Trojan.Linux.SSHBRUTE.UWEJS
APPL/lnx.SSHBrute.kpgwm (ANTIVIR); HTool-SSHBrute (NAI)
Linux
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Dropped by other malware
This Trojan may be downloaded by other malware/grayware from remote sites.
It requires its main component to successfully perform its intended routine. It deletes itself after execution.
TECHNICAL DETAILS
1,041,231 bytes
Other
No
06 Jan 2020
Connects to URLs/IPs, Steals information
Arrival Details
This Trojan may be downloaded by the following malware/grayware from remote sites:
Process Termination
This Trojan terminates the following processes if found running in the affected system's memory:
- perl
- sparky.sh
- pscan2
Information Theft
This Trojan gathers the following account information:
- User Name
- System Date and Time
- Current Working Directory
- Number of Processing Units
- List of Graphic Processors
Stolen Information
This Trojan sends the gathered information via HTTP POST to the following URL:
- http://{BLOCKED}ter.com/assets/.style/remote/info.php
Other Details
This Trojan connects to the following URL(s) to get the affected system's IP address:
- http://{BLOCKED}ter.com/assets/.style/remote/info.php
It requires its main component to successfully perform its intended routine.
It does the following:
- It uses Haiduc scanner to try to infect the following:
- Devices in the private IP range {BLOCKED}.{BLOCKED}.0.0/16 using the credentials listed in .sslm/pass
- Devices in the public IP range {random number from 0-216}.0.0.0/8 using the credentials listed in .sslm/.pass
- It contains the following folder:
- .sslm/
- It contains the following files:
- .sslm/.pass → contains short list of credentials
- .sslm/a.pl → executes start and uses {random number from 0-216}.0.0.0/8 as argument
- .sslm/libssl → detected as HackTool.Linux.SSHBRUTE.GA
- .sslm/pass → contains long list of credentials
- .sslm/sparky.sh → detected as Trojan.SH.SSHBRUTE.UWEJS
- .sslm/start → detected as Trojan.SH.SSHBRUTE.UWEJS
- .sslm/start.pl → executes start.sh
- .sslm/start.sh → detected as Trojan.SH.SSHBRUTE.UWEJS
It deletes itself after execution.
SOLUTION
9.850
15.608.03
08 Jan 2020
15.609.00
09 Jan 2020
Scan your computer with your Trend Micro product to delete files detected as Trojan.Linux.SSHBRUTE.UWEJS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.