Trojan.Linux.SKIDMAP.UWEJX

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• /lib64/security/pam_unix.so -> if 64-bit, compromised pam_unix.so file
• /lib/x86_64-linux-gnu/security/pam_unix.so -> if 32-bit, compromised pam_unix.so file
• /root/.ssh/authorized_keys

Other System Modifications

This Trojan deletes the following files:

• /usr/bin/kaudited
• /usr/bin/kswaped
• /usr/bin/irqbalanced
• /usr/bin/rctlcli
• /usr/bin/systemd-network
• /usr/bin/pamdicks
• /lib/udev/ssd_control/iproute.ko
• /lib/udev/ssd_control/netlink.ko
• /lib/udev/ssd_control/cryptov2.ko

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• kaudeited
• kswaped
• systemd-network
• rctlcli
• irqbalanced
• ip6network
• pamdicks

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://pm.{BLOCKED}llet.tk/cos7.tar.gz

It saves the files it downloads using the following names:

• /usr/include/cos7.tar.gz

Other Details

This Trojan does the following:

• Checks if OS is centos or redhat, if not it will connect and download from the following URL(s):
  http://pm.{BLOCKED}llet.tk/miner2
  It will save and execute the downloaded file as:
  tmp/miner2
• It creates a copy of "/usr/bin/pamdicks.org" and saves it as "tmp/mmm" and "/usr/bin/mmm"
• It changes the file attribute of "/etc/cron.d" to remove immutable and append only
• Adds the following lines to "/etc/cron.d/watch":
  0 1 * * * root /bin/cp /usr/bin/mmm /tmp/mmm && /tmp/mmm
• It changes the file attribute of every file in "/etc/cron.d" to include immutable
• It checks for "usr/bin/chattr" or "/bin/chattr", if not accessible it will execute the following commands:
  /bin/mv /usr/bin/chattr /usr/bin/t
  /usr/bin/t +i /root/.ssh/authorized_keys
• It checks for the presence of the following files:
  /lib64/security/pam_unix.so
  /lib/x86_64-linux-gnu/security/pam_unix.so.
  If present, it will replace it with a malicious copy of "pam_unix.so", otherwise it will create its own "pam_unix.so"
• It checks if setenforce is running, if found running it will execute the following command:
  execute (setenforce 0)
• It checks for /root/.ssh, if present it will change the file attribute to remove immutable and append only in all the files under that directory.
  If not present, it will create its own "/root/.ssh"
• It sets the following configurations:
  SELINUX=disabled
  SELINUXTYPE=targeted, to disabled setenforce