Trojan.Linux.CUTTLESNIFF.AB
UDS:Trojan.Linux.Agent.a (KASPERSKY)
Linux
Tipo de malware
Trojan
Destructivo?
No
Cifrado
No
In the Wild:
Sí
Resumen y descripción
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Detalles técnicos
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Rutina de descarga
Guarda los archivos que descarga con los nombres siguientes:
- /tmp/tconfigjs
Otros detalles
It connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/
Hace lo siguiente:
- It hides itself in /tmp/.{random}.so, mounting to the current /proc/{PID}
- It attempts to connect to the following URL to download and update the ruleset:
- http://{BLOCKED}.{BLOCKED}.39:443/rules{BLOCKED}.
- It compares outbound network traffics to the following ports:
- tcp dst port 21
- tcp dst port 22
- tcp dst port 23
- tcp dst port 25
- udp dst port 53
- tcp dst port 69
- tcp dst port 80
- tcp dst port 81
- tcp dst port 82
- tcp dst port 83
- tcp dst port 88
- tcp dst port 110
- tcp dst port 135
- tcp dst port 139
- tcp dst port 143
- tcp dst port 164
- tcp dst port 389
- tcp dst port 443
- tcp dst port 444
- tcp dst port 445
- tcp dst port 554
- tcp dst port 888
- tcp dst port 992
- tcp dst port 993
- tcp dst port 995
- tcp dst port 1024
- tcp dst port 1080
- tcp dst port 1194
- tcp dst port 1433
- tcp dst port 1443
- tcp dst port 1521
- tcp dst port 1701
- tcp dst port 1723
- tcp dst port 1935
- tcp dst port 2000
- tcp dst port 2103
- tcp dst port 2222
- tcp dst port 2323
- tcp dst port 2375
- tcp dst port 2600
- tcp dst port 2601
- tcp dst port 3128
- tcp dst port 3306
- tcp dst port 3333
- tcp dst port 3389
- tcp dst port 3443
- tcp dst port 4343
- tcp dst port 4430
- tcp dst port 4433
- tcp dst port 4443
- tcp dst port 4444
- tcp dst port 4567
- tcp dst port 4899
- tcp dst port 5000
- tcp dst port 5060
- tcp dst port 5061
- tcp dst port 5432
- tcp dst port 5443
- tcp dst port 5523
- tcp dst port 5555
- tcp dst port 5900
- tcp dst port 6000
- tcp dst port 6379
- tcp dst port 6443
- tcp dst port 7000
- tcp dst port 7001
- tcp dst port 7170
- tcp dst port 7210
- tcp dst port 7443
- tcp dst port 7547
- tcp dst port 7777
- tcp dst port 8000
- tcp dst port 8008
- tcp dst port 8009
- tcp dst port 8080
- tcp dst port 8081
- tcp dst port 8085
- tcp dst port 8088
- tcp dst port 8090
- tcp dst port 8181
- tcp dst port 8229
- tcp dst port 8333
- tcp dst port 8383
- tcp dst port 8443
- tcp dst port 8888
- tcp dst port 9000
- tcp dst port 9001
- tcp dst port 9002
- tcp dst port 9090
- tcp dst port 9200
- tcp dst port 9443
- tcp dst port 10001
- tcp dst port 10443
- tcp dst port 20443
- tcp dst port 27017
- tcp dst port 30005
- tcp dst port 50995
- tcp dst port 50996
- tcp dst port 58000
- tcp dst port 60443
- tcp dst port 65527
- tcp dst port 9220
- If matches, it searches for the following credential markers:
- username=
- user_name=
- username
- account=
- passwd
- password
- passwd
- pass_word
- userName
- password
- passwd=
- password=
- pass_word=
- Authorization:
- access_key=
- access_token=
- admin_pass=
- admin_user=
- algolia_admin_key=
- algolia_api_key=
- alias_pass=
- alicloud_access_key=
- amazon_secret_access_key=
- amazonaws=
- ansible_vault_password=
- aos_key=
- api_key=
- api_key_secret=
- api_key_sid=
- api_secret=
- api.googlemaps AIza=
- apidocs=
- apikey=
- apiSecret=
- app_debug=
- app_id=
- app_key=
- app_log_level=
- app_secret=
- appkey=
- appkeysecret=
- application_key=
- appsecret=
- appspot=
- auth_token=
- authorizationToken=
- authsecret=
- aws_access=
- aws_access_key_id=
- aws_bucket=
- aws_key=
- aws_secret=
- aws_secret_key=
- aws_token=
- AWSSecretKey=
- b2_app_key=
- bashrc password=
- bintray_apikey=
- bintray_gpg_password=
- bintray_key=
- bintraykey=
- bluemix_api_key=
- bluemix_pass=
- browserstack_access_key=
- bucket_password=
- bucketeer_aws_access_key_id=
- bucketeer_aws_secret_access_key=
- built_branch_deploy_key=
- bx_password=
- cache_driver=
- cache_s3_secret_key=
- cattle_access_key=
- cattle_secret_key=
- certificate_password=
- ci_deploy_password=
- client_secret=
- client_zpk_secret_key=
- clojars_password=
- cloud_api_key=
- cloud_watch_aws_access_key=
- cloudant_password=
- cloudflare_api_key=
- cloudflare_auth_key=
- cloudinary_api_secret=
- cloudinary_name=
- codecov_token=
- config=
- conn.login=
- connectionstring=
- consumer_key=
- consumer_secret=
- credentials=
- cypress_record_key=
- database_password=
- database_schema_test=
- datadog_api_key=
- datadog_app_key=
- db_password=
- db_server=
- db_username=
- dbpasswd=
- dbpassword=
- dbuser=
- deploy_password=
- digitalocean_ssh_key_body=
- digitalocean_ssh_key_ids=
- docker_hub_password=
- docker_key=
- docker_pass=
- docker_passwd=
- docker_password=
- dockerhub_password=
- dockerhubpassword=
- dot-files=
- dotfiles=
- droplet_travis_password=
- dynamoaccesskeyid=
- dynamosecretaccesskey=
- elastica_host=
- elastica_port=
- elasticsearch_password=
- encryption_key=
- encryption_password=
- env.heroku_api_key=
- env.sonatype_password=
- eureka.awssecretkey=
- It logs output to /tmp/log.txt
- It archives the log file using gzip (%s.gz) and upload the file to http://{BLOCKED}.{BLOCKED}.{BLOCKED}.39:443/upload?uuid=%s&filename=%s&tid={hex value}
Soluciones
Step 2
Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como Trojan.Linux.CUTTLESNIFF.AB En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.
Rellene nuestra encuesta!