Honeypot Attack Observation - SFTP Password Spraying and Crypto Mining

Time and Date of Activity

June 26, 2025 @ 23:48:14 UTC

Relevant Logs, File or Email

On June 26th, 2025 at 23:48 UTC, the DShield honeypot recorded a brute-force SSH password spraying attempt originating from IP address 107.172.250.119, which is registered to ColoCrossing (AS36352). The attacker targeted ports 22 and 2222 using a limited credential spray focused on the root account, attempting common Linux-related passwords such as "centos", "debian", "ubuntu", "linux", and "nginx".

DShield SIEM filter on source.ip: 107.172.250.119 showing the SSH password spraying

One of these, "root:nginx", successfully authenticated. Upon login, the attacker used SFTP to upload an ELF binary named "sshd" into the honeypot’s filesystem. The file was identified with SHA-256 hash 811bc350ee4a5fb2609c6fa61297ef33b6c088381737b0d8a0c9292ca02dcb53, and it has been flagged on VirusTotal by more than 30 vendors as a Linux-based trojan and cryptocurrency miner, typically labeled under the CoinMiner or Multiverze family.

VirusTotal detecting malware via file upload hash

Sensor data showed an automation pattern. Each burst of 31 connection attempts reused the same source port, with new bursts using 44,002, 46,876, 51,106, 54,792, and 58,326 respectively. SSH handshake logs show the remote client banner was "SSH-2.0-Go", indicating that a Go-based SSH tool was used to perform the password spraying.

DShield SIEM filter on source.ip: 107.172.250.119 showing the static source ports

The malware file is a 64-bit Linux ELF executable, 6.75 MB in size. VirusTotal's result for the uploaded payload includes aliases like "Trojan:Linux/Multiverze", "ELF:Agent-CXA", "CoinMiner/Linux.Agent", and "Trojan.Linux.Generic.355701". Analysis platforms like IBM X-Force confirmed this file belongs to the "multiverze" miner family and that it has been seen since late 2023. MetaDefender reported 8 of 22 AV engines marking it malicious at the time of analysis. Based on the consistent activity from this IP address in DShield logs over multiple days (June 20–July 5), this attack is part of an ongoing campaign against SSH services to upload crypto mining malware via SFTP.
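The three signals described above (a root-only spray of Linux-flavoured passwords, one reused source port per burst, and the "SSH-2.0-Go" client banner) can be turned into a simple detection over honeypot events. The following is an added example, not tooling from the report or from DShield: the event lines are constructed to reproduce the reported pattern, the field names follow Cowrie's JSON log format (eventid, src_ip, src_port, username, password, version), and the thresholds are assumptions rather than values from the report.

```python
"""Flag SSH password-spray bursts in Cowrie-style honeypot events.

Added example, not part of the original report. Event lines are constructed
to reproduce the reported pattern; thresholds are assumptions.
"""
import json
from collections import Counter, defaultdict

ATTACKER = "107.172.250.119"  # source IP from the report


def _ev(eventid, src_ip, src_port, **extra):
    """Build one newline-delimited JSON event in Cowrie's field layout (constructed)."""
    base = {"eventid": eventid, "src_ip": src_ip, "src_port": src_port,
            "timestamp": "2025-06-26T23:48:14Z"}
    base.update(extra)
    return json.dumps(base)


# Constructed sample log: one burst reusing source port 44002, then a success.
SAMPLE_LOG = "\n".join([
    _ev("cowrie.client.version", ATTACKER, 44002, version="SSH-2.0-Go"),
    _ev("cowrie.login.failed", ATTACKER, 44002, username="root", password="centos"),
    _ev("cowrie.login.failed", ATTACKER, 44002, username="root", password="debian"),
    _ev("cowrie.login.failed", ATTACKER, 44002, username="root", password="ubuntu"),
    _ev("cowrie.login.failed", ATTACKER, 44002, username="root", password="linux"),
    _ev("cowrie.login.success", ATTACKER, 44002, username="root", password="nginx"),
    # An unrelated single failed login from a documentation-range address.
    _ev("cowrie.client.version", "192.0.2.10", 51234, version="SSH-2.0-OpenSSH_9.6"),
    _ev("cowrie.login.failed", "192.0.2.10", 51234, username="alice", password="wrongpass"),
])

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def analyze(log_text, min_distinct_passwords=5, port_reuse_threshold=3):
    """Return a per-source-IP summary with a spray score and the reasons behind it."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "passwords": set(),
                                  "ports": Counter(), "banner": None, "success": []})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rec = per_ip[ev["src_ip"]]
        if ev["eventid"] == "cowrie.client.version":
            rec["banner"] = ev.get("version")
        elif ev["eventid"] in LOGIN_EVENTS:
            rec["attempts"] += 1
            rec["users"].add(ev["username"])
            rec["passwords"].add(ev["password"])
            # A normal client picks a fresh ephemeral port per TCP connection,
            # so the same source port across many attempts points at automation.
            rec["ports"][ev["src_port"]] += 1
            if ev["eventid"] == "cowrie.login.success":
                rec["success"].append(f"{ev['username']}:{ev['password']}")

    findings = {}
    for ip, rec in per_ip.items():
        reasons = []
        if len(rec["passwords"]) >= min_distinct_passwords:
            reasons.append("many distinct passwords against few accounts"
                           if len(rec["users"]) <= 2 else "many distinct passwords")
        reused = sorted(p for p, n in rec["ports"].items() if n >= port_reuse_threshold)
        if reused:
            reasons.append("source port reused across connections")
        if rec["banner"] and rec["banner"].startswith("SSH-2.0-Go"):
            reasons.append("Go SSH client banner")
        findings[ip] = {
            "attempts": rec["attempts"],
            "usernames": sorted(rec["users"]),
            "distinct_passwords": len(rec["passwords"]),
            "reused_ports": reused,
            "banner": rec["banner"],
            "successful_logins": rec["success"],
            "reasons": reasons,
            "spray_score": len(reasons),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["spray_score"], f["reasons"], f["successful_logins"])
```

The score is deliberately additive: the Go banner alone is weak evidence (plenty of legitimate Go SSH clients exist), but combined with port reuse and a root-only password list it matches the report's pattern closely, and any successful login from a high-scoring source is the event worth paging on.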

Which vulnerability does the attack attempt to exploit?

  • Exploit: SSH brute-force password spray

  • Mitre ATT&CK:

What is the goal of the attack?

The attacker's goal appears to be T1496 "Resource Hijacking" (i.e. cryptocurrency mining) via default or easily guessable SSH/SFTP passwords. Once a valid root credential (root:nginx) was discovered, the attacker immediately uploaded a Linux crypto-miner binary named "sshd". Given the malware's family (multiverze) and ELF format, the attacker likely intended to execute the malware after the initial upload or to use the SFTP server for further malware distribution; however, none of this follow-on activity was detected.

If the system is vulnerable, do you think the attack will be successful?

Yes. The login will be successful if SSH/SFTP is using a default or weak credential, if password-based SSH logins are enabled, and if the SSH port is exposed to the public internet.

How can a system be protected from this attack?

There are multiple ways to prevent this attack, but the most obvious is to not use default or easily guessable passwords on system logins. Additionally, SSH should only allow key-based logins and deny all SSH logins directly to the root user, which can be done by updating the SSH config file (/etc/ssh/sshd_config) to set PermitRootLogin no and PubkeyAuthentication yes.

Where possible, SSH and SFTP should not be exposed to the public internet unless there is a business-justified reason. If SSH must be exposed, consider installing anti-password-spraying tools like "Rate-limit" or "fail2ban".
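To check that a host actually has the settings recommended above, the following added example (not the report's own tooling) parses sshd_config text the way sshd resolves keywords: lines starting with "#" are comments, keyword case is ignored, the first occurrence of a keyword wins, and the global section ends at the first Match block. It checks PermitRootLogin no and PubkeyAuthentication yes as the report says, and additionally PasswordAuthentication no, because enabling public-key authentication on its own does not turn password logins off. The two config strings are constructed examples, and the defaults used for absent keywords assume OpenSSH 7.0 or later.

```python
"""Audit an sshd_config for the settings the report recommends.

Added example, not part of the original report. Config strings are constructed;
defaults assume OpenSSH 7.0 or later.
"""

# Desired values for a key-only, no-root-login SSH service.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

# Values sshd uses when the keyword is absent (assumption: OpenSSH 7.0+,
# where PermitRootLogin defaults to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

WEAK_CONFIG = """\
# Constructed example: the kind of config the reported spray succeeds against
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# Constructed example: root login refused, password logins off, keys only
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Per-user overrides below a Match line are conditional and not audited here
Match User backup
    PasswordAuthentication no
"""


def effective_global_settings(text):
    """Map lowercase keyword -> first value seen in the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after Match is conditional; stop the global audit
        settings.setdefault(key, value)  # sshd keeps the first value for a keyword
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, current_value, expected_value) deviations."""
    settings = effective_global_settings(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key, DEFAULTS[key])
        if got.lower() != want:
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Running the audit on an empty config is instructive: with no keywords set at all, the defaults still leave password authentication on, which is exactly the condition the spray above relies on.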

What do you know about the attacker?

  • IP: 107.172.250.119

  • ASN: AS36352 (ColoCrossing, HostPapa, US)

  • Reputation: Flagged in 38 reports by SANS ISC since June 20, 2025

  • VirusTotal: Malware SHA256 811bc350ee4a5fb2609c6fa61297ef33b6c088381737b0d8a0c9292ca02dcb53 is widely flagged as a Linux crypto-miner

  • Shodan: IP has open SSH port 22/tcp with the header "SSH-2.0-Go"

  • ISC DShield: Shows sustained and repeated port 22 scanning activity, with SYN packets observed every day from June 20 onward

  • WHOIS: Registered to HostPapa; abuse contact is "[email protected]"

Indicators

  • IP Address: 107.172.250.119

  • SSH Client Banner: SSH-2.0-Go

  • SSH client fingerprint: 98ddc5604ef6a1006a2b49a58759fbe6

  • Uploaded file hash (SHA256): 811bc350ee4a5fb2609c6fa61297ef33b6c088381737b0d8a0c9292ca02dcb53

  • File name: sshd

External References

Analyst Name: Duncan Woosley

Date of Analysis: 7/15/2025

Last updated