Back in August, I wrote an article about XMR crypto mining software targeting x86/i686 systems. This is a follow-up to that original malware analysis. Previously, I discussed an attacker who, using known default login credentials, targets enterprise systems to mine the XMR cryptocurrency.
There is another interesting feature of that malware that I did not cover in my prior post. The software I examined can be dynamically updated with IP lists and logins to try for infection. This dynamic update is done by requesting the list from a remote HTTP server.
The Go script downloads and sorts a list of passwords and IP addresses to feed to the TSM script. The TSM script simply determines which TSM binary to pass the lists to, depending on the system architecture (tsm32 or tsm64).
The Go script:
The TSM binaries will scan for vulnerable hosts based on IP lists and password combinations. Once a valid login is determined, it will infect the host with the crypto mining malware and Perl script that uses IRC for command and control.
Supplying the -H 1 switch to the TSM binary, we get a second help message:
The script appears to be tailored in such a way that it enables the user to seek out systems worthy of installing crypto-mining software onto. It skips resource-limited Linux and Windows machines, routers, busybox, and honeypots. Ironically, this piece of malware was caught in a honeypot, so I'm not sure how effective their detection methods are.
The software is missing some basic error checks with regard to file existence. If the binary is unable to read the file, it will crash with a segmentation fault because it attempted to operate on a null filehandle. The same problem exists when it attempts to copy dotar.tar.gz out to a vulnerable host: if the file dotar.tar.gz is missing from ../../, it will again segmentation fault.
I've set up a test host 10.0.0.3 with the default login credentials of www/www and added that IP and login combination to the TSM configuration files.
Once the infection completes, the host 10.0.0.3 has the XMR miner running under the name anacron, along with an instance of the TSM scanner.
An entry is also added to the www account's crontab in order to establish some persistence after a reboot or an attempt to kill the malware processes.
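As an added defender's example (not the author's code), the two observations above, a miner masquerading as anacron under the www account and a persistence entry in that account's crontab, can be turned into a simple host check. The ps and crontab samples below are constructed, the scanner binary names are taken from the analysis, and the legitimate anacron path is an assumption.

```python
import re

# Assumed location of the genuine anacron daemon on common distributions;
# the miner seen above merely borrows the name and runs as the www user.
LEGIT_ANACRON_PATHS = {"/usr/sbin/anacron"}
# Scanner binary names from the analysis (tsm32 / tsm64).
TSM_NAMES = {"tsm32", "tsm64"}

# Constructed sample of `ps -eo user,pid,comm,args --no-headers`; not a real capture.
SAMPLE_PS = """\
root       812 anacron  /usr/sbin/anacron -s
www       4311 anacron  ./anacron -o pool.invalid:3333
www       4320 tsm64    ./tsm64 -f ips.txt
root         1 systemd  /sbin/init
"""

# Constructed sample of `crontab -l -u www`; the real entry is not reproduced here.
SAMPLE_CRONTAB_WWW = """\
# m h dom mon dow command
@reboot /home/www/.cache/anacron
*/5 * * * * /home/www/.cache/anacron
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
"""


def find_suspicious_processes(ps_output: str) -> list[dict]:
    """Flag (a) anything named anacron not run as root from the known path and
    (b) any process whose command name matches the TSM scanner binaries."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 3)          # user, pid, comm, args
        if len(parts) < 4:
            continue
        user, pid, comm, args = parts
        exe = args.split()[0]
        if comm == "anacron" and (user != "root" or exe not in LEGIT_ANACRON_PATHS):
            hits.append({"reason": "fake-anacron", "user": user, "pid": int(pid), "exe": exe})
        elif comm in TSM_NAMES:
            hits.append({"reason": "tsm-scanner", "user": user, "pid": int(pid), "exe": exe})
    return hits


def find_cron_persistence(crontab_text: str, user: str) -> list[str]:
    """Return lines of a non-root user's crontab that launch something called
    anacron; the genuine scheduler is never installed into a user crontab."""
    if user == "root":
        return []
    pat = re.compile(r"(?:^|[\s/])anacron(?:\s|$)")
    return [line for line in crontab_text.splitlines()
            if line and not line.startswith("#") and pat.search(line)]
```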
With botnet source code available for free or for purchase on underground forums, we will continue to see Frankenstein-like mutations of malware. Bolt-on features that allow malware authors to dynamically update the lists of passwords and target systems will become more commonplace, along with the use of conventional infection vectors like default login credentials and IoT, enterprise system, and web application vulnerabilities.