Trojan.Linux.CUTTLESNIFF.AB

May 09, 2024
 Analysis by: Leidryn Saludez
 ALIASES:

UDS:Trojan.Linux.Agent.a (KASPERSKY)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

1,125,524 bytes

File Type:

ELF

Memory Resident:

No

Initial Samples Received Date:

08 May 2024

Payload:

Connects to URLs/IPs, Downloads files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan saves the files it downloads using the following names:

  • /tmp/tconfigjs

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/

It does the following:

  • It hides itself in /tmp/.{random}.so, mounting to the current /proc/{PID}
  • It attempts to connect to the following URL to download and update the ruleset:
    • http://{BLOCKED}.{BLOCKED}.39:443/rules{BLOCKED}.
  • It compares outbound network traffics to the following ports:
    • tcp dst port 21
    • tcp dst port 22
    • tcp dst port 23
    • tcp dst port 25
    • udp dst port 53
    • tcp dst port 69
    • tcp dst port 80
    • tcp dst port 81
    • tcp dst port 82
    • tcp dst port 83
    • tcp dst port 88
    • tcp dst port 110
    • tcp dst port 135
    • tcp dst port 139
    • tcp dst port 143
    • tcp dst port 164
    • tcp dst port 389
    • tcp dst port 443
    • tcp dst port 444
    • tcp dst port 445
    • tcp dst port 554
    • tcp dst port 888
    • tcp dst port 992
    • tcp dst port 993
    • tcp dst port 995
    • tcp dst port 1024
    • tcp dst port 1080
    • tcp dst port 1194
    • tcp dst port 1433
    • tcp dst port 1443
    • tcp dst port 1521
    • tcp dst port 1701
    • tcp dst port 1723
    • tcp dst port 1935
    • tcp dst port 2000
    • tcp dst port 2103
    • tcp dst port 2222
    • tcp dst port 2323
    • tcp dst port 2375
    • tcp dst port 2600
    • tcp dst port 2601
    • tcp dst port 3128
    • tcp dst port 3306
    • tcp dst port 3333
    • tcp dst port 3389
    • tcp dst port 3443
    • tcp dst port 4343
    • tcp dst port 4430
    • tcp dst port 4433
    • tcp dst port 4443
    • tcp dst port 4444
    • tcp dst port 4567
    • tcp dst port 4899
    • tcp dst port 5000
    • tcp dst port 5060
    • tcp dst port 5061
    • tcp dst port 5432
    • tcp dst port 5443
    • tcp dst port 5523
    • tcp dst port 5555
    • tcp dst port 5900
    • tcp dst port 6000
    • tcp dst port 6379
    • tcp dst port 6443
    • tcp dst port 7000
    • tcp dst port 7001
    • tcp dst port 7170
    • tcp dst port 7210
    • tcp dst port 7443
    • tcp dst port 7547
    • tcp dst port 7777
    • tcp dst port 8000
    • tcp dst port 8008
    • tcp dst port 8009
    • tcp dst port 8080
    • tcp dst port 8081
    • tcp dst port 8085
    • tcp dst port 8088
    • tcp dst port 8090
    • tcp dst port 8181
    • tcp dst port 8229
    • tcp dst port 8333
    • tcp dst port 8383
    • tcp dst port 8443
    • tcp dst port 8888
    • tcp dst port 9000
    • tcp dst port 9001
    • tcp dst port 9002
    • tcp dst port 9090
    • tcp dst port 9200
    • tcp dst port 9443
    • tcp dst port 10001
    • tcp dst port 10443
    • tcp dst port 20443
    • tcp dst port 27017
    • tcp dst port 30005
    • tcp dst port 50995
    • tcp dst port 50996
    • tcp dst port 58000
    • tcp dst port 60443
    • tcp dst port 65527
    • tcp dst port 9220
  • If matches, it searches for the following credential markers:
    • username=
    • user_name=
    • username
    • account=
    • passwd
    • password
    • passwd
    • pass_word
    • userName
    • password
    • passwd=
    • password=
    • pass_word=
    • Authorization:
    • access_key=
    • access_token=
    • admin_pass=
    • admin_user=
    • algolia_admin_key=
    • algolia_api_key=
    • alias_pass=
    • alicloud_access_key=
    • amazon_secret_access_key=
    • amazonaws=
    • ansible_vault_password=
    • aos_key=
    • api_key=
    • api_key_secret=
    • api_key_sid=
    • api_secret=
    • api.googlemaps AIza=
    • apidocs=
    • apikey=
    • apiSecret=
    • app_debug=
    • app_id=
    • app_key=
    • app_log_level=
    • app_secret=
    • appkey=
    • appkeysecret=
    • application_key=
    • appsecret=
    • appspot=
    • auth_token=
    • authorizationToken=
    • authsecret=
    • aws_access=
    • aws_access_key_id=
    • aws_bucket=
    • aws_key=
    • aws_secret=
    • aws_secret_key=
    • aws_token=
    • AWSSecretKey=
    • b2_app_key=
    • bashrc password=
    • bintray_apikey=
    • bintray_gpg_password=
    • bintray_key=
    • bintraykey=
    • bluemix_api_key=
    • bluemix_pass=
    • browserstack_access_key=
    • bucket_password=
    • bucketeer_aws_access_key_id=
    • bucketeer_aws_secret_access_key=
    • built_branch_deploy_key=
    • bx_password=
    • cache_driver=
    • cache_s3_secret_key=
    • cattle_access_key=
    • cattle_secret_key=
    • certificate_password=
    • ci_deploy_password=
    • client_secret=
    • client_zpk_secret_key=
    • clojars_password=
    • cloud_api_key=
    • cloud_watch_aws_access_key=
    • cloudant_password=
    • cloudflare_api_key=
    • cloudflare_auth_key=
    • cloudinary_api_secret=
    • cloudinary_name=
    • codecov_token=
    • config=
    • conn.login=
    • connectionstring=
    • consumer_key=
    • consumer_secret=
    • credentials=
    • cypress_record_key=
    • database_password=
    • database_schema_test=
    • datadog_api_key=
    • datadog_app_key=
    • db_password=
    • db_server=
    • db_username=
    • dbpasswd=
    • dbpassword=
    • dbuser=
    • deploy_password=
    • digitalocean_ssh_key_body=
    • digitalocean_ssh_key_ids=
    • docker_hub_password=
    • docker_key=
    • docker_pass=
    • docker_passwd=
    • docker_password=
    • dockerhub_password=
    • dockerhubpassword=
    • dot-files=
    • dotfiles=
    • droplet_travis_password=
    • dynamoaccesskeyid=
    • dynamosecretaccesskey=
    • elastica_host=
    • elastica_port=
    • elasticsearch_password=
    • encryption_key=
    • encryption_password=
    • env.heroku_api_key=
    • env.sonatype_password=
    • eureka.awssecretkey=
  • It logs output to /tmp/log.txt
  • It archives the log file using gzip (%s.gz) and upload the file to http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/upload?uuid=%s&filename=%s&tid={hex value}

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

19.328.04

FIRST VSAPI PATTERN DATE:

08 May 2024

VSAPI OPR PATTERN File:

19.329.00

VSAPI OPR PATTERN Date:

09 May 2024

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

     Troj.ELF.TRX.XXELFC1DFF039

Step 2

Scan your computer with your Trend Micro product to delete files detected as Trojan.Linux.CUTTLESNIFF.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.