Trojan.SH.HADGLIDER.J

This Trojan may be dropped by other malware.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Trojan may be dropped by the following malware:

• Trojan.SH.HADGLIDER.A

Installation

This Trojan drops the following files:

• /tmp/log_rot
• /proc/sys/kernel/nmi_watchdog
• /etc/sysctl.conf
• /usr/bin/.profile

Autostart Technique

This Trojan adds and runs the following services:

• /etc/systemd/system/moneroocean_miner.service

Other System Modifications

This Trojan deletes the following files:

• /var/log/syslog
• /tmp/*
• /tmp/.*
• /tmp/xmrig.tar.gz

Process Termination

This Trojan terminates the following services if found on the affected system:

• Aliyun (Alibaba Cloud)
• YunJing (Tencent Cloud)

It terminates the following processes if found running in the affected system's memory:

• migration

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• http://{BLOCKED}.{BLOCKED}.148.123/COVID19/bin/xmrig.tar.gz
• It will look for the latest version of Monero miner and downloads it.
  
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/bin/xmrig-5.11.0.tar.gz

It saves the files it downloads using the following names:

• /tmp/xmrig.tar.gz
  
  • It will try to extract the files of /tmp/xmrig.tar.gz on /usr/bin. If successful, it will delete /tmp/xmrig.tar.gz and if not success, it will display an error message on terminal.

Information Theft

This Trojan gathers the following data:

• Hostname
• Number of Processing Units

Other Details

This Trojan does the following:

• Disables Firewall
• Disables NMI Watchdog
• Disables and removes older version of moneroocean miner
• It will uninstall the following security products (AV) found running on the system:
  
  • Aliyun (Alibaba Cloud)
  • YunJing (Tencent Cloud)
• It will check if the advanced and stock version of /usr/bin/migration is working properly or removed by an antivirus software

However, as of this writing, the said sites are inaccessible.