UNIX_PIMINE.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• /tmp/minerd ← coinminer

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• bins.sh
• minerd
• node
• nodejs
• ktx-armv4l
• ktx-i586
• ktx-m68k
• ktx-mips
• ktx-mipsel
• ktx-powerpc
• ktx-sh4
• ktx-sparc
• arm5
• zmap

Dropping Routine

This Trojan executes the dropped file. As a result, malicious routines of the dropped file are exhibited on the affected system.

HOSTS File Modification

This Trojan adds the following strings to the Windows HOSTS file:

• {BLOCKED}.{BLOCKED}.0.1 bins.{BLOCKED}hland-zahlung.eu

Other Details

This Trojan does the following:

• Execute the following command to download libraries needed:
  • apt-get install libcurl4-openssl-dev libjansson-dev openssl libssl-dev zmap sshpass -y
• Execute the dropped file with the following argument: -a cryptonight -o stratum+tcp://xmr.{BLOCKED}-pool.fr:443 -u 45hgMAs1sNdMs7H9aCQm8oMCG5HGg37nv9Ab5r8u4R9gcWkSteobyt6faTuV8tnzhSUH3WFmStG1YXtsvSkSo5sz2ugxSW4
  • -a sets the algorithm
  • -o sets the url for mining server
  • -u sets username for mining server
• Changes the password for user pi, using the following command:
  • usermod -p \$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1 pi
• Scan for networks with open port 22 (with username:pi and password:raspberry) and try to drop a copy and execute it