
Rewterz Threat Alert – New Version of Stantinko Group Linux Proxy Trojan Masquerades as httpd

November 25, 2020

Severity

Medium

Analysis Summary

A new version of a Linux proxy trojan attributed to the Stantinko group has been found. The group is best known for targeting Windows operating systems, and its malware consists mainly of coin-miners and adware botnets. This Linux sample masquerades as httpd, the Apache Hypertext Transfer Protocol Server, a program commonly present on Linux servers. The sample reports version 2.17, whereas the earlier version was 1.2*. It appears to be part of a broader campaign that takes advantage of compromised Linux servers. The sample is an unstripped 64-bit ELF binary. On execution, the malware validates a configuration file that is delivered alongside it to the infected machine; it expects this file at “/etc/pd.d/proxy.conf”. If the configuration file does not exist, or lacks the required structure, the malware exits without carrying out any further malicious activity.

This Linux version acts as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes in a larger proxy network. Each of these systems would be used to launch brute-force attacks against content management systems (CMSs) and other web-based systems, such as databases. Once it compromised such a system, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deploy a copy of itself and a crypto-miner to generate further profit for the malware authors.
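A host-triage script, added here as an example and not part of the advisory or any Rewterz tooling: it checks for the configuration path the sample requires and flags any process named httpd whose executable is not under the directories where a packaged Apache would live. The EXPECTED_HTTPD_DIRS list is an assumption to adjust per fleet, and SAMPLE_PROCS is a constructed set of records used when no live /proc is available.

```python
"""Hunt for an httpd impostor: flag httpd processes not running from a packaged
Apache location, and check for the trojan's required configuration file."""
import os
from pathlib import Path

CONFIG_PATH = "/etc/pd.d/proxy.conf"  # path the sample requires, per the advisory
# Assumption: where a legitimately installed Apache binary lives on your fleet.
EXPECTED_HTTPD_DIRS = ("/usr/sbin", "/usr/lib/apache2", "/usr/local/apache2/bin")

# Constructed sample of (pid, comm, exe) records in the shape live_processes() yields.
SAMPLE_PROCS = [
    (1234, "httpd", "/usr/sbin/httpd"),           # packaged Apache: fine
    (2345, "httpd", "/tmp/.x/httpd"),             # impostor in a temp dir
    (3456, "httpd", "/dev/shm/httpd (deleted)"),  # dropped, started, then unlinked
    (4567, "sshd", "/usr/sbin/sshd"),             # not httpd: ignored
]

def is_expected_httpd_path(exe: str) -> bool:
    return any(exe.startswith(d + "/") for d in EXPECTED_HTTPD_DIRS)

def flag_processes(procs):
    """Return a list of (pid, exe, reason) for every suspicious httpd process."""
    findings = []
    for pid, comm, exe in procs:
        if comm != "httpd":
            continue
        if exe.endswith(" (deleted)"):  # /proc/<pid>/exe suffix for an unlinked binary
            findings.append((pid, exe, "httpd binary unlinked from disk while still running"))
        elif not is_expected_httpd_path(exe):
            findings.append((pid, exe, "httpd running from an unexpected location"))
    return findings

def live_processes(proc_root="/proc"):
    """Yield (pid, comm, exe) for every process visible under proc_root."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            comm = Path(proc_root, entry, "comm").read_text().strip()
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # process exited, or no permission to read (run as root)
        yield int(entry), comm, exe

if __name__ == "__main__":
    if os.path.isfile(CONFIG_PATH):  # the trojan exits unless this file exists
        print(f"[!] {CONFIG_PATH} present: matches the proxy trojan's config path")
    procs = live_processes() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, exe, reason in flag_processes(procs):
        print(f"[!] pid {pid}: {reason} ({exe})")
```

Run it as root so every /proc/<pid>/exe link is readable; a hit on the config path alone is worth escalating, since the trojan refuses to run without it.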


Impact

  • Detection Evasion
  • System Compromise
  • Privilege Escalation
  • Unauthorized Code Execution
  • Unauthorized Resource Consumption

Indicators of Compromise


Remediation

  • Block the threat indicators at their respective controls.