Trojan.Linux.CUTTLESNIFF.AB
UDS:Trojan.Linux.Agent.a (KASPERSKY)
Linux
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
1,125,524 bytes
ELF
No
08 May 2024
Connects to URLs/IPs, Downloads files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Download Routine
This Trojan saves the files it downloads using the following names:
- /tmp/tconfigjs
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/
It does the following:
- It hides itself in /tmp/.{random}.so, mounting to the current /proc/{PID}
- It attempts to connect to the following URL to download and update the ruleset:
- http://{BLOCKED}.{BLOCKED}.39:443/rules{BLOCKED}.
- It compares outbound network traffics to the following ports:
- tcp dst port 21
- tcp dst port 22
- tcp dst port 23
- tcp dst port 25
- udp dst port 53
- tcp dst port 69
- tcp dst port 80
- tcp dst port 81
- tcp dst port 82
- tcp dst port 83
- tcp dst port 88
- tcp dst port 110
- tcp dst port 135
- tcp dst port 139
- tcp dst port 143
- tcp dst port 164
- tcp dst port 389
- tcp dst port 443
- tcp dst port 444
- tcp dst port 445
- tcp dst port 554
- tcp dst port 888
- tcp dst port 992
- tcp dst port 993
- tcp dst port 995
- tcp dst port 1024
- tcp dst port 1080
- tcp dst port 1194
- tcp dst port 1433
- tcp dst port 1443
- tcp dst port 1521
- tcp dst port 1701
- tcp dst port 1723
- tcp dst port 1935
- tcp dst port 2000
- tcp dst port 2103
- tcp dst port 2222
- tcp dst port 2323
- tcp dst port 2375
- tcp dst port 2600
- tcp dst port 2601
- tcp dst port 3128
- tcp dst port 3306
- tcp dst port 3333
- tcp dst port 3389
- tcp dst port 3443
- tcp dst port 4343
- tcp dst port 4430
- tcp dst port 4433
- tcp dst port 4443
- tcp dst port 4444
- tcp dst port 4567
- tcp dst port 4899
- tcp dst port 5000
- tcp dst port 5060
- tcp dst port 5061
- tcp dst port 5432
- tcp dst port 5443
- tcp dst port 5523
- tcp dst port 5555
- tcp dst port 5900
- tcp dst port 6000
- tcp dst port 6379
- tcp dst port 6443
- tcp dst port 7000
- tcp dst port 7001
- tcp dst port 7170
- tcp dst port 7210
- tcp dst port 7443
- tcp dst port 7547
- tcp dst port 7777
- tcp dst port 8000
- tcp dst port 8008
- tcp dst port 8009
- tcp dst port 8080
- tcp dst port 8081
- tcp dst port 8085
- tcp dst port 8088
- tcp dst port 8090
- tcp dst port 8181
- tcp dst port 8229
- tcp dst port 8333
- tcp dst port 8383
- tcp dst port 8443
- tcp dst port 8888
- tcp dst port 9000
- tcp dst port 9001
- tcp dst port 9002
- tcp dst port 9090
- tcp dst port 9200
- tcp dst port 9443
- tcp dst port 10001
- tcp dst port 10443
- tcp dst port 20443
- tcp dst port 27017
- tcp dst port 30005
- tcp dst port 50995
- tcp dst port 50996
- tcp dst port 58000
- tcp dst port 60443
- tcp dst port 65527
- tcp dst port 9220
- If matches, it searches for the following credential markers:
- username=
- user_name=
- username
- account=
- passwd
- password
- passwd
- pass_word
- userName
- password
- passwd=
- password=
- pass_word=
- Authorization:
- access_key=
- access_token=
- admin_pass=
- admin_user=
- algolia_admin_key=
- algolia_api_key=
- alias_pass=
- alicloud_access_key=
- amazon_secret_access_key=
- amazonaws=
- ansible_vault_password=
- aos_key=
- api_key=
- api_key_secret=
- api_key_sid=
- api_secret=
- api.googlemaps AIza=
- apidocs=
- apikey=
- apiSecret=
- app_debug=
- app_id=
- app_key=
- app_log_level=
- app_secret=
- appkey=
- appkeysecret=
- application_key=
- appsecret=
- appspot=
- auth_token=
- authorizationToken=
- authsecret=
- aws_access=
- aws_access_key_id=
- aws_bucket=
- aws_key=
- aws_secret=
- aws_secret_key=
- aws_token=
- AWSSecretKey=
- b2_app_key=
- bashrc password=
- bintray_apikey=
- bintray_gpg_password=
- bintray_key=
- bintraykey=
- bluemix_api_key=
- bluemix_pass=
- browserstack_access_key=
- bucket_password=
- bucketeer_aws_access_key_id=
- bucketeer_aws_secret_access_key=
- built_branch_deploy_key=
- bx_password=
- cache_driver=
- cache_s3_secret_key=
- cattle_access_key=
- cattle_secret_key=
- certificate_password=
- ci_deploy_password=
- client_secret=
- client_zpk_secret_key=
- clojars_password=
- cloud_api_key=
- cloud_watch_aws_access_key=
- cloudant_password=
- cloudflare_api_key=
- cloudflare_auth_key=
- cloudinary_api_secret=
- cloudinary_name=
- codecov_token=
- config=
- conn.login=
- connectionstring=
- consumer_key=
- consumer_secret=
- credentials=
- cypress_record_key=
- database_password=
- database_schema_test=
- datadog_api_key=
- datadog_app_key=
- db_password=
- db_server=
- db_username=
- dbpasswd=
- dbpassword=
- dbuser=
- deploy_password=
- digitalocean_ssh_key_body=
- digitalocean_ssh_key_ids=
- docker_hub_password=
- docker_key=
- docker_pass=
- docker_passwd=
- docker_password=
- dockerhub_password=
- dockerhubpassword=
- dot-files=
- dotfiles=
- droplet_travis_password=
- dynamoaccesskeyid=
- dynamosecretaccesskey=
- elastica_host=
- elastica_port=
- elasticsearch_password=
- encryption_key=
- encryption_password=
- env.heroku_api_key=
- env.sonatype_password=
- eureka.awssecretkey=
- It logs output to /tmp/log.txt
- It archives the log file using gzip (%s.gz) and upload the file to http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/upload?uuid=%s&filename=%s&tid={hex value}
SOLUTION
9.800
19.328.04
08 May 2024
19.329.00
09 May 2024
Step 1
Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:
-
Troj.ELF.TRX.XXELFC1DFF039
Step 2
Scan your computer with your Trend Micro product to delete files detected as Trojan.Linux.CUTTLESNIFF.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.