Trojan.SH.MALXMR.UWEJJ

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Trojan modifies the following file(s):

• /root/.ssh/authorized_keys → appends the attacker's SSH public-key (creates the file instead, if it does not exist)

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• biosetjenkins
• Loopback
• apaceha
• cryptonight
• stratum
• mixnerdx
• performedl
• JnKihGjn
• irqba2anc1
• irqba5xnc1
• irqbnc1
• ir29xc1
• conns
• irqbalance
• crypto-pool
• minexmr
• XJnRj
• mgwsl
• pythno
• jweri
• lx26
• NXLAi
• BI5zj
• askdljlqw
• minerd
• minergate
• Guard.sh
• ysaydh
• bonns
• donns
• kxjd
• Duck.sh
• bonn.sh
• conn.sh
• kworker34
• kw.sh
• pro.sh
• polkitd
• acpid
• icb5o
• nopxi
• irqbalanc1
• minerd
• i586
• gddr
• mstxmr
• ddg.2011
• wnTKYg
• deamon
• disk_genius
• sourplum
• polkitd
• nanoWatch
• zigw
• devtool
• systemctI
• WmiPrwSe
• sysguard
• sysupdate
• networkservice
• Process that contains the following strings in its commandline:
  • {BLOCKED}e.{BLOCKED}eropool.com
  • {BLOCKED}l.{BLOCKED}ls.ru
  • {BLOCKED}r.{BLOCKED}to-pool.fr:8080
  • {BLOCKED}r.{BLOCKED}to-pool.fr:3333
  • {BLOCKED}n@yahoo.com
  • {BLOCKED}hash.com
  • /tmp/a7b104c270
  • {BLOCKED}r.{BLOCKED}to-pool.fr:6666
  • {BLOCKED}r.{BLOCKED}to-pool.fr:7777
  • {BLOCKED}r.{BLOCKED}to-pool.fr:443
  • {BLOCKED}m.f2pool.com:8888
  • {BLOCKED}l.eu
  • xiaoyao
  • xiaoxue
  • var, lib, jenkins and "\-c", without httPort and headless
  • ./{numbers} -c
  • stratum

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}rain.com/api/download/Y0o4foA1
• http://{BLOCKED}.{BLOCKED}.42.229:8667/6HqJB0SPQqbFbHJD/sysupdate
• http://{BLOCKED}.{BLOCKED}.42.229:8667/6HqJB0SPQqbFbHJD/update.sh
• https://{BLOCKED}rain.com/api/download/OMKMU5Td
• http://{BLOCKED}.{BLOCKED}.42.229:8667/6HqJB0SPQqbFbHJD/networkservice
• https://{BLOCKED}rain.com/api/download/heQcwPs3
• http://{BLOCKED}.{BLOCKED}.42.229:8667/6HqJB0SPQqbFbHJD/sysguard

It connects to the following URL(s) to download its configuration file:

• http://{BLOCKED}.{BLOCKED}.42.229:8667/6HqJB0SPQqbFbHJD/config.json

It saves the files it downloads using the following names:

• {directory}/sysupdate → detected as Coinminer.Linux.MALXMR.UWEJJ
• {directory}/update.sh → copy of itself
• {directory}/config.json → coinminer configuration file
• {directory}/networkservice → detected as HackTool.Linux.ExploitScan.AA
• {directory}/sysguard → detected as Trojan.Linux.WATCHGO.AA

Other Details

This Trojan does the following:

• It puts SELinux in permissive mode and disables SELinux by appending "SELINUX=disabled" to /etc/sysconfig/selinux..
• It clears PageCache, dentries and inodes.
• It clears the following objects:
  • history
  • /var/spool/mail/root
  • /var/log/wtmp
  • /var/log/secure
  • /root/.bash_history
• It write protects the following files:
  • {directory}/sysupdate
  • {directory}/networkservice
  • {directory}/sysguard
  • {directory}/update.sh
  • {directory}/config.json
• It creates the following cron job to enable automatic execution of update.sh:
  • Path: '/var/spool/cron/crontabs/'"$USER"
    Schedule: Every 30 minutes
    Command: */30 * * * * sh {directory}/update.sh >/dev/null 2>&1
• It resets the IP policy table.
• It adds rules to block outgoing connections via ports 3333, 5555, 7777, 9999.
• It adds a rule to block incoming connections from 43.245.222.57.
• If /etc/sysupdates is found, {directory} will be set to /etc, /tmp otherwise.