Microsoft Security Intelligence
Published May 20, 2025 | Updated Oct 13, 2025

Trojan:Linux/Multiverze!rfn

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:Linux/Multiverze!rfn is an automated threat that targets Linux servers exposing an accessible SSH service, which is its main attack vector. The threat actor launches brute-force attacks against SSH to gain access through weak credentials. Once an account is compromised, the threat actor installs a malicious shell script that downloads and runs a Python IRC bot. This bot connects to a hard-coded C2 server, placing the compromised device under the threat actor's control. The botnet is used mainly for DDoS attacks and for running arbitrary commands on the compromised device.

  • Unplug the Ethernet cable or disable Wi-Fi to prevent the malware from communicating with its C2 servers and exfiltrating your data.
  • Conduct a comprehensive review of system and SSH logs to identify the breach scope and the attacking IP addresses.
  • Change all account passwords for SSH, as the breach likely resulted from compromised credentials.
  • Locate and permanently delete all infection-related files in /tmp/.
  • Inspect the crontab and remove the malicious entry.
  • Identify and kill any running processes related to the malware, such as the n.py Python script.
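The following POSIX shell helpers are an added example (not code from the Microsoft page) for the log-review, crontab and process steps listed above; the auth.log excerpt, crontab and process listing they run on are constructed sample data so the script works offline.

```shell
#!/bin/sh
# Triage helpers for the Trojan:Linux/Multiverze!rfn response steps.
# All input below is CONSTRUCTED sample data; on a live host feed the
# functions /var/log/auth.log, `crontab -l` and `ps -eo pid,user,args`.

# Constructed auth.log excerpt: a brute-force burst followed by one success.
SAMPLE_AUTH_LOG='May 20 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 20 10:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
May 20 10:01:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 20 10:01:09 host sshd[1210]: Accepted password for root from 203.0.113.7 port 51030 ssh2
May 20 10:05:00 host sshd[1300]: Accepted publickey for ops from 198.51.100.4 port 40000 ssh2'

# Constructed crontab: one legitimate entry and one persistence entry in /tmp.
SAMPLE_CRONTAB='0 3 * * * /usr/local/bin/backup.sh
* * * * * /bin/sh /tmp/.x/run.sh >/dev/null 2>&1'

# Constructed process list in "pid user args" form.
SAMPLE_PS='1 root /sbin/init
2345 root python /tmp/.x/n.py
2400 ops /usr/sbin/sshd -D'

# Log review: rank source IPs by number of failed SSH logins ("count ip" per line).
failed_login_sources() {
    printf '%s\n' "$1" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Log review: brute-forcing IPs that later obtained an "Accepted" login,
# i.e. the accounts whose passwords must be changed first.
accepted_from_bruteforcers() {
    failed_login_sources "$1" | awk '{print $2}' | while read -r ip; do
        printf '%s\n' "$1" | grep "Accepted .* from $ip " >/dev/null && echo "$ip"
    done
}

# Crontab inspection: entries that execute anything under /tmp/.
suspicious_cron_entries() {
    printf '%s\n' "$1" | grep -F '/tmp/'
}

# Process inspection: PIDs running n.py or any program under /tmp/.
bot_pids() {
    printf '%s\n' "$1" | awk '$0 ~ /n\.py/ || $0 ~ /\/tmp\// {print $1}'
}
```

On a real host, call for example `accepted_from_bruteforcers "$(cat /var/log/auth.log)"` and `bot_pids "$(ps -eo pid,user,args)"`, and review each hit before killing or deleting anything.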

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
