This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
This Trojan drops the following files:
- /lib64/security/pam_unix.so (if 64-bit; compromised pam_unix.so file)
- /lib/x86_64-linux-gnu/security/pam_unix.so (if 32-bit; compromised pam_unix.so file)
Other System Modifications
This Trojan deletes the following files:
This Trojan terminates the following processes if found running in the affected system's memory:
This Trojan connects to the following website(s) to download and execute a malicious file:
It saves the files it downloads using the following names:
This Trojan does the following:
- It checks whether the OS is CentOS or Red Hat; if not, it connects to and downloads from the following URL(s):
It will save and execute the downloaded file as:
- It creates a copy of "/usr/bin/pamdicks.org" and saves it as "/tmp/mmm" and "/usr/bin/mmm"
- It changes the file attributes of "/etc/cron.d" to remove the immutable and append-only flags
- It adds the following line to "/etc/cron.d/watch":
0 1 * * * root /bin/cp /usr/bin/mmm /tmp/mmm && /tmp/mmm
- It changes the file attributes of every file in "/etc/cron.d" to set the immutable flag
- It checks for "/usr/bin/chattr" or "/bin/chattr"; if neither is accessible, it executes the following commands:
/bin/mv /usr/bin/chattr /usr/bin/t
/usr/bin/t +i /root/.ssh/authorized_keys
- It checks for the presence of the following files:
If present, it replaces the file with a malicious copy of "pam_unix.so"; otherwise it creates its own "pam_unix.so"
- It checks whether setenforce is running; if found running, it executes the following command:
setenforce 0
- It checks for "/root/.ssh"; if present, it changes the file attributes of every file under that directory to remove the immutable and append-only flags.
If not present, it creates its own "/root/.ssh"
- It sets the following configurations:
SELINUXTYPE=targeted (to disable setenforce)
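A host-level check for the file-based indicators listed above, written as an added example for this writeup (it is not the vendor's tooling). It uses only the paths quoted on this page, scans a directory passed as the root so it can be tested against a constructed layout, and treats pam_unix.so as something to verify against the package manager rather than as proof of infection on its own.

```python
import os
import tempfile

# Indicators taken from the writeup above; paths are relative to the scanned root.
DROPPED_FILES = ["usr/bin/pamdicks.org", "usr/bin/mmm", "tmp/mmm", "usr/bin/t"]
CRON_FILE = "etc/cron.d/watch"
CRON_LINE = "/bin/cp /usr/bin/mmm /tmp/mmm && /tmp/mmm"
PAM_PATHS = ["lib64/security/pam_unix.so", "lib/x86_64-linux-gnu/security/pam_unix.so"]
CHATTR_PATHS = ["usr/bin/chattr", "bin/chattr"]


def scan_for_indicators(root="/"):
    """Return (indicator, detail) pairs found under root; an empty list means nothing matched."""
    hits = []
    for rel in DROPPED_FILES:
        if os.path.lexists(os.path.join(root, rel)):
            hits.append(("dropped_file", "/" + rel))
    cron = os.path.join(root, CRON_FILE)
    if os.path.isfile(cron):
        with open(cron, errors="replace") as fh:
            for line in fh:
                if CRON_LINE in line:
                    hits.append(("cron_persistence", line.strip()))
    # chattr gone from both normal locations while /usr/bin/t exists matches the rename step.
    chattr_present = any(os.path.exists(os.path.join(root, c)) for c in CHATTR_PATHS)
    if not chattr_present and os.path.exists(os.path.join(root, "usr/bin/t")):
        hits.append(("chattr_renamed", "/usr/bin/chattr moved to /usr/bin/t"))
    # A present pam_unix.so is normal; it is listed so the analyst verifies it against
    # the package manager (e.g. rpm -V pam, dpkg -V libpam-modules) instead of trusting it.
    for rel in PAM_PATHS:
        if os.path.isfile(os.path.join(root, rel)):
            hits.append(("verify_pam_module", "/" + rel))
    return hits


def build_sample_root():
    """Constructed infected layout for a self-test (not a real capture)."""
    root = tempfile.mkdtemp()
    for rel in DROPPED_FILES + ["lib64/security/pam_unix.so"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    os.makedirs(os.path.join(root, "etc/cron.d"))
    with open(os.path.join(root, CRON_FILE), "w") as fh:
        fh.write("0 1 * * * root " + CRON_LINE + "\n")
    return root


if __name__ == "__main__":
    for kind, detail in scan_for_indicators(build_sample_root()):
        print(kind, detail)
```

Run it with `scan_for_indicators("/")` as root on a live host to get the same report for the real filesystem.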