Trojan.SH.HADGLIDER.TSD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Supprime des fichiers, empêchant le fonctionnement correct de programmes et d''applications.

Précisions sur l'apparition de l'infection

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Introduit les fichiers suivants :

• /urs/bin/config1.json → contains the configuration of the miner
• /proc/sys/vm/drop_caches
• /etc/systemd/system/watchdogd.service

Ajoute les processus suivants :

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /etc/init.d/watchdogd
• /etc/systemd/system/watchdogd.service
• systemctl --system daemon-reload
• systemctl enable watchdogd.service
• systemctl start watchdogd.service
• systemctl status watchdogd.service
• systemctl start watchdogd || service Watchdogd start
• systemctl start watchdogd || service Watchdogd status

Crée les dossiers suivants :

• /var/spool/cron/crontabs
• /etc/cron.d/

Technique de démarrage automatique

Démarre les services suivants :

• watchdogd.service

Autres modifications du système

Supprime les fichiers suivants :

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /usr/bin/rstart.sh
• /tmp/watchdogd
• /tmp/xmrigMiner
• /tmp/config.json
• /usr/bin/lo
• /usr/bin/
• /bin/hid
• /usr/bin/sysh
• /usr/bin/systemd-clean
• /usr/bin/systemd-healt
• /etc/init.d/xmrcc
• /lib/systemd/system/xmrcc.service
• /etc/systemd/system/xmrcc.service
• /etc/systemd/system/multi-user.target.wants/xmrcc.service
• .route.txt

Supprime les dossiers suivants :

• /var/spool/cron/*
• /etc/cron.d/
• /var/spool/mail/root

Interruption de processus

Met fin aux services suivants détectés sur le système affecté :

• watchdogd.service

Met fin aux processus suivants exécutés au niveau de la mémoire du système affecté :

• aliyun.one
• curl
• wget
• /tmp/

Routine de téléchargement

Le programme enregistre les fichiers qu''il télécharge en utilisant les noms suivants :

• /usr/bin/config1.json
• /usr/bin/config.json

Autres précisions

Il fait ce qui suit:

• Checks the existence of the following processes that contains the following strings in their command line:
  • "3.0.192.200:10008"
  If it exist will download malicious files in the following URL:
  • http://{BLOCKED}nt.red/load/cyo.sh
• Checks for the file "/usr/bin/64bit.tar.gz" if size is not equal to 3319957 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/64bit.tar.gz
• Checks for the file "/usr/bin/32bit.tar.gz" if size is not equal to 2269097 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/32bit.tar.gz
• Checks for the file "/usr/bin/service_files.tar.gz" if size is not equal to 1937 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/service_files.tar.gz
• Enable HugePages
• Disable Uncomplicated firewall and sets it's configuration to allow TCP connection with the following ports:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Configure the Firewall by executing the following commands:
  • firewall-cmd --add-port={Port}/tcp --permanent
  • firewall-cmd --reload
  • Where {Port} are the following:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Save the all of the network information and connection in the machine in the following files:
  • /etc/iptables/iptables.rules
  This covers all of the connection related to the port listed.
• Hides the following processes:
  • watchdogd
  • xmrigMiner
• Sends the following files to the URL, "http:/teamtnt.red/up/setup_upload.php":
  • /root/.ssh/id_rsa
  • /root/.ssh/id_rsa.pub
  • /root/.ssh/known_host
  • /root/.bash_history
  • /etc/host