Outlaw Hacking Group’s Botnet Observed Spreading Miner, Perl-Based Backdoor

By Augusto Remillano II


One of our honeypots detected a URL spreading a botnet with a Monero miner bundled with a Perl-based backdoor component. The routine caught our attention as the techniques employed are almost the same as those used in the Outlaw hacking group’s previous operation.


During our analysis, we also observed the use of an executable Secure Shell (SSH) backdoor, and noted that the components are now installed as a service to provide persistence to the malware. The Perl-based backdoor component is also capable of launching distributed denial-of-service (DDoS) attacks, allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.


However, we think that the cybercriminals behind this threat may still be in the testing and development phase, based on the shell script components that were included in the TAR file but left unexecuted.


As of this writing, our telemetry has detected infection attempts in China.


Routine


Our data shows that the malware gains initial access by brute-forcing SSH credentials and then executes one of two possible command files. The components and routine resemble those described in a previously published entry; the sample we analyzed executed .x15cache, a bash script that downloads the malware.



Figure 1. Targeted machine using brute force via SSH
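Because the only initial-access technique described here is SSH password guessing, the host-side signal a defender wants is a burst of failed sshd logins from one source followed by an accepted login from the same source. The following detector is an added example written for this article, not code from the original post or from Trend Micro; the auth.log lines, hostnames, usernames and IP addresses are constructed for illustration, and the threshold of four failures is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the article); IPs are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 12 03:14:02 host sshd[2213]: Failed password for root from 203.0.113.7 port 41030 ssh2
Jan 12 03:14:03 host sshd[2215]: Failed password for root from 203.0.113.7 port 41044 ssh2
Jan 12 03:14:04 host sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 41050 ssh2
Jan 12 03:14:05 host sshd[2219]: Failed password for root from 203.0.113.7 port 41062 ssh2
Jan 12 03:14:06 host sshd[2221]: Accepted password for root from 203.0.113.7 port 41070 ssh2
Jan 12 03:20:11 host sshd[2301]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Jan 12 03:20:15 host sshd[2303]: Accepted publickey for alice from 198.51.100.4 port 50002 ssh2
Jan 12 03:25:00 host sshd[2400]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Jan 12 03:25:01 host sshd[2402]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
Jan 12 03:25:02 host sshd[2404]: Failed password for invalid user guest from 192.0.2.9 port 33003 ssh2
Jan 12 03:25:03 host sshd[2406]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_events(log_text):
    """Return a list of dicts (outcome, method, user, ip) for every sshd auth line that parses."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_ssh_brute_force(log_text, threshold=4):
    """Flag source IPs with at least `threshold` failed logins.

    Verdict is 'brute_force_attempt' once the threshold is crossed, and is upgraded to
    'brute_force_success' if the same IP later gets an 'Accepted' login, which is the
    pattern a successful password-guessing campaign leaves behind.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "verdict": None})
    for ev in parse_sshd_events(log_text):
        s = stats[ev["ip"]]
        if ev["outcome"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
            if s["failures"] >= threshold and s["verdict"] is None:
                s["verdict"] = "brute_force_attempt"
        elif s["verdict"] is not None:
            # An accepted login from an IP that already crossed the threshold.
            s["verdict"] = "brute_force_success"
    return {
        ip: {"failures": s["failures"], "users": sorted(s["users"]), "verdict": s["verdict"]}
        for ip, s in stats.items()
        if s["verdict"] is not None
    }


if __name__ == "__main__":
    for ip, info in detect_ssh_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['verdict']} ({info['failures']} failures, users tried: {info['users']})")
```

The counts are cumulative over the whole input; a production detector would count failures inside a sliding time window and read from journald or the distribution's auth log rather than a string. The single legitimate mistype from 198.51.100.4 followed by a public-key login is deliberately left unflagged, which is the false positive such a rule most often has to tolerate.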


The shell script downloads, extracts, and executes the miner payload. The extracted TAR file contains folders with scripts and th ..
