

Rewterz Threat Alert – APT-C-23 aka AridViper Active Again
November 25, 2020
Rewterz Threat Alert – Russian APT Gamaredon Using Template Injection
November 26, 2020
Severity
Medium
Analysis Summary
A new version of the Linux proxy trojan linked to the Stantinko group has been found. Stantinko is a group known for targeting Windows operating systems, and its malware mainly consists of coin-miners and adware botnets. This version of the Linux proxy trojan masquerades as httpd, the Apache Hypertext Transfer Protocol Server, a program commonly found on Linux servers. The sample's version is 2.17; the older version is 1.2*. The malware seems to be part of a broader campaign that takes advantage of compromised Linux servers. The sample is an unstripped 64-bit ELF binary. Upon execution, the malware validates a configuration file that is delivered together with the malware to the infected machine. The malware expects the configuration file to be located at "/etc/pd.d/proxy.conf". If the configuration file does not exist, or if it lacks the required structure, the malware exits without conducting any additional malicious activity.
This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes in a larger proxy network. Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it had compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deploy a copy of itself and a crypto-miner to generate even more profit for the malware authors.
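The two host-level indicators described above (a process named httpd running from a path where Apache is not installed, and the presence of /etc/pd.d/proxy.conf) can be combined into a simple hunting check. The script below is an added example, not code from the alert; the allow-list of legitimate Apache paths and the sample process listing are assumptions constructed for illustration.

```python
"""Hunt for a Stantinko-style proxy trojan masquerading as httpd (added example)."""
import os

CONFIG_PATH = "/etc/pd.d/proxy.conf"   # config path the trojan requires (from the alert)
MASQUERADE_NAME = "httpd"              # process name the trojan imitates (from the alert)
# Hypothetical allow-list of where a genuine Apache binary lives; adjust per distro.
LEGIT_HTTPD_PATHS = {"/usr/sbin/httpd", "/usr/sbin/apache2",
                     "/usr/local/apache2/bin/httpd"}


def parse_process_line(line):
    """Parse a 'PID COMM EXE' line (our own constructed format) into a tuple."""
    pid, comm, exe = line.split(maxsplit=2)
    return int(pid), comm, exe


def find_masquerading_httpd(lines, legit_paths=LEGIT_HTTPD_PATHS):
    """Return (pid, exe) for every process named httpd outside the allow-list."""
    hits = []
    for line in lines:
        pid, comm, exe = parse_process_line(line)
        if comm == MASQUERADE_NAME and exe not in legit_paths:
            hits.append((pid, exe))
    return hits


def assess_host(lines, path_exists=os.path.exists):
    """Combine both indicators; path_exists is injectable for offline testing."""
    hits = find_masquerading_httpd(lines)
    config_present = path_exists(CONFIG_PATH)
    return {"suspicious_httpd": hits,
            "config_present": config_present,
            "likely_infected": bool(hits) and config_present}


def live_process_lines():
    """Build 'PID COMM EXE' lines from /proc on a running Linux host."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or no permission to read its exe link
        out.append(f"{pid} {comm} {exe}")
    return out


# Constructed sample listing: one real Apache, one httpd running from a temp dir.
SAMPLE_LINES = ["812 sshd /usr/sbin/sshd",
                "1450 httpd /usr/sbin/httpd",
                "2973 httpd /var/tmp/.cache/httpd"]

if __name__ == "__main__":
    print(assess_host(SAMPLE_LINES, path_exists=lambda p: p == CONFIG_PATH))
```

On a live host, pass `live_process_lines()` to `assess_host` with the default `path_exists`; a hit on the process check alone still merits a look even when the config file is absent.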

Impact
- Detection Evasion
- System Compromise
- Privilege Escalation
- Unauthorized Code Execution
- Unauthorized Resource Consumption
Indicators of Compromise
Remediation
- Block the threat indicators at their respective controls.