Trojan.SH.HADGLIDER.TSD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Elimina archivos para impedir la ejecución correcta de programas y aplicaciones.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• /urs/bin/config1.json → contains the configuration of the miner
• /proc/sys/vm/drop_caches
• /etc/systemd/system/watchdogd.service

Agrega los procesos siguientes:

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /etc/init.d/watchdogd
• /etc/systemd/system/watchdogd.service
• systemctl --system daemon-reload
• systemctl enable watchdogd.service
• systemctl start watchdogd.service
• systemctl status watchdogd.service
• systemctl start watchdogd || service Watchdogd start
• systemctl start watchdogd || service Watchdogd status

Crea las carpetas siguientes:

• /var/spool/cron/crontabs
• /etc/cron.d/

Técnica de inicio automático

Inicia los servicios siguientes:

• watchdogd.service

Otras modificaciones del sistema

Elimina los archivos siguientes:

• /usr/bin/watchdogd
• /usr/bin/xmrigMiner
• /usr/bin/config.json
• /usr/bin/rstart.sh
• /tmp/watchdogd
• /tmp/xmrigMiner
• /tmp/config.json
• /usr/bin/lo
• /usr/bin/
• /bin/hid
• /usr/bin/sysh
• /usr/bin/systemd-clean
• /usr/bin/systemd-healt
• /etc/init.d/xmrcc
• /lib/systemd/system/xmrcc.service
• /etc/systemd/system/xmrcc.service
• /etc/systemd/system/multi-user.target.wants/xmrcc.service
• .route.txt

Elimina las carpetas siguientes:

• /var/spool/cron/*
• /etc/cron.d/
• /var/spool/mail/root

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• watchdogd.service

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• aliyun.one
• curl
• wget
• /tmp/

Rutina de descarga

Guarda los archivos que descarga con los nombres siguientes:

• /usr/bin/config1.json
• /usr/bin/config.json

Otros detalles

Hace lo siguiente:

• Checks the existence of the following processes that contains the following strings in their command line:
  • "3.0.192.200:10008"
  If it exist will download malicious files in the following URL:
  • http://{BLOCKED}nt.red/load/cyo.sh
• Checks for the file "/usr/bin/64bit.tar.gz" if size is not equal to 3319957 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/64bit.tar.gz
• Checks for the file "/usr/bin/32bit.tar.gz" if size is not equal to 2269097 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/32bit.tar.gz
• Checks for the file "/usr/bin/service_files.tar.gz" if size is not equal to 1937 bytes will download file from the following URL:
  • http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/service_files.tar.gz
• Enable HugePages
• Disable Uncomplicated firewall and sets it's configuration to allow TCP connection with the following ports:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Configure the Firewall by executing the following commands:
  • firewall-cmd --add-port={Port}/tcp --permanent
  • firewall-cmd --reload
  • Where {Port} are the following:
  • 1982
  • 3344
  • 4444
  • 5555
  • 6666
  • 7777
  • 8888
  • 9000
• Save the all of the network information and connection in the machine in the following files:
  • /etc/iptables/iptables.rules
  This covers all of the connection related to the port listed.
• Hides the following processes:
  • watchdogd
  • xmrigMiner
• Sends the following files to the URL, "http:/teamtnt.red/up/setup_upload.php":
  • /root/.ssh/id_rsa
  • /root/.ssh/id_rsa.pub
  • /root/.ssh/known_host
  • /root/.bash_history
  • /etc/host