Trojan.Linux.GOSCAN.AA
Linux

Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware from remote sites.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be downloaded by the following malware/grayware from remote sites:
Download Routine
This Trojan connects to the following URL(s) to download its component file(s):
- https://{BLOCKED}ra.in/api/download/-7A5aP - list of passwords used for brute forcing the MSSQL database
- https://{BLOCKED}ra.in/api/download/I9RRye - list of IP addresses
Other Details
This Trojan does the following:
- It scans either randomly generated or specific IP addresses over the Internet to try to exploit vulnerable devices
- It takes advantage of the following vulnerabilities to remotely execute commands on exploited devices:
  - CVE-2014-3120
  - CVE-2015-1427
  - CVE-2017-10271
  - CVE-2018-7600
  - CVE-2018-1273
  - CCTV-DVR remote code execution
  - Hadoop remote code execution
  - ThinkPHP exploit
- It also tries to brute force the following databases in order to execute commands:
  - MSSQL
  - Redis
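Added example (not part of this description or of any Trend Micro tooling): detection logic a defender can run over MSSQL ERRORLOG lines to surface the password-list brute forcing described above. The log lines are constructed samples and the failure threshold and time window are assumptions.

```python
# Flag source IPs producing a burst of failed MSSQL logins, the footprint of a
# password-list brute force such as the one this entry describes.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MSSQL ERRORLOG line: "<ts> Logon  Login failed for user '<u>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)

def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: total_failures} for IPs with at least `threshold`
    failures inside any sliding `window` (threshold/window are assumed values)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log: six rapid 'sa' failures from one host, one unrelated
# failure from another host, and a non-logon line that must be ignored.
SAMPLE_LOG = [
    f"2019-01-15 10:22:{31 + 2 * i:02d}.45 Logon       Login failed for user 'sa'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"
    for i in range(6)
] + [
    "2019-01-15 10:30:02.12 Logon       Login failed for user 'appuser'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]",
    "2019-01-15 10:30:05.00 spid52      Starting up database 'tempdb'.",
]

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Redis does not log failed AUTH attempts by default, so for that service the equivalent signal comes from network telemetry (many short connections to port 6379 from one source) rather than the server log.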
SOLUTION
Scan your computer with your Trend Micro product to delete files detected as Trojan.Linux.GOSCAN.AA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: