VirusBASH/Agent.FB70!tr
Analysis
Bash/Agent.FB70!tr is a detection for a Bash Shell Downloader/dropper trojan.
Below are some of its observed characteristics/behaviours:
- This malware usually arrives as a base64 encoded bash shell script.
- This malware attempts to download a coiminer component from the following:
- tencentxjy5kpcc[Removed].d2web.org/crn
- tencentxjy5kpcc[Removed].onion.mn/crn
- tencentxjy5kpcc[Removed].tor2web.io/crn
- tencentxjy5kpcc[Removed].tor2web.to/crn
- tencentxjy5kpcc[Removed].onion.to/crn
- tencentxjy5kpcc[Removed].onion.in.net/crn
- tencentxjy5kpcc[Removed].4tor.ml/crn
- tencentxjy5kpcc[Removed].onion.glass/crn
- tencentxjy5kpcc[Removed].civiclink.network/crn
- tencentxjy5kpcc[Removed].tor2web.su/crn
- tencentxjy5kpcc[Removed].onion.ly/crn
- tencentxjy5kpcc[Removed].onion.pet/crn
- tencentxjy5kpcc[Removed].onion.ws/crn
- For this particular variant it utilizes wget and/or curl to download whilest the filename is a concatenate of md5sum and date of the binary itself.
- The downloaded coinminer is attempted to drop:
- /tmp
- /var/tmp
- /dev/shm
- /usr/bin
- Based on our analysis this malicious script has been rehashed/modified and thus might have been altered to accomodate changes in URL hosts and/or subdomain.
- This malware has been associated with the exploit CVE-2019-7609 Kibana ElastoSearch Exploit .
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |