Trojan.SH.MALXMR.UWEKB

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Dropping Routine

This Trojan drops the following files:

• /root/.ssh/authorized_keys

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.218.107/b2f627/svcupdate
• http://{BLOCKED}.{BLOCKED}.218.107/b2f627/newsvc.sh
• http://{BLOCKED}.{BLOCKED}.218.107/b2f627/config.json
• http://{BLOCKED}.{BLOCKED}.218.107/b2f627/svcworkmanager
• http://{BLOCKED}.{BLOCKED}.218.107/b2f627/svcguard
• http://global.{BLOCKED}x.com.de/b2f627fff19fda/svcguard
• http://global.{BLOCKED}x.com.de/b2f627fff19fda/svcupdate
• http://global.{BLOCKED}x.com.de/b2f627fff19fda/newsvc.sh
• http://global.{BLOCKED}x.com.de/b2f627fff19fda/config.json
• http://global.{BLOCKED}x.com.de/b2f627fff19fda/svcworkmanager

It saves the files it downloads using the following names:

• If /etc/svcupdate exists on the affected machine:
  
  • /etc/config.json → Detected as Coinminer.JS.MALXMR.CMPAT
  • /etc/svcupdate → Detected as Coinminer.Linux.MALXMR.UWEKM
  • /etc/svcguard → Detected as Trojan.Linux.MALXMR.UWEKV
  • /etc/newsvc.sh → Detected as Trojan.SH.MALXMR.UWEKB
  • /etc/svcworkmanager → Detected as HackTool.Linux.ExploitScan.AB
• If there is no /etc/svcupdate on the affected machine:
  
  • /tmp/config.json
  • /tmp/svcupdate
  • /tmp/svcguard
  • /tmp/newsvc.sh
  • /tmp/svcworkmanager

Other Details

This Trojan does the following:

• It creates the following cron jobs for persistence:
  
  • Path: /var/spool/cron/crontabs/
  • Schedule: Every 30 minutes
  • Command: */30 * * * * sh /etc/newsvc.sh >/dev/null 2>&1
• Disables Firewall
• Deletes the following user accounts:
  
  • akay
  • vfinder
• Stops and Disables the following services:
  
  • apparmor
  • aliyun.service
• Uninstalls the following security products (AV) found running on the system:
  
  • Aliyun (Alibaba Cloud)
  • YunJing (Tencent Cloud)
• Terminates the following connections:
  
  • {BLOCKED}.{BLOCKED}.65.238
  • {BLOCKED}.{BLOCKED}.52.87
  • {BLOCKED}.{BLOCKED}.253.15
  • {BLOCKED}.{BLOCKED}.6.16
  • :443
  • :23
  • :443
  • :143
  • :2222
  • :3333
  • :3389
  • :4444
  • :5555
  • :6666
  • :6665
  • :6667
  • :7777
  • :8444
  • :3347
  • :14433
• Terminates processes that contains the following strings:
  
  • ':3333'
  • ':5555'
  • 'kworker -c\'
  • 'log_'
  • 'systemten'
  • 'netns'
  • 'voltuned'
  • 'darwin'
  • '/tmp/dl'
  • '/tmp/ddg'
  • '/tmp/pprt'
  • '/tmp/ppol'
  • '/tmp/65ccE*'
  • '/tmp/jmx*'
  • '/tmp/2Ne80*'
  • 'IOFoqIgyC0zmf2UR'
  • '{BLOCKED}.{BLOCKED}.122.92'
  • '{BLOCKED}.{BLOCKED}.191.178'
  • '{BLOCKED}.{BLOCKED}.56.161'
  • '86s.jpg'
  • 'aGTSGJJp'
  • 'nMrfmnRa'
  • 'PuNY5tm2'
  • 'I0r8Jyyt'
  • 'AgdgACUD'
  • 'uiZvwxG8'
  • 'hahwNEdB'
  • 'BtwXn5qH'
  • '3XEzey2T'
  • 't2tKrCSZ'
  • 'HD7fcBgg'
  • 'zXcDajSs'
  • '3lmigMo'
  • 'AkMK4A2'
  • 'AJ2AkKe'
  • 'HiPxCJRS'
  • 'http_0xCC030'
  • 'http_0xCC031'
  • 'http_0xCC032'
  • 'http_0xCC033'
  • "C4iLM4L"
  • 'aziplcr72qjhzvin'
  • '/boot/vmlinuz'
  • "i4b503a52cc5"
  • "dgqtrcst23rtdi3ldqk322j2"
  • "2g0uv7npuhrlatd"
  • "nqscheduler"
  • "rkebbwgqpl4npmm"
  • "2fhtu70teuhtoh78jc5s"
  • "0kwti6ut420t"
  • "44ct7udt0patws3agkdfqnjm"
  • "\[^"
  • "rsync"
  • "watchd0g"
  • 'wnTKYg|2t3ik|qW3xT.2|ddg'
  • "{BLOCKED}.{BLOCKED}.133.18:8220"
  • "/tmp/java"
  • 'gitee.com'
  • '/tmp/java'
  • '{BLOCKED}.{BLOCKED}.4.162'
  • '{BLOCKED}.{BLOCKED}.39.78'
  • '/dev/shm/z3.sh'
  • 'kthrotlds'
  • 'ksoftirqds'
  • 'netdns'
  • 'watchdogs'
  • 'kdevtmpfsi'
  • 'kinsing'
  • 'redis2'
  • "sync_supers"
  • "cpuset"
  • '/tmp/l.sh'
  • '/tmp/zmcat'
  • 'CnzFVPLF'
  • 'CvKzzZLs'
  • '/tmp/udevd'
  • 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA'
  • 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo'
  • 'sustse'
  • 'sustse3'
  • 'mr.sh'
  • '2mr.sh'
  • 'cr5.sh'
  • 'logo9.jpg'
  • 'j2.conf'
  • 'luk-cpu'
  • 'ficov'
  • 'he.sh'
  • 'miner.sh'
  • 'nullcrew'
  • '{BLOCKED}.{BLOCKED}.47.156'
  • '{BLOCKED}.{BLOCKED}.169.247'
  • '{BLOCKED}.{BLOCKED}.203.146'
  • '{BLOCKED}.{BLOCKED}.45.45'
  • '{BLOCKED}.{BLOCKED}.47.181'
  • '176.31.6.16'
  • "mine.moneropool.com"
  • "pool.t00ls.ru"
  • "xmr.crypto-pool.fr:8080"
  • "xmr.crypto-pool.fr:3333"
  • "{BLOCKED}n@yahoo.com"
  • "monerohash.com"
  • "/tmp/a7b104c270"
  • "xmr.crypto-pool.fr:6666"
  • "xmr.crypto-pool.fr:7777"
  • "xmr.crypto-pool.fr:443"
  • "stratum.f2pool.com:8888"
  • "xmrpool.eu"
  • "{BLOCKED}{BLOCKED}m.me"
  • xiaoyao
  • xiaoxue
  • monerohash
  • L2Jpbi9iYXN
  • xzpauectgr
  • slxfbkmxtd
  • mixtape
  • addnj
  • {BLOCKED}.{BLOCKED}.17.196
  • IyEvYmluL3NoCgpzUG
  • KHdnZXQgLXFPLSBodHRw
  • FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3
  • Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo
  • {BLOCKED}dbpq.conf
  • {BLOCKED}asbf.conf
  • {BLOCKED}lm.cf
  • stratum
  • lower.sh
  • ./ppp
  • cryptonight
  • ./seervceaess
  • ./servceaess
  • ./servceas
  • ./servcesa
  • ./vsp
  • ./jvs
  • ./pvv
  • ./vpp
  • ./pces
  • ./rspce
  • ./haveged
  • ./jiba
  • ./watchbog
  • ./A7mA5gb
  • kacpi_svc
  • kswap_svc
  • kauditd_svc
  • kpsmoused_svc
  • kseriod_svc
  • kthreadd_svc
  • ksoftirqd_svc
  • kintegrityd_svc
  • jawa
  • oracle.jpg
  • 45cToD1FzkjAxHRBhYKKLg5utMGEN
  • {BLOCKED}.{BLOCKED}.49.54
  • {BLOCKED}.{BLOCKED}.87.241
  • etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ
  • 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj
  • etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK
  • servim
  • kblockd_svc
  • native_svc
  • ynn
  • 65ccEJ7
  • jmxx
  • 2Ne80nA
  • sysstats
  • systemxlv
  • watchbog
  • OIcJi1m
  • biosetjenkins
  • Loopback
  • apaceha
  • mixnerdx
  • performedl
  • JnKihGjn
  • irqba2anc1
  • irqba5xnc1
  • irqbnc1
  • ir29xc1
  • conns
  • irqbalance
  • crypto-pool
  • XJnRj
  • mgwsl
  • pythno
  • jweri
  • lx26
  • NXLAi
  • BI5zj
  • askdljlqw
  • minerd
  • minergate
  • Guard.sh
  • ysaydh
  • bonns
  • donns
  • kxjd
  • Duck.sh
  • bonn.sh
  • conn.sh
  • kworker34
  • kw.sh
  • pro.sh
  • polkitd
  • acpid
  • icb5o
  • nopxi
  • irqbalanc1
  • i586
  • gddr
  • mstxmr
  • ddg.2011
  • wnTKYg
  • deamon
  • disk_genius
  • sourplum
  • nanoWatch
  • zigw
  • devtool
  • devtools
  • systemctI
  • sustes
  • xmrig
  • xmrig-cpu
  • 121.42.151.137
  • init12.cfg
  • nginxk
  • tmp/wc.conf
  • xmrig-notls
  • xmr-stak
  • suppoie
  • zer0day.ru
  • dbus-daemon--system
  • nullcrew
  • kworkerds
  • init10.cfg
  • /wl.conf
  • crond64
  • sustse
  • vmlinuz
  • exin
  • apachiii
  • svcguard
  • newsvc.sh
  • svcupdate
  • svcworkmanager
  • "pocosow"
  • "gakeaws"
  • "azulu"
  • "auto"
  • "xmr"
  • "mine"
  • "monero"
  • "slowhttp"
  • "bash.shell"
  • "entrypoint.sh"
  • "/var/sbin/bash"
  • "buster-slim"
  • "hello-"
  • "registry"
  • 'aegis'
  • 'Yun'
• Deletes the following directories:
  
  • /usr/bin/config.json
  • /usr/bin/exin
  • /tmp/wc.conf
  • /tmp/log_rot
  • /tmp/apachiii
  • /tmp/sustse
  • /tmp/php
  • /tmp/p2.conf
  • /tmp/pprt
  • /tmp/ppol
  • /tmp/javax/config.sh
  • /tmp/javax/sshd2
  • /tmp/.profile
  • /tmp/1.so
  • /tmp/kworkerds
  • /tmp/kworkerds3
  • /tmp/kworkerdssx
  • /tmp/xd.json
  • /tmp/syslogd
  • /tmp/syslogdb
  • /tmp/65ccEJ7
  • /tmp/jmxx
  • /tmp/2Ne80nA
  • /tmp/dl
  • /tmp/ddg
  • /tmp/systemxlv
  • /tmp/systemctI
  • /tmp/.abc
  • /tmp/osw.hb
  • /tmp/.tmpleve
  • /tmp/.tmpnewzz
  • /tmp/.java
  • /tmp/.omed
  • /tmp/.tmpc
  • /tmp/.tmpleve
  • /tmp/.tmpnewzz
  • /tmp/gates.lod
  • /tmp/conf.n
  • /tmp/devtool
  • /tmp/devtools
  • /tmp/fs
  • /tmp/.rod
  • /tmp/.rod.tgz
  • /tmp/.rod.tgz.1
  • /tmp/.rod.tgz.2
  • /tmp/.mer
  • /tmp/.mer.tgz
  • /tmp/.mer.tgz.1
  • /tmp/.hod
  • /tmp/.hod.tgz
  • /tmp/.hod.tgz.1
  • /tmp/84Onmce
  • /tmp/C4iLM4L
  • /tmp/lilpip
  • /tmp/3lmigMo
  • /tmp/am8jmBP
  • /tmp/tmp.txt
  • /tmp/baby
  • /tmp/.lib
  • /tmp/systemd
  • /tmp/lib.tar.gz
  • /tmp/baby
  • /tmp/java
  • /tmp/j2.conf
  • /tmp/.mynews1234
  • /tmp/a3e12d
  • /tmp/.pt
  • /tmp/.pt.tgz
  • /tmp/.pt.tgz.1
  • /tmp/go
  • /tmp/java
  • /tmp/j2.conf
  • /tmp/.tmpnewasss
  • /tmp/java
  • /tmp/go.sh
  • /tmp/go2.sh
  • /tmp/khugepageds
  • /tmp/.censusqqqqqqqqq
  • /tmp/.kerberods
  • /tmp/kerberods
  • /tmp/seasame
  • /tmp/touch
  • /tmp/.p
  • /tmp/runtime2.sh
  • /tmp/runtime.sh
  • /dev/shm/z3.sh
  • /dev/shm/z2.sh
  • /dev/shm/.scr
  • /dev/shm/.kerberods
  • /etc/ld.so.preload
  • /usr/local/lib/libioset.so
  • chattr -i /etc/ld.so.preload
  • /etc/ld.so.preload
  • /usr/local/lib/libioset.so
  • /tmp/watchdogs
  • /etc/cron.d/tomcat
  • /etc/rc.d/init.d/watchdogs
  • /usr/sbin/watchdogs
  • /tmp/kthrotlds
  • /etc/rc.d/init.d/kthrotlds
  • /tmp/.sysbabyuuuuu12
  • /tmp/logo9.jpg
  • /tmp/miner.sh
  • /tmp/nullcrew
  • /tmp/proc
  • /tmp/2.sh
  • /opt/atlassian/confluence/bin/1.sh
  • /opt/atlassian/confluence/bin/1.sh.1
  • /opt/atlassian/confluence/bin/1.sh.2
  • /opt/atlassian/confluence/bin/1.sh.3
  • /opt/atlassian/confluence/bin/3.sh
  • /opt/atlassian/confluence/bin/3.sh.1
  • /opt/atlassian/confluence/bin/3.sh.2
  • /opt/atlassian/confluence/bin/3.sh.3
  • /var/tmp/f41
  • /var/tmp/2.sh
  • /var/tmp/config.json
  • /var/tmp/xmrig
  • /var/tmp/1.so
  • /var/tmp/kworkerds3
  • /var/tmp/kworkerdssx
  • /var/tmp/kworkerds
  • /var/tmp/wc.conf
  • /var/tmp/nadezhda.
  • /var/tmp/nadezhda.arm
  • /var/tmp/nadezhda.arm.1
  • /var/tmp/nadezhda.arm.2
  • /var/tmp/nadezhda.x86_64
  • /var/tmp/nadezhda.x86_64.1
  • /var/tmp/nadezhda.x86_64.2
  • /var/tmp/sustse3
  • /var/tmp/sustse
  • /var/tmp/moneroocean/
  • /var/tmp/devtool
  • /var/tmp/devtools
  • /var/tmp/play.sh
  • /var/tmp/systemctI
  • /var/tmp/.java
  • /var/tmp/1.sh
  • /var/tmp/conf.n
  • /var/tmp/lib
  • /var/tmp/.lib
  • /usr/local/aegis
  • /var/spool/cron/*
• It blocks outgoing traffic to the following ports:
  
  • 3333
  • 5555
  • 7777
  • 9999
• It checks for the existence of /root/.ssh/known_hosts and /root/.ssh/id_rsa.pub on the affected machine and if found, it will try to connect to all of the known ports and it will connect to the following URL to download and execute to the affexted machine:
  
  • http://global.{BLOCKED}x.com.de/b2f627fff19fda/is.sh - Detected as Trojan.SH.MALXMR.UWEKB