It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes files, preventing programs and applications from running correctly.
Arrival Details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It drops the following files:
- /usr/bin/config1.json (contains the miner's configuration)
- /proc/sys/vm/drop_caches (kernel interface; writing to it flushes the page cache)
- /etc/systemd/system/watchdogd.service
It adds the following processes and runs the following commands to register and start the watchdogd service:
- /usr/bin/watchdogd
- /usr/bin/xmrigMiner
- /usr/bin/config.json
- /etc/init.d/watchdogd
- /etc/systemd/system/watchdogd.service
- systemctl --system daemon-reload
- systemctl enable watchdogd.service
- systemctl start watchdogd.service
- systemctl status watchdogd.service
- systemctl start watchdogd || service Watchdogd start
- systemctl start watchdogd || service Watchdogd status
It creates the following folders:
- /var/spool/cron/crontabs
- /etc/cron.d/
Autostart Technique
It starts the following services:
- watchdogd.service (the unit dropped at /etc/systemd/system/watchdogd.service and enabled with systemctl, as listed above)
Other System Modifications
It deletes the following files:
- /usr/bin/watchdogd
- /usr/bin/xmrigMiner
- /usr/bin/config.json
- /usr/bin/rstart.sh
- /tmp/watchdogd
- /tmp/xmrigMiner
- /tmp/config.json
- /usr/bin/lo
- /usr/bin/
- /bin/hid
- /usr/bin/sysh
- /usr/bin/systemd-clean
- /usr/bin/systemd-healt
- /etc/init.d/xmrcc
- /lib/systemd/system/xmrcc.service
- /etc/systemd/system/xmrcc.service
- /etc/systemd/system/multi-user.target.wants/xmrcc.service
- .route.txt
It deletes the following folders:
- /var/spool/cron/*
- /etc/cron.d/
- /var/spool/mail/root
Process Termination
It terminates the following services if found on the affected system:
It terminates the following processes if found running in memory on the affected system:
Download Routine
It saves the files it downloads using the following names:
- /usr/bin/config1.json
- /usr/bin/config.json
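As an added example (not part of the original report), the POSIX shell function below sweeps a filesystem root for the file artifacts this page lists: the dropped binaries and service files, the /tmp copies and init script the malware later deletes, the downloaded miner configurations, and the three archives whose expected byte sizes appear under Other Details. The function name, variable names and the ROOT argument are hypothetical; the paths and sizes are taken from this page. Passing a mounted disk image as ROOT lets you run it offline.

```shell
#!/bin/sh
# Hypothetical IOC sweep for the XMRig/watchdogd dropper described on this page.
# Added example, not the malware's or the report's own code.

# Paths the report lists as dropped, downloaded or later deleted (relative to ROOT).
IOC_PATHS="
usr/bin/watchdogd
usr/bin/xmrigMiner
usr/bin/config.json
usr/bin/config1.json
usr/bin/rstart.sh
tmp/watchdogd
tmp/xmrigMiner
tmp/config.json
etc/init.d/watchdogd
etc/systemd/system/watchdogd.service
"

# Downloaded archives and the byte sizes the dropper compares them against.
IOC_SIZED="
usr/bin/64bit.tar.gz:3319957
usr/bin/32bit.tar.gz:2269097
usr/bin/service_files.tar.gz:1937
"

# Print one FOUND line per indicator present under ROOT (default: /).
teamtnt_ioc_scan() {
    root="${1:-/}"
    root="${root%/}"
    for p in $IOC_PATHS; do
        [ -e "$root/$p" ] && echo "FOUND $root/$p"
    done
    for entry in $IOC_SIZED; do
        p="${entry%%:*}"
        want="${entry##*:}"
        f="$root/$p"
        [ -f "$f" ] || continue
        got=$(wc -c < "$f" | tr -d ' ')   # portable size check (no GNU stat needed)
        if [ "$got" -eq "$want" ]; then
            echo "FOUND $f (size $got matches known sample)"
        else
            echo "FOUND $f (size $got, expected $want; modified or partial download)"
        fi
    done
    # Persistence: 'systemctl enable' creates this symlink for the unit.
    [ -L "$root/etc/systemd/system/multi-user.target.wants/watchdogd.service" ] \
        && echo "FOUND watchdogd.service enabled (multi-user.target.wants symlink)"
    return 0
}

# Usage: teamtnt_ioc_scan /            # live host
#        teamtnt_ioc_scan /mnt/image   # mounted disk image
```

Presence of the service unit or the enabling symlink is a stronger signal than the binaries alone, since the malware removes its /tmp copies and earlier xmrcc artifacts but relies on the watchdogd unit to survive reboots.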
Other Details
It does the following:
- Checks whether any running process contains the following strings in its command line and, if one exists, downloads malicious files from the following URL:
- http://{BLOCKED}nt.red/load/cyo.sh
- Checks the file /usr/bin/64bit.tar.gz; if its size is not 3319957 bytes, it downloads the file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/64bit.tar.gz
- Checks the file /usr/bin/32bit.tar.gz; if its size is not 2269097 bytes, it downloads the file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/32bit.tar.gz
- Checks the file /usr/bin/service_files.tar.gz; if its size is not 1937 bytes, it downloads the file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/service_files.tar.gz
- Enables HugePages (XMRig uses huge pages to speed up hashing)
- Disables the Uncomplicated Firewall (ufw) and sets its configuration to allow TCP connections on the following ports:
- 1982
- 3344
- 4444
- 5555
- 6666
- 7777
- 8888
- 9000
- Configures firewalld by executing the following commands:
- firewall-cmd --add-port={Port}/tcp --permanent
- firewall-cmd --reload
- Where {Port} is each of the following:
- 1982
- 3344
- 4444
- 5555
- 6666
- 7777
- 8888
- 9000
- Saves all of the machine's network and connection rules, including the rules covering the ports listed above, to the following file:
- /etc/iptables/iptables.rules
- Hides the following processes:
- Sends the following files to the URL "http:/teamtnt.red/up/setup_upload.php":
- /root/.ssh/id_rsa
- /root/.ssh/id_rsa.pub
- /root/.ssh/known_host
- /root/.bash_history
- /etc/host
Once this upload has happened, the root account's SSH private key must be treated as compromised: rotate it and remove the matching public key from every authorized_keys file it was deployed to. The uploaded known_hosts and bash history also tell the operators which other hosts root has connected to, so those hosts should be checked for the same artifacts.
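The firewall changes above leave a durable trace in the saved rule set. As an added example (not part of the original report), the shell functions below scan an iptables-save dump, such as /etc/iptables/iptables.rules or the output of `iptables-save` on a live host, for ACCEPT rules on the eight TCP ports this page lists. The function names and the sample rules in the test are constructed; the port list comes from this page.

```shell
#!/bin/sh
# Hypothetical check for the firewall openings described on this page.
# Added example; not code from the report or the malware.

# TCP ports the dropper opens through ufw and firewall-cmd.
TTNT_PORTS="1982 3344 4444 5555 6666 7777 8888 9000"

# Print every ACCEPT rule in an iptables-save dump whose --dport is one of
# the listed ports, prefixed with the port it matched. Matches the rule
# formats ufw (ufw-user-input), firewalld (IN_<zone>_allow) and plain
# iptables emit. Multiport (--dports a,b,c) syntax is deliberately not handled.
ttnt_rules_for_ports() {
    rules="$1"
    for port in $TTNT_PORTS; do
        grep -E "^-A .*-p tcp .*--dport ${port}( |$).*-j ACCEPT" "$rules" 2>/dev/null |
            sed "s/^/PORT $port: /"
    done
    return 0
}

# Succeed (exit 0) when none of the listed ports has an ACCEPT rule.
ttnt_rules_clean() {
    [ -z "$(ttnt_rules_for_ports "$1")" ]
}

# Usage: ttnt_rules_for_ports /etc/iptables/iptables.rules
#        iptables-save > /tmp/current.rules && ttnt_rules_clean /tmp/current.rules
```

A hit on a port such as 4444 or 5555 on a host that has no service listening there is worth correlating with the file indicators above; the ports alone are not unique to this family.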