ZiggyStarTux is malware that has been identified as part of the arsenal of TeamTNT, a cybercriminal group. The malware, an open-source IRC bot based on the Kaiten malware, was first detailed by Lacework earlier this year. It operates as a backdoor, running a secondary payload, itself a slightly modified version of ZiggyStarTux, that is embedded in the shell script vars.sh. Once deployed, it sets up persistence mechanisms on compromised systems, including registration as a systemd service. If the required binary is not already present, the script downloads it from the group's file server, saves it to the directory /usr/sbin, and executes it.
Executing the ZiggyStarTux binary involves decrypting it with a hardcoded Advanced Encryption Standard (AES) key and then running it in memory. This design is intended to evade automated static analysis tools: the ELF (Executable and Linkable Format) file of ZiggyStarTux is encrypted and packed within another binary, named 'ziggy'. Once running, the malware communicates with a remote command-and-control (C2) server through an IRC bot, enabling it to receive instructions and carry out tasks.
Notably, ZiggyStarTux has been associated with distributed denial-of-service (DDoS) attacks and can execute bash commands issued from the C2 server. The bots connect to the IRC server and join a hidden, password-protected channel named ##..## to receive commands. Communication between the ZiggyStarTux bots and the C2 takes place via an IRC server hosted on various domains and IP addresses located in different geographical regions. One such domain, madagent[.]tm, registered in 2015, shares numerous servers over a four-year period with madagent[.]cc, one of the known C2 domains of ZiggyStarTux.
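As an added defender-side illustration (not code from this page or from any vendor report), the following Python parses raw IRC client lines as a network sensor might log them and flags a JOIN to the hidden ##..## channel described above; the sample lines and the channel key value are constructed.

```python
"""Flag IRC JOINs to the hidden channel used by ZiggyStarTux bots.

Parses IRC lines using RFC 1459 framing (optional ':prefix', command,
space-separated params, optional ' :trailing'). Sample data is constructed.
"""
import re
from typing import Dict, List, Optional

# Channel name reported for the ZiggyStarTux botnet (taken from the page text).
SUSPECT_CHANNELS = {"##..##"}

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?P<params>.*)$")

def parse_irc_line(line: str) -> Optional[Dict[str, object]]:
    """Split one IRC line into prefix, command, params and trailing text."""
    m = IRC_LINE.match(line.strip("\r\n"))
    if not m:
        return None
    rest, trailing = m.group("params"), None
    if " :" in rest:                      # trailing parameter may contain spaces
        rest, trailing = rest.split(" :", 1)
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(),
            "params": rest.split(), "trailing": trailing}

def join_targets(msg: Dict[str, object]) -> List[tuple]:
    """Return (channel, key) pairs from a JOIN; the key list may be shorter."""
    params = msg["params"]
    first = params[0] if params else (msg["trailing"] or "")  # 'JOIN :#chan' form
    chans = [c for c in first.split(",") if c]
    keys = params[1].split(",") if len(params) > 1 else []
    return [(c, keys[i] if i < len(keys) else None) for i, c in enumerate(chans)]

def find_suspect_joins(lines: List[str]) -> List[dict]:
    """Return one hit per JOIN that targets a channel in SUSPECT_CHANNELS."""
    hits = []
    for line in lines:
        msg = parse_irc_line(line)
        if not msg or msg["cmd"] != "JOIN":
            continue
        for chan, key in join_targets(msg):
            if chan in SUSPECT_CHANNELS:
                hits.append({"channel": chan, "keyed": key is not None,
                             "raw": line.strip()})
    return hits

# Constructed client-to-server lines; the nick, user and key are placeholders.
SAMPLE_LINES = [
    "NICK bot123",
    "USER bot 8 * :bot",
    "JOIN #linux",
    "JOIN ##..## placeholderkey",
    "PRIVMSG ##..## :hello",
]
```

A hit with `keyed` set to True matches the password-protected channel behaviour described on this page; the same parser can be pointed at any IRC-like session regardless of the port it was observed on.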
Description last updated: 2024-06-06T09:16:29.258Z