-like characteristics: at least 485,000 computers worldwide run a vulnerable Samba and are exposed to the Internet, and researchers expect the number of attacks exploiting SambaCry to grow rapidly. Kaspersky Lab researchers, while running honeypots, found malware that uses the SambaCry vulnerability to infect Linux systems and install a cryptocurrency mining tool. Once a Linux device is compromised through SambaCry, the attacker executes two different payloads on the target system:
INAebsGB.so – a reverse shell that gives the remote attacker access to the target system
cblRWuoCc.so – a backdoor bundling CPUminer, a cryptocurrency mining tool
The compromised system becomes a “private mine” that generates cryptocurrency for the attacker. Through the reverse shell, the attacker can also change the configuration of the miner already running or infect the victim's computer with other malware. According to Kaspersky, the criminals behind the attack have earned at least 5,380 US dollars, and as the number of compromised Linux systems grows, so will their income.