Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Linux.BackDoor.TgRat.2

Added to the Dr.Web virus database: 2024-05-06

Virus description added:

  • sha1: 4fb9519aaa4173314582ed336a7d307f0ea49a84

Description

A trojan for Linux with a wide range of functions and the ability to be remotely controlled via a Telegram bot. The source code is written in Go and encrypted with RSA. The binary is packed using the UPX packer. The trojan is delivered to the compromised system by the Linux.MulDrop.135 dropper. This trojan is a modification of similar malware for Windows operating systems.

Operating routine

When initialized, the trojan checks the hash of the name of the host it is running on against the hardcoded value embedded in the trojan body. If the values do not match, the trojan terminates its process. If the check is successful, the trojan contacts its C2 server—the Telegram bot to which the trojan connects via an embedded proxy.

The following are the artifacts of the malware activity:

Artifact Value
Telegram bot token 6397562704:AAEt1UAWUcWcJb3Q5MQo8ZYF0NvJAUTk7S0
Chat ID -1001913285180
Proxy server address hххp://172.24.173[.]28:3128

Once connected, the trojan accepts the following commands from C2, preceded by a forward slash:

Command Parameters Description
v none Returns a string in the following format
"Version: [%s]\\nHostname: [%s]\\nExeName: [%s]\\nExepath: [%s]\\nParams: [%s]\\nExeDir: [%s]\\nWD: [%s" "]\\nArch: [%s]\\nPID: [%d]\\nChatId: [%d]"
bind chat_ID Adds the bot to a group
isbind Checks if the bot has been added to a group
kill PID Terminates a trojan session with the corresponding PID
kill_except PID Terminates all Trojan sessions except the one whose PID is specified as an argument
dwl file_name Downloads a file from the compromised PC
update none Updates itself by replacing the binary with the file new.bak and saving the previous version to old-.bak
cr command Executes a command in a separate thread and appends "& exit" to it
cpr command Executes a command in a separate thread
cpri <PID> <command> Executes a command for a trojan with the corresponding PID in a separate thread
sleep <PID> <number_of_seconds> Suspends a trojan with the corresponding PID
sleep_except <PID> <number_of_seconds> Suspends all trojan sessions except the one whose PID is specified
restart PID Restarts the Telegram bot for a trojan session with the corresponding PID
wget <URL> <file_name> Downloads a file available at the specified URL and saves it under the specified name.
token <api_token> <group_ID> [PID] Replaces a token for trojan sessions with the specified PID
screenshot PID Takes a screenshot of a trojan session with the specified PID and sends it to the Telegram group with the name in the following format: "display-<PID>_<COUNT>_<HEIGHT>x<WIDTH>.png"
start none Creates shell context for the /c and /ci commands
c command Executes a command
ci <PID> <command> Executes a command for a session with the specified PID
reset none Re-creates shell context for the /c and /ci commands

The trojan also supports the sending of files to a compromised host via Telegram chat attachments. Files are saved on the remote host under their original names. So that a file can be saved in a specific directory, the path to it is specified in the message body.

Индикаторы компрометации

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number