- ssh1:e19a33ad9aac046cffc806cd80280854588b879a
Description
A trojan dropper for Linux written in C and packed using UPX. It is used to deliver a variety of malware to a compromised system, including the Linux.Rootkit.400 (LKM) rootkit, the Linux.BtcMine.815 miner, and the Linux.BackDoor.Pam.8/9 and Linux.BackDoor.SSH.425/426 backdoors. It is quite large, as it contains rootkits for different distributions and kernel versions (about 60 modifications).
MITRE matrix
Tactic | Technique
---|---
Execution (TA0002) | Unix Shell (T1059.004)
Persistence (TA0003) | Kernel Modules and Extensions (T1547.006)
Privilege Escalation (TA0004) | Kernel Modules and Extensions (T1547.006)
Defense Evasion (TA0005) | Software Packing (T1027.002), File and Directory Permissions Modification (T1222.002), File Deletion (T1070.004), Rootkit (T1014), Disable or Modify Tools (T1562.001), Match Legitimate Name or Location (T1036.005), Timestomp (T1070.006)
Operating routine
- The dropper accesses the following files and, using the chattr system utility, removes a number of attributes from them:

Files | Attributes removed
---|---
/usr/bin, /usr/bin/ssh, /usr/bin/scp, /lib/udev, /etc, /etc/pam.d, /etc/pam.d/common-account, /etc/pam.d/common-password, /etc/pam.d/common-session, /etc/pam.d/common-session-noninteractive | a, i, e

a – only allows data to be appended to the file
i – prohibits the file from being renamed or deleted
e – indicates that the file uses extents*

*This is an attacker's mistake, since the e attribute cannot be removed with chattr.
- Using the uname command, the dropper determines the Linux kernel version. Based on this information, it selects compatible rootkits and places them in the following paths:
  - /lib/udev/collectd/kmeminfo.ko — a malicious kernel module that installs a network filter to bypass the firewall.
  - /lib/udev/collectd/mcpuinfo.ko — Linux.Rootkit.400, a rootkit that hides the activity of the CPU, kernel modules, processes, and network ports.
- Checks the hashes of the sshd and scp executables. If they do not match the values stored in the dropper, the files are replaced with malicious versions:
  - /usr/bin/ssh — Linux.BackDoor.SSH.425, collects SSH credentials and stores them in the olog.h file
  - /usr/bin/scp — sends the olog.h file to the attackers
- If no compatible rootkit is found in the dropper, the server logs are cleared and the server is rebooted. If the rootkit is installed successfully, the /etc/reviews directory is created. It contains the following files, which are patched versions of system diagnostic utilities modified to work with the mcpuinfo.ko rootkit:

Legitimate tool | Patched version
---|---
conntrack | /etc/reviews/cn
ifconfig | /etc/reviews/ig
ip | /etc/reviews/ip
iftop | /etc/reviews/it
netstat | /etc/reviews/nt
route | /etc/reviews/rt
unhide-tcp | /etc/reviews/up
unhide-linux | /etc/reviews/uu
unhide-posix | /etc/reviews/ux
tcpdump | /etc/mountinfo
busybox | /etc/dhclientd
telnet | /etc/dhclientdx
ping | /etc/dhclientdd

- 4.1 Additionally, the following files are created:
  - /usr/bin/biosdecoded — contains malicious versions of pam_echo.so and pam_sftp.so and ensures that they are loaded on a system call
  - /usr/bin/devlinked — Linux.MulDrop.151, a dropper for the Linux.BtcMine.815 miner (xmrig)
  - /usr/bin/matchpathcond — Linux.BackDoor.SSH.426 (SSH backdoor)
  - /usr/bin/postcated — Linux.Stealer.8, which, like scp, sends the olog.h file to the attackers
  - /usr/bin/postmaped — Linux.Siggen.7907, removes artifacts created during infection
  - /usr/bin/telinited — Linux.BackDoor.RCTL.2, a remote access and control trojan (https://github.com/ycsunjane/rctl/blob/github/client/rctl.c)
- Before loading the rootkits, the dropper uses modprobe to load the inet_diag, tcp_diag, and udp_diag modules and to unload sysdig_probe_probe. If these commands succeed, it writes 8 to the file /tmp/8.txt (echo 8 > /tmp/8.txt). It then runs insmod to load mcpuinfo.ko and kmeminfo.ko. If the modules fail to load, the logs are cleared and the server is restarted.
- The following binaries are launched:
  - /usr/bin/biosdecoded
  - /usr/bin/devlinked
  - /usr/bin/matchpathcond
  - /usr/bin/postcated
  - /usr/bin/postmaped
  - /usr/bin/telinited

  Before launching each of these files, the rootkit interacts with /proc/sys/kernel/ns_last_pid and /proc/sys/kernel/pid_max, where it records the ID of the last malicious file launched. In addition, numbered files (1.txt, 2.txt, and so on) are created in the /tmp directory; each one appears once a particular stage of the attack has completed successfully.
- It performs a log cleanup and deletes temporary files.
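A host check for the on-disk artifacts listed in the routine above, added here as an example (it is not a Dr.Web tool or the dropper's code). It assumes POSIX sh, the usual lsmod output format, and takes an optional root prefix so it can be run against a mounted disk image or a constructed test tree; the package names in the usage comment are assumptions for the ssh/scp integrity check.

```shell
#!/bin/sh
# Offline host check for the dropper's on-disk artifacts described above.
# ROOT ($1) is a path prefix, so the check can run against a mounted disk
# image or a constructed test tree instead of the live filesystem.

# Paths taken from the description: rootkit modules, the patched-tool
# directory and its siblings, and the second-stage binaries in /usr/bin.
ARTIFACT_PATHS="/lib/udev/collectd/kmeminfo.ko /lib/udev/collectd/mcpuinfo.ko \
/etc/reviews /etc/mountinfo /etc/dhclientd /etc/dhclientdx /etc/dhclientdd \
/usr/bin/biosdecoded /usr/bin/devlinked /usr/bin/matchpathcond \
/usr/bin/postcated /usr/bin/postmaped /usr/bin/telinited"

# Print every artifact path present under the root prefix, one per line.
# Returns 0 when the tree is clean and 1 when at least one artifact exists.
find_artifacts() {
  root="${1%/}"
  hits=0
  for p in $ARTIFACT_PATHS; do
    if [ -e "$root$p" ]; then
      printf '%s\n' "$root$p"
      hits=1
    fi
  done
  return $hits
}

# Count the numbered stage markers (/tmp/1.txt, /tmp/2.txt, ... /tmp/8.txt)
# the dropper leaves behind; any on a live host is suspicious.
count_stage_markers() {
  root="${1%/}"
  n=0
  for f in "$root"/tmp/[0-9].txt "$root"/tmp/[0-9][0-9].txt; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Read lsmod-style output ("name size used_by") on stdin and print the
# names of the two rootkit modules if they are loaded.
loaded_rootkit_modules() {
  awk '$1 == "kmeminfo" || $1 == "mcpuinfo" { print $1 }'
}

# Live-host usage (package names assumed: openssh-client on Debian-based,
# openssh-clients on RPM-based systems):
#   find_artifacts /
#   lsmod | loaded_rootkit_modules
#   dpkg -V openssh-client 2>/dev/null || rpm -V openssh-clients
```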