Backdoor:Linux/Luabot.A
First posted on 16 September 2016.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Linux/Luabot.A.
Explanation:
Installation
This threat can arrive and be installed as a final payload to provide persistent control over the compromised device or system.
When run, it creates a mutex named "bbot_mutex_202613" and starts listening on TCP port 11833.
Payload
This threat is a backdoor trojan with a built-in Lua interpreter. This allows the remote malicious hacker to access the features defined in the following Lua scripts:
- 00init.lua
- 10utils.lua
- 11dumper.lua
- 20re.lua
- 25list.lua
- 30cocoro.lua
- 35procutils.lua
- 40lpegr.lua
- 50lpegp.lua
- 70resolver.lua
- 80evutils.lua
- 81bsocket.lua
- 82evserver.lua
- 85killold.lua
- base64.lua
- botnet.lua
- checkanus.lua
- checkanus_sucuranus.lua
- cmdargs.lua
- exec.lua
- http.lua
- ip_iterator.lua
- lua_script_runner.lua
- proxyproto.lua
- pwaiter.lua
- socksserver.lua
- subjson.lua
- telnet.lua
- udp.lua
- v7.lua
It also includes a backdoor command table that can easily be run by the remote malicious hacker:
- bot_daemonize
- rsa_verify
- sha1
- fork
- kill
- exec
- wait_pid
- getpid
- pipe
- evsocket
- buffer
- ed25519
- mssl
- dnsparser
- struct
- lpeg
- evserver
- evtimer
- evio
- evsignal
- lfs
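Host-side triage for the indicators given above: the "bbot_mutex_202613" mutex name, the TCP 11833 listener, and the more distinctive bundled script names. This is an added example, not Microsoft's code or any part of the malware; the `ss -lntp` output and the file image it scans are constructed sample inputs, and the process name in them is made up.

```python
"""Triage helpers for the Backdoor:Linux/Luabot.A indicators described on this page.

Added example, not Microsoft's code. Indicators are taken from the page:
the mutex name, the TCP 11833 listener and the bundled Lua script names.
All sample inputs below are constructed.
"""
import re

LUABOT_PORT = 11833
LUABOT_STRINGS = [
    b"bbot_mutex_202613",
    b"checkanus_sucuranus.lua",   # distinctive script names only; generic ones
    b"85killold.lua",              # such as http.lua are omitted to avoid noise
    b"lua_script_runner.lua",
]

# Matches one LISTEN row of `ss -lntp`: "LISTEN recvq sendq local:port peer:port [process]"
_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")

def find_listeners(ss_output: str, port: int = LUABOT_PORT) -> list[dict]:
    """Return LISTEN sockets bound to `port`, with the owning process column."""
    hits = []
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if m and int(m.group(2)) == port:
            hits.append({"addr": m.group(1), "port": port, "process": m.group(3).strip()})
    return hits

def find_strings(blob: bytes) -> list[str]:
    """Return which Luabot indicator strings occur in a file image."""
    return [s.decode() for s in LUABOT_STRINGS if s in blob]

def triage(ss_output: str, blob: bytes) -> dict:
    """Combine both checks; the listener alone or two string hits is worth a look."""
    listeners = find_listeners(ss_output)
    strings = find_strings(blob)
    return {"listeners": listeners, "strings": strings,
            "suspicious": bool(listeners) or len(strings) >= 2}

# Constructed sample `ss -lntp` output and a constructed binary fragment.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=611,fd=3))
LISTEN 0      128    0.0.0.0:11833     0.0.0.0:*    users:(("svcd",pid=2048,fd=5))
"""
SAMPLE_BLOB = b"\x7fELF...bbot_mutex_202613\x00...checkanus_sucuranus.lua\x00"

if __name__ == "__main__":
    print(triage(SAMPLE_SS, SAMPLE_BLOB))
```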
Last update: 16 September 2016