Trojan.SH.MALXMR.UWEIU

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• /bin/sh /etc/cron.hourly/oanacroner -> contains the connection to http://{BLOCKED}h.shop/1.jpg
• /bin/sh /etc/cron.daily/oanacroner -> contains the connection to http://{BLOCKED}h.shop/1.jpg
• /bin/sh /etc/cron.monthly/oanacroner -> contains the connection to http://{BLOCKED}h.shop/1.jpg
• /opt/yilu/mservice
• /opt/yilu/work/xig/xig
• /opt/yilu/work/xige/xige
• /tmp/thisxxs
• /usr/bin/.sshd
• /usr/bin/bsd-port/getty

It creates the following folders:

• /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
• /var/tmp
• /var/spool/cron/crontabs
• /etc/cron.hourly
• /etc/cron.daily
• /etc/cron.monthly
• /opt/yilu/work/xig
• /opt/yilu/work/xige
• /usr/bin/bsd-port

Other System Modifications

This Trojan deletes the following files:

• /tmp/qW3xT.2
• /tmp/ddgs.3013
• /tmp/ddgs.3012
• /tmp/wnTKYg
• /tmp/2t3ik
• /boot/grub/deamon
• /boot/grub/disk_genius
• /tmp/*index_bak*
• /tmp/*httpd.conf*
• /tmp/*httpd.conf
• /tmp/a7b104c270
• /tmp/ddg*
• /tmp/wnTKYg
• /var/tmp/j*
• /tmp/j*
• /var/tmp/java
• /tmp/java
• /var/tmp/java2
• /tmp/java2
• /var/tmp/java*
• /tmp/java*
• /tmp/httpd.conf
• /tmp/conn
• /tmp/.uninstall*
• /tmp/.python*
• /tmp/.tables*
• /tmp/.mas
• /tmp/root.sh
• /tmp/pools.txt
• /tmp/libapache
• /tmp/config.json
• /tmp/bashf
• /tmp/bashg
• /tmp/libapache
• /tmp/kworkerds
• /var/tmp/kworkerds
• /var/tmp/config.json
• /tmp/.systemd-private-* .systemd-private-*
• /etc/rc*.d/S01nfstruncate
• /etc/rc.d/rc*.d/S01nfstruncate
• /bin/ddus-uidgen
• /etc/init.d/acpidtd
• /etc/rc.d/rc*.d/S01acpidtd
• /etc/rc*.d/S01acpidtd
• /etc/ld.sc.conf
• /etc/ld.so.preload

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• sourplum
• wnTKYg
• ddg*
• kworkerds
• biosetjenkins
• AnXqV.yam
• xmrigDaemon
• xmrigMiner
• xmrig
• Loopback
• apaceha
• cryptonight
• stratum
• mixnerdx
• performedl
• JnKihGjn
• irqba2anc1
• irqba5xnc1
• irqbnc1
• ir29xc1
• conns
• irqbalance
• crypto-pool
• minexmr
• XJnRj
• NXLAi
• BI5zj
• askdljlqw
• minerd
• minergate
• Guard.sh
• ysaydh
• bonns
• donns
• kxjd
• Duck.sh
• bonn.sh
• conn.sh
• kworker34
• kw.sh
• pro.sh
• polkitd
• acpid
• icb5o
• nopxi
• irqbalanc1
• minerd
• i586
• gddr
• mstxmr
• ddg.2011
• wnTKYg
• deamon
• disk_genius
• sourplum
• bashx
• bashg
• bashe
• bashf
• bashh
• XbashY
• libapache
• qW3xT.2
• /usr/bin/.sshd
• sustes
• Xbash
• kthreadd
• xmrig
• xmrigDaemon
• xmrigMiner
• xig
• ddgs
• qW3xT
• t00ls.ru
• /var/tmp/sustes
• sustes
• Xbash
• hashfish
• cranbery
• stratum
• xmr
• minerd
• /tmp/thisxxs
• /opt/yilu/work/xig/xig
• /opt/yilu/mservice
• /usr/bin/.sshd
• /usr/bin/bsd-port/getty
• Process that uses the following URL and Ports:
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.86:443
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.238
  • {BLOCKED}.{BLOCKED}.{BLOCKED}2.87
  • :3333
  • :4444
  • :5555
  • :6666
  • :7777
  • :3347
  • :14444
  • :14433
  • :56415

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}h.shop/86
• http://{BLOCKED}h.shop/64
• http://{BLOCKED}h.shop/0
• http://{BLOCKED}h.shop/1.jpg

It saves the files it downloads using the following names:

• /var/tmp/r1x -> 32 bit miner. Detected as Coinminer.Linux.MALXMR.UWEIU
• /tmp/r1x -> 64 bit miner

Other Details

This Trojan does the following:

• Terminates itself if found running and then execute the updated miner