Trojan.SH.HADGLIDER.TSD

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• /urs/bin/config1.json → contains the configuration of the miner
• /proc/sys/vm/drop_caches
• /etc/systemd/system/watchdogd.service

It adds the following processes:

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /etc/init.d/watchdogd
• /etc/systemd/system/watchdogd.service
• systemctl --system daemon-reload
• systemctl enable watchdogd.service
• systemctl start watchdogd.service
• systemctl status watchdogd.service
• systemctl start watchdogd || service Watchdogd start
• systemctl start watchdogd || service Watchdogd status

It creates the following folders:

• /var/spool/cron/crontabs
• /etc/cron.d/

Autostart Technique

This Trojan starts the following services:

• watchdogd.service

Other System Modifications

This Trojan deletes the following files:

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /usr/bin/rstart.sh
• /tmp/watchdogd
• /tmp/xmrigMiner
• /tmp/config.json
• /usr/bin/lo
• /usr/bin/
• /bin/hid
• /usr/bin/sysh
• /usr/bin/systemd-clean
• /usr/bin/systemd-healt
• /etc/init.d/xmrcc
• /lib/systemd/system/xmrcc.service
• /etc/systemd/system/xmrcc.service
• /etc/systemd/system/multi-user.target.wants/xmrcc.service
• .route.txt

It deletes the following folders:

• /var/spool/cron/*
• /etc/cron.d/
• /var/spool/mail/root

Process Termination

This Trojan terminates the following services if found on the affected system:

• watchdogd.service

It terminates the following processes if found running in the affected system's memory:

• aliyun.one
• curl
• wget
• /tmp/

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/config.json
• ftp://ftp.{BLOCKED}r.liu.se/pub/unix/pnscan/pnscan-1.11.tar.gz

It saves the files it downloads using the following names:

• /usr/bin/config1.json
• /usr/bin/config.json

Other Details

This Trojan does the following:

• Checks the existence of the following processes that contains the following strings in their command line:
  • "3.0.192.200:10008"
  If it exist will download malicious files in the following URL:
  • http://{BLOCKED}nt.red/load/cyo.sh
• Checks for the file "/usr/bin/64bit.tar.gz" if size is not equal to 3319957 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/64bit.tar.gz
• Checks for the file "/usr/bin/32bit.tar.gz" if size is not equal to 2269097 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/32bit.tar.gz
• Checks for the file "/usr/bin/service_files.tar.gz" if size is not equal to 1937 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/service_files.tar.gz
• Enable HugePages
• Disable Uncomplicated firewall and sets it's configuration to allow TCP connection with the following ports:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Configure the Firewall by executing the following commands:
  • firewall-cmd --add-port={Port}/tcp --permanent
  • firewall-cmd --reload
  • Where {Port} are the following:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Save the all of the network information and connection in the machine in the following files:
  • /etc/iptables/iptables.rules
  This covers all of the connection related to the port listed.
• Hides the following processes:
  • watchdogd
  • xmrigMiner
• Sends the following files to the URL, "http:/teamtnt.red/up/setup_upload.php":
  • /root/.ssh/id_rsa
  • /root/.ssh/id_rsa.pub
  • /root/.ssh/known_host
  • /root/.bash_history
  • /etc/host