Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- /usr/bin/config1.json → contains the configuration of the miner
- /proc/sys/vm/drop_caches
- /etc/systemd/system/watchdogd.service
It adds the following processes:
- /usr/bin/watchdogd
- /usr/bin/xmrigMiner
- /usr/bin/config.json
- /etc/init.d/watchdogd
- /etc/systemd/system/watchdogd.service
- systemctl --system daemon-reload
- systemctl enable watchdogd.service
- systemctl start watchdogd.service
- systemctl status watchdogd.service
- systemctl start watchdogd || service Watchdogd start
- systemctl start watchdogd || service Watchdogd status
It creates the following folders:
- /var/spool/cron/crontabs
- /etc/cron.d/
Autostart Technique
This Trojan starts the following services:
Other System Modifications
This Trojan deletes the following files:
- /usr/bin/watchdogd
- /usr/bin/xmrigMiner
- /usr/bin/config.json
- /usr/bin/rstart.sh
- /tmp/watchdogd
- /tmp/xmrigMiner
- /tmp/config.json
- /usr/bin/lo
- /usr/bin/
- /bin/hid
- /usr/bin/sysh
- /usr/bin/systemd-clean
- /usr/bin/systemd-healt
- /etc/init.d/xmrcc
- /lib/systemd/system/xmrcc.service
- /etc/systemd/system/xmrcc.service
- /etc/systemd/system/multi-user.target.wants/xmrcc.service
- .route.txt
It deletes the following folders:
- /var/spool/cron/*
- /etc/cron.d/
- /var/spool/mail/root
Process Termination
This Trojan terminates the following services if found on the affected system:
It terminates the following processes if found running in the affected system's memory:
Download Routine
This Trojan connects to the following URL(s) to download its component file(s):
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/config.json
- ftp://ftp.{BLOCKED}r.liu.se/pub/unix/pnscan/pnscan-1.11.tar.gz
It saves the files it downloads using the following names:
- /usr/bin/config1.json
- /usr/bin/config.json
Other Details
This Trojan does the following:
- Checks for the existence of processes whose command line contains the following strings; if any exist, it downloads malicious files from the following URL:
- http://{BLOCKED}nt.red/load/cyo.sh
- Checks for the file "/usr/bin/64bit.tar.gz"; if its size is not equal to 3319957 bytes, it downloads the file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/64bit.tar.gz
- Checks for the file "/usr/bin/32bit.tar.gz"; if its size is not equal to 2269097 bytes, it downloads the file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/32bit.tar.gz
- Checks for the file "/usr/bin/service_files.tar.gz"; if its size is not equal to 1937 bytes, it downloads the file from the following URL:
- http://{BLOCKED}.{BLOCKED}.148.123/COVID19/nk/service_files.tar.gz
- Enables HugePages
- Disables the Uncomplicated Firewall (ufw) and sets its configuration to allow TCP connections on the following ports:
- 1982
- 3344
- 4444
- 5555
- 6666
- 7777
- 8888
- 9000
- Configures the firewall (firewalld) by executing the following commands:
- firewall-cmd --add-port={Port}/tcp --permanent
- firewall-cmd --reload
- Where {Port} is each of the following:
- 1982
- 3344
- 4444
- 5555
- 6666
- 7777
- 8888
- 9000
- Saves all of the machine's network information and connections in the following file:
- /etc/iptables/iptables.rules
This covers all of the connections related to the ports listed above.
- Hides the following processes:
- Sends the following files to the URL "http://teamtnt.red/up/setup_upload.php":
- /root/.ssh/id_rsa
- /root/.ssh/id_rsa.pub
- /root/.ssh/known_host
- /root/.bash_history
- /etc/host
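The behaviours above (dropped binaries and unit files under /usr/bin and /etc/systemd/system, and TCP ports opened through ufw and firewall-cmd) give a defender a concrete set of host indicators to check. The following script is an added example, not code from the original report: it parses a snapshot of host state for those indicators. The snapshot (file listing, firewalld and ufw output, a unit file) is constructed inline so the script runs offline; the function names are ours, and on a live host the same functions can be fed the real `firewall-cmd --list-ports` and `ufw status` output and the real unit-file text.

```python
"""Host triage helper for the miner described in the report (added example)."""
import re
from typing import Iterable

# File artifacts the report lists as dropped, added, or deleted by the Trojan.
FILE_INDICATORS = {
    "/usr/bin/watchdogd",
    "/usr/bin/xmrigMiner",
    "/usr/bin/config.json",
    "/usr/bin/config1.json",
    "/usr/bin/rstart.sh",
    "/etc/init.d/watchdogd",
    "/etc/systemd/system/watchdogd.service",
    "/etc/init.d/xmrcc",
    "/etc/systemd/system/xmrcc.service",
    "/lib/systemd/system/xmrcc.service",
    "/usr/bin/64bit.tar.gz",
    "/usr/bin/32bit.tar.gz",
    "/usr/bin/service_files.tar.gz",
}

# TCP ports the report says are opened in ufw and firewalld.
PORT_INDICATORS = {1982, 3344, 4444, 5555, 6666, 7777, 8888, 9000}


def find_file_indicators(existing_paths: Iterable[str]) -> list:
    """Return the indicator paths that are present in the given path listing."""
    return sorted(FILE_INDICATORS & set(existing_paths))


def find_open_indicator_ports(firewall_cmd_list_ports: str) -> list:
    """Parse `firewall-cmd --list-ports` output ('1982/tcp 3344/tcp ...') and
    return the indicator ports that are open for TCP (UDP entries are ignored)."""
    opened = set()
    for token in firewall_cmd_list_ports.split():
        m = re.fullmatch(r"(\d+)/tcp", token)
        if m:
            opened.add(int(m.group(1)))
    return sorted(PORT_INDICATORS & opened)


def find_allowed_indicator_ports_ufw(ufw_status: str) -> list:
    """Parse `ufw status` output and return the indicator ports with an ALLOW rule.
    A rule line looks like '1982/tcp   ALLOW   Anywhere'."""
    allowed = set()
    for line in ufw_status.splitlines():
        m = re.match(r"(\d+)/tcp\s+ALLOW\b", line.strip())
        if m:
            allowed.add(int(m.group(1)))
    return sorted(PORT_INDICATORS & allowed)


def find_suspicious_exec_starts(unit_text: str) -> list:
    """Return ExecStart= binaries in a systemd unit that match an indicator path."""
    hits = []
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            cmd = line[len("ExecStart="):].strip()
            binary = cmd.split()[0] if cmd else ""
            if binary in FILE_INDICATORS:
                hits.append(binary)
    return hits


# Constructed snapshot of an infected host (sample data, not captured output).
SAMPLE_PATHS = ["/bin/ls", "/usr/bin/xmrigMiner", "/etc/systemd/system/watchdogd.service"]
SAMPLE_FIREWALLD = "22/tcp 1982/tcp 4444/tcp 9000/udp"
SAMPLE_UFW = "Status: active\n\nTo   Action   From\n22/tcp   ALLOW   Anywhere\n3344/tcp   ALLOW   Anywhere\n"
SAMPLE_UNIT = "[Unit]\nDescription=watchdog\n[Service]\nExecStart=/usr/bin/watchdogd -c /usr/bin/config.json\n"


def triage() -> dict:
    """Run every check over the constructed snapshot and return the findings."""
    return {
        "files": find_file_indicators(SAMPLE_PATHS),
        "firewalld_ports": find_open_indicator_ports(SAMPLE_FIREWALLD),
        "ufw_ports": find_allowed_indicator_ports_ufw(SAMPLE_UFW),
        "exec_starts": find_suspicious_exec_starts(SAMPLE_UNIT),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind}: {hits if hits else 'none'}")
```

Any non-empty finding is a reason to pull the unit file, cron directories (/var/spool/cron, /etc/cron.d) and /root/.ssh for review, since the report shows the sample also exfiltrates SSH keys and shell history.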