Linux.MulDrop.142

Added to the Dr.Web virus database: 2024-06-20

Virus description added:

  • ssh1:e19a33ad9aac046cffc806cd80280854588b879a

Description

A trojan dropper for Linux written in C and packed using UPX. It is used to deliver a variety of malware to a compromised system, including the Linux.Rootkit.400 (LKM) rootkit, the Linux.BtcMine.815 miner, and the Linux.BackDoor.Pam.8/9 and Linux.BackDoor.SSH.425/426 backdoors. It is quite large, as it contains rootkits for different distributions and kernel versions (about 60 modifications).

MITRE matrix

Tactic                          Technique
Execution (TA0002)              Unix Shell (T1059.004)
Persistence (TA0003)            Kernel Modules and Extensions (T1547.006)
Privilege Escalation (TA0004)   Kernel Modules and Extensions (T1547.006)
Defense Evasion (TA0005)        Software Packing (T1027.002)
                                File and Directory Permissions Modification (T1222.002)
                                File Deletion (T1070.004)
                                Rootkit (T1014)
                                Disable or Modify Tools (T1562.001)
                                Match Legitimate Name or Location (T1036.005)
                                Timestomp (T1070.006)

Operating routine

  1. The dropper accesses the following files and, using the chattr system utility, removes a number of attributes from them:

     Files:
       /usr/bin
       /usr/bin/ssh
       /usr/bin/scp
       /lib/udev
       /etc
       /etc/pam.d
       /etc/pam.d/common-account
       /etc/pam.d/common-password
       /etc/pam.d/common-session
       /etc/pam.d/common-session-noninteractive

     Attributes removed:
       a - only allows information to be appended to the file
       i - prohibits the file from being renamed or deleted
       e - indicates that the file uses extents*

     *This is an attacker's mistake, since the e attribute cannot be removed with chattr.

  2. Using the uname command, the dropper determines the Linux kernel version. Based on this information, it selects compatible rootkits and places them in the following paths:
     /lib/udev/collectd/kmeminfo.ko — a malicious kernel module that installs a network filter to bypass the firewall.
     /lib/udev/collectd/mcpuinfo.ko — Linux.Rootkit.400, a rootkit that hides the activity of the CPU, kernel modules, processes, and network ports.
  3. Checks the hashes of the sshd and scp executables. If they do not match the values stored in the dropper, the files are replaced with malicious versions:
     /usr/bin/ssh — Linux.BackDoor.SSH.425, which collects SSH credentials and stores them in the olog.h file
     /usr/bin/scp — sends the olog.h file to the attackers
  4. If no compatible rootkit is found as part of the dropper, the server logs are cleared and the server is rebooted. If the rootkit is successfully installed, the /etc/reviews directory is created. It contains the following files, which are patched versions of system diagnostic utilities that have been modified to work with the mcpuinfo.ko rootkit:

     Legitimate tool    Patched version
     conntrack          /etc/reviews/cn
     ifconfig           /etc/reviews/ig
     ip                 /etc/reviews/ip
     iftop              /etc/reviews/it
     netstat            /etc/reviews/nt
     route              /etc/reviews/rt
     unhide-tcp         /etc/reviews/up
     unhide-linux       /etc/reviews/uu
     unhide-posix       /etc/reviews/ux
     tcpdump            /etc/mountinfo
     busybox            /etc/dhclientd
     telnet             /etc/dhclientdx
     ping               /etc/dhclientdd

     4.1. Additionally, the following files are created:
       /usr/bin/biosdecoded — contains malicious versions of pam_echo.so and pam_sftp.so and ensures that they are loaded on a system call
       /usr/bin/devlinked — Linux.MulDrop.151, a dropper for the Linux.BtcMine.815 miner (xmrig)
       /usr/bin/matchpathcond — Linux.BackDoor.SSH.426 (SSH backdoor)
       /usr/bin/postcated — Linux.Stealer.8, which, like scp, sends the olog.h file to the attackers
       /usr/bin/postmaped — Linux.Siggen.7907, which removes artifacts created during infection
       /usr/bin/telinited — Linux.BackDoor.RCTL.2, a remote access and control trojan (https://github.com/ycsunjane/rctl/blob/github/client/rctl.c)
  5. Before loading rootkits, the modprobe utility loads the inet_diag, tcp_diag, and udp_diag modules and unloads the sysdig_probe_probe. If these commands are successful, it redirects the output of echo 8 to the file /tmp/8.txt. It then runs the insmod command to load mcpuinfo.ko and kmeminfo.ko. If the modules were not loaded successfully, the logs are cleared and the server is restarted.
  6. The following binaries are launched:

     /usr/bin/biosdecoded
     /usr/bin/devlinked
     /usr/bin/matchpathcond
     /usr/bin/postcated
     /usr/bin/postmaped
     /usr/bin/telinited

     Before launching each of these files, the rootkit interacts with /proc/sys/kernel/ns_last_pid and /proc/sys/kernel/pid_max, where information about the ID of the last malicious file launched is recorded. Numbered files such as 1.txt, 2.txt, and so on are also stored in the /tmp directory; each of them appears only when the corresponding stage of the attack has completed successfully.

  7. It performs a log cleanup and deletes temporary files.
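As an added host-triage example (not Dr.Web's code), the POSIX shell script below checks a root prefix, such as a mounted forensic image, for the dropped binaries, rootkit modules, patched-tool copies and /tmp stage markers named in steps 2 to 6, and adds two live-host checks; the function names, the constructed path list and the assumption that the modules register under their .ko file names are hypothetical and not taken from the description.

```shell
#!/bin/sh
# Added triage helper (not Dr.Web's code): checks a root prefix ($1, e.g. a
# mounted forensic image) for the on-disk artifacts the description lists.

# Rootkit modules, patched-tool copies and dropped payloads named in steps 2-4.
MULDROP142_PATHS="/lib/udev/collectd/kmeminfo.ko /lib/udev/collectd/mcpuinfo.ko
/etc/reviews /etc/mountinfo /etc/dhclientd /etc/dhclientdx /etc/dhclientdd
/usr/bin/biosdecoded /usr/bin/devlinked /usr/bin/matchpathcond
/usr/bin/postcated /usr/bin/postmaped /usr/bin/telinited"

# Print "ARTIFACT <path>" for each known path that exists under root ($1).
muldrop142_paths() {
    root="${1%/}"
    for p in $MULDROP142_PATHS; do
        [ -e "$root$p" ] && echo "ARTIFACT $root$p"
    done
    return 0
}

# Print "STAGE <n> <path>" for the numbered /tmp/N.txt markers of steps 5-6;
# a name with anything but digits before .txt is not a marker and is skipped.
muldrop142_stage_markers() {
    root="${1%/}"
    for f in "$root"/tmp/[0-9]*.txt; do
        [ -f "$f" ] || continue
        n=$(basename "$f" .txt)
        case "$n" in *[!0-9]*) continue ;; esac
        echo "STAGE $n $f"
    done
    return 0
}

# Number of findings under root; 0 means none of the listed artifacts exist.
muldrop142_count() {
    { muldrop142_paths "$1"; muldrop142_stage_markers "$1"; } | wc -l | tr -d ' '
}
# Live-host extras (root is /). lsmod is unreliable under a module-hiding rootkit,
# so read /sys/module directly (assumes module names equal the .ko names), and
# verify ssh/scp against package metadata, since step 3 replaces both binaries.
muldrop142_live() {
    for m in mcpuinfo kmeminfo; do
        [ -d "/sys/module/$m" ] && echo "MODULE $m listed in /sys/module"
    done
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify openssh-client 2>/dev/null | grep -E '/bin/(ssh|scp)$' | sed 's/^/PKG /'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-clients 2>/dev/null | grep -E '/bin/(ssh|scp)$' | sed 's/^/PKG /'
    fi
    return 0
}
```

Source the file and call `muldrop142_paths /mnt/image; muldrop142_stage_markers /mnt/image` against a mounted image, or `muldrop142_live` on the running host; a non-zero `muldrop142_count` warrants the full scan recommended below.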

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
