Rewterz Threat Alert – DDG Mining Trojan and Botnet Attacking Linux Systems

Severity

High

Description

Password blast attacks on SSH server are being initiated by the large mining botnet DDGMiner to mine Monero, consuming excessive system resources and disabling some security products.

Analysis Summary

Recently, a weak password blast attack on the SSH server was detected by a security researcher. It was an attack initiated by the large mining botnet DDGMiner. It is characterized by scanning and attacking SSH service, Redis database, OrientDB database and other servers, and implanting a mining Trojan on the compromised server to mine Monero for profit. DDGMiner’s main propagation method is still SSH blasting. Hackers first download the shell script i.sh after being hacked through weak passwords or exploits, and install it as a crontab scheduled task to be executed every 15 minutes.The DDG botnet mainly scans the SSH service and the Redis service for violent invasion of the LINUX system to dig Monero for profit. The mining Trojan is continuously being updated by attackers, as 9 new versions were released in the past month alone. After the DDG mining trojan is executed, it will request a configuration file to be downloaded. According to the configuration file, the mining trojan wordpress and virus script i.sh will be executed. In addition, the latest version of the DDG mining trojan will download the uninstall.sh , quartz_uninstall script . sh uninstalls security protection products such as Tencent Yunyun Mirror and Ali Yunan Knight to enhance the survival time of mining Trojans on the server. Virus mining behavior will greatly affect server performance. Additionally, the trojan modifies the hosts file to map the URLs of competing Trojans such as trumpzwlvlyrvlss.onion to the IP address 0.0.0.0 to achieve the purpose of shielding competitors’ Trojan horses from monopolizing system resources. The Monero Mining Trojan wordpress is compiled by the open source mining program XMRig. 

Impact

• Consumption of system resources
• Possible denial of service
• Disabling of some security products

Indicators of Compromise

MD5

• f84a0180ebf1596df4e8e8b8cfcedf63
• 14fcb1d3a0f6ecea9e18eff2016bc271
• d146612bed765ba32200e0f97d0330c8
• e64b247d4cd9f8c58aedc708c822e84b
• 682f839c1097af5fae75e0c5c39fa054
• 495dfc4ba85fac2a93e7b3f19d12ea7d
• dc87e9c91503cc8f2e8e3249cd0b52d7

SHA-256

• feb6e520d901c2bf56a87b1dda9144e7a534d11ed0269a43146e18d926844662
• a30d73e25d83117b372494b65c289e6be41f68999d53843970f1d5d7bcab9497
• 1309a879002171c6fc080ed7f2d63341576a9b1168d7d6f6125968bb5b8840b7
• 471713ed425d7b7b0ef8a188218e0fa79b06ba5f1174e2193d6d08d14d114118
• 49c1c3eb642ab70fcdda73a20cb82cc64cf617872e3130190d09a94edf954dff
• 306e23b30a282b5d58c82fd267ba3bc8c292c2ee48384f976c3513437182f9be
• c7b43e209df939969c9ad3c8d6d1dbeeb87e3abd85f5a87f4d1cb74127065067

Source IP

• 67[.]205[.]168[.]20

Remediation

• Block the threat indicators at their respective controls.
• Prioritize the patching of security vulnerabilities of the relevant components of the enterprise server. 
• Use high-strength Redis login password and SSH login password.
• Add firewall rules if necessary to avoid IP access from other untrusted sources.