Pour les utilisateurs

Fermer

Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Recherche
Recherche

Contacter-nous !
Support 24/24 | Rules regarding submitting

Envoyer un message

Requête à l'aide du formulaire

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -
Créer une nouvelle requête

Nous téléphoner

0 825 300 230

Profil

FR

RU CN DE EN ES FR IT JP KZ UZ PL BY
Fermer
Services support
Scanners
Dr.Web vxCube
Démo
Bibliothèque virale
Base documentaire

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Actualités

Linux.MulDrop.135

Added to the Dr.Web virus database: 2024-05-22

Virus description added:

  • sha1:2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378

Description

A malware dropper written in Go and designed to run on Linux. The binary is packed using the UPX packer. The dropper can be used to simultaneously deliver a number of payloads to a compromised computer.

Operating routine

The dropper can be launched with the following three parameters:

Parameter Description
-install By default, the value of this parameter is set to true; if the value is set to false, the dropper launches the payload without installing it in the system
-merge Accepts the name of the file that is to be merged with the dropper and later run on the compromised system. This parameter must be used in conjunction with the -params parameter
-params Accepts a list of arguments with which the payload is to be run

Persistence

If the -install parameter is set to true, then the dropper can be installed in two ways. The first is through systemd if the dropper is run as root. If the dropper only has standard user rights, it can secure itself by editing the .profile file in the $HOME directory.

Via systemd

The dropper copies itself into the /usr/sbin directory and then creates a .service file in the /etc/systemd/system directory with the following contents:

[Unit]
Description=dropper
After=network.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/sbin/dropper -install=false
Restart=always
[Install]
WantedBy=multi-user.target

The -install=false flag allows the dropper to initialize the payload as soon as the service is started. If the dropper is launched with superuser privileges, the payload will inherit them.

Via the .profile file

The dropper looks for the home directory of the user who initialized its process and adds the following string to the .profile file: "nohup %s>/dev/null 2>/dev/null &", where the placeholder stands for the path to the dropper.

Initializing the payload

When the dropper is run with the -install=false flag, it extracts an encrypted payload, decrypts it and places it in the /tmp directory and executes it.

Storing the payload

When integrated into the dropper, the payload is encrypted together with a randomly generated key and an initialization vector using the AES-256 CTR cipher. The payload is then added to the overlay.

The file name is prefixed with "-A:M" and is delimited by the postfix "##", after which the parameters passed to the payload may follow. The key and initialization vector are prefixed with "--A:D". At startup, the dropper dynamically decrypts strings using the RSA-PKCS1_v1_5 scheme.

Indicators of compromise

Recommandations pour le traitement

Linux

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web

Par le numéro de série