SHA1: 98172e49c3d5d70ffdcefd071f9762c58430a393
A multifunctional self-replicating Trojan for Linux written in Go. The Trojan implements the ВРЕ protocol to share data with other P2P botnet’s nodes and is launched as a node that receives and processes RPC messages. Probably, this malware program’s modification is still under development because it generates a large number of debugging messages recorded to the /dev/null device.
Once the -debug input parameter is received, the Trojan runs an HTTP server on port 6061. In addition, it executes the following commands:
| Command | Description |
|---|---|
| scan | Launch rpc provider that receives instructions for scanning |
| elevate | Search passwords and keys and elevate the privileges using sudo, su or SSH connection |
| stress | Launch rpc provider that receives instructions to carry out a DDoS attack |
| -wait <num> | Wait for the process termination with a specified PID |
When the elevate command is received, the Trojan tries to obtain user information and write it to the structure that looks as follows:
Files are scanned for private SSH keys. PHP files are parsed in order to get login credentials. A separate function retrieves user accounts from drupalSettingsDatabases. The module tries to relaunch itself using su, sudo, and via SSH.
Once launched, the Trojan receives directives from a P2P network over HTTPS on port 5099 and transmits them to local nodes. To transmit instructions to a descendent node, the Trojan uses interprocess communication over RPC.
Several RPC plug-ins are launched on an infected node. The Scan plug-in is implemented for resource network search by a specified parameter and uses the library https://github.com/natefinch/pie. The plug-in applies scanners names as follows:
- Drupal scanner
- DrupalRESTWS scanner
- Wordpress
- magento
- airos
- Jetspeed
- kerner
- exagrid
- ContactScanner
- RansomScanner
The scan module
Some structures used by this module (a pseudo code similar to the Go syntax):
struct SetBinaryRequest{
platform string,
Binary rex.Binary
}
struct SetBinaryResponse{
}
struct scanRequest{
target *scanner.Target;
}
struct scanResponse{
result *scanner.Result;
}
struct scanner.Target{
host string,
port Int,
Username string,
password string,
isHTTP bool,
isTLS bool,
Via string,
Err error, //string
DisableRansom bool,
done *chan struct {}
}
struct scanner.Result{
_ *scanner.Target,
mu sync.Mutex,
Username string
Password string
Domain string
isHTTP Bool
isTLS Bool
Via string
Err err
Emansipated bool
Contacts []scanner.Contact
Ransom *struct { Deadline time.Time; Address string; Amount int;
Step int; Stressed bool }
}
rex.Binary{
SHA1 [20]uint8,
Data []uint8,
}
struct scanner.Service{
nm scanner.networkMapper,
scanner *scanner.ConnScanner,
targets *chan *scanner.Target,
resultsMU sync.Mutex,
results []scanner.Target
}
iface scanner.Dialer{
func Dial;
func DialContext;
}
iface scanner.Scanner{
func Scan;
}
iface scanner.PHPExecutor{
func ExecPHP;
}
struct scanner.ConnScanner {
dialer scanner.Dialer{},<-interface with Dial, DialContext methods
scanners []scanner.Scanner, <-interface with Scan method
binariesMu sync.Mutex,
binaries *map[string]*rex.Binary,
}
struct scanner.HttpScanner{
dialer scanner.Dialer,
http *scanner.HTTP,
payloadfn *func(string) (io.Reader, error),
scanners []scanner.Scanner
}
struct scanner.HTTP {
client *http.Client,
UserAgent string
}
struct scanner.Drupal{
_ *scanner.HTTP,
dialer scanner.Dialer,
payloadfn *func(string) (io.Reader, error)
}
struct scanner.Wordpress {
_ *scanner.HTTP
payloadfn *func(string) (io.Reader, error)
revslider *scanner.PHP
showbiz *scanner.PHP
wpo *scanner.PHP
}
struct scanner.PHP{
_ scanner.PHPExecutor
_ scanner.Dialer
}
...
Drupal scanner
The Trojan first checks whether the Drupal CMS is installed on a website by searching the Changelog.TXT file and an index page. Then it parses them. It also checks the system for the CVE-2014-3704 vulnerability and performs an SQL injection into an input form in order to execute the following request:
update users set name='%s',pass='%s',status='1' where uid='1';
Then it executes the request
UPDATE filter_format SET status='1' WHERE format='php_core';
After that, the following command is performed:
kill `grep -l \^/tmp/x /proc/*/cmdline|sed s,/proc/,,|sed s,/cmdline,,`
Linux.Rex.1 loads its copy into an infected server and runs it:
nohup %s >/tmp/l 2>&1
DrupalRESTWS scanner
Checks a website for the vulnerability https://www.exploit-db.com/exploits/40130/. No other actions are performed.
Wordpress scanner
Checks whether a website uses Wordpress and has vulnerabilities specific for this CMS.
ContactScanner scanner
Requests an HTML page from a specified node, parses it and extracts email addresses from this page.
Magento scanner
Searches for RCE (remote code execution) vulnerabilities in Magento.
Kerner scanner
Attacks a remote node using shellshock vulnerability.
Airos scanner
Searches for devices that run AirOS and tries to detect the Ubiquiti airOS Arbitrary File Upload vulnerability.
Exagrid scanner
Checks a version of Exagrid (an application designed to manage data storage systems) in order to get public keys.
Jetspeed scanner
Checks for the CVE-2016-0712 vulnerability (Reflected Cross Site Scripting in URI path).
RansomScanner scanner
Tries to obtain all domains from the requested website and returns those ones that do not correspond to a transmitted IP.
Stress module
Like the scanner module, it launches an RPC server named "Stresser”. This module is responsible for performing DDoS attacks and spam email messaging. The following DDoS attacks can be carried out:
- HttpFlood;
- HttpPost;
- slowLoris;
- tlsThc;
- DnsAmp.
In addition, the Trojan sends out email messages composed using the following template:
We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format
"Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will
increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name,
instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap
protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you.
AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
Or:
We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format
"Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
Right now we will start 15 minutes attack on your site's IP {{ .IP }}.
It will not be hard, we will not crash it at the moment to try to minimize eventual damage,
which we want to avoid at this moment.
It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will
increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name,
instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second.
So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you.
AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
Each message has the following line in the beginning:
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
Some structures used by this module (a pseudo code similar to the Go syntax):
struct stresser.Stresser {
ua *scanner.HTTP,
nworkers Int,
jobsch *chan ransom.Jobs
token *chan struct {}
}
typedef ransom.Jobs map[string]*ransom.Job
struct ransom.Job{
IP net.IP,
DeadLine time.Time,
Address string,
Amount Int,
Step Int,
Stressed Bool
}
struct rpc.StressArgs{
IP net.IP,
Duration time.Time,
Message string,
Yield Bool
}
struct rpc.StressReply{
}
iface stresser.Runner{
func Run;
}
struct rpc.SetRansomJobsArgs{
Jobs ransom.Jobs
}
struct rpc.SetRansomJobsReply{
}
If the Trojan is launched without parameters, it works as a new node of DHT network and monitors requests to port 5099. It also tries to identify an external IP address by requesting to the following resources:
https://ipv4.icanhazip.com
https://ipinfo.io/ip
http://www.trackip.net/ip?json
The Trojan can implement the DHT protocol. For data sharing, the https://github.com/gorilla/rpc library is used.
The following structures are used:
struct node.Node{
ProxyAddr string,
cfg *node.Config,
mu sync.Mutex,
epoch time.Time,
dialer node.Dialer,
ip *net.IP,
targets *chan *scanner.Target,
jobsMu sync.Mutex,
jobs *map[string]chan string,
resultsMu sync.Mutex,
results []*scanner.Result,
key *rsa.PrivateKey,
mcp *rsa.PublicKey,
metrics *map[string]*node.Counter,
nodeMetricsMu sync.Mutex,
nodeMetrics *map[string]map[string]interface {},
report Bool,
safe Bool,
selfUpdate Bool,
ipWhitelist []net.Ip,
public Bool,
binariesMu sync.Mutex,
binaries *map[string]*rex.Binary,
myBinaryHash hash.Hash, <-интерфейс
dht *dht.Node,
stress *chan *node.stressJob,
ransomjobsch *chan ransom.Jobs,
ua *scanner.HTTP
}
struct node.Config {
disableScanner Bool,
disableStresser Bool,
disableRansom Bool,
_ *scanner.ConnScannerConfig
}
struct dht.Node{
cfg dht.NodeConfig,
ContactDir string,
rtMu sync.Mutex,
rt dht.RoutingTable,
s *dht.Store,
addr *net.TCPAddr,
client *dht.Client,
wkeys []*rsa.PublicKey
}
struct dht.NodeConfig {
Bootstrap []string,
SaveContacts string
}
struct dht.Store{
mu sync.Mutex,
m *map[dht.NodeID]*dht.Value
}
typedef dht.NodeID [0x14]uint8
struct dht.Client{
node *dht.Node,
rpc *rpc.Client
}
struct dht.RoutingTable {
_ dht.NodeID,
buckets [160]dht.Bucket
}
typedef dht.Bucket [0x14]dht.Contact
struct dht.Contact {
_ dht.NodeID,
addr string,
time time.Time
}
struct dht.Value{
_ dht.NodeID,
bytes []uint8,
sha1 []uint8,
expires time.Time,
PSS []uint8
}
The Trojan stores a list of botnet’s node addresses for connection. If an external IP coincides with one from the list, the connection will not be established.
