- sha256:ee78829b7057233643abc5fd685b46d3ef040a0347bb4569ac252984760eea2f
- sha256:94f4eee7f986699699cd38eba68bf8adda1037eafbd0590c0d9b77b3133d0bfa
Description
A trojan dropper for Linux, written in C and packed with UPX. Its purpose is to deliver the Linux.BackDoor.Pam.8/9 PAM backdoors (a patched pam_sftp.so module) to an already compromised system.
MITRE matrix
Tactic | Techniques |
---|---|
Execution (TA0002) | Unix Shell (T1059.004) |
Defense Evasion (TA0005) | Software Packing (T1027.002), Unix Shell (T1059.004), File Deletion (T1070.004), Timestomp (T1070.006), Linux and Mac File and Directory Permissions Modification (T1222.002) |
Operating routine
- The dropper accesses the following files and, using the chattr system utility, removes a number of attributes from them:

  Files:
  - /etc/pam.d/
  - /etc/pam.d/sshd
  - /lib/x86_64-linux-gnu/security or /lib64/security/security
  - /lib/x86_64-linux-gnu/security/pam_sftp.so or /lib64/security/security/pam_sftp.so

  Attributes:
  - a – append-only: data may only be added to the file
  - i – immutable: the file cannot be modified, renamed or deleted
  - e – indicates that the file is stored using extents*

  * This is an attacker's mistake, since the e attribute describes the on-disk layout of the file and cannot be removed with chattr.
- It computes a hash of the existing pam_sftp.so and compares it with a string embedded in the dropper body. If the values differ, it replaces the file with the patched pam_sftp.so (Linux.BackDoor.Pam.8/9) and runs touch with the -r option to copy the timestamps of a legitimate system module onto the new file, so that its modification time does not stand out:

  for RHEL:
  `touch /lib64/security/pam_sftp.so -r /lib64/security/pam_userdb`
  for Debian:
  `touch /lib/x86_64-linux-gnu/security/pam_sftp.so -r /lib/x86_64-linux-gnu/security/pam_userdb.so`

  Note that touch -r only copies the access and modification times; the inode change time (ctime) is set by the kernel at the moment the file is replaced and cannot be backdated this way.
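The check a responder would run against the two steps above, as an added example that is not part of the Dr.Web write-up or of the dropper's code: it inverts the dropper's own hash comparison (a known-good digest of pam_sftp.so instead of the attacker's embedded one) and looks for the side effect of `touch -r`, a module whose mtime is identical to pam_userdb.so but whose ctime is much newer than that of its sibling. The directory, the module contents, the "package install" and the known-good digest are all constructed inside the demo; on a real host the paths are the ones listed in the table above.

```python
# Added example (not from the Dr.Web write-up): audit a PAM module directory for
# the traces left by the dropper, i.e. a replaced pam_sftp.so and a timestamp
# copied from pam_userdb.so. File names, contents and the known-good digest
# are constructed for the demo.
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_pam_module(module, reference, known_good_sha256):
    """Compare a PAM module with a known-good digest and with the sibling module
    the dropper copies timestamps from (pam_userdb.so in the write-up).

    Returns raw evidence rather than a verdict: a legitimate package install also
    leaves ctime newer than mtime and may give all modules the same mtime, so the
    caller decides what ctime gap (hours, days) is suspicious on its hosts.
    """
    m, r = os.stat(module), os.stat(reference)
    return {
        "hash_ok": sha256_file(module) == known_good_sha256,
        # `touch target -r ref` copies atime and mtime exactly, to the nanosecond ...
        "mtime_matches_reference": m.st_mtime_ns == r.st_mtime_ns,
        # ... but ctime is set by the kernel when the inode changes and cannot be
        # backdated with touch, so a module written long after its siblings shows
        # a large positive ctime gap against them.
        "ctime_gap_s": (m.st_ctime_ns - r.st_ctime_ns) / 1e9,
    }


def simulate_dropper(security_dir):
    """Reproduce the replace-then-timestomp step on constructed files.
    This is a simulation of the behaviour described above, not the dropper."""
    ref = os.path.join(security_dir, "pam_userdb.so")
    target = os.path.join(security_dir, "pam_sftp.so")
    with open(target, "wb") as f:
        f.write(b"PATCHED-MODULE")  # stands in for Linux.BackDoor.Pam.8/9
    st = os.stat(ref)
    # Equivalent of: touch pam_sftp.so -r pam_userdb.so
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Returns the audit result before and after the simulated replacement."""
    d = tempfile.mkdtemp()
    try:
        ref = os.path.join(d, "pam_userdb.so")
        target = os.path.join(d, "pam_sftp.so")
        # "Package install": both modules arrive with a build-time mtime a year old.
        build_ns = (int(time.time()) - 365 * 86400) * 10**9
        for path, data in ((ref, b"GENUINE-USERDB"), (target, b"GENUINE-SFTP")):
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, ns=(build_ns, build_ns))
        known_good = sha256_file(target)  # the digest a responder keeps offline
        before = audit_pam_module(target, ref, known_good)
        time.sleep(0.05)  # the intrusion happens later; let the clock move on
        simulate_dropper(d)
        after = audit_pam_module(target, ref, known_good)
        return before, after
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

In the demo the "before" state already has identical mtimes (normal for files from one package), which is why the function reports the ctime gap as a number instead of deciding for you; the replaced module is the one whose hash no longer matches and whose ctime is far newer than pam_userdb.so's. On a live host the quickest equivalents are verifying the owning package (`rpm -qf` then `rpm -V`, or `dpkg -S` then `dpkg -V`) and listing the attributes the dropper strips with `lsattr -d` on the paths above.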