Earlier today we published our initial findings about the attacks on South Korean banks and local broadcasting organizations. We have now discovered an additional component used in this attack that is capable of wiping Linux machines.
Figure 1. Bash wiper script targeting remote Linux machines
The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat. The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager. The mRemote application keeps a configuration file for saved connections at the following path:
%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml
Figure 2. Parsing mRemote path information
The dropper for Trojan.Jokra parses this XML file for any connection with root privileges using the SSH protocol. It then extracts the parameters used in the connection.
Figure 3. Parsing mRemote configuration file connection details
The dropper then spawns another thread, which drops a bash script to %Temp%\~pr1.tmp then uploads and executes this temporary file as /tmp/cups on the remote Linux computer with the connection information parsed from mRemote’s configuration file.
Figure 4. Remote command execution
The bash script is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, HP-UX distributions. It wipes out the /kernel, /usr, /etc, and /home directories.
Symantec is continuing to investigate this attack and will provide further updates as they become available.