El 2023-10-25 a las 15:34 -0300, JavierDebian escribió:
Buenas tardes.
Hace un par de años fui víctima de Outlaw's
https://www.trendmicro.com/en_us/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html
(...)
¿Alguien tiene idea de dónde se esconde el maldito gusano?
Porque he revisado TODO (bashrc y los etcéteras que se les ocurran) y no
encuentro un script o algo que lo lance.
Y a nivel WEB, no encuentro nada nuevo, todo del 2020/2021.
En la página que mandas de Trendmicro algo dicen:
****
Routine
Our data shows that the malware gains access to the system with
brute-force attacks via SSH and executes two possible command files.
Components of the file and routine appear similar to those of a
published entry, while our sample executed .x15cache, the bash script
that downloads the malware.
(...)
The shell script downloads, extracts, and executes the miner payload.
The extracted TAR file contains folders with scripts and the miner and
backdoor components.
****
También en esta otra de Microsoft que enlazan desde la anterior:
https://www.microsoft.com/en-us/security/blog/2019/05/23/uncovering-linux-based-cyberattack-using-azure-security-center/
****
After the initial successful SSH brute force compromise, the attacker
proceeds to download a first stage ‘tddwrt7s.sh’ script using utilities
like ‘wget’ that delivers further payload to the host. Azure Security
Center surfaces this behavior via a “Detected suspicious file
download” alert.
Post stage 1 download, the attacker executed the script to find
‘dota.tar.gz’ by enumerating multiple hosting URLs. Once a live hosting
IP was found, the second stage file gets delivered in directory
‘/tmp/.mountfs.’ Most of these exploitation and persistence techniques
are observed from the /tmp folder. In this case all activities were
tracked under /tmp/.mountfs and /tmp/.mountfs/.rsync directories.
Creating directories with a dot keeps the activity hidden from the user
interface, a common technique used by attackers.
****
Saludos,