Technical Information
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
- /root/.ssh/authorized_keys
Launches processes:
- chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json
- mkdir .ssh
- chattr -ia /root/.xmrig.json
- chattr -ia /root/.config/xmrig.json
- chmod -R go= /root/.ssh
- rm -rf /root/.config/xmrig.json
- rm -rf .ssh
- rm -rf /root/.xmrig.json
- cd ~ && rm -rf .ssh && mkdir .ssh && echo \x22ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJA
Performs operations with the file system:
Modifies file access rights:
- /root/.ssh
- /root/.ssh/authorized_keys
Creates folders:
- /root/.ssh
Creates or modifies files:
- /root/cert_key.pem
- /root/cert.pem
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Network activity:
Establishes connection:
- 17#.##.139.84:80
Sends data to the following servers:
- 17#.##.139.84:80
Receives data from the following servers:
- 17#.##.139.84:80
Other:
Collects CPU information
Collects RAM information
