A new Linux crypto-miner executes a shell script on Linux and exploits privilege escalation vulnerabilities to steal the root password and disable antivirus.
IMPACT: MEDIUM
PUBLISH DATE: 26-11-2018
OVERVIEW
A Linux crypto-miner has been identified that can steal root passwords and disable the system’s antivirus.
The trojan first finds and kills all rival cryptocurrency-mining malware on the host, then downloads and starts its own Monero-mining operation. It also installs a rootkit and another strain of malware capable of executing DDoS attacks.
ANALYSIS
This new malware strain has no distinctive name and is tracked under its generic detection name, Linux.BtcMine.174.
Despite the generic name, the trojan is more complex than most Linux malware because of the number of malicious features it bundles.
The trojan itself is a shell script of over 1,000 lines, and it is the first file executed on an infected Linux system. Its first action is to find a folder on disk to which it has write permissions, so that it can copy itself there and later use that folder to download other modules.
Once the trojan has a foothold on the system, it uses one of two privilege escalation exploits, CVE-2016-5195 (also known as Dirty COW) or CVE-2013-2094, to gain root permissions and full access to the OS.
INDICATORS OF COMPROMISE
SHA1 file hashes for the trojan’s various components are available on GitHub.
https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.BtcMine.174
Further analysis of the trojan is available at the link below for system administrators who want to scan their systems.
https://vms.drweb.com/virus/?i=17645163
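The advisory points administrators at a SHA1 list for the trojan’s components and notes that the dropper first looks for a writable folder to copy itself into. The script below is an added example (not Rewterz’s or Doctor Web’s tooling) of how an administrator can turn such a list into a filesystem sweep: it parses a two-column "sha1  label" feed, hashes every regular file under a root, reports matches, and flags whether the match sits in a world-writable directory of the kind the dropper prefers. The hashes in the demo are constructed placeholders; the real values come from the GitHub repository linked above.

```python
#!/usr/bin/env python3
"""Sweep a directory tree for files whose SHA1 matches a known-bad list.

Added example for this advisory, not part of the original text or of the
Doctor Web IoC repository. The IoC rows built in demo() are CONSTRUCTED
placeholders; replace them with the SHA1 list linked in the advisory.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

HEX = set("0123456789abcdef")


def load_ioc_list(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'sha1  label' rows into {sha1: label}.

    Blank lines and '#' comments are ignored; the label is optional.
    Rows whose first column is not a 40-char hex digest are skipped so one
    malformed row cannot abort a whole scan.
    """
    iocs: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 40 or not set(digest) <= HEX:
            continue
        iocs[digest] = parts[1].strip() if len(parts) > 1 else ""
    return iocs


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA1 so large binaries do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_world_writable(path: str) -> bool:
    """True when 'other' has write permission (e.g. /tmp-style drop folders)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def scan_tree(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Return (path, sha1, label, parent_dir_world_writable) for every hit."""
    hits: List[Tuple[str, str, str, bool]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Symlinks are skipped so a link into /proc or a loop cannot stall the sweep.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file; an unprivileged scan just moves on
            if digest in iocs:
                hits.append((path, digest, iocs[digest], is_world_writable(dirpath)))
    return hits


def demo() -> List[Tuple[str, str, str, bool]]:
    """Run the sweep on a constructed temp tree containing one 'bad' file."""
    with tempfile.TemporaryDirectory() as root:
        drop = os.path.join(root, "tmp_drop")
        os.makedirs(drop)
        os.chmod(drop, 0o1777)  # mimic a world-writable, sticky drop folder
        bad = os.path.join(drop, "miner.sh")
        with open(bad, "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed sample, not real malware\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("benign file\n")
        feed = [
            "# constructed IoC feed (placeholder values, not the real list)",
            f"{sha1_of_file(bad)}  Linux.BtcMine.174 dropper (placeholder)",
            "deadbeef  malformed row that must be skipped",
        ]
        return scan_tree(root, load_ioc_list(feed))


if __name__ == "__main__":
    for path, digest, label, writable in demo():
        print(f"HIT {digest} {path} [{label}] world-writable-dir={writable}")
```

Run it as root against `/` (or the mount points you care about) after replacing the demo feed with the real SHA1 list; a hit inside a world-writable directory is consistent with the dropper’s staging behaviour described above and is worth isolating before the host is rebooted, since the advisory notes the trojan also installs a rootkit.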
AFFECTED PRODUCTS
Red Hat Virtualization 4.x
Red Hat Enterprise Linux Desktop 7
Red Hat Enterprise Linux HPC Node 7
Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux Workstation 7
UPDATES
Red Hat Network provides the updated packages via the following link.
https://access.redhat.com/errata/RHSA-2018:3092
If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.