Trojanized OpenSSH Campaign Hijacks Linux Systems and IoT Devices for Cryptomining

Microsoft Threat Intelligence has uncovered a sophisticated campaign targeting internet-facing Linux systems and IoT devices, weaponizing a trojanized version of OpenSSH to hijack device resources for illicit cryptocurrency mining. The disclosure, made in late June 2023, sends a stark warning to organizations running exposed Linux infrastructure in an era where Bitcoin trades near $30,500 and crypto mining profitability continues to incentivize malicious actors.

The Exploit Mechanics

The attack chain begins with brute-force attempts against vulnerable SSH endpoints. Once a target is compromised, the attackers deploy a trojanized OpenSSH package that installs a persistent backdoor on the infected system. This modified OpenSSH version mimics the appearance and behavior of a legitimate server, making detection considerably more difficult than conventional malware.

The backdoor immediately installs a patched version of OpenSSH that enables credential hijacking. Attackers leverage these stolen credentials to move laterally within the victim network while concealing malicious connections from system administrators. The sophistication of this approach means that traditional SSH auditing tools may fail to flag the compromised service.

What makes this campaign particularly aggressive is its anti-competition mechanism. The malware actively identifies and terminates competing cryptocurrency mining processes already running on the infected device. It scans for miner processes and files by name, terminating them or blocking access, and removes SSH access configured in authorized_keys by other adversaries. This ensures the attackers have exclusive use of the compromised hardware.

Affected Systems

The primary targets are internet-facing Linux servers and IoT devices with weak or default SSH credentials. Microsoft identified that the attackers specifically craft mining malware for Hiveon OS systems — a Linux-based open-source operating system designed for cryptocurrency mining operations. This indicates a level of targeting sophistication that goes beyond opportunistic scanning.

Additional payloads include open-source rootkits sourced from GitHub, including Diamorphine and Reptile. These rootkits enable data exfiltration and obfuscate malicious activity by deleting system logs and audit records. The attackers also deploy a modified version of ZiggyStarTux, an IRC-based DDoS client based on the Kaiten botnet malware, which registers itself as a system service at /etc/systemd/system/network-check.service.

The ZiggyStarTux bot communicates with command-and-control servers through IRC servers hosted on subdomains of a legitimate Southeast Asian financial institution. The bots are instructed to download and execute scripts that brute-force every host in the compromised device's subnet, creating a self-propagating infection pattern.

The Mitigation Strategy

Microsoft attributes the campaign to a threat actor operating under the handle “asterzeu” on the cardingforum.cx hacking forum, where multiple intrusion tools including SSH backdoors are offered for sale. Organizations should immediately audit their SSH configurations, enforce key-based authentication over password-based access, and implement network segmentation to limit lateral movement.

Security teams should monitor for unauthorized systemd services, particularly files created in /etc/systemd/system/ with unusual names. Network traffic analysis should flag IRC connections originating from server infrastructure, as this is highly unusual for production systems.

Deploying endpoint detection and response solutions capable of identifying rootkit activity — specifically Diamorphine and Reptile signatures — provides an additional defensive layer. Regular integrity checks of OpenSSH binaries against known-good hashes can reveal trojanized installations before they cause damage.
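
The two host checks recommended above (unauthorized unit files under /etc/systemd/system/ and OpenSSH binary integrity against known-good hashes) as an added Python triage example; this is not code from the article or from Microsoft's report. The untrusted-directory list, the baseline set, the sample binary bytes and the ExecStart path in the demo are assumptions; only the `network-check.service` name comes from the article.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Heuristic (assumed): a legitimate ExecStart never runs from a scratch or home dir.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/", "/home/")
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@:+!]*(\S+)", re.M)

def sha256_of(path):
    """Hex SHA-256 of a file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_binaries(known_good):
    """{path: expected_sha256} -> {path: 'ok' | 'modified' | 'missing'}."""
    return {p: ("missing" if not os.path.exists(p)
                else "ok" if sha256_of(p) == h else "modified")
            for p, h in known_good.items()}

def suspicious_units(unit_dir, baseline):
    """Flag .service files missing from the admin's baseline or whose ExecStart
    runs from an untrusted directory; returns [(name, [reasons])]."""
    flagged = []
    for name in sorted(n for n in os.listdir(unit_dir) if n.endswith(".service")):
        with open(os.path.join(unit_dir, name)) as f:
            execs = EXEC_RE.findall(f.read())
        reasons = ["not in baseline"] if name not in baseline else []
        if any(e.startswith(UNTRUSTED_PREFIXES) for e in execs):
            reasons.append("ExecStart in untrusted dir")
        if reasons:
            flagged.append((name, reasons))
    return flagged

def demo():
    """Run both checks on constructed data in a temp dir (not a real host)."""
    d = Path(tempfile.mkdtemp())
    sshd = d / "sshd"
    sshd.write_bytes(b"constructed stand-in for the sshd binary")
    known_good = {str(sshd): sha256_of(sshd)}      # baseline recorded while clean
    sshd.write_bytes(sshd.read_bytes() + b"\x90")  # simulate a replaced binary
    units = d / "system"
    units.mkdir()
    # unit name from the report; the ExecStart path is a constructed placeholder
    (units / "network-check.service").write_text("[Service]\nExecStart=/tmp/.cache/bot -c\n")
    (units / "ssh.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    return check_binaries(known_good), suspicious_units(units, {"ssh.service"})
```

On a real host, record the baseline hashes from a trusted package source rather than from the running system, since a trojanized binary hashed after compromise would simply become the "known-good" value.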

Lessons Learned

This campaign demonstrates that cryptocurrency mining malware has evolved far beyond simple script deployment. The combination of credential theft, lateral movement, rootkit deployment, and anti-competition mechanisms represents a full-spectrum intrusion toolkit. With Bitcoin hovering around $30,549 and Ethereum at $1,876, the financial incentives for cryptojacking remain substantial.

The use of legitimate open-source tools from GitHub as attack components highlights the dual-use nature of security research tools. Organizations should monitor not only for known malware signatures but also for the unauthorized deployment of legitimate tools like Diamorphine and Reptile on production systems.

User Action Required

System administrators should immediately review SSH access logs for brute-force patterns, verify the integrity of OpenSSH installations, disable password-based SSH authentication, and ensure all IoT devices are running current firmware with non-default credentials. Organizations using Hiveon OS or similar mining-focused Linux distributions should conduct thorough security audits of their infrastructure.
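
To support the log review recommended above, an added Python example (not from the article or from Microsoft's report) that parses sshd auth.log lines, flags sources exceeding a failure threshold inside a sliding time window, and, matching this campaign's initial-access pattern, flags a password login accepted from a source that had already failed repeatedly. The sample log lines, the threshold and the window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog format, year assumed below); not real data.
SAMPLE_LOG = """\
Jun 21 03:14:01 host sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jun 21 03:14:03 host sshd[813]: Failed password for invalid user pi from 203.0.113.5 port 51004 ssh2
Jun 21 03:14:05 host sshd[814]: Failed password for root from 203.0.113.5 port 51006 ssh2
Jun 21 03:14:07 host sshd[815]: Failed password for root from 203.0.113.5 port 51008 ssh2
Jun 21 03:14:09 host sshd[816]: Failed password for root from 203.0.113.5 port 51010 ssh2
Jun 21 03:14:12 host sshd[817]: Accepted password for root from 203.0.113.5 port 51012 ssh2
Jun 21 03:20:00 host sshd[900]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun 21 03:20:30 host sshd[901]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (password|publickey) for (?:invalid user )?(\S+) from (\S+) port")

def parse(log, year=2023):
    """Yield (timestamp, outcome, method, user, src_ip) for each sshd auth line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield (ts,) + m.groups()[1:]

def analyze(log, threshold=5, window_s=300):
    """Return (bruteforcers, compromised): source IPs with >= threshold failures
    inside a window_s-second sliding window, and (ip, user) pairs where a
    password login was accepted from a source that had already failed that often."""
    failures = defaultdict(list)
    bruteforcers, compromised = set(), set()
    for ts, outcome, method, user, ip in parse(log):
        if outcome == "Failed":
            fails = failures[ip]
            fails.append(ts)
            while (ts - fails[0]).total_seconds() > window_s:   # expire old failures
                fails.pop(0)
            if len(fails) >= threshold:
                bruteforcers.add(ip)
        elif method == "password" and len(failures[ip]) >= threshold:
            compromised.add((ip, user))   # success after brute force: treat as a breach
    return bruteforcers, compromised
```

A source in `compromised` is the one to investigate first, since a successful password login after a burst of failures is exactly the foothold from which this campaign installs its trojanized OpenSSH.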

7 thoughts on “Trojanized OpenSSH Campaign Hijacks Linux Systems and IoT Devices for Cryptomining”

  1. bruteforce_me

    Ran into this exact thing on a VPS last month. Diamorphine rootkit is nasty, survived two reboots before I caught it.

  2. The fact that it patches OpenSSH to hijack credentials is what makes this genuinely scary. Most admins would never notice their SSH binary got replaced.

    1. rootkit_hunter

      ^ Exactly. Ran sha256sum on my sshd binary after reading this and good thing I did, it matched the trojanized hash.

      1. smart_contract_

        Good move running sha256sum. Most people would just restart the service and call it fixed. Diamorphine is designed to survive that.

    2. The lateral movement via stolen credentials is the real damage. Once they pivot past the initial host you are dealing with a full-blown breach, not just mining.
