Linux.Siggen.6567
Added to the Dr.Web virus database: 2024-02-13
Virus description added: 2024-02-13
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
Malicious functions:
Gains root privileges
Launches itself as a daemon
Substitutes application name for:
Launches processes:
- /bin/sh -c ps -e
- sysctl -w rk_print_dump=0
- /bin/bash /root/run.sh
- ping -c1 <LOCAL_GATE>
- ps -e
- base64 --decode
- sysctl -w rk_enabled=1
- chmod +x /root/stub.sh
- sysctl -w rk_port=31337
- sysctl -w rk_timeout=60
- ntpdate 0.ru.pool.ntp.org
- sysctl -w rk_ip=<LOCAL_GATE>
- sysctl -w rk_packed=1
- sysctl -w rk_hex_path=2f726f6f742f66666534303661326236643537306437386538636633316261313631343634396137303961366430
- chmod +x <SAMPLE_FULL_PATH>
- sleep 60s
- tmux new-session -d -s main /root/stub.sh
Performs operations with the file system:
Modifies file access rights:
- /root/run.sh
- <SAMPLE_FULL_PATH>
- /root/stub.sh
Creates or modifies files:
- /root/bm.json
- /proc/sys/kernel/printk
- /root/stub.sh
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- <LOCAL_GATE>:1025
DNS ASK:
- bm##ps.org
- 0.##.#ool.ntp.org
Sends data to the following servers:
Other:
Collects OS information
Collects CPU information
Collects RAM information