Trojan.Linux.WATCHGO.AA

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware from remote sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded by the following malware/grayware from remote sites:

• Trojan.SH.MALXMR.UWEJJ

Other Details

This Trojan does the following:

• Checks connection to the download URL http://{BLOCKED}.{BLOCKED}.42.229:8667/6HqJB0SPQqbFbHJD. If connection fails, it updates the download URL then proceeds to connect to it to download a copy of the dropper component (detected as Trojan.SH.MALXMR.UWEJJ).
• Checks if the miner component (detected as Coinminer.Linux.MALXMR.UWEJJ) is running in the system. If not, it checks for its existence in the machine. It executes the miner if found. Otherwise, it downloads the miner from the URL and executes it.
• Checks if the scanner component (detected as HackTool.Linux.ExploitScan.AA) is running in the system. If not, it checks for its existence in the machine. It executes the scanner if found. Otherwise, it downloads the scanner from the URL and executes it.
• It lists its crontab tasks to check if the dropper component is being run via cron job. If not found, it creates the following cron job to enable automatic execution of the dropper component:
  • Path: /var/spool/cron/crontab/root
    Trigger: Every 10 minutes
    Action: */10 * * * * sh {dropper component} >/dev/null 2>&1