Backdoor.Linux.GOMIR.THEBABD

 Analysis by: Melvin Jhun Palbusa

 ALIASES:

UDS:Backdoor.Linux.Gomir.a (KASPERSKY)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

File Size:

5,947,392 bytes

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

21 May 2024

Payload:

Connects to URLs/IPs, Drops files, Executes commands

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

  • /etc/systemd/system/syslogd.service → If "install" parameter is used with process running under superuser privilege.
  • {Malware File Path}\cron.txt → If "install" parameter is used with process not running under superuser privilege. Deletes afterwards.

It drops the following copies of itself into the affected system:

  • /var/log/syslogd → If "install" parameter is used with process running under superuser privilege.

It adds the following processes:

  • $SHELL -c systemctl daemon-reload → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c systemctl reenable syslogd → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c systemctl start syslogd → If "install" parameter is used with process running under superuser privilege.
  • /bin/sh -c crontab -1 → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c crontab cron.txt → If "install" parameter is used with process running under superuser privilege.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

  • 01 → Temporarily halts communication with the C&C server for a specified period.
  • 02 → Executes an arbitrary string as a shell command ("[shell]" "-c" "[arbitrary_string]").
  • 03 → Reports the current working directory.
  • 04 → Changes the current working directory and reports the working directory’s new pathname.
  • 05 → Checks TCP connectivity for arbitrary network endpoints.
  • 06 → Terminates its own process, effectively stopping the backdoor.
  • 07 → Reports the pathname of its own executable file.
  • 08 → Gathers statistics about a specified directory tree and reports the total number of subdirectories, total number of files, and the cumulative size of all files.
  • 09 → Reports the configuration details of the affected computer, including hostname, username, CPU, RAM, and network interfaces, listing each interface's name, MAC address, IP address, and IPv6 address.
  • 10 → Sets a fallback shell for executing shell commands in operation 02, with the initial value set to "/bin/sh".
  • 11 → Sets a codepage for interpreting the output from the shell commands in operation 02.
  • 12 → Delays communication with the C&C server until a specified datetime.
  • 13 → Responds with the message "Not implemented on Linux!".
  • 14 → Starts a reverse proxy by connecting to an arbitrary control endpoint.
  • 15 → Reports the control endpoints of the reverse proxy.
  • 30 → Creates an arbitrary file on the affected computer.
  • 31 → Exfiltrates an arbitrary file from the affected computer.

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.34/mir/index.php

Other Details

This Backdoor does the following:

  • It adds the following service:
    • Service Name: syslogd
    • Start type: Restart=always
  • Deletes and terminates itself →If "install" parameter is used with process running under superuser privilege.

It accepts the following parameters:

  • install → Adds persistence through services if running with superuser privilege or creates a crontab to start the malware with every reboot.

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

19.354.03

FIRST VSAPI PATTERN DATE:

21 May 2024

VSAPI OPR PATTERN File:

19.355.00

VSAPI OPR PATTERN Date:

22 May 2024

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

     
    • Troj.ELF.TRX.XXELFC1DFF040

Step 2

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Linux.GOMIR.THEBABD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.