
Re: OT: Outlaw cryptominer in a user account



On 2023-10-25 at 15:34 -0300, JavierDebian wrote:

> Good afternoon.
> 
> A couple of years ago I was a victim of Outlaw's
> 
> https://www.trendmicro.com/en_us/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html

(...)

> Does anyone have any idea where the damned worm hides?
> 
> Because I have checked EVERYTHING (bashrc and all the etceteras you can
> think of) and I can't find a script or anything that launches it.
> And at the WEB level I don't find anything new, everything is from 2020/2021.

The Trend Micro page you sent says something about it:

****
Routine

Our data shows that the malware gains access to the system with 
brute-force attacks via SSH and executes two possible command files. 
Components of the file and routine appear similar to those of a 
published entry, while our sample executed .x15cache, the bash script 
that downloads the malware.

(...) 

The shell script downloads, extracts, and executes the miner payload. 
The extracted TAR file contains folders with scripts and the miner and 
backdoor components.
****

Also in this other one from Microsoft, which is linked from the previous one:

https://www.microsoft.com/en-us/security/blog/2019/05/23/uncovering-linux-based-cyberattack-using-azure-security-center/

****
After the initial successful SSH brute force compromise, the attacker 
proceeds to download a first stage ‘tddwrt7s.sh’ script using utilities 
like ‘wget’ that delivers further payload to the host. Azure Security 
Center surfaces this behavior via a “Detected suspicious file 
download” alert.

Post stage 1 download, the attacker executed the script to find 
‘dota.tar.gz’ by enumerating multiple hosting URLs. Once a live hosting 
IP was found, the second stage file gets delivered in directory 
‘/tmp/.mountfs.’ Most of these exploitation and persistence techniques 
are observed from the /tmp folder. In this case all activities were 
tracked under /tmp/.mountfs and /tmp/.mountfs/.rsync directories. 
Creating directories with a dot keeps the activity hidden from the user 
interface, a common technique used by attackers.
****

Regards,

-- 
Camaleón 
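The Microsoft write-up quoted above points at dot-prefixed directories under /tmp (/tmp/.mountfs, /tmp/.mountfs/.rsync) as the place where the second stage lands and persists. The following shell script is an added example, not part of the thread or of either vendor's report: it lists hidden directories directly under a base directory and then greps a tree of cron/shell-init files for references to those paths, which is the kind of check the original poster was doing by hand. The sample tree it builds with mktemp is constructed for illustration; run it against the real system with `sh script.sh /tmp /etc` (both paths are assumed arguments, not values from the thread).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the quoted reports).
# Lists hidden directories under a base dir and looks for files that refer
# to them, the persistence pattern the quoted Microsoft text describes.

# Print hidden (dot-prefixed) directories directly under "$1", sorted.
find_hidden_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' 2>/dev/null | sort
}

# Number of hidden directories under "$1", as a single check value.
count_hidden_dirs() {
    find_hidden_dirs "$1" | wc -l | tr -d ' '
}

# Files under root "$2" whose contents mention any hidden directory found
# under base "$1" (for example a cron entry launching a script there).
find_references() {
    base="$1"
    root="$2"
    find_hidden_dirs "$base" | while IFS= read -r d; do
        grep -rlF -- "$d" "$root" 2>/dev/null
    done | sort -u
}

# Human-readable report: each hidden directory and everything inside it.
report_hidden() {
    find_hidden_dirs "$1" | while IFS= read -r d; do
        printf '== %s\n' "$d"
        find "$d" -mindepth 1 2>/dev/null | sort
    done
}

# Constructed sample tree (NOT a real infection): a fake /tmp with a
# hidden .mountfs/.rsync directory and a fake cron.d entry pointing at it.
# Prints the path of the sample base so callers can scan it offline.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/.mountfs/.rsync" "$sample/normal" "$sample/.cache" \
             "$sample/etc/cron.d"
    : > "$sample/.mountfs/.rsync/init"
    printf '* * * * * root %s/.mountfs/.rsync/init\n' "$sample" \
        > "$sample/etc/cron.d/sample"
    printf '%s\n' "$sample"
}

# Stand-alone use: sh script.sh <base-dir> <config-root>
if [ "$#" -ge 2 ]; then
    report_hidden "$1"
    printf 'Files referencing hidden dirs:\n'
    find_references "$1" "$2"
fi
```

The grep uses -F so that a directory name is matched literally rather than as a regular expression, and the hidden-directory search is limited to one level so that ordinary dot-directories deeper in user homes do not flood the output; widen the base or the root as needed.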

