PER UTENTI

Chiudi

La mia libreria
La mia libreria

+ Aggiungi alla libreria

Ricerca
Ricerca

Supporto
Supporto 24/7 | Regole per contattare

Scrivi

Una richiesta attraverso il modulo

Chiama

+7 (495) 789-45-86

Forum

Richieste

Crea nuova richiesta

Chiama

+7 (495) 789-45-86

Profile

IT

RU CN DE EN ES FR IT JP KZ UZ PL BY
Chiudi
Servizi
Scanner
Dr.Web vxCube
Versione di prova
Perizia di incidenti informatici legati ai virus
Libreria dei virus
Base di conoscenza

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Notizie

Linux.MulDrop.143

Aggiunto al database dei virus Dr.Web: 2024-06-20

La descrizione è stata aggiunta:

  • ssh1:17040ad7ab4056312d6502079b7d6ea23c2cd7cd

Description

A trojan dropper for Linux written in C and packed using UPX. It is used to deliver a variety of malware to a compromised system, including the Linux.Rootkit.400 (LKM) rootkit, the Linux.BtcMine.815 miner, and the Linux.BackDoor.Pam.8/9 and Linux.BackDoor.SSH.425/426 backdoors. It is quite large, as it contains rootkits for different distributions and kernel versions (about 60 modifications).

MITRE matrix

Stage Tactic
Execution (TA0002) Unix Shell (T1059.004)
Persistence (TA0003) Kernel Modules and Extensions (T1547.006)
Privilege Escalation (TA0004) Kernel Modules and Extensions (T1547.006)
Defense Evasion (TA0005) Software Packing (T1027.002)
File and Directory Permissions Modification (T1222.002)
File deletion (T1070.004)
Rootkit (T1014)
Disable or Modify Tools (T1562.001)
Match Legitimate Name or Location (T1036.005)
Timestomp (T1070.006)

Operating routine

  1. The dropper accesses the following files and, using the chattr system utility, removes a number of attributes:
    Files Attributes 
    
/usr/bin
/usr/bin/ssh
/usr/bin/scp
/lib/udev
/etc /etc/pam.d
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
    		a – only allows information to be added to the file
    i - prohibits the file from being renamed or deleted
    e - indicates the use of extents* by the file

    *This is an attacker's mistake since this attribute cannot be removed with chattr.

  2. Using the uname command, the dropper determines the Linux kernel version. Based on this information, it selects compatible rootkits and places them in the following paths:
    /lib/udev/collectd/kmeminfo.ko — a malicious kernel module that installs a network filter to bypass the firewall.
    /lib/udev/collectd/mcpuinfo.koLinux.Rootkit.400, a rootkit that hides the activity of the CPU, kernel modules, processes, and network ports.
  3. Checks the hashes of sshd and scp executables. If they don't match the values stored in the dropper, the specified files are replaced with malicious versions.:
    /usr/bin/sshLinux.BackDoor.SSH.425 collects SSH credentials and stores them in the olog.h file
    /usr/bin/scp — sends the olog.h file to the attackers
  4. If no compatible rootkit is found as part of the dropper, the server logs are cleared and the server is rebooted. If the rootkit is successfully installed, the /etc/reviews directory is created. It contains the following files, which are patched versions of system diagnostic utilities that have been modified to work with the mcpuinfo.ko rootkit:
    Legitimate tool Patched version
    conntrack /etc/reviews/cn
    ifconfig /etc/reviews/ig
    ip /etc/reviews/ip
    iftop /etc/reviews/it
    netstat /etc/reviews/nt
    route /etc/reviews/rt
    unhide-tcp /etc/reviews/up
    unhide-linux /etc/reviews/uu
    unhide-posix /etc/reviews/ux
    tcpdump /etc/mountinfo
    busybox /etc/dhclientd
    telnet /etc/dhclientdx
    ping /etc/dhclientdd
    1. 4.1 Additionally, the following files are created:
      /usr/bin/biosdecoded — contains malicious versions of pam_echo.so and pam_sftp.so, and ensures that they are loaded on a system call
      /usr/bin/devlinkedLinux.MulDrop.151, is a dropper for the Linux.BtcMine.815 miner (xmrig)
      /usr/bin/matchpathcondLinux.BackDoor.SSH.426 (SSH backdoor)
      /usr/bin/postcatedLinux.Stealer.8, like scp, performs the function of sending the olog.h file to intruders
      /usr/bin/postmapedLinux.Siggen.7907 removes artifacts created during infection
      /usr/bin/telinitedLinux.BackDoor.RCTL.2, a remote access and control trojan (https://github.com/ycsunjane/rctl/blob/github/client/rctl.c)
  5. Before loading rootkits, the modprobe utility loads the inet_diag, tcp_diag, and udp_diag modules and unloads the sysdig_probe_probe. If these commands are successful, it redirects the output of echo 8 to the file /tmp/8.txt. It then runs the insmod command to load mcpuinfo.ko and kmeminfo.ko. If the modules were not loaded successfully, the logs are cleared and the server is restarted.
  6. The following binaries are launched: 
    
/usr/bin/biosdecoded
/usr/bin/devlinked
/usr/bin/matchpathcond
/usr/bin/postcated
/usr/bin/postmaped
/usr/bin/telinited

    In addition, before launching each of the above files, the rootkit interacts with /proc/sys/kernel/ns_last_pid and /proc/sys/kernel/pid_max, where information about the ID of the last malicious file launched is recorded. In addition, numbered files such as 1.txt, 2.txt, and so on are stored in the /tmp directory, the appearance of which is determined by the successful execution of a particular stage of the attack.

  7. It performs a log cleanup and deletes temporary files.

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number