This post is an actual malware infection incident of the "Linux/XOR.DDoS" malware (please see the previous post as reference->), in which the malware was attempting to infect a real Linux server.

An attack was coming from 107.182.141.40 with the below GeoIP details:

The attacker was compromising a Linux host via SSH password brute-forcing, as per the evidence below:

and then the malware initiation commands were executed on the compromised system:

to then execute the one-liner shell (sh) command line below:

The attacker used a web server's (domain: 44ro4.cn) panel; the screenshot below was taken at the time the attack was in progress:

The "3596 IN NS" record is more proof of the domain used, a check mate:

Infection method, camouflages and overall summary

I examined the infection source further; what it seems is not what it is at all: what look like zip archives are ELF malware, and what look like zips are shell script malware installers. To be clear, see the illustration below:

Rule number 1 in MMD is: Always check under the hood :)

So the bad actor is making a pair: the installer faked as a zip, and, downloaded under exactly the same filename, the ELF faked as a rar. The reason for faking these archives is simply to avoid filename blocking by several firewall/IDS filters. This is just unbelievably irritating, isn't it?

This is the Linux/XorDDOS malware we posted before->; post-infection, this malware makes the infected machine act as a bot, remotely controlled for malicious processes, config, deny-IP, daemon and configurations. The main function of this malware ELF is a stealth DDoS attacker botnet. They are using XOR'ed encrypted communication, and process names are sent MD5-encoded beforehand.

The important highlights of this incident and the malware used are:

(1) The usage of US infrastructure for this malware infection (attacker IP from a US host, one IP of the panel used for infection, two servers for CNC, with the abuse of.
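As an added example (not code from this post or from MalwareMustDie), here is a small Python check for the "always check under the hood" rule: it classifies a file by its leading magic bytes instead of its extension and flags any .zip or .rar whose content is really an ELF binary or a shell script. The filenames and contents in `build_samples()` are constructed samples, not artifacts from this incident.

```python
import io
import zipfile
from pathlib import Path

# Magic bytes for the types this incident involves: real archives versus the
# ELF and shell-script payloads that were disguised as archives.
MAGIC = {
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",      # RAR 4.x signature (RAR5 appends one more byte)
}
EXPECTED_BY_EXT = {".zip": "zip", ".rar": "rar"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"#!"):   # shebang: a shell/interpreter script
        return "script"
    return "unknown"

def check_disguise(name: str, data: bytes) -> dict:
    """Return the type claimed by the extension, the real type, and whether they disagree."""
    claimed = EXPECTED_BY_EXT.get(Path(name).suffix.lower())
    actual = sniff(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "disguised": claimed is not None and actual != claimed}

def find_disguised(files: dict) -> list:
    """files maps filename -> content; returns the names whose content lies."""
    return [n for n, d in files.items() if check_disguise(n, d)["disguised"]]

def build_samples() -> dict:
    """Constructed sample files (not from the incident): one honest zip, an ELF
    header under a .rar name, and a shell installer stub under a .zip name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
    elf_header = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # 64-bit LE e_ident only
    installer = b"#!/bin/sh\necho constructed installer stub\n"
    return {"good.zip": buf.getvalue(), "payload.rar": elf_header, "payload.zip": installer}

if __name__ == "__main__":
    for name, data in build_samples().items():
        print(check_disguise(name, data))
```

On a real system the same check can be run over a download directory, with `sniff()` fed the first 16 bytes of each file; a mismatch is a strong triage signal, not proof of malice on its own.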