Trojan.SH.MALXMR.UWEJJ

Otras modificaciones del sistema

Modifica los archivos siguientes:

• /root/.ssh/authorized_keys → appends the attacker's SSH public-key (creates the file instead, if it does not exist)

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• biosetjenkins
• Loopback
• apaceha
• cryptonight
• stratum
• mixnerdx
• performedl
• JnKihGjn
• irqba2anc1
• irqba5xnc1
• irqbnc1
• ir29xc1
• conns
• irqbalance
• crypto-pool
• minexmr
• XJnRj
• mgwsl
• pythno
• jweri
• lx26
• NXLAi
• BI5zj
• askdljlqw
• minerd
• minergate
• Guard.sh
• ysaydh
• bonns
• donns
• kxjd
• Duck.sh
• bonn.sh
• conn.sh
• kworker34
• kw.sh
• pro.sh
• polkitd
• acpid
• icb5o
• nopxi
• irqbalanc1
• minerd
• i586
• gddr
• mstxmr
• ddg.2011
• wnTKYg
• deamon
• disk_genius
• sourplum
• polkitd
• nanoWatch
• zigw
• devtool
• systemctI
• WmiPrwSe
• sysguard
• sysupdate
• networkservice
• Process that contains the following strings in its commandline:
  • {BLOCKED}e.{BLOCKED}eropool.com
  • {BLOCKED}l.{BLOCKED}ls.ru
  • {BLOCKED}r.{BLOCKED}to-pool.fr:8080
  • {BLOCKED}r.{BLOCKED}to-pool.fr:3333
  • {BLOCKED}n@yahoo.com
  • {BLOCKED}hash.com
  • /tmp/a7b104c270
  • {BLOCKED}r.{BLOCKED}to-pool.fr:6666
  • {BLOCKED}r.{BLOCKED}to-pool.fr:7777
  • {BLOCKED}r.{BLOCKED}to-pool.fr:443
  • {BLOCKED}m.f2pool.com:8888
  • {BLOCKED}l.eu
  • xiaoyao
  • xiaoxue
  • var, lib, jenkins and "\-c", without httPort and headless
  • ./{numbers} -c
  • stratum

Rutina de descarga

Guarda los archivos que descarga con los nombres siguientes:

• {directory}/sysupdate → detected as Coinminer.Linux.MALXMR.UWEJJ
• {directory}/update.sh → copy of itself
• {directory}/config.json → coinminer configuration file
• {directory}/networkservice → detected as HackTool.Linux.ExploitScan.AA
• {directory}/sysguard → detected as Trojan.Linux.WATCHGO.AA