- sha1: 4fb9519aaa4173314582ed336a7d307f0ea49a84
Description
A trojan for Linux with a wide range of functions that can be remotely controlled via a Telegram bot. The source code is written in Go and encrypted with RSA, and the binary is packed with the UPX packer. The trojan is delivered to the compromised system by the Linux.MulDrop.135 dropper. It is a modification of similar malware for Windows operating systems.
Operating routine
When initialized, the trojan computes a hash of the hostname of the machine it is running on and compares it with a hardcoded value embedded in the trojan body. If the values do not match, the trojan terminates its own process. If the check succeeds, the trojan contacts its C2 server: a Telegram bot that the trojan reaches via an embedded proxy.
The following are the artifacts of the malware activity:
Artifact | Value |
---|---|
Telegram bot token | 6397562704:AAEt1UAWUcWcJb3Q5MQo8ZYF0NvJAUTk7S0 |
Chat ID | -1001913285180 |
Proxy server address | hххp://172.24.173[.]28:3128 |
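As an added example (not part of the original description), the following Python detector scans Squid-style proxy access-log lines for Telegram Bot API use and matches any visible bot token against the token listed in the table above. It assumes the native Squid log format and uses constructed log lines; because the trojan reaches the HTTPS Bot API through an HTTP proxy, a plain CONNECT tunnel exposes only the host, so such lines are flagged at low confidence rather than ignored.

```python
import re
from typing import List, NamedTuple, Optional

# Bot token quoted in the artifact table above (the page's own indicator).
KNOWN_BOT_TOKENS = {"6397562704:AAEt1UAWUcWcJb3Q5MQo8ZYF0NvJAUTk7S0"}

# Telegram Bot API path shape: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{20,})/(\w+)")
# HTTPS through an HTTP proxy is a CONNECT tunnel: the proxy sees only the host.
CONNECT_RE = re.compile(r"\bCONNECT\s+api\.telegram\.org:443\b")


class Finding(NamedTuple):
    client: str     # internal host that talked to the proxy
    severity: str   # high = known C2 token, medium = other bot token, low = opaque tunnel
    detail: str


def scan_squid_line(line: str) -> Optional[Finding]:
    """Classify one native-format Squid access.log line (client IP is field 3, URL field 7)."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, url = fields[2], fields[6]
    m = BOT_API_RE.search(url)
    if m:
        token, method = m.groups()
        if token in KNOWN_BOT_TOKENS:
            return Finding(client, "high", f"known trojan bot token, method={method}")
        bot_id = token.split(":")[0]
        return Finding(client, "medium", f"Telegram bot API call, method={method}, bot_id={bot_id}")
    if CONNECT_RE.search(line):
        return Finding(client, "low", "tunnel to api.telegram.org (token not visible without TLS inspection)")
    return None


def scan_log(text: str) -> List[Finding]:
    return [f for f in (scan_squid_line(l) for l in text.splitlines()) if f]


# Constructed sample log lines (not real captures); 203.0.113.x are documentation addresses.
SAMPLE_ACCESS_LOG = """\
1700000000.101    212 10.0.0.5 TCP_MISS/200 512 POST https://api.telegram.org/bot6397562704:AAEt1UAWUcWcJb3Q5MQo8ZYF0NvJAUTk7S0/getUpdates - HIER_DIRECT/203.0.113.10 application/json
1700000001.202    180 10.0.0.7 TCP_MISS/200 1024 GET http://example.org/index.html - HIER_DIRECT/203.0.113.11 text/html
1700000002.303   9000 10.0.0.9 TCP_TUNNEL/200 4096 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.10 -
1700000003.404    205 10.0.0.11 TCP_MISS/200 640 POST https://api.telegram.org/bot1234567890:AAFconstructedPlaceholderToken0000/sendDocument - HIER_DIRECT/203.0.113.10 application/json
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_ACCESS_LOG):
        print(f"{f.severity:6} {f.client:10} {f.detail}")
```

On a real proxy the medium and low findings are leads, not verdicts; they identify the internal host to inspect for the UPX-packed Go binary described above.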
Once connected, the trojan accepts the following commands from the C2, each preceded by a forward slash:
Command | Parameters | Description |
---|---|---|
v | none | Returns a string in the following format: "Version: [%s]\nHostname: [%s]\nExeName: [%s]\nExepath: [%s]\nParams: [%s]\nExeDir: [%s]\nWD: [%s]\nArch: [%s]\nPID: [%d]\nChatId: [%d]" |
bind | chat_ID | Adds the bot to a group |
isbind | none | Checks if the bot has been added to a group |
kill | PID | Terminates a trojan session with the corresponding PID |
kill_except | PID | Terminates all trojan sessions except the one whose PID is specified as an argument |
dwl | file_name | Downloads a file from the compromised PC |
update | none | Updates itself by replacing the binary with the file new.bak and saving the previous version to old- |
cr | command | Executes a command in a separate thread and appends "& exit" to it |
cpr | command | Executes a command in a separate thread |
cpri | <PID> <command> | Executes a command for a trojan with the corresponding PID in a separate thread |
sleep | <PID> <number_of_seconds> | Suspends a trojan with the corresponding PID |
sleep_except | <PID> <number_of_seconds> | Suspends all trojan sessions except the one whose PID is specified |
restart | PID | Restarts the Telegram bot for a trojan session with the corresponding PID |
wget | <URL> <file_name> | Downloads a file from the specified URL and saves it under the specified name |
token | <api_token> <group_ID> [PID] | Replaces a token for trojan sessions with the specified PID |
screenshot | PID | Takes a screenshot of a trojan session with the specified PID and sends it to the Telegram group with the name in the following format: "display-<PID>_<COUNT>_<HEIGHT>x<WIDTH>.png" |
start | none | Creates shell context for the /c and /ci commands |
c | command | Executes a command |
ci | <PID> <command> | Executes a command for a session with the specified PID |
reset | none | Re-creates shell context for the /c and /ci commands |
The trojan also supports the transfer of files to a compromised host via Telegram chat attachments. Files are saved on the compromised host under their original names; to save a file in a specific directory, the target path is specified in the message body.