Backdoor.Linux.NOODLERAT.ZKJJ

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system:

• /tmp/CCCCCCCCCCCCCCCC → deletes afterwards

It adds the following processes:

• "/tmp/CCCCCCCCCCCCCCCC"

Propagation

This Backdoor does not have any propagation routine.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Reverse Shell
• File Management (Create/Search Directory, Rename/Delete/Upload/Download File)
• Timer Management (Get current time, Set next execution time)
• Socks Tunneling

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.174.15:443

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Other Details

This Backdoor does the following:

• Run itself as a daemon
• It sends the output of the executed command back to the C&C Server
• It checks for the current time and day
  • if it matches it's config, it will attempt to connect to it's C&C Server
  • if not, it will sleep then will check for the current time and day after the specified time
• It can create either the following files that contains a timestamp (year, month, day, hour, minutes) for when the C&C connection will connect
  • /usr/include/sdfwex.h
  • /tmp/.llock

However, as of this writing, the said sites are inaccessible.

It does not exploit any vulnerability.