Backdoor.Linux.NEKO.AB

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It takes advantage of certain vulnerabilities.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Execute shell command
• Kill specified processes
• Launch UDP flood
• Run scanner function and propagate via exploit
• Change CnC

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.25.200

Process Termination

This Backdoor terminates the following malware-related processes:

• 902i13
• BzSxLxBxeY
• HOHO-LUGO7
• HOHO-U79OL
• JuYfouyf87
• NiGGeR69xd
• SO190Ij1X
• LOLKIKEEEDDE
• Ex0420
• ekjheory98e
• rzr
• EXTENDO
• scansh4
• MDMA
• fdevalvex
• scanspc
• MELTEDNINJAREALZ
• flexsonskids
• scanx86
• MISAKI-U79OL
• foAxi102kxe
• swodjwodjwoj
• MmKiy7f87l
• freecookiex86
• sysgpu
• frgege
• sysupdater
• 0DnAzepd
• NiGGeRD0nks69
• frgreu
• 0x766f6964
• NiGGeRd0nks1337
• gaft
• urasgbsigboa
• 120i3UI49
• OaF3
• geae
• vaiolmao
• 123123a
• Ofurain0n4H34D
• ggTrex
• ew
• wasads
• 1293194hjXD
• OthLaLosn
• ggt
• wget-log
• cupsddh
• 1337SoraLOADER
• SAIAKINA
• atddd
• sksapdd
• ggtq
• 1378bfp919GRB1Q2
• SAIAKUSO
• skysapdd
• ggtr
• 14Fa
• SEXSLAVE1337
• ggtt
• 1902a3u912u3u4
• haetrghbr
• 19ju3d
• SORAojkf120
• hehahejeje92
• 2U2JDJA901F91
• SlaVLav12
• helpmedaddthhhhh
• 2wgg9qphbq
• Slav3Th3seD3vices
• hzSmYZjYMQ
• 5Gbf
• sora
• SoRAxD123LOL
• iaGv
• 5aA3
• SoRAxD420LOL
• insomni
• 640277
• SoraBeReppin1337
• ipcamCache
• 66tlGg9Q
• 6ke3
• TOKYO3
• lyEeaXul2dULCVxh
• 93OfjHZ2z
• TY2gD6MZvKc7KU6r
• mMkiy6f87l
• A023UU4U24UIU
• TheWeeknd
• mioribitches
• A5p9
• TheWeeknds
• mnblkjpoi
• AbAd
• Tokyos
• neb
• Akiru
• U8inTz
• netstats
• Alex
• W9RCAKM20T
• newnetword
• Ayo215
• g1abc4dmo35hnp2lie0kjf
• Word
• nloads
• BAdAsV
• Wordmane
• notyakuzaa
• Belch
• Wordnets
• obp
• BigN0gg0r420
• X0102I34f
• ofhasfhiafhoi
• X19I239124UIU
• oism
• 8Deported
• XSHJEHHEIIHWO
• olsVNwo12
• DeportedDeported
• XkTer0GbA1
• onry0v03
• FortniteDownLOLZ
• Y0urM0mGay
• pussyfartlmaojk
• GrAcEnIgGeRaNn
• YvdGkqndCO
• qGeoRBe6BE
• GuiltyCrown
• ZEuS69
• s4beBsEQhd
• HOHO-KSNDO
• ZEuz69
• sat1234
• aj93hJ23
• scanHA
• alie293z0k2L
• scanJoshoARM
• HellInSide
• ayyyGangShit
• scanJoshoARM5
• HighFry
• b1gl
• scanJoshoARM6
• IWhPyucDbJ
• boatnetz
• scanJoshoARM7
• IuYgujeIqn
• btbatrtah
• scanJoshoM68K
• JJDUHEWBBBIB
• scanJoshoMIPS
• JSDGIEVIVAVIG
• cKbVkzGOPa
• scanJoshoMPSL
• ccAD
• scanJoshoPPC
• KAZEN-OIU97
• chickenxings
• scanJoshoSH4
• yakuskzm8
• KAZEN-PO78H
• cleaner
• scanJoshoSPC
• KAZEN-U79OL
• dbeef
• scanJoshoX86
• yakuz4c24
• KETASHI32
• ddrwelper
• scanarm5
• zPnr6HpQj2
• Kaishi-Iz90Y
• deexec
• scanarm6
• zdrtfxcgy
• Katrina32
• doCP3fVj
• scanarm7
• zxcfhuio
• Ksif91je39
• scanm68k
• Kuasa
• dvrhelper
• scanmips
• KuasaBinsMate
• eqnOhRk8s
• scanmpsl
• LOLHHHOHOHBUI
• eXK20CL12Z
• nya
• mezy
• QBotBladeSPOOKY
• hikariwashere
• p4029x91xx
• 32uhj4gbejh
• zhr
• lzrd
• PownedSecurity69
• .ares
• fxlyazsxhy
• jnsd9sdoila
• yourmomgaeis
• sdfjiougsioj
• Oasis
• SEGRJIJHFVNHSNHEIHFOS
• apep999
• KOWAI-BAdAsV
• KOWAI-SAD
• jHKipU7Yl
• airdropmalware
• your_verry_fucking_gay
• Big-Bro-Bright
• sefaexec
• shirololi
• eagle.
• For-Gai-Mezy
• 0x6axNL
• cloqkisvspooky
• myth
• SwergjmioG
• KILLEJW(IU(JIWERGFJGJWJRG
• Hetrh
• APEP
• wewrthe
• IuFdKssCxz
• jSDFJIjio
• OnrYoXd666
• ewrtkjoketh
• ajbdf89wu823
• AAaasrdgs
• REKAI
• WsGA4@F6F
• GhostWuzHere666
• BOGOMIPS
• sfc6aJfIuY
• Demon.
• xeno-is-god
• ICY-P-0ODIJ
• gSHUIHIfh
• wrgL
• hu87VhvQPz
• dakuexecbin
• TacoBellGodYo
• loligang
• PRIVMSG
• Execution
• orbitclient
• Amnesia
• Owari
• UnHAnaAW
• DUP
• Eats8
• z3hir
• obbo
• miori
• eagle
• MASUTA
• doxxRollie
• WHOIS
• KILLATTK
• daddyl33t
• lessie.
• 1gba4cdom53nhp12ei0kfj
• 9u123448u124au814d4x10
• hax.
• yakuza
• wordminer
• v[0v
• minerword
• SinixV4
• hoho
• g0dbu7tu
• orphic
• furasshu
• horizon
• assailant
• Ares
• Kawaiihelper
• ECHOBOT
• DEMONS
• kalon
• Josho
• daddyscum
• akira.ak
• Hilix
• daku
• Tsunami
• estella
• Solar
• rift
• _-255.Net
• Cayosin
• Okami
• Kosha
• bushido
• trojan
• shiina
• Reaper.
• Corona.
• wrgnuwrijo
• Aka
• Hari
• orage
• fibre
• galil
• stresserpw
• stresser.pw
• Tohru
• Omni
• kawaii
• Frosti
• sxj472sz
• HU6FIZTQU
• PFF1500RG
• plzjustfuckoff
• nvitpj
• elfLoad
• Amakano
• tokupdater
• /dev/netslink/
• /dev/FTWDT101_watchdog
• cum-n-go
• oblivion
• Voltage
• Votan
• .anime
• scanppc

Other Details

This Backdoor takes advantage of the following vulnerabilities:

• Eir D1000 Wireless Router - WAN Side Remote Command Injection
• ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
• D-Link Devices - HNAP SOAPAction-Header Command Execution
• D-Link DSL-2750B - OS Command Injection
• Huawei Router HG532 - Arbitrary Command Execution
• GPON Routers - Authentication Bypass / Command Injection
• Linksys E-series - Remote Code Execution
• MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution
• Realtek SDK - Miniigd UPnP SOAP Command Execution
• Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Remote Code Execution (Metasploit)