A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
Name
Dota
| |
|
First seen in Guardicore Centra |
2019-03-01 |
|
Last seen in Guardicore Centra |
2020-07-12 |
|
Dota is a cryptomining campaign targeting Linux machines using SSH brute force. At the time of writing, the botnet has been active for over a year. Its payload includes Monero cryptominers for different system architectures as well as a worm module, scanning the internal network and spreading the malware to additional machines. As part of its post-infection, Dota changes the root password and creates a backdoor by writing its own SSH key to authorized_keys. In addition, it reads system information such as disk space, CPU model, available memory and even installed cron jobs. |
|
Customized Firewall Rules for Your Attack Surface
Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.
Indicators of Compromise
Source IPs
Connect-Back Servers
- 5.255.86.129
- 54.37.70.249
- 146.185.171.227
- 107.191.99.221
- 206.189.239.103
- 165.227.104.253
- 188.128.43.28
- 50.255.64.233
- 60.249.188.118
- 134.209.226.157
- 189.8.68.56
- 112.215.113.10
- 1.245.61.144
- 51.254.32.102
- 103.28.52.84
- ip-54-37-70.eu
- autocasion.com
- ip-213-32-91.eu
- amazonaws.com
- linode.com
- rr.com
- unifiedlayer.com
Associated Files
| Path | Hash | Size |
|---|---|---|
|
/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz |
4be3587fff7bd24fe254f2dee5c3501fd2824ec5dc7f3e4f7e1a6f1e130e8ad6 |
5.46 MB |
|
/tmp/.X13-unix/.rsync/c/lib/64/tsm, /tmp/.X17-unix/.rsync/c/lib/64/tsm |
0f754eab280e5ff0b65c46bdd1cc16e8aff944c834379df2632cd5f261afe3bb |
158.82 KB |
|
/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz |
2d6e2e1c77c80e8d0198ae76e7bb40db524f1e699211b554a126d20802f985f3 |
5.46 MB |
|
/root/.firefoxcatche/a/cron, /tmp/.X15-unix/.rsync/a/cron |
4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d |
1.59 MB |
|
/home/mysql/arhiva/haiduc, /home/mysql/haiduc/haiduc.filepart, /home/mysql/md/haiduc.filepart… |
6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4 |
1016.20 KB |
|
/usr/local/bin/srsync.sh |
c9bd0154342a966efc86fb700a844e596c1daaa6d7a44e73da8553edb1887a5a |
109 bytes |
|
/tmp/.X15-unix/dota2.tar.gz |
45d985035e68d09deeea137ecd75ac1622e35202f411c5d0b5d51d9ee42b2a84 |
2.49 MB |
|
/tmp/.X13-unix/dota.tar.gz, /var/tmp/dota.tar.gz |
04c423db3fe5e95ed7f6764e0baf34c51192aee8b2e5856392dcdea3262aa5ae |
6.65 MB |
|
/tmp/.x15cache |
3973940fd949ccb944d8ff160a7c7d08aa5d3f4eadd67a0e5d41fe0bffebb469 |
308 bytes |
|
/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz |
e14c1024248b2bc0dd71cad189c85bff0a6d27027e1840dae411ff215e7b963e |
6.02 MB |
|
/tmp/.X15-unix/dota2.tar.gz |
86ab0b3a7f7a8ff5a40199289b975a91a58d2c0b1d0893cf8d8e6923b17039ee |
2.49 MB |
|
/tmp/.X13-unix/dota.tar.gz, /var/tmp/dota.tar.gz |
0d3924e9570e3b7520bd563e346a09e9405bc4305c21816512d5109b02492bad |
6.62 MB |
|
/tmp/.X15-unix/dota2.tar.gz |
c8cae37e3320a1c1f3079fa6d13b62e03156bb17a1a054e3a6d8509c815e8c3b |
2.49 MB |
|
/var/tmp/dota.tar.gz |
b0d6de587b4fa21db9146cf17e4c4250246211043ba4b130f35c7ebcbbd603fe |
60.00 KB |
|
/tmp/lan.sh |
75f5d5c5fc34ce708d91ccecb0aed9013975c143d15b4e9e6a7d15e2f0e28dc3 |
530 bytes |
Attack Flow
|
Breached Services |
SSH |
|
Tags |
SSH New SSH Key 21 Shell Commands Download File Successful SSH Login SFTP Superuser Operation |
Incident Summary
|
A user logged in using SSH with the following credentials: root / ******** – Authentication policy: White List |
Successful SSH Login |
|
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
|
/tmp/.X25-unix/dota3.tar.gz was downloaded |
Download File |
|
Connection was closed due to timeout |
|
|
An attempt to download /root/.ssh/authorized_keys was made |
New SSH Key |