Linux/TheMoon

#27739 by K_Mikhail
Mon Jan 25, 2016 5:52 pm

Threat Actors Use Sketchy Dating Website to Launch New Home Router Attacks: https://www.damballa.com/threat-actors- ... r-attacks/

Hashes from article:
2b82c715c2f1480b57e59bd7c55ef32db312e008
c05bd53f91032f2c8cae509477d760537f014621
9b22373e8cd7c6b087ca62d1b154faa04d684549
7f168f8f17774feb5f3fe35d39c41564645afa24
92632bd26fb2828ddf5a86687c837ca734d0fbbf
9e61bb2da5e3b9760d992d052d824ffdd584e2ff
ea24cded99b27ff44d2ed2688dea93e3ca0214c2

Samples with hashes:
c05bd53f91032f2c8cae509477d760537f014621
fd6ca22baf5ba8025b5a2ce1aa750553a8d48640
92632bd26fb2828ddf5a86687c837ca734d0fbbf

are in attach.

Attachments

TheMoon.7z

pw:infected
(24.73 KiB) Downloaded 66 times

Username

K_Mikhail

Posts

41

Joined

Tue Apr 13, 2010 4:13 pm

Re: Linux (TheMoon)

#27743 by tWiCe
Tue Jan 26, 2016 9:21 am

In a nutshell, it's a modular trojan. ".nttpd" is a head module, designed for basic installation, blocking of network connections (except for C&C communication) and installing of modules.

I'll appreciate if somebody post hashes for modules of this trojan.

Username

tWiCe

Posts

49

Joined

Sat Jul 18, 2015 8:56 am

Re: Linux (TheMoon)

#27758 by tWiCe
Wed Jan 27, 2016 9:36 am

If somebody is interested, there are tech details regarding the head module (.nttpd): http://vms.drweb.com/virus/?i=7936862

clk - clock, call home
net - probably peer-to-peer communication
dwl - install new modules

Username

tWiCe

Posts

49

Joined

Sat Jul 18, 2015 8:56 am