Analysé par: Leidryn Saludez   

 

UDS:Trojan.Linux.Agent.a (KASPERSKY)

 Plate-forme:

Linux

 Overall Risk:
 Dommages potentiels: :
 Distribution potentielle: :
 reportedInfection:
 Information Exposure Rating::
Faible
Medium
Élevé
Critique

  • Type de grayware:
    Trojan

  • Destructif:
    Non

  • Chiffrement:
    Non

  • In the wild::
    Oui

  Overview

Voie d'infection: Aus dem Internet heruntergeladen, Fallen gelassen von anderer Malware

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Détails techniques

File size: 1,125,524 bytes
File type: ELF
Memory resident: Non
Date de réception des premiers échantillons: 08 mai 2024
Charge malveillante: Connects to URLs/IPs, Downloads files

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download-Routine

Speichert die heruntergeladenen Dateien unter den folgenden Namen:

  • /tmp/tconfigjs

Andere Details

It connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/

Es macht Folgendes:

  • It hides itself in /tmp/.{random}.so, mounting to the current /proc/{PID}
  • It attempts to connect to the following URL to download and update the ruleset:
    • http://{BLOCKED}.{BLOCKED}.39:443/rules{BLOCKED}.
  • It compares outbound network traffics to the following ports:
    • tcp dst port 21
    • tcp dst port 22
    • tcp dst port 23
    • tcp dst port 25
    • udp dst port 53
    • tcp dst port 69
    • tcp dst port 80
    • tcp dst port 81
    • tcp dst port 82
    • tcp dst port 83
    • tcp dst port 88
    • tcp dst port 110
    • tcp dst port 135
    • tcp dst port 139
    • tcp dst port 143
    • tcp dst port 164
    • tcp dst port 389
    • tcp dst port 443
    • tcp dst port 444
    • tcp dst port 445
    • tcp dst port 554
    • tcp dst port 888
    • tcp dst port 992
    • tcp dst port 993
    • tcp dst port 995
    • tcp dst port 1024
    • tcp dst port 1080
    • tcp dst port 1194
    • tcp dst port 1433
    • tcp dst port 1443
    • tcp dst port 1521
    • tcp dst port 1701
    • tcp dst port 1723
    • tcp dst port 1935
    • tcp dst port 2000
    • tcp dst port 2103
    • tcp dst port 2222
    • tcp dst port 2323
    • tcp dst port 2375
    • tcp dst port 2600
    • tcp dst port 2601
    • tcp dst port 3128
    • tcp dst port 3306
    • tcp dst port 3333
    • tcp dst port 3389
    • tcp dst port 3443
    • tcp dst port 4343
    • tcp dst port 4430
    • tcp dst port 4433
    • tcp dst port 4443
    • tcp dst port 4444
    • tcp dst port 4567
    • tcp dst port 4899
    • tcp dst port 5000
    • tcp dst port 5060
    • tcp dst port 5061
    • tcp dst port 5432
    • tcp dst port 5443
    • tcp dst port 5523
    • tcp dst port 5555
    • tcp dst port 5900
    • tcp dst port 6000
    • tcp dst port 6379
    • tcp dst port 6443
    • tcp dst port 7000
    • tcp dst port 7001
    • tcp dst port 7170
    • tcp dst port 7210
    • tcp dst port 7443
    • tcp dst port 7547
    • tcp dst port 7777
    • tcp dst port 8000
    • tcp dst port 8008
    • tcp dst port 8009
    • tcp dst port 8080
    • tcp dst port 8081
    • tcp dst port 8085
    • tcp dst port 8088
    • tcp dst port 8090
    • tcp dst port 8181
    • tcp dst port 8229
    • tcp dst port 8333
    • tcp dst port 8383
    • tcp dst port 8443
    • tcp dst port 8888
    • tcp dst port 9000
    • tcp dst port 9001
    • tcp dst port 9002
    • tcp dst port 9090
    • tcp dst port 9200
    • tcp dst port 9443
    • tcp dst port 10001
    • tcp dst port 10443
    • tcp dst port 20443
    • tcp dst port 27017
    • tcp dst port 30005
    • tcp dst port 50995
    • tcp dst port 50996
    • tcp dst port 58000
    • tcp dst port 60443
    • tcp dst port 65527
    • tcp dst port 9220
  • If matches, it searches for the following credential markers:
    • username=
    • user_name=
    • username
    • account=
    • passwd
    • password
    • passwd
    • pass_word
    • userName
    • password
    • passwd=
    • password=
    • pass_word=
    • Authorization:
    • access_key=
    • access_token=
    • admin_pass=
    • admin_user=
    • algolia_admin_key=
    • algolia_api_key=
    • alias_pass=
    • alicloud_access_key=
    • amazon_secret_access_key=
    • amazonaws=
    • ansible_vault_password=
    • aos_key=
    • api_key=
    • api_key_secret=
    • api_key_sid=
    • api_secret=
    • api.googlemaps AIza=
    • apidocs=
    • apikey=
    • apiSecret=
    • app_debug=
    • app_id=
    • app_key=
    • app_log_level=
    • app_secret=
    • appkey=
    • appkeysecret=
    • application_key=
    • appsecret=
    • appspot=
    • auth_token=
    • authorizationToken=
    • authsecret=
    • aws_access=
    • aws_access_key_id=
    • aws_bucket=
    • aws_key=
    • aws_secret=
    • aws_secret_key=
    • aws_token=
    • AWSSecretKey=
    • b2_app_key=
    • bashrc password=
    • bintray_apikey=
    • bintray_gpg_password=
    • bintray_key=
    • bintraykey=
    • bluemix_api_key=
    • bluemix_pass=
    • browserstack_access_key=
    • bucket_password=
    • bucketeer_aws_access_key_id=
    • bucketeer_aws_secret_access_key=
    • built_branch_deploy_key=
    • bx_password=
    • cache_driver=
    • cache_s3_secret_key=
    • cattle_access_key=
    • cattle_secret_key=
    • certificate_password=
    • ci_deploy_password=
    • client_secret=
    • client_zpk_secret_key=
    • clojars_password=
    • cloud_api_key=
    • cloud_watch_aws_access_key=
    • cloudant_password=
    • cloudflare_api_key=
    • cloudflare_auth_key=
    • cloudinary_api_secret=
    • cloudinary_name=
    • codecov_token=
    • config=
    • conn.login=
    • connectionstring=
    • consumer_key=
    • consumer_secret=
    • credentials=
    • cypress_record_key=
    • database_password=
    • database_schema_test=
    • datadog_api_key=
    • datadog_app_key=
    • db_password=
    • db_server=
    • db_username=
    • dbpasswd=
    • dbpassword=
    • dbuser=
    • deploy_password=
    • digitalocean_ssh_key_body=
    • digitalocean_ssh_key_ids=
    • docker_hub_password=
    • docker_key=
    • docker_pass=
    • docker_passwd=
    • docker_password=
    • dockerhub_password=
    • dockerhubpassword=
    • dot-files=
    • dotfiles=
    • droplet_travis_password=
    • dynamoaccesskeyid=
    • dynamosecretaccesskey=
    • elastica_host=
    • elastica_port=
    • elasticsearch_password=
    • encryption_key=
    • encryption_password=
    • env.heroku_api_key=
    • env.sonatype_password=
    • eureka.awssecretkey=
  • It logs output to /tmp/log.txt
  • It archives the log file using gzip (%s.gz) and upload the file to http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/upload?uuid=%s&filename=%s&tid={hex value}

  Solutions

Moteur de scan minimum: 9.800
First VSAPI Pattern File: 19.328.04
First VSAPI Pattern Release Date: 08 mai 2024
VSAPI OPR Pattern Version: 19.329.00
VSAPI OPR Pattern Release Date: 09 mai 2024

Step 2

Durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt, und löschen Sie Dateien, die als Trojan.Linux.CUTTLESNIFF.AB entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.


Participez à notre enquête!