It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Elimina archivos para impedir la ejecución correcta de programas y aplicaciones.
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Instalación
Infiltra los archivos siguientes:
- /urs/bin/config1.json → contains the configuration of the miner
- /proc/sys/vm/drop_caches
- /etc/systemd/system/watchdogd.service
Agrega los procesos siguientes:
- /usr/bin/watchdogd
- /usr/bin/xmrigMiner
- /usr/bin/config.json
- /etc/init.d/watchdogd
- /etc/systemd/system/watchdogd.service
- systemctl --system daemon-reload
- systemctl enable watchdogd.service
- systemctl start watchdogd.service
- systemctl status watchdogd.service
- systemctl start watchdogd || service Watchdogd start
- systemctl start watchdogd || service Watchdogd status
Crea las carpetas siguientes:
- /var/spool/cron/crontabs
- /etc/cron.d/
Técnica de inicio automático
Inicia los servicios siguientes:
Otras modificaciones del sistema
Elimina los archivos siguientes:
- /usr/bin/watchdogd
- /usr/bin/xmrigMiner
- /usr/bin/config.json
- /usr/bin/rstart.sh
- /tmp/watchdogd
- /tmp/xmrigMiner
- /tmp/config.json
- /usr/bin/lo
- /usr/bin/
- /bin/hid
- /usr/bin/sysh
- /usr/bin/systemd-clean
- /usr/bin/systemd-healt
- /etc/init.d/xmrcc
- /lib/systemd/system/xmrcc.service
- /etc/systemd/system/xmrcc.service
- /etc/systemd/system/multi-user.target.wants/xmrcc.service
- .route.txt
Elimina las carpetas siguientes:
- /var/spool/cron/*
- /etc/cron.d/
- /var/spool/mail/root
Finalización del proceso
Finaliza los servicios siguientes si los detecta en el sistema afectado:
Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:
Rutina de descarga
Guarda los archivos que descarga con los nombres siguientes:
- /usr/bin/config1.json
- /usr/bin/config.json
Otros detalles
Hace lo siguiente:
- Checks the existence of the following processes that contains the following strings in their command line: If it exist will download malicious files in the following URL:
- http://{BLOCKED}nt.red/load/cyo.sh
- Checks for the file "/usr/bin/64bit.tar.gz" if size is not equal to 3319957 bytes will download file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/64bit.tar.gz
- Checks for the file "/usr/bin/32bit.tar.gz" if size is not equal to 2269097 bytes will download file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/32bit.tar.gz
- Checks for the file "/usr/bin/service_files.tar.gz" if size is not equal to 1937 bytes will download file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/service_files.tar.gz
- Enable HugePages
- Disable Uncomplicated firewall and sets it's configuration to allow TCP connection with the following ports:
- 1982
- 3344
- 4444
- 5555
- 6666
- 7777
- 8888
- 9000
- Configure the Firewall by executing the following commands:
- firewall-cmd --add-port={Port}/tcp --permanent
- firewall-cmd --reload
- Where {Port} are the following:
- 1982
- 3344
- 4444
- 5555
- 6666
- 7777
- 8888
- 9000
- Save the all of the network information and connection in the machine in the following files:
- /etc/iptables/iptables.rules
This covers all of the connection related to the port listed. - Hides the following processes:
- Sends the following files to the URL, "http:/teamtnt.red/up/setup_upload.php":
- /root/.ssh/id_rsa
- /root/.ssh/id_rsa.pub
- /root/.ssh/known_host
- /root/.bash_history
- /etc/host
