Trojan.Linux.CUTTLESNIFF.AB

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Rutina de descarga

Guarda los archivos que descarga con los nombres siguientes:

• /tmp/tconfigjs

Otros detalles

It connects to the following possibly malicious URL:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/

Hace lo siguiente:

• It hides itself in /tmp/.{random}.so, mounting to the current /proc/{PID}
• It attempts to connect to the following URL to download and update the ruleset:
  • http://{BLOCKED}.{BLOCKED}.39:443/rules{BLOCKED}.
• It compares outbound network traffics to the following ports:
  • tcp dst port 21
  • tcp dst port 22
  • tcp dst port 23
  • tcp dst port 25
  • udp dst port 53
  • tcp dst port 69
  • tcp dst port 80
  • tcp dst port 81
  • tcp dst port 82
  • tcp dst port 83
  • tcp dst port 88
  • tcp dst port 110
  • tcp dst port 135
  • tcp dst port 139
  • tcp dst port 143
  • tcp dst port 164
  • tcp dst port 389
  • tcp dst port 443
  • tcp dst port 444
  • tcp dst port 445
  • tcp dst port 554
  • tcp dst port 888
  • tcp dst port 992
  • tcp dst port 993
  • tcp dst port 995
  • tcp dst port 1024
  • tcp dst port 1080
  • tcp dst port 1194
  • tcp dst port 1433
  • tcp dst port 1443
  • tcp dst port 1521
  • tcp dst port 1701
  • tcp dst port 1723
  • tcp dst port 1935
  • tcp dst port 2000
  • tcp dst port 2103
  • tcp dst port 2222
  • tcp dst port 2323
  • tcp dst port 2375
  • tcp dst port 2600
  • tcp dst port 2601
  • tcp dst port 3128
  • tcp dst port 3306
  • tcp dst port 3333
  • tcp dst port 3389
  • tcp dst port 3443
  • tcp dst port 4343
  • tcp dst port 4430
  • tcp dst port 4433
  • tcp dst port 4443
  • tcp dst port 4444
  • tcp dst port 4567
  • tcp dst port 4899
  • tcp dst port 5000
  • tcp dst port 5060
  • tcp dst port 5061
  • tcp dst port 5432
  • tcp dst port 5443
  • tcp dst port 5523
  • tcp dst port 5555
  • tcp dst port 5900
  • tcp dst port 6000
  • tcp dst port 6379
  • tcp dst port 6443
  • tcp dst port 7000
  • tcp dst port 7001
  • tcp dst port 7170
  • tcp dst port 7210
  • tcp dst port 7443
  • tcp dst port 7547
  • tcp dst port 7777
  • tcp dst port 8000
  • tcp dst port 8008
  • tcp dst port 8009
  • tcp dst port 8080
  • tcp dst port 8081
  • tcp dst port 8085
  • tcp dst port 8088
  • tcp dst port 8090
  • tcp dst port 8181
  • tcp dst port 8229
  • tcp dst port 8333
  • tcp dst port 8383
  • tcp dst port 8443
  • tcp dst port 8888
  • tcp dst port 9000
  • tcp dst port 9001
  • tcp dst port 9002
  • tcp dst port 9090
  • tcp dst port 9200
  • tcp dst port 9443
  • tcp dst port 10001
  • tcp dst port 10443
  • tcp dst port 20443
  • tcp dst port 27017
  • tcp dst port 30005
  • tcp dst port 50995
  • tcp dst port 50996
  • tcp dst port 58000
  • tcp dst port 60443
  • tcp dst port 65527
  • tcp dst port 9220
• If matches, it searches for the following credential markers:
  • username=
  • user_name=
  • username
  • account=
  • passwd
  • password
  • passwd
  • pass_word
  • userName
  • password
  • passwd=
  • password=
  • pass_word=
  • Authorization:
  • access_key=
  • access_token=
  • admin_pass=
  • admin_user=
  • algolia_admin_key=
  • algolia_api_key=
  • alias_pass=
  • alicloud_access_key=
  • amazon_secret_access_key=
  • amazonaws=
  • ansible_vault_password=
  • aos_key=
  • api_key=
  • api_key_secret=
  • api_key_sid=
  • api_secret=
  • api.googlemaps AIza=
  • apidocs=
  • apikey=
  • apiSecret=
  • app_debug=
  • app_id=
  • app_key=
  • app_log_level=
  • app_secret=
  • appkey=
  • appkeysecret=
  • application_key=
  • appsecret=
  • appspot=
  • auth_token=
  • authorizationToken=
  • authsecret=
  • aws_access=
  • aws_access_key_id=
  • aws_bucket=
  • aws_key=
  • aws_secret=
  • aws_secret_key=
  • aws_token=
  • AWSSecretKey=
  • b2_app_key=
  • bashrc password=
  • bintray_apikey=
  • bintray_gpg_password=
  • bintray_key=
  • bintraykey=
  • bluemix_api_key=
  • bluemix_pass=
  • browserstack_access_key=
  • bucket_password=
  • bucketeer_aws_access_key_id=
  • bucketeer_aws_secret_access_key=
  • built_branch_deploy_key=
  • bx_password=
  • cache_driver=
  • cache_s3_secret_key=
  • cattle_access_key=
  • cattle_secret_key=
  • certificate_password=
  • ci_deploy_password=
  • client_secret=
  • client_zpk_secret_key=
  • clojars_password=
  • cloud_api_key=
  • cloud_watch_aws_access_key=
  • cloudant_password=
  • cloudflare_api_key=
  • cloudflare_auth_key=
  • cloudinary_api_secret=
  • cloudinary_name=
  • codecov_token=
  • config=
  • conn.login=
  • connectionstring=
  • consumer_key=
  • consumer_secret=
  • credentials=
  • cypress_record_key=
  • database_password=
  • database_schema_test=
  • datadog_api_key=
  • datadog_app_key=
  • db_password=
  • db_server=
  • db_username=
  • dbpasswd=
  • dbpassword=
  • dbuser=
  • deploy_password=
  • digitalocean_ssh_key_body=
  • digitalocean_ssh_key_ids=
  • docker_hub_password=
  • docker_key=
  • docker_pass=
  • docker_passwd=
  • docker_password=
  • dockerhub_password=
  • dockerhubpassword=
  • dot-files=
  • dotfiles=
  • droplet_travis_password=
  • dynamoaccesskeyid=
  • dynamosecretaccesskey=
  • elastica_host=
  • elastica_port=
  • elasticsearch_password=
  • encryption_key=
  • encryption_password=
  • env.heroku_api_key=
  • env.sonatype_password=
  • eureka.awssecretkey=
• It logs output to /tmp/log.txt
• It archives the log file using gzip (%s.gz) and upload the file to http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/upload?uuid=%s&filename=%s&tid={hex value}