aminer mining Trojan activity analysis

1 Overview of the aminer mining Trojan

Antiy CERT recently captured a batch of active mining Trojan samples with its Catch the Wind honeypot system [1]. The samples mainly use SSH and Redis weak-password brute forcing to attack Linux hosts. Because the mining payload downloaded by the initial script is named "aminer.gz", Antiy CERT named the Trojan "aminer".

Table 1-1 Overview of the aminer mining Trojan

[Table 1-1 is an image in the original and is not reproduced here.]

Testing confirms that the Linux version of the Antiy Intelligent Endpoint Protection System (IEP) detects and removes this Trojan.

2 Sample functions and techniques

The initial attack script of the aminer Trojan is a sequence of commands: it writes DNS server addresses into the resolver configuration, installs a series of tools and libraries with the yum package manager, downloads install.tgz, executes ns2.jpg (a Perl script) in memory, downloads and unpacks miner.gz, and finally runs the start script to begin mining.

The install.tgz archive contains many malicious files that carry the same names as system binaries, such as top. They are deployed by the install script, whose main functions are: adding SSH public keys for persistent access, replacing system binaries such as top, netstat and crontab with trojanized copies, running an IRC client as a backdoor, and filtering connections on ports 20 and 43 out of the replaced tools' output so that the C2 traffic is hidden from an administrator.

ns2.jpg is in fact a Perl script implementing the ShellBot function; once running it connects to the IRC server on port 20. The miner.gz archive contains mining programs for two CPU architectures. When the start script runs, it chooses the binary matching the victim's architecture, creates a service for persistence, and then launches the miner.

2.1 oto (initial attack script)

The overall flow and core techniques of the initial attack script are as follows:

1. Write DNS server addresses into the host's resolver configuration: 114.114.114.114, 114.114.115.115, 8.8.8.8 and 1.1.1.1.
2. Install a series of tools and libraries, including gcc, cmake, wget, curl and nano.
3. Execute ns2.jpg in memory. Despite its extension, the file is a Perl ShellBot script; once running it connects to the IRC server irc.tung-shu.cf on port 20 and joins the channel #ROOT.
4. Run the start script to launch the miner. The mining pool address is xiao.my.id:3389.

2.2 install.tgz (persistence)

The install.tgz archive contains many files; the function of each is listed in the following table:

Table 2‑1 Functions of each file in install.tgz

[Table 2-1 is an image in the original and is not reproduced here.]

3 Investigation and removal of the mining Trojan

3.1 Identifying the Trojan on a compromised host

[The identification table is an image in the original and is not reproduced here.]
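Because the Trojan replaces netstat, top and crontab, a responder cannot trust those tools to list the IRC connection on port 20 or the hidden port 43 traffic. The following script is an added example (it is not part of the Antiy report) of checks that read kernel and package-manager state instead: it parses the kernel's own /proc/net/tcp table, maps socket inodes back to processes through /proc/*/fd, verifies the replaced binaries against the package database, and lists authorized_keys entries. The /proc/net/tcp sample embedded in the script is constructed so that the parser can be run offline; the package names and config paths in the live mode are assumed Debian/RHEL defaults.

```shell
#!/bin/sh
# Added example, not from the Antiy report: host checks for the aminer indicators
# that do not rely on the user-space tools the trojan replaces.

# Constructed sample of /proc/net/tcp for offline runs. Ports are hex:
# 0014 = 20 (IRC C2), 002B = 43, 01BB = 443 (benign). st 01 = ESTABLISHED, 0A = LISTEN.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C2F4 0B00000A:0014 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C2F5 0B00000A:002B 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:C2F6 0B00000A:01BB 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1'

# Print "remote_ip:port inode=N" for every ESTABLISHED socket whose remote port is
# one of the ports the replaced netstat hides (20 and 43). Pure POSIX awk: the hex
# is decoded by hand because strtonum() is a gawk extension.
hidden_port_sockets() {
    printf '%s\n' "$1" | awk -v ports="20 43" '
        function hex2dec(h,    i, d) {
            d = 0; h = tolower(h)
            for (i = 1; i <= length(h); i++)
                d = d * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return d
        }
        # /proc/net/tcp stores IPv4 addresses as little-endian hex words
        function hexip(h) {
            return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." \
                   hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
        }
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 && $4 == "01" {
            split($3, r, ":")
            port = hex2dec(r[2])
            if (port in want) print hexip(r[1]) ":" port " inode=" $10
        }'
}

# Live checks for a suspect host (run as root). Not executed by default.
live_checks() {
    echo "== established sockets on the hidden ports, read from the kernel table =="
    hidden_port_sockets "$(cat /proc/net/tcp)"
    echo "== PIDs owning those sockets (inode -> /proc/PID/fd, no netstat needed) =="
    for ino in $(hidden_port_sockets "$(cat /proc/net/tcp)" | sed 's/.*inode=//'); do
        find /proc/[0-9]*/fd -lname "socket:\[$ino\]" 2>/dev/null | cut -d/ -f3 | sort -u
    done
    echo "== package integrity of the binaries the trojan replaces (top, netstat, crontab) =="
    # assumed package names for RHEL-family and Debian-family systems
    rpm -V procps-ng net-tools cronie 2>/dev/null || dpkg -V procps net-tools cron 2>/dev/null
    echo "== authorized_keys entries to review for an attacker-added key =="
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] && { echo "$f"; awk 'NF { print "  " $1, substr($2, 1, 24) "...", $3 }' "$f"; }
    done
}

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    # offline demo over the constructed sample: reports the port 20 and port 43 sockets only
    hidden_port_sockets "$SAMPLE_PROC_NET_TCP"
fi
```

Run it with `--live` on the suspect host; without arguments it only parses the embedded sample. A socket that appears in the kernel table but not in the host's `netstat -antp` output is direct evidence that netstat has been replaced, and a failed `rpm -V`/`dpkg -V` line for procps, net-tools or cron confirms which binaries were swapped.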

3.2 Removal procedure

[The removal procedure is an image in the original and is not reproduced here.]

4 Protection suggestions

For mining attacks, Antiy recommends that enterprises take the following protective measures:

1. Install endpoint protection: deploy anti-virus software; Antiy recommends its Intelligent Endpoint Protection System for the Windows and Linux platforms.
2. Strengthen SSH passwords: avoid weak passwords; use passwords of 16 characters or more that mix upper- and lower-case letters, digits and symbols, and never reuse one password across several servers.
3. Apply system patches promptly: enable automatic updates so that servers receive operating-system patches in time.
4. Patch third-party applications promptly: keep applications such as Redis up to date.
5. Enable logging: collect the key logs (security, system, error, access, transfer and cookie logs) so that security incidents can be traced back to their source.
6. Harden hosts: carry out penetration testing and security hardening of the system.
7. Deploy an intrusion detection system (IDS): deploy traffic-monitoring software or appliances so that malicious code can be discovered and traced. The Antiy Threat Detection System (PTD) analyses network traffic, detects known malicious code and network attack activity at scale, and surfaces suspicious network behaviour, assets and unknown threats.
8. Antiy services: if a host is hit by malware, isolate it promptly and preserve the scene until a security engineer can examine it; the Antiy 24-hour service hotline is 400-840-9234.
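Items 2 and 4 above target the two entry points this Trojan actually uses, SSH password guessing and exposed Redis. The script below is an added example (not part of the Antiy report) that audits sshd_config and redis.conf for the weak settings behind those entry points and prints one finding per problem. The weak and hardened config samples are constructed; the file paths used in live mode are assumed Debian/RHEL defaults, and the check does not evaluate Redis 6 ACL `user` lines, which are another valid way to require authentication.

```shell
#!/bin/sh
# Added example, not from the Antiy report: audit the SSH and Redis settings that
# let weak-password brute forcing succeed. Samples are constructed.

WEAK_SSHD='Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 20'

HARDENED_SSHD='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3'

WEAK_REDIS='bind 0.0.0.0
protected-mode no
port 6379'

HARDENED_REDIS='bind 127.0.0.1
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""'

# sshd honours the FIRST occurrence of a keyword (case-insensitive); $1 = config text, $2 = keyword
ssh_directive() {
    printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }'
}

# redis-server honours the LAST occurrence of a directive; $1 = config text, $2 = directive
redis_directive() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 !~ /^#/ && $1 == k { v = $2 } END { print v }'
}

# Defaults when a keyword is absent follow OpenSSH: PasswordAuthentication yes,
# PermitRootLogin prohibit-password, MaxAuthTries 6.
audit_sshd() {
    cfg=$1
    pa=$(ssh_directive "$cfg" PasswordAuthentication)
    [ "${pa:-yes}" = "no" ] || echo "sshd: PasswordAuthentication is '${pa:-yes}', password brute force stays possible"
    prl=$(ssh_directive "$cfg" PermitRootLogin)
    case "${prl:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "sshd: PermitRootLogin '$prl' lets root log in with a password" ;;
    esac
    mat=$(ssh_directive "$cfg" MaxAuthTries)
    [ "${mat:-6}" -le 6 ] || echo "sshd: MaxAuthTries $mat gives each connection more guesses than the default 6"
}

# An absent bind means Redis listens on every interface; protected-mode defaults to yes.
audit_redis() {
    cfg=$1
    b=$(redis_directive "$cfg" bind)
    case "${b:-0.0.0.0}" in
        0.0.0.0|\*|::) echo "redis: bind '${b:-absent}' exposes the instance on every interface" ;;
    esac
    [ "$(redis_directive "$cfg" protected-mode)" != "no" ] || echo "redis: protected-mode no, unauthenticated remote clients are accepted"
    [ -n "$(redis_directive "$cfg" requirepass)" ] || echo "redis: no requirepass, any client that reaches the port can issue commands unauthenticated"
}

if [ "${1:-}" = "--live" ]; then
    audit_sshd "$(cat /etc/ssh/sshd_config)"
    audit_redis "$(cat /etc/redis/redis.conf 2>/dev/null || cat /etc/redis.conf 2>/dev/null)"
else
    echo "-- weak sshd_config --";  audit_sshd "$WEAK_SSHD"
    echo "-- weak redis.conf --";   audit_redis "$WEAK_REDIS"
    echo "-- hardened configs --";  audit_sshd "$HARDENED_SSHD"; audit_redis "$HARDENED_REDIS"
fi
```

The hardened Redis sample shows the corrected form of the weak settings: bind to loopback (or a private interface behind a firewall), keep protected-mode on, set a long random `requirepass`, and rename or disable commands such as CONFIG and FLUSHALL that an attacker with an unauthenticated connection would otherwise abuse.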

Testing confirms that the Antiy Intelligent Endpoint Protection System (IEP) detects and removes this Trojan.

[Figure 4-1 is an image in the original and is not reproduced here.]

Figure 4-1 Antiy IEP detecting and removing the mining Trojan

5 ATT&CK mapping of the event

Antiy mapped the complete process by which the attackers deliver and run the mining Trojan onto the ATT&CK framework, as shown in the figure below.

[Figure 5-1 is an image in the original and is not reproduced here.]

Figure 5-1 ATT&CK mapping map corresponding to the event

The techniques used by the attackers are listed in the table below:

Table 5-1 ATT&CK technical behavior description table corresponding to the event

[Table 5-1 is an image in the original and is not reproduced here.]

6 IoCs

[The IoC table is an image in the original and is not reproduced here.]

References

[1] Antiy Product Tour (Series 5) - Catch the Wind Honeypot System, https://www.antiy.cn/About/news/20200312.html


Source: blog.csdn.net/Android_boom/article/details/131941218