Author: Melvin Jhun Palbusa   

 

UDS:Backdoor.Linux.Gomir.a (KASPERSKY)

 PLATFORM:

Linux

 OVER ALL RISK RATING:
 DAMAGE POTENTIAL::
 DISTRIBUTION POTENTIAL::
 REPORTED INFECTION:
 INFORMATION EXPOSURE:
Low
Medium
High
Critical

  • Threat Type:
    Backdoor

  • Destructiveness:
    No

  • Encrypted:
     

  • In the wild::
    Yes

  OVERVIEW

INFECTION CHANNEL: Descargado de Internet, Eliminado por otro tipo de malware

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Ejecuta comandos desde un usuario remoto malicioso que pone en peligro el sistema afectado.

  TECHNICAL DETAILS

File size: 5,947,392 bytes
File type: ELF
Memory resident: Yes
INITIAL SAMPLES RECEIVED DATE: 21 maja 2024
PAYLOAD: Connects to URLs/IPs, Drops files, Executes commands

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

  • /etc/systemd/system/syslogd.service → If "install" parameter is used with process running under superuser privilege.
  • {Malware File Path}\cron.txt → If "install" parameter is used with process not running under superuser privilege. Deletes afterwards.

Crea las siguientes copias de sí mismo en el sistema afectado:

  • /var/log/syslogd → If "install" parameter is used with process running under superuser privilege.

Agrega los procesos siguientes:

  • $SHELL -c systemctl daemon-reload → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c systemctl reenable syslogd → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c systemctl start syslogd → If "install" parameter is used with process running under superuser privilege.
  • /bin/sh -c crontab -1 → If "install" parameter is used with process running under superuser privilege.
  • $SHELL -c crontab cron.txt → If "install" parameter is used with process running under superuser privilege.

Rutina de puerta trasera

Ejecuta los comandos siguientes desde un usuario remoto malicioso:

  • 01 → Temporarily halts communication with the C&C server for a specified period.
  • 02 → Executes an arbitrary string as a shell command ("[shell]" "-c" "[arbitrary_string]").
  • 03 → Reports the current working directory.
  • 04 → Changes the current working directory and reports the working directory’s new pathname.
  • 05 → Checks TCP connectivity for arbitrary network endpoints.
  • 06 → Terminates its own process, effectively stopping the backdoor.
  • 07 → Reports the pathname of its own executable file.
  • 08 → Gathers statistics about a specified directory tree and reports the total number of subdirectories, total number of files, and the cumulative size of all files.
  • 09 → Reports the configuration details of the affected computer, including hostname, username, CPU, RAM, and network interfaces, listing each interface's name, MAC address, IP address, and IPv6 address.
  • 10 → Sets a fallback shell for executing shell commands in operation 02, with the initial value set to "/bin/sh".
  • 11 → Sets a codepage for interpreting the output from the shell commands in operation 02.
  • 12 → Delays communication with the C&C server until a specified datetime.
  • 13 → Responds with the message "Not implemented on Linux!".
  • 14 → Starts a reverse proxy by connecting to an arbitrary control endpoint.
  • 15 → Reports the control endpoints of the reverse proxy.
  • 30 → Creates an arbitrary file on the affected computer.
  • 31 → Exfiltrates an arbitrary file from the affected computer.

Otros detalles

Hace lo siguiente:

  • It adds the following service:
    • Service Name: syslogd
    • Start type: Restart=always
  • Deletes and terminates itself →If "install" parameter is used with process running under superuser privilege.

  SOLUTION

Minimum scan engine: 9.800
First VSAPI Pattern File: 19.354.03
First VSAPI Pattern Release Date: 21 de maja de 2024
VSAPI OPR PATTERN-VERSION: 19.355.00
VSAPI OPR PATTERN DATE: 22 de maja de 2024

Step 2

Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como Backdoor.Linux.GOMIR.THEBABD En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.


Did this description help? Tell us how we did.