Technical Information
Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
- iptables -I INPUT -p tcp --destination-port 23 -j ACCEPT
- iptables -I INPUT -p tcp --destination-port 80 -j DROP
- iptables -I INPUT -p tcp --destination-port 8080 -j DROP
Launches processes:
- sh -c echo 3 > /proc/sys/vm/drop_caches
- sh -c killall telnetd utelnetd scfgmgr
- sh -c iptables -I INPUT -p tcp --destination-port 23 -j ACCEPT
- sh -c iptables -I INPUT -p tcp --destination-port 8080 -j DROP
Attempts to kill the following processes:
- killall telnetd utelnetd scfgmgr
Kills the following processes:
- <SAMPLE>
Performs operations with the file system:
Deletes folders:
- <SAMPLE_FULL_PATH>
Creates or modifies files:
- /proc/sys/vm/drop_caches
- /root/catrunv1.2.pid
Deletes files:
- <SAMPLE_FULL_PATH>
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:12399
- 0.0.0.0:23
Establishes connection:
- 8.#.8.8:53
- <LOCAL_DNS_SERVER>
- 19#.##2.241.236:123
- 91.###.89.199:123
- 85.##.78.23:123
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
- nt#.#buntu.com
- po##.ntp.org
Sends data to the following servers:
- 85.##.78.23:123
Receives data from the following servers:
- 85.##.78.23:123