Backdoor.Linux.BASHLITE.SMJC

This is an updated Bashlite malware designed to add infected internet-of-things devices to a distributed-denial-of-service (DDoS) botnet.

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• UDP - UDP flood
• STD - STD flood
• TCP - TCP flood
• CLOUDFLARE - HTTP Flood w/ CloudFlare protection bypass
• HTTP - HTTP Flood
• STOMP - STD + UDP Flood
• RAID - STD + TCP Flood
• UPDATE - downloaded updated binary from C&C
• CNC - set CNC
• STOP - Stop bot operation

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.7.231:46216

Information Theft

This Backdoor gathers the following data:

• Linux distro - OpenSuse/REHL or Centos/Gentoo/Ubuntu or Debian/Unknown
• files -Presence of the following files:
  • /usr/sbin/telnetd
  • /usr/bin/python
  • /usr/bin/python3
• device - returns the string “SSH” if there is a file “/usr/sbin/telnetd”, otherwise, it will return “Unknown Device”
• Port - returns the string “22” if the four files mentioned above is found, otherwise, it will return “Unknown Port”

Other Details

This Backdoor does the following:

• It is capable of updating itself and download binaries by accessing the following URL:
  • {BLOCKED}.{BLOCKED}.7.231/bins.sh