ELF_VPNFILT.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

As of this writing, the said sites are inaccessible.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• /var/run/client.crt <--- Used to authenticate request to the C&C Server
• /var/run/client.key <--- Used to authenticate request to the C&C Server
• /var/run/client_ca.crt <--- Used to authenticate request to the C&C Server

Download Routine

This Trojan connects to the following URL(s) to download its configuration file:

• http://photobucket.com/user/katy{BLOCKED}45/library
• http://photobucket.com/user/lisa{BLOCKED}87/library
• http://photobucket.com/user/kmi{BLOCKED}2/library
• http://photobucket.com/user/nik{BLOCKED}d11/library

As of this writing, the said sites are inaccessible.

Other Details

This Trojan does the following:

• It modifies Cron/Crontab (Linux Script Scheduler) to execute a script periodically. It schedules it to run every 5 minutes.
• It is capable of downloading different modules from the C&C Server.
• If it fails to connect to the initial URL, it then proceeds to connect to the following backup URL for the second payload:
  • http://{BLOCKED}wall.com/manage/content/update.php
• If it fails to connect to the URL, it opens a port that waits for a specific trigger to establish a connection for the author to have access interactively to the infected device.
• It generates a URL from the configuration file where it will download and save the file using the following names
  • /var/vpnfilter