Analisado por: Melvin Jhun Palbusa   

 

UDS:Backdoor.Linux.Gomir.a (KASPERSKY)

 Plataforma:

Linux

 Classificao do risco total:
 Potencial de dano:
 Potencial de distribuição:
 infecção relatada:
 Exposição das informações:
Baixo
Medium
Alto
Crítico

  • Tipo de grayware:
    Backdoor

  • Destrutivo:
    Não

  • Criptografado:
     

  • In the Wild:
    Sim

  Visão geral

Canal de infecção: Aus dem Internet heruntergeladen, Fallen gelassen von anderer Malware

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Führt Befehle eines externen, böswilligen Benutzers aus, wodurch das betroffene System gefährdet wird.

  Detalhes técnicos

Tipo de compactação: 5,947,392 bytes
Tipo de arquivo: ELF
Residente na memória: Sim
Data de recebimento das amostras iniciais: 21 maio 2024
Carga útil: Connects to URLs/IPs, Drops files, Executes commands

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

  • /etc/systemd/system/syslogd.service → If "install" parameter is used with process running under superuser privilege.
  • {Malware File Path}\cron.txt → If "install" parameter is used with process not running under superuser privilege. Deletes afterwards.

Schleust die folgenden Eigenkopien in das betroffene System ein:

  • /var/log/syslogd → If "install" parameter is used with process running under superuser privilege.

Fügt die folgenden Prozesse hinzu:

  • $SHELL -c systemctl daemon-reload → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c systemctl reenable syslogd → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c systemctl start syslogd → If "install" parameter is used with process running under superuser privilege.
  • /bin/sh -c crontab -1 → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c crontab cron.txt → If "install" parameter is used with process running under superuser privilege.

Backdoor-Routine

Führt die folgenden Befehle eines externen, böswilligen Benutzers aus:

  • 01 → Temporarily halts communication with the C&C server for a specified period.
  • 02 → Executes an arbitrary string as a shell command ("[shell]" "-c" "[arbitrary_string]").
  • 03 → Reports the current working directory.
  • 04 → Changes the current working directory and reports the working directory’s new pathname.
  • 05 → Checks TCP connectivity for arbitrary network endpoints.
  • 06 → Terminates its own process, effectively stopping the backdoor.
  • 07 → Reports the pathname of its own executable file.
  • 08 → Gathers statistics about a specified directory tree and reports the total number of subdirectories, total number of files, and the cumulative size of all files.
  • 09 → Reports the configuration details of the affected computer, including hostname, username, CPU, RAM, and network interfaces, listing each interface's name, MAC address, IP address, and IPv6 address.
  • 10 → Sets a fallback shell for executing shell commands in operation 02, with the initial value set to "/bin/sh".
  • 11 → Sets a codepage for interpreting the output from the shell commands in operation 02.
  • 12 → Delays communication with the C&C server until a specified datetime.
  • 13 → Responds with the message "Not implemented on Linux!".
  • 14 → Starts a reverse proxy by connecting to an arbitrary control endpoint.
  • 15 → Reports the control endpoints of the reverse proxy.
  • 30 → Creates an arbitrary file on the affected computer.
  • 31 → Exfiltrates an arbitrary file from the affected computer.

Andere Details

Es macht Folgendes:

  • It adds the following service:
    • Service Name: syslogd
    • Start type: Restart=always
  • Deletes and terminates itself →If "install" parameter is used with process running under superuser privilege.

  Solução

Mecanismo de varredura mínima: 9.800
Primeiro arquivo padrão VSAPI: 19.354.03
Data do lançamento do primeiro padrão VSAPI: 21 maio 2024
VSAPI OPR Pattern Version: 19.355.00
VSAPI OPR Pattern veröffentlicht am: 22 maio 2024

Step 2

Durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt, und löschen Sie Dateien, die als Backdoor.Linux.GOMIR.THEBABD entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.


Participe da nossa pesquisa!