Backdoor.Linux.BASHLITE.AMW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• PINGING - checks connection with C&C
• ECHOSCAN OFF/ON - scan and infects telnet ports with weak credentials
• OELINUX123 OFF/ON - similar to ECHOSCAN
• CFBYPASS - bypasses CloudFlare Protection
• HOLD - stops any DDOS module
• GRENADE - launches all DDOS module
  • JUNK - sends randomly generated strings
  • VSE - sends spoofed queries and/or connection attempts
  • ACK - ACK flood
  • UDP - UDP flood
  • TCP - TCP flood
  • OVH - OVH flood an anti-DDOS web service
• STD - Does the following routine/command
  • Bricker - downloads and executes bricker
  • MINER - downloads and exercutes miner
  • PKILL - kills a specified process

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.25.213:3437

Other Details

This Backdoor does the following:

• It uses the following credentials to try to login to other machines:
  • Username:
    • root
    • admin
  • Password:
    • root
    • admin
    • admin123
    • huigu309
    • xc3511
    • vizxv
• It is capable of dropping downloader binaries depending on the system architecture.
  The dropped binary accesses the following URL to download its payload:
  
  • {BLOCKED}.{BLOCKED}.185.250/hakai.{architecture}
    where {architecture} is any of the following:
    • arm
    • arm7
    • m68k
    • mips
    • mpsl
    • ppc
    • sh4
    • spc
    • x86
    • x86_64

However, as of this writing, the said sites are inaccessible.