UNIX_PIMINE.A
Platform: Linux
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Dropped by other malware, Downloaded from the Internet
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
It modifies the affected system's hosts file. This prevents the system from resolving a specific website.
TECHNICAL DETAILS
File Size: 557,323 bytes
File Type: Script
Memory Resident: No
Initial Samples Received Date: 03 Jun 2017
Payload: Drops files, Executes files, Terminates processes
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- /tmp/minerd ← coinminer
Process Termination
This Trojan terminates the following processes if found running in the affected system's memory:
- bins.sh
- minerd
- node
- nodejs
- ktx-armv4l
- ktx-i586
- ktx-m68k
- ktx-mips
- ktx-mipsel
- ktx-powerpc
- ktx-sh4
- ktx-sparc
- arm5
- zmap
Dropping Routine
This Trojan executes the dropped file (/tmp/minerd). As a result, the coinminer runs on the affected system.
HOSTS File Modification
This Trojan adds the following string to the system's hosts file (/etc/hosts on Linux):
- {BLOCKED}.{BLOCKED}.0.1 bins.{BLOCKED}hland-zahlung.eu
Other Details
This Trojan does the following:
- Executes the following command to install the libraries and tools it needs (libcurl, jansson and OpenSSL headers for the miner; zmap and sshpass for propagation):
- apt-get install libcurl4-openssl-dev libjansson-dev openssl libssl-dev zmap sshpass -y
- Executes the dropped file with the following arguments: -a cryptonight -o stratum+tcp://xmr.{BLOCKED}-pool.fr:443 -u 45hgMAs1sNdMs7H9aCQm8oMCG5HGg37nv9Ab5r8u4R9gcWkSteobyt6faTuV8tnzhSUH3WFmStG1YXtsvSkSo5sz2ugxSW4
- -a sets the hashing algorithm (cryptonight, used by Monero)
- -o sets the mining pool URL (Stratum over TCP port 443)
- -u sets the username on the mining pool, here the attacker's Monero wallet address
- Changes the password for user pi (locking out the legitimate owner) by installing a precomputed SHA-512 crypt ($6$) hash with the following command:
- usermod -p \$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1 pi
- Scans for hosts with TCP port 22 (SSH) open and logs in with the Raspberry Pi default credentials (username: pi, password: raspberry); on success it drops a copy of itself on the remote host and executes it
SOLUTION
Minimum Scan Engine: 9.850
First VSAPI Pattern File: 13.468.01
First VSAPI Pattern Release Date: 12 Jun 2017
VSAPI OPR Pattern Version: 13.469.00
VSAPI OPR Pattern Release Date: 13 Jun 2017
Step 1
Note that not all files and folders are created on your system during this malware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders, please proceed to the next step.
Step 2
Search and delete this file (terminate any running minerd process first, since the Trojan executes it)
- /tmp/minerd
Step 3
Remove this string added by the malware in the hosts file (/etc/hosts)
- 127.0.0.1 bins.deutschland-zahlung.eu
Then set a new password for user pi (passwd pi): the Trojan replaced it with its own hash, and the default password raspberry is what allowed it in over SSH in the first place.
Step 4
Scan your computer with your Trend Micro product to delete files detected as UNIX_PIMINE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
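The following POSIX shell script is an added example, not part of the Trend Micro entry, that turns the indicators from the Technical Details and the removal steps above into repeatable checks and a cleanup routine. It takes file paths as parameters so it can be run against the live system (/etc/hosts, /etc/shadow, /tmp) or against copies. The hosts entry, the dropped file name, the usermod hash and the default pi credentials come from the entry; the function names, the process list it checks (minerd and zmap) and the default-password check are this script's own assumptions.

```shell
#!/bin/sh
# Added example: indicator checks and cleanup for UNIX_PIMINE.A.
# Not Trend Micro's code; paths are parameters so it runs on a live host or on copies.

# SHA-512 crypt hash the Trojan's usermod command installs for user "pi"
# (single-quoted because it contains '$').
PIMINE_PI_HASH='$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1'
PIMINE_HOSTS_DOMAIN='bins.deutschland-zahlung.eu'   # mapped to 127.0.0.1 by the Trojan
PIMINE_DROPPED='minerd'                              # dropped into the tmp dir passed as argument
PIMINE_OWN_PROCS='minerd zmap'                       # assumption: the miner it runs and the scanner it installs

# pi_hash SHADOW: print the password-hash field of user pi (empty if absent).
pi_hash() {
    awk -F: '$1=="pi"{print $2; exit}' "$1" 2>/dev/null || true
}

# pimine_check HOSTS SHADOW TMPDIR
# Prints one line per indicator found; returns 0 if any is present, 1 if none.
pimine_check() {
    found=1
    if grep -q "$PIMINE_HOSTS_DOMAIN" "$1" 2>/dev/null; then
        echo "hosts: entry for $PIMINE_HOSTS_DOMAIN present"; found=0
    fi
    if [ "$(pi_hash "$2")" = "$PIMINE_PI_HASH" ]; then
        echo "shadow: pi password hash matches the UNIX_PIMINE.A usermod hash"; found=0
    fi
    if [ -f "$3/$PIMINE_DROPPED" ]; then
        echo "file: $3/$PIMINE_DROPPED present"; found=0
    fi
    return $found
}

# pimine_check_procs: report running processes the Trojan itself starts (live system only).
pimine_check_procs() {
    found=1
    for p in $PIMINE_OWN_PROCS; do
        if pgrep -x "$p" >/dev/null 2>&1; then echo "process: $p running"; found=0; fi
    done
    return $found
}

# pimine_default_cred SHADOW
# Returns 0 if user pi still has the default password "raspberry", the weakness the Trojan
# uses to spread over SSH. Recomputes the SHA-512 crypt hash with the stored salt; needs
# OpenSSL 1.1.1+ for `openssl passwd -6` and only handles $6$ hashes.
pimine_default_cred() {
    cur=$(pi_hash "$1")
    case $cur in
        '$6$'*) salt=$(printf '%s' "$cur" | cut -d'$' -f3) ;;
        *) return 1 ;;
    esac
    [ "$(openssl passwd -6 -salt "$salt" raspberry 2>/dev/null)" = "$cur" ]
}

# pimine_clean HOSTS TMPDIR
# Steps 2 and 3 above: stop the miner, delete the dropped file, remove the hosts entry.
# Leaves the pi password alone; reset it afterwards with `passwd pi`.
pimine_clean() {
    pkill -x "$PIMINE_DROPPED" 2>/dev/null || true
    rm -f "$2/$PIMINE_DROPPED"
    if [ -f "$1" ]; then
        # Rewrite in place so ownership and mode of the hosts file are preserved.
        grep -v "$PIMINE_HOSTS_DOMAIN" "$1" > "$1.pimine" || true   # grep -v exits 1 if nothing remains
        cat "$1.pimine" > "$1" && rm -f "$1.pimine"
    fi
}

# Usage on a live Raspberry Pi (as root):
#   pimine_check /etc/hosts /etc/shadow /tmp; pimine_check_procs
#   pimine_clean /etc/hosts /tmp && passwd pi
```

Run the checks before and after cleanup: pimine_check compares the pi entry in /etc/shadow byte-for-byte against the hash the Trojan installs, so a match is a high-confidence indicator, while pimine_default_cred catches the opposite problem, a host that was cleaned but still has the default credentials the worm brute-forces.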