Backdoor.Linux.GOMIR.THEBABD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Ejecuta comandos desde un usuario remoto malicioso que pone en peligro el sistema afectado.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• /etc/systemd/system/syslogd.service → If "install" parameter is used with process running under superuser privilege.
• {Malware File Path}\cron.txt → If "install" parameter is used with process not running under superuser privilege. Deletes afterwards.

Crea las siguientes copias de sí mismo en el sistema afectado:

• /var/log/syslogd → If "install" parameter is used with process running under superuser privilege.

Agrega los procesos siguientes:

• $SHELL -c systemctl daemon-reload → If "install" parameter is used with process running under superuser privilege.
• $SHELL -c systemctl reenable syslogd → If "install" parameter is used with process running under superuser privilege.
• $SHELL -c systemctl start syslogd → If "install" parameter is used with process running under superuser privilege.
• /bin/sh -c crontab -1 → If "install" parameter is used with process running under superuser privilege.
• $SHELL -c crontab cron.txt → If "install" parameter is used with process running under superuser privilege.

Rutina de puerta trasera

Ejecuta los comandos siguientes desde un usuario remoto malicioso:

• 01 → Temporarily halts communication with the C&C server for a specified period.
• 02 → Executes an arbitrary string as a shell command ("[shell]" "-c" "[arbitrary_string]").
• 03 → Reports the current working directory.
• 04 → Changes the current working directory and reports the working directory’s new pathname.
• 05 → Checks TCP connectivity for arbitrary network endpoints.
• 06 → Terminates its own process, effectively stopping the backdoor.
• 07 → Reports the pathname of its own executable file.
• 08 → Gathers statistics about a specified directory tree and reports the total number of subdirectories, total number of files, and the cumulative size of all files.
• 09 → Reports the configuration details of the affected computer, including hostname, username, CPU, RAM, and network interfaces, listing each interface's name, MAC address, IP address, and IPv6 address.
• 10 → Sets a fallback shell for executing shell commands in operation 02, with the initial value set to "/bin/sh".
• 11 → Sets a codepage for interpreting the output from the shell commands in operation 02.
• 12 → Delays communication with the C&C server until a specified datetime.
• 13 → Responds with the message "Not implemented on Linux!".
• 14 → Starts a reverse proxy by connecting to an arbitrary control endpoint.
• 15 → Reports the control endpoints of the reverse proxy.
• 30 → Creates an arbitrary file on the affected computer.
• 31 → Exfiltrates an arbitrary file from the affected computer.

Otros detalles

Hace lo siguiente:

• It adds the following service:
  • Service Name: syslogd
  • Start type: Restart=always
• Deletes and terminates itself →If "install" parameter is used with process running under superuser privilege.