Analysis by: Earle Maui Earnshaw

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 3,150,056 bytes
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 28 May 2019
Payload: Connects to URLs/IPs

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan accesses the following websites to download files:

  • http://{BLOCKED}.{BLOCKED}.70.249/.x15cache
  • {BLOCKED}.{BLOCKED}.70.249/rp
  • {BLOCKED}.{BLOCKED}.70.249/.satan

Other Details

This Trojan does the following:

  • Accepts the following parameters:
    Format → scan [ARGUMENT] [[USER PASS] FILE] [IPs/IPs Port FILE]
    • -t [NUMTHREADS] → change the number of threads used. Default is 10
    • -m [MODE] → Change the way the scan works. Default is 1
    • -f [FINAL SCAN] → Does a final scan on found servers. Default is 2
    • Use -f 1 for A.B class /16. Default is 2 for A.B.C /24
    • -i [IPSCAN] → use -i 0 to scan ip class A.B. Default is 1
    • if you use -i 0 then use ./scan -p 22 -i 0 p 192.168 as argument for ip file
    • -m 0 → for non selective scanning
    • -P 0 leave default password unchanged. Changes password by default.
    • -s [TIMEOUT] → Change the timeout. Default is 6
    • -S [2ndTimeout] → change the 2nd time out. Default is 6
    • -p [PORT] → Specify another port to connect to. 0 for multiport
    • -c [REMOTE-COMMAND] → Command to execute on connect. Use ; or && with commands
    • -h → Show this help
    • -H 1 → For Extra help
  • This malware performs SSH brute-force to the aforementioned list of IP address from the [IPs/IPs Port FILE] Input file and uses the credentials given by the [[USER PASS] FILE] input file.

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 15.138.06
FIRST VSAPI PATTERN DATE: 28 May 2019
VSAPI OPR PATTERN File: 15.137.00
VSAPI OPR PATTERN Date: 29 May 2019

Scan your computer with your Trend Micro product to delete files detected as Trojan.Linux.SSHBRUTE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.