ELF_BASHLITE.DJD

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following command(s) from a remote malicious user:

• PING -> check if the server and bot are alive
• NUP -> convert IP address to string
• SPOOF -> Set an IP or an IP range for spoofing
• KILLSUB -> terminate backdoor if sub version matched
• TABLE -> return the table size
• SCAN -> Disable/enable the telnet scanner
• GETLOCALIP -> get local IP address
• GETPUBLICIP -> get public IP address
• VERSION -> Return backdoor's version
• RANGE -> set range of IP
• SPOOFABLE -> check if IP address can be spoof
• HTTP -> DDos using HTTP packet
• UDP -> DDoS using UDP packet
• TCP -> DDoS using TCP packet
• CNC -> connect to specified CNC server regularly
• STD -> Launch a DDoS attack
• KILLATTK -> Kill the bot processes
• LOLNOGTFO -> terminate bot

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.1.233:666

Other Details

This Backdoor does the following:

• Get CPU Information
• Get System Information
• Get network activity
• Download file and execute
• Execute Shell