Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: Dota
Status: active
First seen in Guardicore Centra: 2019-03-01
Last seen in Guardicore Centra: 2020-07-12

Dota is a cryptomining campaign that targets Linux machines by brute-forcing SSH credentials. At the time of writing, the botnet has been active for over a year. Its payload bundles Monero cryptominers for several system architectures together with a worm module that scans the internal network and spreads the malware to additional machines. As part of its post-infection routine, Dota changes the root password and plants a backdoor by writing its own SSH key to authorized_keys. It also collects system information such as disk space, CPU model, available memory and the installed cron jobs.


Indicators of Compromise

Associated Files

Path | SHA256 | Size
/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz | 4be3587fff7bd24fe254f2dee5c3501fd2824ec5dc7f3e4f7e1a6f1e130e8ad6 | 5.46 MB
/tmp/.X13-unix/.rsync/c/lib/64/tsm, /tmp/.X17-unix/.rsync/c/lib/64/tsm | 0f754eab280e5ff0b65c46bdd1cc16e8aff944c834379df2632cd5f261afe3bb | 158.82 KB
/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz | 2d6e2e1c77c80e8d0198ae76e7bb40db524f1e699211b554a126d20802f985f3 | 5.46 MB
/root/.firefoxcatche/a/cron, /tmp/.X15-unix/.rsync/a/cron | 4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d | 1.59 MB
/home/mysql/arhiva/haiduc, /home/mysql/haiduc/haiduc.filepart, /home/mysql/md/haiduc.filepart… | 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4 | 1016.20 KB
/usr/local/bin/srsync.sh | c9bd0154342a966efc86fb700a844e596c1daaa6d7a44e73da8553edb1887a5a | 109 bytes
/tmp/.X15-unix/dota2.tar.gz | 45d985035e68d09deeea137ecd75ac1622e35202f411c5d0b5d51d9ee42b2a84 | 2.49 MB
/tmp/.X13-unix/dota.tar.gz, /var/tmp/dota.tar.gz | 04c423db3fe5e95ed7f6764e0baf34c51192aee8b2e5856392dcdea3262aa5ae | 6.65 MB
/tmp/.x15cache | 3973940fd949ccb944d8ff160a7c7d08aa5d3f4eadd67a0e5d41fe0bffebb469 | 308 bytes
/tmp/.X17-unix/dota.tar.gz, /var/tmp/dota.tar.gz | e14c1024248b2bc0dd71cad189c85bff0a6d27027e1840dae411ff215e7b963e | 6.02 MB
/tmp/.X15-unix/dota2.tar.gz | 86ab0b3a7f7a8ff5a40199289b975a91a58d2c0b1d0893cf8d8e6923b17039ee | 2.49 MB
/tmp/.X13-unix/dota.tar.gz, /var/tmp/dota.tar.gz | 0d3924e9570e3b7520bd563e346a09e9405bc4305c21816512d5109b02492bad | 6.62 MB
/tmp/.X15-unix/dota2.tar.gz | c8cae37e3320a1c1f3079fa6d13b62e03156bb17a1a054e3a6d8509c815e8c3b | 2.49 MB
/var/tmp/dota.tar.gz | b0d6de587b4fa21db9146cf17e4c4250246211043ba4b130f35c7ebcbbd603fe | 60.00 KB
/tmp/lan.sh | 75f5d5c5fc34ce708d91ccecb0aed9013975c143d15b4e9e6a7d15e2f0e28dc3 | 530 bytes
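The paths and hashes above, together with the authorized_keys backdoor described in the campaign summary, are what a responder actually hunts for on a suspect host. The script below is an added example (it is not Guardicore's code and not part of the original page): it walks the directories the table points at, flags any file whose path matches a Dota staging pattern, and reports whether its SHA-256 is an exact hit on the table. The wildcard patterns (for example the .X*-unix staging directory) are an assumption generalising the numbered variants listed above, and since the attacker's public key is not on the page, the authorized_keys check simply flags every key whose blob is not in an allowlist the operator supplies.

```python
"""Hunt a Linux host for Dota's on-disk indicators (added example).

Usage: python dota_hunt.py [ROOT]   (ROOT defaults to "/", use a mounted
image path for offline triage). Path globs are an assumption generalising
the numbered .X13/.X15/.X17/.X25-unix staging directories in the table.
"""
import fnmatch
import hashlib
import os
import sys
from pathlib import Path

# SHA-256 values copied from the Associated Files table.
KNOWN_SHA256 = {
    "4be3587fff7bd24fe254f2dee5c3501fd2824ec5dc7f3e4f7e1a6f1e130e8ad6",
    "0f754eab280e5ff0b65c46bdd1cc16e8aff944c834379df2632cd5f261afe3bb",
    "2d6e2e1c77c80e8d0198ae76e7bb40db524f1e699211b554a126d20802f985f3",
    "4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d",
    "6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4",
    "c9bd0154342a966efc86fb700a844e596c1daaa6d7a44e73da8553edb1887a5a",
    "45d985035e68d09deeea137ecd75ac1622e35202f411c5d0b5d51d9ee42b2a84",
    "04c423db3fe5e95ed7f6764e0baf34c51192aee8b2e5856392dcdea3262aa5ae",
    "3973940fd949ccb944d8ff160a7c7d08aa5d3f4eadd67a0e5d41fe0bffebb469",
    "e14c1024248b2bc0dd71cad189c85bff0a6d27027e1840dae411ff215e7b963e",
    "86ab0b3a7f7a8ff5a40199289b975a91a58d2c0b1d0893cf8d8e6923b17039ee",
    "0d3924e9570e3b7520bd563e346a09e9405bc4305c21816512d5109b02492bad",
    "c8cae37e3320a1c1f3079fa6d13b62e03156bb17a1a054e3a6d8509c815e8c3b",
    "b0d6de587b4fa21db9146cf17e4c4250246211043ba4b130f35c7ebcbbd603fe",
    "75f5d5c5fc34ce708d91ccecb0aed9013975c143d15b4e9e6a7d15e2f0e28dc3",
}

# Relative path patterns (assumed generalisation of the table's paths).
# fnmatch's "*" also crosses "/", so "tmp/.X*-unix/*" covers the .rsync tree.
SUSPECT_GLOBS = (
    "tmp/.X*-unix/*",
    "tmp/.x*cache",
    "tmp/lan.sh",
    "var/tmp/dota*.tar.gz",
    "root/.firefoxcatche/*",
    "usr/local/bin/srsync.sh",
    "home/*/haiduc*",
)
# Only these trees are walked; walking all of "/" is slow and unnecessary.
SCAN_DIRS = ("tmp", "var/tmp", "root", "usr/local/bin", "home")
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def sha256_file(path):
    """Stream a file through SHA-256 (payloads here are several MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root="/"):
    """Return sorted findings for regular files under root whose path matches
    a Dota pattern. known_hash is True only on an exact SHA-256 hit; a path
    match with an unknown hash still deserves a look (new payload version)."""
    root = Path(root).resolve()
    findings = []
    for top in SCAN_DIRS:
        for dirpath, _dirs, files in os.walk(root / top):
            for name in files:
                full = Path(dirpath) / name
                rel = full.relative_to(root).as_posix()
                if not any(fnmatch.fnmatchcase(rel, g) for g in SUSPECT_GLOBS):
                    continue
                if full.is_symlink() or not full.is_file():  # skip links/specials
                    continue
                digest = sha256_file(full)
                findings.append({"path": "/" + rel, "sha256": digest,
                                 "known_hash": digest in KNOWN_SHA256})
    return sorted(findings, key=lambda f: f["path"])


def unexpected_keys(authorized_keys_text, allowed_blobs):
    """Return authorized_keys lines whose base64 key blob is not allowlisted.
    The key-type token is located by prefix so option prefixes such as
    command="..." do not hide a key from the check."""
    unexpected = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                if tokens[i + 1] not in allowed_blobs:
                    unexpected.append(line)
                break
    return unexpected


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for f in scan(target):
        label = "HASH MATCH" if f["known_hash"] else "PATH MATCH"
        print(f"{label} {f['path']} {f['sha256']}")
    ak = Path(target) / "root/.ssh/authorized_keys"
    if ak.is_file():
        # Replace set() with the blobs from your own key inventory;
        # an empty allowlist flags every key present.
        for line in unexpected_keys(ak.read_text(), set()):
            print("UNEXPECTED KEY", line[:80])
```

A path match with an unknown hash is the normal case for a campaign that re-packs its tarball (the table already shows the same path with four different hashes), so treat it as a lead rather than a miss, and remember that the SHA-256 set only proves presence, never absence.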

Attack Flow

Breached Services: SSH

Tags: SSH, New SSH Key, 21 Shell Commands, Download File, Successful SSH Login, SFTP, Superuser Operation

Incident Summary

Successful SSH Login: A user logged in using SSH with the following credentials: root / ******** – Authentication policy: White List
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Download File: /tmp/.X25-unix/dota3.tar.gz was downloaded
Connection was closed due to timeout
New SSH Key: An attempt to download /root/.ssh/authorized_keys was made
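The incident summary above shows the sequence a defender can alert on from ordinary sshd logs: a password login as root that follows a burst of failures from the same source, after which the payload download and the authorized_keys tampering happen. The following is an added example, not the sensor's detection logic and not code from the original page; the log lines are constructed in OpenSSH's syslog format, and the threshold (5 failures within 10 minutes) is an assumed tuning value.

```python
"""Flag SSH brute-force that ends in a successful password login
(added example; sample log lines are constructed, not from the page)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines mimicking the Dota flow: failures, then root logs in.
SAMPLE_LOG = """\
Jul 12 03:14:01 host sshd[2210]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jul 12 03:14:02 host sshd[2212]: Failed password for root from 203.0.113.7 port 50114 ssh2
Jul 12 03:14:03 host sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 50116 ssh2
Jul 12 03:14:04 host sshd[2216]: Failed password for root from 203.0.113.7 port 50118 ssh2
Jul 12 03:14:05 host sshd[2218]: Failed password for root from 203.0.113.7 port 50120 ssh2
Jul 12 03:14:06 host sshd[2220]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jul 12 03:14:09 host sshd[2230]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Jul 12 03:14:09 host sshd[2230]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 12 03:15:00 host sshd[2231]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (unknown usernames
# are still counted: the attacker sprays several accounts per source).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth result line, or None for other sshd noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for window arithmetic within one log file.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a password login succeeds from a source that produced at
    least `threshold` failures within `window` before it. Key logins are
    ignored: a spray does not end in a publickey success."""
    failures = defaultdict(list)  # source ip -> failure timestamps
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["method"] == "password" and len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": len(recent),
                           "ts": ev["ts"].strftime("%b %d %H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} brute-force success: {a['user']}@{a['ip']} "
              f"after {a['failures']} failures")
```

On a real host feed `journalctl -u ssh` or /var/log/auth.log into detect(); an alert from this rule is the point at which to run the on-disk hunt above for the staging directories and for an unexpected entry in /root/.ssh/authorized_keys.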