Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
- /root/.ssh/id_rsa
- /root/.ssh/id_rsa/.ssh/id_ed25519
- /root/.ssh/id_rsa/.ssh/id_ed25519/.ssh/id_dsa
- /home/user/.ssh/id_rsa
- /home/user/.ssh/id_rsa/.ssh/id_ed25519
- /home/user/.ssh/id_rsa/.ssh/id_ed25519/.ssh/id_dsa
Substitutes application name for:
- ttgdgoco
- sssogoty
Launches processes:
- ufw allow 41297
- firewall-cmd --permanent --add-port 41297/tcp
- lscpu
- /usr/sbin/xtables-nft-multi iptables -I OUTPUT -p tcp --dport 41297 -j ACCEPT
- iptables -I INPUT -p tcp --dport 41297 -j ACCEPT
- crontab -
- /usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --dport 41297 -j ACCEPT
- (crontab -l; printf \x27@reboot <SAMPLE_FULL_PATH> noa\x0a\x27) | crontab -
- iptables -I OUTPUT -p tcp --dport 41297 -j ACCEPT
- crontab -l
Kills the following processes:
- ttgdgoco
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.K4nQqc
Creates or modifies files:
- /var/spool/cron/crontabs/tmp.K4nQqc
Changes time of creation/access/modification of files:
- /var/spool/cron/crontabs
Network activity:
Awaits incoming connections on ports:
- 0.0.0.0:41297
Establishes connection:
- 8.#.8.8:53
Attacks using a special dictionary (brute-force technique) via the SSH protocol
Other:
Collects OS information
Collects CPU information