Analysis by: Ryan Paolo Maglaque

 PLATFORM:

Linux


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel Dropped by other malware, Downloaded from the Internet

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

It modifies the affected system's HOSTS file, mapping a host name to the loopback address. This prevents the system from reaching that host.

  TECHNICAL DETAILS

File size 557,323 bytes
File type Script
Memory resident No
Initial samples received on 03 Jun 2017
Payload Drops files, Executes files, Terminates processes

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • /tmp/minerd (coinminer)

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory. Note that the list includes minerd itself (so an already running miner instance is stopped before the new copy is started) as well as the node/nodejs interpreters and the zmap scanner, so legitimate Node.js applications on the device may be killed as a side effect:

  • bins.sh
  • minerd
  • node
  • nodejs
  • ktx-armv4l
  • ktx-i586
  • ktx-m68k
  • ktx-mips
  • ktx-mipsel
  • ktx-powerpc
  • ktx-sh4
  • ktx-sparc
  • arm5
  • zmap

Dropping Routine

This Trojan executes the dropped file. As a result, malicious routines of the dropped file are exhibited on the affected system.

HOSTS File Modification

This Trojan adds the following string to the HOSTS file (/etc/hosts), pointing the host name at the loopback address:

  • {BLOCKED}.{BLOCKED}.0.1 bins.{BLOCKED}hland-zahlung.eu

Other Details

This Trojan does the following:

  • Executes the following command to install the libraries and tools it needs (the build dependencies of the minerd coinminer, plus zmap and sshpass, which the scanning and SSH-login routine described below evidently relies on):
    • apt-get install libcurl4-openssl-dev libjansson-dev openssl libssl-dev zmap sshpass -y
  • Executes the dropped file with the following arguments: -a cryptonight -o stratum+tcp://xmr.{BLOCKED}-pool.fr:443 -u 45hgMAs1sNdMs7H9aCQm8oMCG5HGg37nv9Ab5r8u4R9gcWkSteobyt6faTuV8tnzhSUH3WFmStG1YXtsvSkSo5sz2ugxSW4
    • -a sets the mining algorithm (cryptonight, the algorithm Monero used at the time)
    • -o sets the URL of the mining pool; the pool is contacted on TCP port 443, so at the port level the traffic looks like outbound HTTPS
    • -u sets the username for the pool, here the attacker's wallet address
  • Changes the password of the user pi with the following command:
    • usermod -p \$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1 pi
    • The backslashes only protect the dollar signs from the shell; the value written to /etc/shadow is a pre-computed SHA-512 crypt hash ($6$, salt U1Nu9qCp). The cleartext password therefore cannot be read from the sample, and the device owner is locked out of the pi account.
  • Scans for hosts with TCP port 22 (SSH) open, attempts to log in with the default Raspberry Pi credentials (username pi, password raspberry) and, on success, drops a copy of itself on the remote host and executes it. Only devices still using the default password are affected by this routine.
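The indicators listed above (the dropped file, the HOSTS entry, the replaced pi password hash and the miner's pool and wallet arguments) can be checked together on a suspect device or on files copied from it. The script below is an added example written for this page; it is not Trend Micro's code and not part of the sample. It uses the unmasked HOSTS entry given in the SOLUTION section, matches only the visible parts of the masked pool host name, and its function names, file-path arguments and --live flag are the example's own choices.

```shell
#!/bin/sh
# Added example, not Trend Micro's code: offline triage for the UNIX_PIMINE.A
# indicators in the description above. Each check takes the file it inspects
# as an argument, so it runs against the live system or against copies of
# /etc/hosts, /etc/shadow and a "ps -eo pid,args" snapshot collected from a
# suspect Raspberry Pi.

# Indicators copied from the description. The hosts entry is masked on the
# page ({BLOCKED}); the SOLUTION section gives the unmasked form used here.
PIMINE_HOSTS_DOMAIN='bins.deutschland-zahlung.eu'
PIMINE_DROPPED_FILE='/tmp/minerd'
PIMINE_SHADOW_SALT='$6$U1Nu9qCp$'      # salt of the hash set with "usermod -p"
PIMINE_POOL_PATTERN='stratum[+]tcp://xmr\..*-pool\.fr:443'   # pool host masked
PIMINE_WALLET='45hgMAs1sNdMs7H9aCQm8oMCG5HGg37nv9Ab5r8u4R9gcWkSteobyt6faTuV8tnzhSUH3WFmStG1YXtsvSkSo5sz2ugxSW4'

# 0 if the hosts file maps the sinkholed domain to 127.0.0.1. Fields are
# compared exactly, so commented-out or look-alike names do not count.
check_hosts_entry() {
    awk -v d="$PIMINE_HOSTS_DOMAIN" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit !found }' "$1"
}

# 0 if the pi account (or the user named in $2) carries the planted hash.
# The cleartext is not recoverable, but the salt identifies the hash.
check_pi_password() {
    awk -F: -v u="${2:-pi}" -v s="$PIMINE_SHADOW_SALT" '
        $1 == u && index($2, s) == 1 { found = 1 }
        END { exit !found }' "$1"
}

# 0 if a "ps -eo pid,args" listing shows a process using the pool or the
# wallet from the description.
check_miner_process() {
    grep -E -q "(${PIMINE_POOL_PATTERN}|${PIMINE_WALLET})" "$1"
}

# 0 if the dropped binary exists. $1 is an optional root prefix for a
# mounted image; leave it empty for the live system.
check_dropped_file() {
    [ -f "${1:-}${PIMINE_DROPPED_FILE}" ]
}

# Run all four checks, print one line per hit and return the hit count
# (0 means no indicator was found).
triage() {
    hosts=$1
    shadow=$2
    pslist=$3
    root=${4:-}
    hits=0
    if check_hosts_entry "$hosts"; then
        echo "HIT hosts sinkhole for $PIMINE_HOSTS_DOMAIN"; hits=$((hits + 1))
    fi
    if check_pi_password "$shadow"; then
        echo "HIT pi password replaced (salt $PIMINE_SHADOW_SALT)"; hits=$((hits + 1))
    fi
    if check_miner_process "$pslist"; then
        echo "HIT miner process using the PIMINE pool or wallet"; hits=$((hits + 1))
    fi
    if check_dropped_file "$root"; then
        echo "HIT ${root}${PIMINE_DROPPED_FILE} present"; hits=$((hits + 1))
    fi
    echo "$hits indicator(s) matched"
    return "$hits"
}

# Live use (root is needed to read /etc/shadow): sh pimine_triage.sh --live
if [ "${1:-}" = "--live" ]; then
    snap=$(mktemp)
    ps -eo pid,args > "$snap"
    triage /etc/hosts /etc/shadow "$snap"
    rc=$?
    rm -f "$snap"
    exit "$rc"
fi
```

A single hit is already meaningful: the HOSTS entry survives a reboot and a cleared /tmp, and the shadow check still fires after the miner has been killed, which makes those two the most durable indicators for an offline image.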

  SOLUTION

Minimum scan engine 9.850
First VSAPI pattern file 13.468.01
First VSAPI pattern release date 12 Jun 2017
VSAPI OPR pattern version 13.469.00
VSAPI OPR pattern release date 13 Jun 2017

Step 1

Note that not all files and folders listed are necessarily present on your computer after this malware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders, please proceed to the next step.

Step 2

Search for and delete this file

Terminate the running minerd process first; deleting the binary does not stop a process that is already running from it.
  • /tmp/minerd

Step 3

Remove this string added by the malware from the HOSTS file (/etc/hosts):

    • 127.0.0.1 bins.deutschland-zahlung.eu

Step 4

Scan your computer with your Trend Micro product to delete files detected as UNIX_PIMINE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Because the malware replaced the password of the pi account, set a new password for pi afterwards. Also change the password on any other Raspberry Pi that still uses the default raspberry password, since the malware spreads by logging in over SSH with exactly those credentials.
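Steps 2 and 3 above, scripted, as an added example for this page rather than Trend Micro's own removal tool. It uses the unmasked HOSTS entry from Step 3 and adds two actions the description implies but the steps do not spell out: stopping the miner before its binary is deleted, and resetting the pi password that the sample replaced. The function names and the --live flag are the example's own choices.

```shell
#!/bin/sh
# Added example, not Trend Micro's code: scripted clean-up for UNIX_PIMINE.A
# following Steps 2 and 3 of the SOLUTION section. The file functions take
# paths, so they work on a mounted SD card as well as on the live system.

PIMINE_HOSTS_DOMAIN='bins.deutschland-zahlung.eu'
PIMINE_DROPPED_FILE='/tmp/minerd'

# Stop the miner before touching its binary: unlinking /tmp/minerd does not
# stop a process that is already running from it. Live system only.
stop_miner() {
    pkill -x minerd 2>/dev/null
    pkill -f "^${PIMINE_DROPPED_FILE}( |$)" 2>/dev/null
    return 0
}

# Step 2: delete the dropped file. $1 is an optional root prefix for an
# offline image; leave it empty for the live system.
remove_dropped_file() {
    rm -f "${1:-}${PIMINE_DROPPED_FILE}"
}

# Step 3: remove the sinkhole line(s) from a hosts file, keep every other
# line (including the genuine "127.0.0.1 localhost" entry) and print the
# number of lines removed. awk reports the count on stderr, which the
# redirection below captures while the filtered file goes to a temp file;
# writing back through cat preserves the original owner and mode.
remove_hosts_entry() {
    hosts=$1
    tmp=$(mktemp)
    removed=$(awk -v d="$PIMINE_HOSTS_DOMAIN" '
        {
            hit = 0
            if ($1 == "127.0.0.1") for (i = 2; i <= NF; i++) if ($i == d) hit = 1
            if (hit) removed++; else print
        }
        END { print removed + 0 > "/dev/stderr" }' "$hosts" 2>&1 > "$tmp")
    cat "$tmp" > "$hosts"
    rm -f "$tmp"
    echo "$removed"
}

# Live clean-up (run as root): sh pimine_clean.sh --live
if [ "${1:-}" = "--live" ]; then
    stop_miner
    remove_dropped_file
    echo "removed $(remove_hosts_entry /etc/hosts) line(s) from /etc/hosts"
    # The sample replaced pi's password hash with usermod -p; give the
    # account a new password the owner actually knows.
    passwd pi
fi
```

Run the live mode once, then re-run the triage checks; remove_hosts_entry is idempotent and prints 0 on a second pass. Step 4 (a full scan with the Trend Micro product) is not replaced by this script.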
