- sha1:2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378
Description
A malware dropper written in Go and designed to run on Linux. The binary is packed using the UPX packer. The dropper can be used to simultaneously deliver a number of payloads to a compromised computer.
Operating routine
The dropper can be launched with the following three parameters:

Parameter | Description
---|---
-install | Defaults to true. If set to false, the dropper launches the payload without installing itself in the system.
-merge | Accepts the name of the file to be merged into the dropper and later run on the compromised system. Must be used together with -params.
-params | Accepts the list of arguments with which the payload is to be run.
Persistence
If -install is true (the default), the dropper installs itself in one of two ways, depending on its privileges: as a systemd service when it runs as root, or, with only standard user rights, by appending a line to the .profile file in the user's $HOME directory.
Via systemd
The dropper copies itself to the /usr/sbin directory and then creates a .service file in /etc/systemd/system with the following contents:

```ini
[Unit]
Description=dropper
After=network.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/sbin/dropper -install=false
Restart=always
[Install]
WantedBy=multi-user.target
```
The -install=false flag makes the dropper skip installation and go straight to launching the payload as soon as the service starts. Because the unit is wanted by multi-user.target and has Restart=always, the payload is relaunched at every boot and again whenever it exits, and since systemd runs the unit as root, the payload inherits root privileges.
Via the .profile file
The dropper looks up the home directory of the user who launched it and appends the following line to that user's .profile: "nohup %s>/dev/null 2>/dev/null &", where the %s format verb is replaced by the path to the dropper. Since .profile is read by login shells, the dropper is relaunched, detached from the terminal and with its output discarded, each time that user logs in.
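The two persistence mechanisms above leave textual artifacts that are easy to hunt for. The following Go program is an added triage example, not code from the original page or from the dropper: it checks systemd unit text for the directives in the unit file reproduced above and checks a .profile for the exact line the dropper appends. The sample unit, benign unit, .profile contents and the path /home/user/Downloads/dropper are constructed fixtures.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Indicators taken from the unit file the page reproduces. Only the first is
// specific to this dropper; the other two are common in legitimate units and
// serve to corroborate a hit rather than to raise one.
var unitIndicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"ExecStart passes -install=false", regexp.MustCompile(`(?m)^ExecStart=\S+\s.*-install=false(\s|$)`)},
	{"Restart=always (payload relaunched whenever it exits)", regexp.MustCompile(`(?m)^Restart=always\s*$`)},
	{"PrivateTmp=true (decrypted payload lands in a private /tmp)", regexp.MustCompile(`(?m)^PrivateTmp=true\s*$`)},
}

// CheckUnit returns the names of the indicators a unit file's text matches.
func CheckUnit(unit string) []string {
	var hits []string
	for _, ind := range unitIndicators {
		if ind.re.MatchString(unit) {
			hits = append(hits, ind.name)
		}
	}
	return hits
}

// ScanUnitsDir runs CheckUnit over every *.service file in dir and reports
// only the units that match the specific ExecStart indicator.
func ScanUnitsDir(dir string) (map[string][]string, error) {
	paths, err := filepath.Glob(filepath.Join(dir, "*.service"))
	if err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			continue // unreadable unit: skip it rather than abort the sweep
		}
		if unitIndicators[0].re.MatchString(string(data)) {
			out[p] = CheckUnit(string(data))
		}
	}
	return out, nil
}

// profileLine matches the exact string the page says the dropper appends to
// $HOME/.profile: "nohup %s>/dev/null 2>/dev/null &" (note: no space before '>').
var profileLine = regexp.MustCompile(`(?m)^\s*nohup\s+([^>\s]+)>/dev/null 2>/dev/null &\s*$`)

// CheckProfile returns the paths launched by such lines in a .profile's text.
func CheckProfile(profile string) []string {
	var paths []string
	for _, m := range profileLine.FindAllStringSubmatch(profile, -1) {
		paths = append(paths, m[1])
	}
	return paths
}

// Constructed fixtures: the unit from the page, a benign unit for contrast,
// and a .profile with one ordinary line plus the line the dropper appends.
const sampleUnit = `[Unit]
Description=dropper
After=network.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/sbin/dropper -install=false
Restart=always
[Install]
WantedBy=multi-user.target
`

const benignUnit = `[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
[Install]
WantedBy=multi-user.target
`

const sampleProfile = `# ~/.profile (constructed)
export PATH="$HOME/bin:$PATH"
nohup /home/user/Downloads/dropper>/dev/null 2>/dev/null &
`

func main() {
	fmt.Println("sample unit:", CheckUnit(sampleUnit))
	fmt.Println("benign unit:", CheckUnit(benignUnit))
	fmt.Println("profile launches:", CheckProfile(sampleProfile))
	// On a live host, sweep the real unit directory as well.
	if hits, err := ScanUnitsDir("/etc/systemd/system"); err == nil {
		for unit, h := range hits {
			fmt.Println(unit, h)
		}
	}
}
```

On a live system, feed ScanUnitsDir the real /etc/systemd/system and CheckProfile the contents of each user's ~/.profile; a ScanUnitsDir hit should be followed by hashing the ExecStart binary, since the unit name and path are trivially changed between samples.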
Initializing the payload
When run with -install=false, the dropper extracts the encrypted payload from its overlay, decrypts it, writes the result to the /tmp directory and executes it. Note that the systemd unit sets PrivateTmp=true, so when the dropper runs as a service the decrypted file lands in a per-service private /tmp (mounted by systemd under /tmp/systemd-private-*) rather than in the /tmp that other processes see; when launched from .profile it uses the shared /tmp.
Storing the payload
When a payload is merged into the dropper, it is encrypted with AES-256 in CTR mode under a randomly generated key and initialization vector, and the ciphertext is appended to the dropper binary as an overlay.
In the overlay, the payload file name is prefixed with "-A:M" and terminated by the "##" delimiter, after which the parameters to be passed to the payload may follow. The key and initialization vector are prefixed with "--A:D". Because the key and IV are stored next to the ciphertext, the encryption only hides the payload from static string scanning; anyone holding the dropper can recover the payload without running it. At startup, the dropper also decrypts its strings dynamically using the RSA PKCS#1 v1.5 scheme.
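The following Go program is an added example of a static extractor for the overlay described in the last two sections; it is not code from the original page or from the dropper. The marker strings and the AES-256-CTR cipher come from the page, but the byte layout around them ("-A:M" + name + "##" + params + "--A:D" + key + IV + ciphertext, with a 32-byte key and a 16-byte IV) is an assumption, as are the sample name, parameters and stand-in plaintext; BuildOverlay exists only to construct a fixture so the parser can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Markers named on the page. The byte layout around them is an ASSUMPTION:
//   "-A:M" + name + "##" + params + "--A:D" + key(32) + iv(16) + ciphertext
const (
	metaMarker = "-A:M"  // prefixes the payload file name
	metaDelim  = "##"    // ends the file name; launch parameters follow
	keyMarker  = "--A:D" // prefixes the AES-256 key and the CTR IV
	keyLen     = 32      // AES-256
	ivLen      = aes.BlockSize
)

// Payload is what ParseOverlay recovers from a sample.
type Payload struct {
	Name   string   // file name the dropper writes under /tmp
	Params []string // arguments passed via -params
	Data   []byte   // decrypted payload bytes
}

// ParseOverlay locates the markers, pulls key and IV out of the overlay and
// decrypts the trailing ciphertext. CTR mode is a keystream XOR, so the same
// call that encrypts also decrypts; there is no padding and no authentication.
func ParseOverlay(overlay []byte) (*Payload, error) {
	m := bytes.Index(overlay, []byte(metaMarker))
	if m < 0 {
		return nil, errors.New("overlay: -A:M marker not found")
	}
	k := bytes.Index(overlay[m:], []byte(keyMarker))
	if k < 0 {
		return nil, errors.New("overlay: --A:D marker not found after metadata")
	}
	k += m
	meta := overlay[m+len(metaMarker) : k]
	d := bytes.Index(meta, []byte(metaDelim))
	if d < 0 {
		return nil, errors.New("overlay: ## delimiter not found")
	}
	name, params := meta[:d], meta[d+len(metaDelim):]
	rest := overlay[k+len(keyMarker):]
	if len(rest) < keyLen+ivLen {
		return nil, errors.New("overlay: truncated key/IV block")
	}
	key, iv, ct := rest[:keyLen], rest[keyLen:keyLen+ivLen], rest[keyLen+ivLen:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return &Payload{Name: string(name), Params: strings.Fields(string(params)), Data: pt}, nil
}

// BuildOverlay creates a fixture in the assumed layout so the parser can be
// exercised offline; the plaintext is a constructed stand-in, not a real payload.
func BuildOverlay(name, params string, plaintext []byte) ([]byte, error) {
	key := make([]byte, keyLen)
	iv := make([]byte, ivLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	var buf bytes.Buffer
	buf.WriteString(metaMarker + name + metaDelim + params + keyMarker)
	buf.Write(key)
	buf.Write(iv)
	buf.Write(ct)
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample: assumed file name, parameters and stand-in plaintext.
	ov, err := BuildOverlay("payload", "-c 192.0.2.10 -p 4444", []byte("constructed stand-in payload bytes"))
	if err != nil {
		panic(err)
	}
	p, err := ParseOverlay(ov)
	if err != nil {
		panic(err)
	}
	fmt.Printf("name=%q params=%q payload=%q\n", p.Name, p.Params, p.Data)
}
```

Against a real sample, unpack the UPX layer first, slice off the bytes past the end of the ELF image, and hand that slice to ParseOverlay after adjusting the layout assumptions to what the sample actually shows; the key material travels with the ciphertext, so no execution is needed to recover the payload.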