Trojan.SH.HADGLIDER.TSD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Löscht Dateien, so dass Programme und Anwendungen nicht ordnungsgemäß ausgeführt werden.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

• /urs/bin/config1.json → contains the configuration of the miner
• /proc/sys/vm/drop_caches
• /etc/systemd/system/watchdogd.service

Fügt die folgenden Prozesse hinzu:

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /etc/init.d/watchdogd
• /etc/systemd/system/watchdogd.service
• systemctl --system daemon-reload
• systemctl enable watchdogd.service
• systemctl start watchdogd.service
• systemctl status watchdogd.service
• systemctl start watchdogd || service Watchdogd start
• systemctl start watchdogd || service Watchdogd status

Erstellt die folgenden Ordner:

• /var/spool/cron/crontabs
• /etc/cron.d/

Autostart-Technik

Startet die folgenden Dienste:

• watchdogd.service

Andere Systemänderungen

Löscht die folgenden Dateien:

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /usr/bin/rstart.sh
• /tmp/watchdogd
• /tmp/xmrigMiner
• /tmp/config.json
• /usr/bin/lo
• /usr/bin/
• /bin/hid
• /usr/bin/sysh
• /usr/bin/systemd-clean
• /usr/bin/systemd-healt
• /etc/init.d/xmrcc
• /lib/systemd/system/xmrcc.service
• /etc/systemd/system/xmrcc.service
• /etc/systemd/system/multi-user.target.wants/xmrcc.service
• .route.txt

Löscht die folgenden Ordner:

• /var/spool/cron/*
• /etc/cron.d/
• /var/spool/mail/root

Prozessbeendigung

Beendet die folgenden Dienste, wenn sie auf dem betroffenen System gefunden werden:

• watchdogd.service

Beendet die folgenden Prozesse, wenn sie im Speicher des betroffenen Systems ausgeführt werden:

• aliyun.one
• curl
• wget
• /tmp/

Download-Routine

Speichert die heruntergeladenen Dateien unter den folgenden Namen:

• /usr/bin/config1.json
• /usr/bin/config.json

Andere Details

Es macht Folgendes:

• Checks the existence of the following processes that contains the following strings in their command line:
  • "3.0.192.200:10008"
  If it exist will download malicious files in the following URL:
  • http://{BLOCKED}nt.red/load/cyo.sh
• Checks for the file "/usr/bin/64bit.tar.gz" if size is not equal to 3319957 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/64bit.tar.gz
• Checks for the file "/usr/bin/32bit.tar.gz" if size is not equal to 2269097 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/32bit.tar.gz
• Checks for the file "/usr/bin/service_files.tar.gz" if size is not equal to 1937 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/service_files.tar.gz
• Enable HugePages
• Disable Uncomplicated firewall and sets it's configuration to allow TCP connection with the following ports:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Configure the Firewall by executing the following commands:
  • firewall-cmd --add-port={Port}/tcp --permanent
  • firewall-cmd --reload
  • Where {Port} are the following:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Save the all of the network information and connection in the machine in the following files:
  • /etc/iptables/iptables.rules
  This covers all of the connection related to the port listed.
• Hides the following processes:
  • watchdogd
  • xmrigMiner
• Sends the following files to the URL, "http:/teamtnt.red/up/setup_upload.php":
  • /root/.ssh/id_rsa
  • /root/.ssh/id_rsa.pub
  • /root/.ssh/known_host
  • /root/.bash_history
  • /etc/host