SHA1: 2b82c715c2f1480b57e59bd7c55ef32db312e008
c05bd53f91032f2c8cae509477d760537f014621
A Trojan for Linux, also known as “TheMoon”, that is designed to download various files to the infected device. All examined samples had the “.nttpd” file name. In order to store its PID, the Trojan uses the “.nttpd” file with the following contents:
<pid>,<module_id>
In the head module, module_id equals to 17.
If it is successfully launched, the Trojan deletes its original file and updates the iptables utility with the following rules:
"INPUT -p tcp --dport 8080 -j DROP"
"INPUT -p tcp --dport 443 -j DROP"
"INPUT -p tcp --dport 80 -j DROP"
"INPUT -p tcp --dport 23 -j DROP"
"INPUT -p tcp --dport 22 -j DROP"
"INPUT -s 46.148.18.0/24 -j ACCEPT"
"INPUT -s 185.56.30.0/24 -j ACCEPT"
"INPUT -s 217.79.182.0/24 -j ACCEPT"
"INPUT -s 85.114.135.0/24 -j ACCEPT"
"INPUT -s 95.213.143.0/24 -j ACCEPT"
"INPUT -s 185.53.8.0/24 -j ACCEPT"
Thus, other Trojans will not be able to compromise a device.
After that, the following three functions that perform main malicious activity are launched by the malware program:
clk
net
dwl
clk
This function launches two child threads. The first thread calculates time of the Trojan’s continuous work in infinite loop. The second one connects to the command and control server every hour by going through all IPs of C&C servers hard coded in the Trojan’s body until it finds an active one. To send information to the server, the malware program uses a 48-byte buffer where all bytes are equal to zero, and the first byte is 0x23. Then the Trojan waits for a buffer of the same size as a response from the server. After the buffer is received, the malware program retrieves the penultimate DWORD value with 0x7C558180 added to it. The obtained number is the value of the current time.
net
A function that adds a new C&C server of the Trojan, in addition to those that are already hard coded in its body, and receives data necessary for modules updating.
The Trojan opens the 5142 port using iptables:
INPUT -p udp --dport %u -j ACCEPT
After that, it launches a thread for listening to this port and waits for a 263-byte package with the following structure:
| Offset | Data |
|---|---|
| 0x00 | Package size |
| 0x01 | The function number (0 or 1) |
| 0x02 | Determines whether a registration confirmation should be sent |
| 0x03 | 0x8E |
| 0x04+ | Package data |
First, the Trojan registers the server by receiving a package that looks as follows:
| Offset | Data |
|---|---|
| 0x00 | 0x08 |
| 0x01 | 0x00 |
| 0x02 | Determines whether a registration confirmation should be sent |
| 0x03 | 0x8E |
| 0x04 | DWORD with the 0x6D6163F3 value |
The Trojan saves the dwIp % 0x64 value and the value of the IP address from which the package was sent. If the third byte is identified, the malicious program sends the same buffer. Besides, it can forward the following control packages to the server:
| Offset | Data |
|---|---|
| 0x00 | 0x0C |
| 0x01 | 0x00 |
| 0x02 | Is ignored |
| 0x03 | 0x8E |
| 0x04 | DWORD with the 0x6D6163F3 value |
| 0x08 | Is ignored |
| 0x0C | An IP address which the package is sent to |
If the DWORD value at offset of 0x0C is not zero, the Trojan sends a registration request package to a specified IP. Otherwise, it sends the package to the server from which a command has been received.
The package looks as follows:
| Offset | Data |
|---|---|
| 0x00 | <= 0x14 |
| 0x01 | 0x01 |
| 0x02 | Is ignored |
| 0x03 | 0x8E |
| 0x04 | st_module |
The following structure is stored at offset of 0x04:
struct st_module
{
_DWORD dwip;
_DWORD module_id;
_DWORD size;
char filename[8];
};
The Trojan checks whether an IP from this structure is among the hard coded or registered server addresses. After that, it copies the structure to its memory, and the structure is then forwarded to the dwl thread.
dwl
It waits until the st_module structure is padded by the net thread. Then it generates the pid file name:
StModule->filename + ".pid"
and, depending on the presence of this file, checks whether the corresponding module is launched. At that, either the name of the module or its identifier is compared. If the module is launched, the process is then “killed”.
After that, the Trojan establishes TCP connection to StModule->dwip and sends the following line:
StModule->filename,StModule->module_id
The server, in turn, sends the module. The Trojan saves it in the StModule->filename file. Then the malicious program sets the 448 privileges and executes the module.