Trojan.Linux.SSHBRUTE.B

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

• sleep 15s && cd /var/tmp; echo {base-64 encoded commands} | base64 --decode | bash

Other Details

This Trojan does the following:

• It performs SSH brute force to the list of IP addresses from the [IPs/IPs Port FILE] input file and uses the credentials given by the [[USER PASS] FILE] input file.
• It acts as a spreader by downloading and executing the main module of the malware from the following FTP sites:
  • {BLOCKED}.{BLOCKED}.148.129:22
  • {BLOCKED}.{BLOCKED}.148.125:22
• The downloaded file is saved using the following name:
  • dota3.tar.gz → detected as Trojan.Linux.DITERTAG.USELVLA19

It accepts the following parameters:

• Usage: scan [OPTIONS] [[USER PASS]] FILE] [IPs/IPs Port FILE]
  Options:
  • -t [NUMTHREADS] → specifies the number of threads to be used
  • -m [MODE] → indicates scan mode
  • -f [FINAL SCAN] → performs a final scan on found servers
  • -i [IP SCAN] → scans specific IP range
  • -P [PASSWORD] → changes password
  • -s [TIMEOUT] → changes timeout
  • -S [2ndTIMEOUT] → changes second timeout
  • -p [PORT] → specifies port to connect to
  • -c [REMOTE-COMMAND] → executes arbitrary commands on connect
  • -h → shows this help
  • -H 1 → shows extra help