Analysis by: Joshua Paul Ignacio

 ALIASES:

HEUR:Trojan.Shell.Agent.u (KASPERSKY); BV:Agent-BGD [Trj] (AVAST)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Canal de infecção: Dropped by other malware, Downloaded from the Internet

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It executes downloaded files whose malicious routines are exhibited by the affected system.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

Tipo de compactação: 35,104 bytes
Tipo de arquivo: Other
Residente na memória: No
Data de recebimento das amostras iniciais: 12 Feb 2020
Carga útil: Terminates processes, Deletes files, Drops files, Executes files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

  • /usr/lib/...
  • /tmp/...

It drops the following copies of itself into the affected system:

  • /usr/lib/.../diskmanagerd
  • /tmp/.../diskmanagerd
  • /tmp/.../just4root

It executes then deletes itself afterward.

Other System Modifications

This Trojan deletes the following files:

  • /usr/lib/.../diskmanagerd
  • /tmp/.../just4run
  • /tmp/.../pxe
  • /tmp/.../pxe.c
  • /tmp/.../.d1r7y.txt
  • /tmp/.h
  • /tmp/.hh
  • /tmp/.helpdd
  • /tmp/.../
  • /tmp/.../brootkit.sh
  • /tmp/.../install.sh
  • /tmp/vxbkyxrlq2hly2s
  • /usr/lib/.../kacpi_notify
  • /tmp/moni.lod
  • /tmp/gates.lod
  • /etc/init.d/selinux
  • /etc/init.d/DbSecuritySpt
  • /etc/rc1.d/S97DbSecuritySpt
  • /etc/rc2.d/S97DbSecuritySpt
  • /etc/rc3.d/S97DbSecuritySpt
  • /etc/rc4.d/S97DbSecuritySpt
  • /etc/rc5.d/S97DbSecuritySpt
  • /usr/bin/bsd-port/conf.n
  • /usr/bin/bsd-port/getty
  • /usr/bin/bsd-port/getty.lock
  • /tmp/pythompy
  • /etc/rc1.d/S99selinux
  • /etc/rc2.d/S99selinux
  • /etc/rc3.d/S99selinux
  • /etc/rc4.d/S99selinux
  • /etc/rc5.d/S99selinux

Dropping Routine

This Trojan drops the following files:

  • /tmp/.helpdd
  • /etc/cron.hourly/gcc4lef.sh
  • /tmp/.../just4run

Download Routine

This Trojan executes downloaded files :

  • /tmp/diskmanagerd → Downloaded from http://owa.{BLOCKED}g.com/shell
  • /tmp/diskmanagerd → Downloaded from http://{BLOCKED}.{BLOCKED}.140.59/shell
  • /tmp/.../brootkit.sh (Detected as Rootkit.SH.BROOTKIT.A)→ Downloaded from http://owa.{BLOCKED}g.com/l/tiktoor/brootkit.sh
  • /tmp/.../brootkit.sh (Detected as Rootkit.SH.BROOTKIT.A) → Downloaded from http://{BLOCKED}.{BLOCKED}.140.59/l/tiktoor/brootkit.sh
  • /tmp/.../install.sh (Detected as Trojan.SH.BROOTKIT.B) → Downloaded from http://owa.{BLOCKED}g.com/l/tiktoor/install.sh
  • /tmp/.../install.sh (Detected as Trojan.SH.BROOTKIT.B) → Downloaded from http://{BLOCKED}.{BLOCKED}.140.59/l/tiktoor/install.sh
  • /tmp/.../pxe.c → Downloaded from http://owa.{BLOCKED}g.com/l/pxe/dtC.c
  • /tmp/.../pxe.c → Downloaded from http://{BLOCKED}.{BLOCKED}.140.59/l/pxe/dtC.c
  • /tmp/.../pxe.c → Downloaded from http://owa.{BLOCKED}g.com/l/pxe/dtU.c
  • /tmp/.../pxe.c → Downloaded from http://{BLOCKED}.{BLOCKED}.140.59/l/pxe/dtU.c
  • /tmp/.../pxe (Detected as Trojan.Linux.CVE20165195.D) → Downloaded from http://owa.{BLOCKED}g.com/l/pxe/dtC
  • /tmp/.../pxe (Detected as Trojan.Linux.CVE20165195.D) → Downloaded from http://{BLOCKED}.{BLOCKED}.140.59/l/pxe/dtC
  • /tmp/.../pxe (Detected as Trojan.Linux.CVE20165195.C) → Downloaded from http://owa.{BLOCKED}g.com/l/pxe/dtU
  • /tmp/.../pxe (Detected as Trojan.Linux.CVE20165195.C) → Downloaded from http://{BLOCKED}.{BLOCKED}.140.59/l/pxe/dtU
whose malicious routines are exhibited by the affected system.

Other Details

This Trojan does the following:

  • It creates the following cron jobs for persistence:
    • Path: /etc/cron.hourly/gcc4lef.sh
    • Schedule: Every 3 minutes
    • Command: */3 * * * * root /etc/cron.hourly/gcc4lef.sh
  • It does the following once an Anti-Virus program is running on the affected machine:
    • safedog
      • Uninstall the following:
        • sddev
      • Terminates the following:
        • safedog
        • sdmonitor
        • sdcc
        • udcenter
        • sdcmd
        • sdsvrd
        • Sdacm
        • Udpro
        • sduibin
      • Deletes the following:
        • /etc/sd_uninstall
        • /etc/init.d/sdccboot
        • /etc/init.d/safedog
        • /etc/init.d/sdboot
        • /etc/init.d/udboot
        • /etc/rc2.d/S99sdccboot
        • /etc/rc3.d/S99sdccboot
        • /etc/rc4.d/S99sdccboot
        • /etc/rc5.d/S99sdccboot
        • /etc/rc2.d/S99udboot
        • /etc/rc3.d/S99udboot
        • /etc/rc4.d/S99udboot
        • /etc/rc5.d/S99udboot
        • /etc/rc2.d/S99sdboot
        • /etc/rc3.d/S99sdboot
        • /etc/rc4.d/S99sdboot
        • /etc/rc5.d/S99sdboot
        • /usr/bin/sdcc
        • /usr/bin/sdmonitor
        • /usr/bin/sd_autoexmn
        • /usr/bin/runsdcc
        • /usr/bin/sdccboot
        • /usr/bin/udboot
        • /usr/bin/udcenter
        • /usr/bin/udpro
        • /usr/bin/sdalarm
        • /usr/bin/sdsetos
        • /usr/bin/safedog_uninstall
        • /usr/bin/safedog
        • /usr/bin/sdboot
        • /usr/bin/sdstart
        • /usr/bin/sdsvrd
        • /usr/bin/sdwebdir
        • /usr/bin/sdrtdefendupdate
        • /usr/bin/sdcmd
        • /usr/bin/sdtest
        • /usr/bin/sdui
        • /usr/bin/sduibin
        • /usr/bin/sdcloud
        • /usr/bin/udinstall
        • /usr/bin/sdacm
        • /usr/bin/sdrepo
        • /usr/bin/uduninstall
        • /usr/bin/SDDownload
        • /etc/sdinfo.conf
        • /etc/udcenter.conf
        • /etc/safedog
        • /etc/safedog/libs/safedog
        • /etc/safedog/libs/sdcommon
        • /etc/safedog/libs/sdcc
        • /etc/cloudhelper
        • /etc/init.d/sdccboot
        • /etc/init.d/rc2.d/S99sdccboot
        • /etc/init.d/rc3.d/S99sdccboot
        • /etc/init.d/rc4.d/S99sdccboot
        • /etc/init.d/rc5.d/S99sdccboot
        • /etc/rc2.d/S99sdccboot
        • /etc/rc3.d/S99sdccboot
        • /etc/rc4.d/S99sdccboot
        • /etc/rc5.d/S99sdccboot
        • /etc/safedog/sdcc/bin/sdcc
        • /usr/bin/sdcc
        • /etc/safedog/sdcc/script/runsdcc
        • /usr/bin/runsdcc
        • /etc/safedog/sdcc/script/sdccboot
        • /usr/bin/sdccboot
        • /etc/safedog/logs/sdcc.log
        • /etc/safedog/sdcc/script/udboot
        • /etc/safedog/sdcc/bin/udcenter
        • /etc/safedog/sdcc/bin/udpro
        • /etc/safedog/sdcc/bin/sdalarm
        • /etc/safedog/server/script/sdsetos
        • /etc/safedog/script/safedog_uninstall
        • /etc/sd_uninstall/
    • aegis
      • Uninstall the following:
        • /etc/init.d/aegis
      • Terminates the following:
        • /etc/init.d/aegis
        • aegis_cli
        • aegis_update
        • AliYunDun
        • AliHids
        • AliYunDunUpdate
      • Deletes the following:
        • /etc/init.d/aegis
        • /etc/runlevels/default/aegis
        • /etc/rc2.d/S80aegis
        • /etc/rc3.d/S80aegis
        • /etc/rc4.d/S80aegis
        • /etc/rc5.d/S80aegis
        • /etc/rc.d/rc2.d/S80aegis
        • /etc/rc.d/rc3.d/S80aegis
        • /etc/rc.d/rc4.d/S80aegis
        • /etc/rc.d/rc5.d/S80aegis
        • /usr/local/aegis/aegis_client
        • /usr/local/aegis/aegis_update
        • /usr/local/aegis/alihids
    • yunsuo
      • Uninstall the following:
        • /usr/local/yunsuo_agent
      • Terminates the following:
        • yunsuo
        • /etc/init.d/yunsuo
      • Deletes the following:
        • /etc/init.d/yunsuo
    • clamd
      • Terminates the following:
        • clamd
        • /etc/init.d/avast
      • Deletes the following files:
        • all files related to clamav
    • avast
      • Terminates the following:
        • avast
        • /etc/init.d/avast
      • Deletes the following:
        • all files related to avast
    • avgd
      • Terminates the following:
        • avgd
        • /etc/init.d/avgd
      • Deletes the following:
        • /opt/avg/
        • all files related to avg
    • cmdavd and cmdmgd
      • Terminates the following:
        • cmdavd
        • Cmdmgd
        • /etc/init.d/cmdavd
        • /etc/init.d/cmdmgd
      • Deletes the following:
        • /opt/COMODO
        • all files related to CAV_LINUX
    • drweb-configd and drweb-spider-kmod
      • Terminates the following:
        • drweb-spider-kmod
        • drweb-configd
        • /etc/init.d/drweb-spider-kmod
        • /etc/init.d/drweb-configd
      • Deletes the following:
        • /opt/drweb.com
        • all files related to drweb
    • esets
      • Terminates the following:
        • /etc/init.d/esets
      • Deletes the following:
        • /opt/eset/
    • xmirrord
      • Uninstall the following:
        • /usr/share/xmirror/scripts
      • Terminates the following:
        • xmirrord
        • /etc/init.d/xmirrord
      • Deletes the following:
        • all files related to xmirrord

However, as of this writing, the said sites are inaccessible.

It checks for the presence of the following antivirus and security applications:

  • safedog
  • aegis
  • yunsuo
  • clamd
  • avast
  • avgd
  • cmdavd
  • cmdmgd
  • drweb-configd
  • drweb-spider-kmod
  • esets
  • xmirrord

  SOLUTION

Mecanismo de varredura mínima: 9.850
Primeiro arquivo padrão VSAPI: 15.694.07
Data do lançamento do primeiro padrão VSAPI: 19 Feb 2020
VSAPI OPR Pattern Version: 15.695.00
VSAPI OPR Pattern veröffentlicht am: 20 Feb 2020

Scan your computer with your Trend Micro product to delete files detected as Trojan.SH.BROOTKIT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.