Backdoor.Linux.GOMIR.THEBABD

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• /etc/systemd/system/syslogd.service → If "install" parameter is used with process running under superuser privilege.
• {Malware File Path}\cron.txt → If "install" parameter is used with process not running under superuser privilege. Deletes afterwards.

It drops the following copies of itself into the affected system:

• /var/log/syslogd → If "install" parameter is used with process running under superuser privilege.

It adds the following processes:

• $SHELL -c systemctl daemon-reload → If "install" parameter is used with process running under superuser privilege.
• $SHELL -c systemctl reenable syslogd → If "install" parameter is used with process running under superuser privilege.
• $SHELL -c systemctl start syslogd → If "install" parameter is used with process running under superuser privilege.
• /bin/sh -c crontab -1 → If "install" parameter is used with process running under superuser privilege.
• $SHELL -c crontab cron.txt → If "install" parameter is used with process running under superuser privilege.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• 01 → Temporarily halts communication with the C&C server for a specified period.
• 02 → Executes an arbitrary string as a shell command ("[shell]" "-c" "[arbitrary_string]").
• 03 → Reports the current working directory.
• 04 → Changes the current working directory and reports the working directory’s new pathname.
• 05 → Checks TCP connectivity for arbitrary network endpoints.
• 06 → Terminates its own process, effectively stopping the backdoor.
• 07 → Reports the pathname of its own executable file.
• 08 → Gathers statistics about a specified directory tree and reports the total number of subdirectories, total number of files, and the cumulative size of all files.
• 09 → Reports the configuration details of the affected computer, including hostname, username, CPU, RAM, and network interfaces, listing each interface's name, MAC address, IP address, and IPv6 address.
• 10 → Sets a fallback shell for executing shell commands in operation 02, with the initial value set to "/bin/sh".
• 11 → Sets a codepage for interpreting the output from the shell commands in operation 02.
• 12 → Delays communication with the C&C server until a specified datetime.
• 13 → Responds with the message "Not implemented on Linux!".
• 14 → Starts a reverse proxy by connecting to an arbitrary control endpoint.
• 15 → Reports the control endpoints of the reverse proxy.
• 30 → Creates an arbitrary file on the affected computer.
• 31 → Exfiltrates an arbitrary file from the affected computer.

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.34/mir/index.php

Other Details

This Backdoor does the following:

• It adds the following service:
  • Service Name: syslogd
  • Start type: Restart=always
• Deletes and terminates itself →If "install" parameter is used with process running under superuser privilege.

It accepts the following parameters:

• install → Adds persistence through services if running with superuser privilege or creates a crontab to start the malware with every reboot.