GET A DEMO

Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

Dota active
First seen in Guardicore Centra       2019-03-01
Last seen in Guardicore Centra       2020-07-12

Dota is a cryptomining campaign targeting Linux machines using SSH brute force. At the time of writing, the botnet has been active for over a year. Its payload includes Monero cryptominers for different system architectures as well as a worm module, scanning the internal network and spreading the malware to additional machines. As part of its post-infection, Dota changes the root password and creates a backdoor by writing its own SSH key to authorized_keys. In addition, it reads system information such as disk space, CPU model, available memory and even installed cron jobs.

Customized Firewall Rules for Your Attack Surface

Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.

Contact Us

Indicators of Compromise

Source IPs

Connect-Back Servers

Associated Files

PathHashSize

/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz

4be3587fff7bd24fe254f2dee5c3501fd2824ec5dc7f3e4f7e1a6f1e130e8ad6

5.46 MB

/tmp/.X13-unix/.rsync/c/lib/64/tsm, /tmp/.X17-unix/.rsync/c/lib/64/tsm

0f754eab280e5ff0b65c46bdd1cc16e8aff944c834379df2632cd5f261afe3bb

158.82 KB

/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz

2d6e2e1c77c80e8d0198ae76e7bb40db524f1e699211b554a126d20802f985f3

5.46 MB

/root/.firefoxcatche/a/cron, /tmp/.X15-unix/.rsync/a/cron

4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d

1.59 MB

/home/mysql/arhiva/haiduc, /home/mysql/haiduc/haiduc.filepart, /home/mysql/md/haiduc.filepart…

6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4

1016.20 KB

/usr/local/bin/srsync.sh

c9bd0154342a966efc86fb700a844e596c1daaa6d7a44e73da8553edb1887a5a

109 bytes

/tmp/.X15-unix/dota2.tar.gz

45d985035e68d09deeea137ecd75ac1622e35202f411c5d0b5d51d9ee42b2a84

2.49 MB

/tmp/.X13-unix/dota.tar.gz, /var/tmp/dota.tar.gz

04c423db3fe5e95ed7f6764e0baf34c51192aee8b2e5856392dcdea3262aa5ae

6.65 MB

/tmp/.x15cache

3973940fd949ccb944d8ff160a7c7d08aa5d3f4eadd67a0e5d41fe0bffebb469

308 bytes

/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz

e14c1024248b2bc0dd71cad189c85bff0a6d27027e1840dae411ff215e7b963e

6.02 MB

/tmp/.X15-unix/dota2.tar.gz

86ab0b3a7f7a8ff5a40199289b975a91a58d2c0b1d0893cf8d8e6923b17039ee

2.49 MB

/tmp/.X13-unix/dota.tar.gz, /var/tmp/dota.tar.gz

0d3924e9570e3b7520bd563e346a09e9405bc4305c21816512d5109b02492bad

6.62 MB

/tmp/.X15-unix/dota2.tar.gz

c8cae37e3320a1c1f3079fa6d13b62e03156bb17a1a054e3a6d8509c815e8c3b

2.49 MB

/var/tmp/dota.tar.gz

b0d6de587b4fa21db9146cf17e4c4250246211043ba4b130f35c7ebcbbd603fe

60.00 KB

/tmp/lan.sh

75f5d5c5fc34ce708d91ccecb0aed9013975c143d15b4e9e6a7d15e2f0e28dc3

530 bytes

Attack Flow

Breached Services

SSH

Tags

SSH New SSH Key 21 Shell Commands Download File Successful SSH Login SFTP Superuser Operation

Incident Summary

A user logged in using SSH with the following credentials: root / ******** – Authentication policy: White List

Successful SSH Login

A possibly malicious Superuser Operation was detected 2 times

Successful SSH Login

/tmp/.X25-unix/dota3.tar.gz was downloaded

Download File

Connection was closed due to timeout

An attempt to download /root/.ssh/authorized_keys was made

New SSH Key

???? Return to Botnet Encyclopedia

Linkedin
Twitter
Facebook
Youtube

© 2021 Guardicore

Coming to Black Hat? Make sure you come say hi 👋

drop us a note