Trojan.Linux.SSHBRUTE.UWEJS

 Analysis by: Jemimah Mae Molina

 ALIASES:

APPL/lnx.SSHBrute.kpgwm (ANTIVIR); HTool-SSHBrute (NAI)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware

This Trojan may be downloaded by other malware/grayware from remote sites.

It requires its main component to successfully perform its intended routine. It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

1,041,231 bytes

File Type:

Other

Memory Resident:

No

Initial Samples Received Date:

06 Jan 2020

Payload:

Connects to URLs/IPs, Steals information

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

  • perl
  • sparky.sh
  • pscan2

Information Theft

This Trojan gathers the following account information:

  • User Name
  • System Date and Time
  • Current Working Directory
  • Number of Processing Units
  • List of Graphic Processors

Stolen Information

This Trojan sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}ter.com/assets/.style/remote/info.php

    Other Details

    This Trojan connects to the following URL(s) to get the affected system's IP address:

    • http://{BLOCKED}ter.com/assets/.style/remote/info.php

    It requires its main component to successfully perform its intended routine.

    It does the following:

    • It uses Haiduc scanner to try to infect the following:
      • Devices in the private IP range {BLOCKED}.{BLOCKED}.0.0/16 using the credentials listed in .sslm/pass
      • Devices in the public IP range {random number from 0-216}.0.0.0/8 using the credentials listed in .sslm/.pass
    • It contains the following folder:
      • .sslm/
    • It contains the following files:
      • .sslm/.pass → contains short list of credentials
      • .sslm/a.pl → executes start and uses {random number from 0-216}.0.0.0/8 as argument
      • .sslm/libssl → detected as HackTool.Linux.SSHBRUTE.GA
      • .sslm/pass → contains long list of credentials
      • .sslm/sparky.sh → detected as Trojan.SH.SSHBRUTE.UWEJS
      • .sslm/start → detected as Trojan.SH.SSHBRUTE.UWEJS
      • .sslm/start.pl → executes start.sh
      • .sslm/start.sh → detected as Trojan.SH.SSHBRUTE.UWEJS

    It deletes itself after execution.

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

15.608.03

FIRST VSAPI PATTERN DATE:

08 Jan 2020

VSAPI OPR PATTERN File:

15.609.00

VSAPI OPR PATTERN Date:

09 Jan 2020

Scan your computer with your Trend Micro product to delete files detected as Trojan.Linux.SSHBRUTE.UWEJS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.