
Linux.MulDrop.135

Added to the Dr.Web virus database: 2024-05-22

Virus description added:

  • sha256:2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378 (64 hex digits, i.e. a SHA-256 digest, not SHA-1)

Description

A malware dropper written in Go and built to run on Linux. The binary is packed with UPX. The dropper can deliver several payloads to a compromised host at once.

Operating routine

The dropper accepts the following three command-line parameters:

Parameter   Description
-install    Defaults to true. When set to false, the dropper launches the payload without installing itself on the system.
-merge      Takes the name of the file to be merged into the dropper and later run on the compromised system. Must be used together with -params.
-params     Takes the list of arguments the payload is to be run with.

Persistence

If -install is true (the default), the dropper installs itself in one of two ways. When it runs as root, it registers a systemd service. When it has only ordinary user rights, it persists by appending a line to the .profile file in $HOME.

Via systemd

The dropper copies itself into /usr/sbin and then creates a .service file in /etc/systemd/system with the following contents:

[Unit]
Description=dropper
After=network.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/sbin/dropper -install=false
Restart=always
[Install]
WantedBy=multi-user.target

The -install=false flag makes the dropper skip installation and launch the payload as soon as the service starts. Because a system unit with no User= directive runs as root, the payload inherits root privileges.

Via the .profile file

The dropper locates the home directory of the user who started it and appends the string "nohup %s>/dev/null 2>/dev/null &" to that user's .profile, where the placeholder is the path to the dropper. The dropper is thus relaunched in the background, with its output discarded, every time a login shell sources .profile.
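Both persistence artifacts above are easy to hunt for on disk. The following Go program is an added example, not code from the original page or from the malware: it scans the text of a systemd unit for an ExecStart under /usr/sbin that passes -install=false (plus Restart=always), and scans a .profile for the nohup line with both output streams sent to /dev/null. The sample unit files and .profile are constructed here, and the dropper path in the .profile sample (/home/user/.cache/dropper) is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one suspicious line and why it was flagged.
type Finding struct {
	Source string // file the line came from
	Line   string
	Reason string
}

// ScanSystemdUnit inspects the text of one .service file for the traits the
// dropper's unit shows: an ExecStart whose binary lives in /usr/sbin and is
// passed -install=false, plus Restart=always so it is respawned if killed.
func ScanSystemdUnit(name, unit string) []Finding {
	var out []Finding
	execStart := ""
	restartAlways := false
	for _, raw := range strings.Split(unit, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "ExecStart="):
			execStart = strings.TrimPrefix(line, "ExecStart=")
		case line == "Restart=always":
			restartAlways = true
		}
	}
	if strings.HasPrefix(execStart, "/usr/sbin/") && strings.Contains(execStart, "-install=false") {
		reason := "ExecStart under /usr/sbin passes -install=false"
		if restartAlways {
			reason += " and Restart=always"
		}
		out = append(out, Finding{name, "ExecStart=" + execStart, reason})
	}
	return out
}

// profileRe matches the line the dropper appends to ~/.profile,
// "nohup <path>>/dev/null 2>/dev/null &" (no space before the first '>'),
// while tolerating whitespace variations around the redirections.
var profileRe = regexp.MustCompile(`^\s*nohup\s+(\S+?)\s*>\s*/dev/null\s+2>\s*/dev/null\s*&\s*$`)

// ScanProfile returns every line of a .profile that matches that pattern.
func ScanProfile(name, profile string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(profile, "\n") {
		if m := profileRe.FindStringSubmatch(raw); m != nil {
			out = append(out, Finding{name, strings.TrimSpace(raw),
				"nohup launch of " + m[1] + " with stdout and stderr discarded"})
		}
	}
	return out
}

// Constructed samples (not taken from a real infection); the dropper path in
// the .profile line is an assumption.
const (
	SampleDropperUnit = "[Unit]\nDescription=dropper\nAfter=network.target\n[Service]\nPrivateTmp=true\nType=forking\nExecStart=/usr/sbin/dropper -install=false\nRestart=always\n[Install]\nWantedBy=multi-user.target\n"
	SampleBenignUnit  = "[Unit]\nDescription=OpenBSD Secure Shell server\n[Service]\nExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n[Install]\nWantedBy=multi-user.target\n"
	SampleProfile     = "# ~/.profile\nexport PATH=\"$HOME/bin:$PATH\"\nnohup /home/user/.cache/dropper>/dev/null 2>/dev/null &\n"
)

func main() {
	var all []Finding
	all = append(all, ScanSystemdUnit("/etc/systemd/system/dropper.service", SampleDropperUnit)...)
	all = append(all, ScanSystemdUnit("/etc/systemd/system/ssh.service", SampleBenignUnit)...)
	all = append(all, ScanProfile("/home/user/.profile", SampleProfile)...)
	for _, f := range all {
		fmt.Printf("%s: %s\n    %s\n", f.Source, f.Reason, f.Line)
	}
}
```

On a live host, feed the contents of every file under /etc/systemd/system and every ~/.profile (and ~/.bash_profile, which may source it) to these two functions; a match on the ExecStart check in particular is worth a closer look because /usr/sbin binaries normally ship from a package and are not started with -install=false.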

Initializing the payload

When the dropper is run with -install=false, it extracts the encrypted payload from its own file, decrypts it, writes it to /tmp and executes it. Note that the systemd unit sets PrivateTmp=true, so a payload dropped by the service lands in the unit's private /tmp, which on the host is visible under /tmp/systemd-private-*/tmp/ rather than directly in /tmp; a forensic check should look there as well.

Storing the payload

When a payload is merged into the dropper, it is encrypted with AES-256 in CTR mode under a randomly generated key and initialization vector, and the result is appended to the binary's overlay.

The payload's file name is stored prefixed with "-A:M" and terminated by the postfix "##", after which the parameters to be passed to the payload may follow. The key and initialization vector are stored prefixed with "--A:D". At startup, the dropper also decrypts its strings on the fly using the RSA PKCS#1 v1.5 scheme.
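To make the overlay layout concrete, the following Go program is an added example, not code from the original page or from the malware. It parses the markers named above and decrypts the payload with AES-256-CTR using Go's standard crypto/aes and crypto/cipher packages. The description does not state the order of the fields or how the ciphertext length is recorded, so the layout here is an assumption: "-A:M" name "##" params "--A:D" key[32] iv[16] ciphertext to end of file. The ELF stub, the fixed key and IV, and the payload are all constructed fixtures; BuildOverlay exists only to produce them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Markers the description names, plus the sizes AES-256-CTR implies.
const (
	metaMarker = "-A:M"  // precedes the payload file name
	metaEnd    = "##"    // terminates the file name; parameters may follow
	keyMarker  = "--A:D" // precedes key and IV
	keyLen     = 32      // AES-256 key
	ivLen      = aes.BlockSize
)

// Overlay holds the fields recovered from the bytes appended to the dropper.
type Overlay struct {
	Name, Params    string
	Key, IV         []byte
	Ciphertext      []byte
}

// ParseOverlay locates the markers in data. Assumed layout (not confirmed
// by the description): "-A:M" name "##" params "--A:D" key[32] iv[16] ct...EOF
func ParseOverlay(data []byte) (*Overlay, error) {
	i := bytes.Index(data, []byte(metaMarker))
	if i < 0 {
		return nil, errors.New("no -A:M marker found")
	}
	rest := data[i+len(metaMarker):]
	j := bytes.Index(rest, []byte(metaEnd))
	if j < 0 {
		return nil, errors.New("file name not terminated by ##")
	}
	name, rest := string(rest[:j]), rest[j+len(metaEnd):]
	k := bytes.Index(rest, []byte(keyMarker))
	if k < 0 {
		return nil, errors.New("no --A:D marker found")
	}
	params, rest := string(rest[:k]), rest[k+len(keyMarker):]
	if len(rest) < keyLen+ivLen {
		return nil, errors.New("overlay truncated before key/IV")
	}
	return &Overlay{Name: name, Params: params, Key: rest[:keyLen],
		IV: rest[keyLen : keyLen+ivLen], Ciphertext: rest[keyLen+ivLen:]}, nil
}

// ctrXOR runs AES-256-CTR over in; CTR is symmetric, so the same call
// both encrypts and decrypts.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// Decrypt recovers the payload with the key and IV stored beside it.
func (o *Overlay) Decrypt() ([]byte, error) { return ctrXOR(o.Key, o.IV, o.Ciphertext) }

// BuildOverlay writes an overlay in the assumed layout; fixture use only.
func BuildOverlay(name, params string, key, iv, payload []byte) ([]byte, error) {
	ct, err := ctrXOR(key, iv, payload)
	if err != nil {
		return nil, err
	}
	var b bytes.Buffer
	b.WriteString(metaMarker + name + metaEnd + params + keyMarker)
	b.Write(key)
	b.Write(iv)
	b.Write(ct)
	return b.Bytes(), nil
}

// SamplePayload and SampleDropper are constructed, not from a real sample:
// a fake ELF stub and a fixed key/IV in place of the random ones.
var SamplePayload = []byte("#!/bin/sh\necho constructed payload\n")

func SampleDropper() []byte {
	key := bytes.Repeat([]byte{0x11}, keyLen)
	iv := bytes.Repeat([]byte{0x22}, ivLen)
	ov, err := BuildOverlay("payload.sh", "-v", key, iv, SamplePayload)
	if err != nil {
		panic(err)
	}
	return append([]byte("\x7fELF <constructed stub, not a real binary> "), ov...)
}

func main() {
	ov, err := ParseOverlay(SampleDropper())
	if err != nil {
		panic(err)
	}
	pt, err := ov.Decrypt()
	if err != nil {
		panic(err)
	}
	fmt.Printf("name=%q params=%q\n%s", ov.Name, ov.Params, pt)
}
```

Because the key and IV sit in the clear next to the ciphertext, the encryption here is obfuscation rather than protection: an analyst who confirms the real field order against an unpacked sample can recover every bundled payload statically, without running the dropper. Do not assume the overlay is reachable before UPX unpacking; check the unpacked image.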

Indicators of compromise

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
