Ziggystartux

Malware updated 3 months ago (2024-06-06T09:17:30.616Z)
ZiggyStarTux is malware that has been identified as part of the arsenal of TeamTNT, a cybercriminal group. It is an open-source IRC bot based on the Kaiten (Tsunami) malware and was first detailed by Lacework in an earlier report. It operates as a backdoor: a secondary payload is embedded in the shell script vars.sh, and that payload is a slightly modified version of ZiggyStarTux itself.

Once deployed, it sets up persistence on compromised systems, including registration as a systemd service. If the expected file does not already exist, the script downloads the malicious binary from the operators' file server, saves it under /usr/sbin, and executes it. The ZiggyStarTux ELF (Executable and Linkable Format) binary is encrypted with a hardcoded Advanced Encryption Standard (AES) key and packed inside another binary named 'ziggy'; at run time it is decrypted and executed in memory, which is designed to evade automated static analysis tools that would otherwise inspect the ELF on disk.

The bot communicates with a remote command and control (C2) server over IRC, from which it receives instructions and carries out tasks. The bots connect to the IRC server and join a hidden, password-protected channel named ##..## to receive commands. ZiggyStarTux has been associated with distributed denial-of-service (DDoS) attacks and can execute bash commands issued from the C2 server.

The IRC C2 servers have been hosted on various domains and IP addresses located in different geographical regions. One such domain, madagent[.]tm, registered in 2015, has shared numerous servers over a four-year period with madagent[.]cc, one of the known ZiggyStarTux C2 domains.
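As a detection aid for the IRC C2 behaviour described above, the following Python script is an added example, not code from the page's sources or from the malware itself: it parses IRC protocol lines (RFC 1459 framing) and flags every JOIN that targets the hidden channel ##..##, recording whether the join carried a channel key, which is what a password-protected channel requires. The traffic sample, nicks, IP addresses and the channel key are constructed for illustration and are not indicators from any report.

```python
"""Flag IRC C2 activity matching the ZiggyStarTux description: a bot joining
the hidden, password-protected channel ##..##.

Added example for this page; not code from the cited reports or the malware.
All traffic below is constructed: nicks, hosts, and the key are invented."""
from __future__ import annotations

from dataclasses import dataclass, field

HIDDEN_CHANNEL = "##..##"  # channel name given in the description above


@dataclass
class IrcMessage:
    prefix: str | None          # "nick!user@host" or server name, if present
    command: str                # e.g. JOIN, PRIVMSG, or a numeric reply
    params: list[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one message: [':' prefix ' '] command {' ' param} [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter starts at the first " :" and may contain spaces.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC message")
    params = parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def find_hidden_channel_joins(lines) -> list[tuple[str | None, str, str | None]]:
    """Return (nick, channel, key) for each JOIN to HIDDEN_CHANNEL.

    nick is None for a raw client-side JOIN (no prefix); key is None when the
    JOIN carried no second parameter, i.e. no channel password was supplied.
    JOIN accepts comma-separated channel and key lists, so both are expanded."""
    hits = []
    for raw in lines:
        try:
            msg = parse_irc_line(raw)
        except ValueError:
            continue  # skip blank or malformed lines rather than abort the scan
        if msg.command != "JOIN" or not msg.params:
            continue
        channels = msg.params[0].split(",")
        keys = msg.params[1].split(",") if len(msg.params) > 1 else []
        for i, chan in enumerate(channels):
            if chan == HIDDEN_CHANNEL:
                nick = msg.prefix.split("!")[0] if msg.prefix else None
                key = keys[i] if i < len(keys) else None
                hits.append((nick, chan, key))
    return hits


# Constructed sample session (not real traffic): a client-side keyed JOIN,
# the server's echo of another bot joining, chatter, and a benign JOIN.
SAMPLE_TRAFFIC = [
    "NICK bot0",
    "USER x 0 * :x",
    ":irc.example.test 001 bot0 :Welcome to the network",
    "JOIN ##..## s3cret",
    ":bot1!x@192.0.2.5 JOIN ##..##",
    ":op!o@192.0.2.1 PRIVMSG ##..## :hello",
    "JOIN #linux",
    "",
]

if __name__ == "__main__":
    for nick, chan, key in find_hidden_channel_joins(SAMPLE_TRAFFIC):
        print(f"hidden-channel join: nick={nick!r} channel={chan} key={key!r}")
```

Feed it decoded IRC lines from a proxy log or a pcap's TCP stream; a JOIN to ##..## with a key present is the strongest match to the described behaviour, while a prefixed JOIN without a key is the server's echo and still identifies the joining nick.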
Description last updated: 2024-06-06T09:16:29.258Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
Kaiten (2 votes): Kaiten, also known as Tsunami, is a malware variant that operates as a Distributed Denial of Service (DDoS) bot and an IRC bot. It targets vulnerable Internet of Things (IoT) devices and poorly protected Linux SSH servers, often being distributed alongside other DDoS bots like Mirai and Gafgyt. The
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bot
Ddos
Malware
Analyst Notes & Discussion
Source Document References
Information about the ZiggyStarTux malware was read from the documents in the corpus below (display limited to 20 results).
Source (created): Title
Trend Micro (3 months ago): Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
MITRE (2 years ago): Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes
CERT-EU (a year ago): Trojanized OpenSSH used in Linux, IoT device compromise
CERT-EU (a year ago): New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices
InfoSecurity-magazine (a year ago): OpenSSH Trojan Campaign Targets IoT and Linux Systems
CERT-EU (a year ago): IoT devices and Linux-based systems targeted by OpenSSH trojan campaign | Microsoft Security Blog
CERT-EU (a year ago): Patched OpenSSH Exploited for IoT, Linux Cryptomining
BankInfoSecurity (a year ago): Hackers Targeting Linux and IoT Devices for Cryptomining
MITRE (2 years ago): TeamTNT with new campaign aka "Chimaera"