Trojan.Linux.HMAN.WGL

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• {BLOCKED}.{BLOCKED}.158.42
• {BLOCKED}.{BLOCKED}.39.198
• {BLOCKED}.{BLOCKED}.61.164:80
• http://{BLOCKED}.{BLOCKED}.237.177/bins/mips.handymanny

It takes advantage of the following software vulnerabilities to download possibly malicious files:

• MVPower DVR TV-7104HE 1.8.4 115215B9
• CVE-2014-8361
• CVE-2017-17215
• Linksys E-series - Remote Code Execution

Other Details

This Trojan connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.82.89

It does the following:

• It terminates processes not under root or itself.
• It does the following commands in bricker function:
  • Deletes all files
  • Sets the cylinders, heads, and sectors of removable drives to 1
  • Removes connection traces
  • Removes IP table content
  • Denies read, write, and execution of /root/ and /tmp/
  • Stops and reboots the machine
• It replaces the following with /dev/urandom in bricker function:
  • /dev/mtdblock
  • /dev/mtblock(0-7)
  • /dev/sda
  • /dev/sda(1-4)
  • /dev/ram0
  • /dev/mmc0
  • /dev/sdb
  • /dev/mtd(0-3)
  • /dev/hda1
  • /dev/hdb1
  • /dev/root
  • /dev/ram9
  • /dev/mmcblk0
  • /dev/mmcblk0p1
• It uses the following credentials to brute-force a telnet connection:
  • "default","default
  • "root","taZz@23495859"
  • "root","linuxshell
  • "user","user
  • "admin","admin
  • "daemon","daemon
  • "guest","12345
  • "support","support
  • "admin","54321
  • "root","default
  • "root","vizxv
  • "root","zlxx.7"
  • "root","Zte521"
  • "root","anko"
  • "root","zsun1188"
  • "root","xc3511"
  • "root","xmhdipc"
  • "root","xm"
  • "guest","admin"
  • "default","0"
  • "vstarcam2015","20150602"
  • "admin","12345678"
  • "guest","123456"
  • "root","12345"
  • "root","jvbzd"
  • "root","hi3518"
  • "root","hunt5759"
  • "root","20080826"
  • "service","service"
  • "root","svgodie"
  • "admin","zhone"
  • "cisco","cisco"
  • "root","2011vsta"
  • "root","klv1234"
  • "root","klv123"
  • "root","huigu309"
  • "telnetadmin","telnetadmin"
  • "root","3ep5w2u"
  • "root","1q2w3e4r5"
  • "e8telnet","e8telnet"
  • "e8ehome","e8ehome"
  • "admintelecom","admintelecom"
  • "root","root"
  • "root","hadoop"
  • "telecomadmin","admintelecom"
  • "default","OxhlwSG8"
  • "mg3500","merlin"
  • "root","anni2013"
  • "root","GM8182"
  • "root","uClinux"
  • "root","5up"
  • "root","jvc"
  • "admin","epicrouter"
  • "root","1001chin"
  • "admin","aquario"
  • "admin","gpon"
  • "supervisor","zyad1234"
  • "root","7ujMko0vizxv"
  • "root","7ujMko0admin"
  • "admin","7ujMko0admin"
  • "root","oelinux123"
  • "root","changeme"
  • "root","LSiuY7pOmZG2s"
  • "root","vertex25ektks123"
  • "root","tsgoingon"
  • "root","solokey"
  • "root","666666"
  • "root","888888"
  • "root","88888888"
  • "root","grouter"
  • "root","telnet"
  • "root","tl789"
  • "root","telecomadmin"
  • "root","twe8ehome"
  • "root","h3c"
  • "root","nmgx_wapia"
  • "root","private"
  • "root","abc123"
  • "root","ROOT500"
  • "root","ahetzip8"
  • "root","ascend"
  • "root","blender"
  • "root","cat1029"
  • "root","iDirect"
  • "root","inflection"
  • "root","ipcam_rt5350"
  • "root","swsbzkgn"
  • "root","juantech"
  • "root","t0talc0ntr0l4!"
  • "root","zhongxing"
  • "root","dreambox"
  • "root","ikwb"
  • "root","realtek"
  • "root","00000000"
  • "root","12341234"
  • "root","antslq"
  • "adm","0"
  • "root","admin"
  • "ftp","ftp"
  • "guest","guest"
  • "root","1111"
  • "root","1234"
  • "root","123456"
  • "root","54321"
  • "root","hg2x0"
  • "root","pass"
  • "root","password"
  • "root","svgodie"
  • "root","zlxx."
  • "root","system"
  • "root","user"
  • "root","win1dows"
  • "root","0"
  • "admin","password"
  • "admin","0"
  • "admin","admin1234"
  • "admin","smcadmin"
  • "admin","1111"
  • "Administrator","admin"
  • "supervisor","supervisor"
  • "admin1","password"
  • "administrator","1234"
  • "666666","666666"
  • "888888","888888"
  • "ubnt","ubnt"
  • "admin","1111111"
  • "admin","1234"
  • "admin","12345"
  • "admin","54321"
  • "admin","123456"
  • "admin","pass"
  • "admin","meinsm"
  • "tech","tech"
  • "mother","fucker"
  • "root","ivdev"
  • "root","annie2012"
  • "root","annie2013"
  • "root","annie2014"
  • "root","annie2015"
  • "root","annie2016"
  • "root","zlxx"
  • "root","calvin"
  • "root","fidel123"
  • "default","tlJwpbo6"
  • "default","S2fGqNFs"
  • "admin","ZmqVfoSIP"
  • "admin","motorola"
  • "admin","cisco"
  • "administrator","123"
  • "root","123"
  • "operator","operator"
  • "root","iwkb"
  • "root","hg2x0"
  • "admin","diamond"
  • "support","1234"
  • "admin","JVC"
  • "bin","0"
  • "root","tech"
  • "administrator","password"
  • "1234","1234"
  • "admin","ubnt"
  • "root","fucker"
  • "root","1001chin"
  • "admin","ironport"
  • "service","ipdongle"
  • "default","lJwpbo6"
  • "smcadmin","0"
  • "admin","ho4uku6at"
  • "admin","dvr258022"
  • "admin","true"
  • "admin","adminadmin"
  • "admin","changeme"
  • "user","changeme"
  • "admin","QwestM0dem"
  • "root","LZE326business"
  • "admin","microbusiness"
  • "admin","smallbusiness"
  • "www2","9311"
  • "www","9311"
  • "admin","smallbusiness"
  • "admin","conexant"
  • "admin","2601hx"
  • "admin","extendnet"
  • "admin","zhongxing"
  • "admin","nCwMnJVGag"
  • "root","D13hh["
  • "admin","synnet"
  • "admin","ADMIN"
  • "admin","radius"
  • "shell","sh"
  • "admin","comcomcom"
  • "admin","Uq-4GIt3M"
  • "admin","xad#12"
  • "root","1"
  • "root","1@"
  • "temp","temp"
  • "admin","0"
  • "admin","1988"
  • "admin","0"
  • "root","taZz@23"
  • "root","root123"
  • "root","qwerty"
  • "admin","Admin"
  • "Admin","admin"
  • "patrol","patrol"
  • "installer","installer"
  • "root","fivranne"
  • "webadmin","webadmin"
  • "netrangr","attack"
  • "cmaker","cmaker"
  • "bbsd-client","changeme2database"
  • "bbsd-client","NULL"
  • "root","attack"
  • "offshore","offshore"
  • "hsa","hsasdb"
  • "wlse","wlsedb"
  • "wlseuser","wlsepassword"
  • "citel","password"
  • "admin","system"
  • "default","system"
  • "epicrouter","epicrouter"
  • "epicrouter","admin"
  • "minecraft","minecraft"
  • "davox","davox"
  • "userario","userario"
  • "admin","my_DEMARC"
  • "server","server"
  • "MDaemon","MServer"
  • "vps","vps"
  • "dedi","dedi"
  • "dedicated","dedicated"
  • "PBX","PBX"
  • "NETWORK","NETWORK"
  • "none","BRIDGE"
  • "admin","michaelangelo"
  • "Alphanetworks","wrgg15_di52"
  • "Alphanetworks","firmware"
  • "draytek","1234Admin"
  • "edimax","software01"
  • "admin","su@psir"
  • "login","admin"
  • "login","password"
  • "none","4getme2"
  • "tiger","tiger123"
  • "MD110","help"
  • "anonymous","Exabyte"
  • "none","Posterie"
  • "manage","!manage"
  • "netadmin","nimdaten"
  • "admin","isee"
  • "Factory","56789Admin"
  • "storwatch","specialist"
  • "vt100","public"
  • "superadmin","secret"
  • "hsc","abc123"
  • "admin","P@55w0rd!"
  • "Administrator","pilou"
  • "susAdmin","Administrator"
  • "superuser","superuser"
  • "superuser","123456special"
  • "superuser","123456"
  • "none","admin00"
  • "root","orion99"
  • "user","tivonpw"
  • "admin","Ascend"
  • "super","super"
  • "readwrite","lucenttech1"
  • "admin","AitbISP4eCiG"
  • "service","smile"
  • "cablecom","router"
  • "sysadm","sysadm"
  • "SYSADM","sysadm"
  • "router","router"
  • "vcr","NetVCR"
  • "none","xdfk9874t3"
  • "disttech","4tas"
  • "maint","maint"
  • "m1122","m1122"
  • "maint","ntacdmax"
  • "supervisor","PlsChgMe"
  • "write","private"
  • "admin","pfsense"
  • "admin","superuser"
  • "engmode","hawk201"
  • "support","h179350"
  • "lp","lp"
  • "radware","radware"
  • "1","1"
  • "12","12"
  • "123","123"
  • "1234","1234"
  • "12345","12345"
  • "123456","123456"
  • "124567","124567"
  • "1245678","1245678"
  • "12456789","12456789"
  • "1234567890","1234567890"
  • "no","no"
  • "none","none"
  • "wradmin","trancell"
  • "none","Col2ogro2"
  • "sysadmin","password"
  • "teacher","password"
  • "integrator","integrator"
  • "integrator","p1nacate"
  • "operator","col1ma"
  • "administrator","d1scovery"
  • "admin","d1scovery"
  • "root","1234User"
  • "admin","w2402"
  • "admin","Sharp"
  • "poll","tech"
  • "eng","engineer"
  • "Administrator","smcadmin"
  • "smc","smcadmin"
  • "admin","smcadmin"
  • "admin","barricade"
  • "cusadmin","highspeed"
  • "mso","w0rkplac3rul3s"
  • "stratacom","stratauser"
  • "Symbol","Admin"
  • "target","password"
  • "sweex","mysweex"
  • "admin","symbol"
  • "operator","mercury"
  • "guest","truetime"
  • "admin","12345Admin"
  • "super.super","master"
  • "xbox","xbox"
  • "tellabs","tellabs#1"
  • "root","admin_1"
  • "superman","talent"
  • "Admin","123456Admin"
  • "admin","imss7.0"
  • "admin","detmond"
  • "admin","1111Admin"
  • "admin","22222Admin"
  • "admin","x-admin"
  • "11111","x-admin"
  • "diag","switch"
  • "admin","switch"
  • "admin","zoomads"
  • "ADSL","expert03"
  • "root","alpine"
  • "root","maxided"
  • "pi","raspberry"
  • "vagrant","vagrant"
  • "telnet","telnet"
  • "guest","xc3511"
  • "111111","111111"
  • "admin","bayandsl"
  • "adminpldt","12345676890"
  • "root","1234567890"
  • "root","comcom"
  • "root","zte9x15"
  • "ZXDSL","ZXDSL"
  • "D-Link","D-Link"
  • "cnc","cnc"
  • "dlink","dlink"
  • "DLink","DLink"
  • "ftpuser","asteriskftp"
  • "openlgtv","openlgtv"
  • "root","696969"
  • "root","pa55w0rd"
  • "root","123123",
  • "root","b120root"
  • "root","PASSWORD",
  • "netgearnetgear","ibmpassword"
  • "vyattavyatta","Adminatc456"
  • "microsmicros","comcastcomcast"
  • "pos","pos"
  • "www","www"
  • "2800","2800"
  • "UBNT","UBNT"
  • "aDMIN","1111"
  • "admin","utstar"
  • "Administratorpublic","Administratorbuh"
  • "Administratoradmin","adminadmin00"
  • "adminip20","adminip3000"
  • "adminip400","admintsunami"
  • "adminpublic","admin2601hx"
  • "adminsynnet","quserquser"
  • "ManagerManager","dlinkdefault"
  • "loginuser","loginpass"
  • "aDMIN","1111"
  • "aDMIN","123456"
  • "admin","utstar"
  • "Administrator","public"
  • "Administrator","buh"
  • "Administrator","admin"
  • "admin","admin00"
  • "admin","ip20"
  • "admin","ip3000"
  • "admin","ip400"
  • "admin","tsunami"
  • "admin","public"
  • "admin","2601hx"
  • "admin","synnet"
  • "quser","quser"
  • "Manager","Manager"
  • "dlink","default"
  • "login","user"
  • "login","pass"
  • "netopia","netopia"
  • "sysadm","sysadm"
  • "sysadm","anicust"
  • "debug","d.e.b.u.g"
  • "debug","synnet"
  • "echo","echo"
  • "demo","demo"
  • "arris","admin"
  • "Linksys","admin"
  • "client","client"
  • "cisco","CISCO"
  • "7654321","7654321"
  • "adsl","adsl1234"
  • "root","toor"
  • "dm","telnet"
  • "adminttd","adminttd"
  • "mountsys","mountsys"
  • "memotec","supervisor"
  • "museadmin","Muse!Admin"
  • "adminpldt","1234567890"
  • "bbsd-client","changeme2"