Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence
(www.cadosecurity.com)
from kid@sh.itjust.works to cybersecurity@sh.itjust.works on 07 Mar 2024 13:27
https://sh.itjust.works/post/15842790
Indicators of Compromise