HKTL_SSHSCAN.GA-ELF

 Analysis by: Augusto II Remillano

 ALIASES:

HackTool.Linux.Sshscan.b (Kaspersky), Linux/Sshscan.A trojan (NOD32)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware


This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages.

  TECHNICAL DETAILS

File Size:

842,736 bytes

File Type:

ELF

Memory Resident:

Yes

Initial Samples Received Date:

29 Aug 2018

Payload:

Creates files

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

Other Details

This Hacking Tool does the following:

  • The hacking tool requires the following arguments to proceed with its intended routine:
    • max forks - maximum forks allowed
  • The hacking tool requires the following files to proceed with its intended routine:
    • mfu.txt - contains list of IP addresses that the hacking tool will try to access via SSH
    • pass_file - a list of space separated credentials.
  • This hacking tool is a SSH brute force tool. It will try to access the servers listed in mfu.txt via SSH by using the credentials contained in the pass_file.
  • This hacking tool creates and modifies the following file:
    • vuln.txt - contains result of the brute force SSH scan. Contains the list of the vulnerable IP addresses and their associated working credentials

  SOLUTION

Minimum Scan Engine:

9.850

SSAPI PATTERN File:

1.995.00

SSAPI PATTERN Date:

06 Sep 2018

Scan your computer with your Trend Micro product to delete files detected as HKTL_SSHSCAN.GA-ELF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.