# An Analysis of Linux.Ngioweb Botnet **[blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/](https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/)** Alex.Turing June 21, 2019 ### 21 June 2019 / Botnet ## Background ### On May 27, 2019, Our Unknown Threat Detect System highlighted a suspicious ELF file, and till this day, the detection rate on VT is still only one with a very generic name. We determined that this is a Proxy Botnet, and it is a Linux version variant of the Win32.Ngioweb[1] malware. We named it Linux.Ngioweb. It shares a lot of code with Win32.Ngioweb, except that it has DGA features. We registered one of the DGA C2 domain names (enutofish-pronadimoful-multihitision.org) and was able to observe the Bot connections. In addition, we have observed that Linux.Ngioweb malware has been implanted into a large number of WordPress Web servers. Although the Bot program is loaded with the privilege of the user group corresponding to the Web container, it still works and runs as Rotating Proxy node[2]. We don’t know why the attacker runs this proxy botnet, but it is possible that everything goes through the proxy is being recorded by the attacker. ## Overview of Linux.Ngioweb ### The main functionality of the Linux.Ngioweb Bot sample is to implement Back-Connect Proxy[3].on the victim's machine. The attacker builds multiple Bots into a Proxies Pool and controls it through a two-tier C2 protocol, then provides a Rotating Proxy Service. ----- ## Reverse engineering on Linux.Ngioweb ### Basic information MD5: 827ecf99001fa66de513fe5281ce064d ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped Anti-reverse engineering technique Uses a niche library named musl libc ----- ### Stores its functions in the function table in advance Uses Stack Strings Obfuscation Generates constant table used by CRC and AES Uses a two-tier C2 protocol, where Stage-2 C2 is determined by the CONNECT instruction of Stage-1 C2 Stage-2 C2 uses a two-layer encrypted communication protocol ----- ### Stage-1 C2 protocol analysis At this stage, the main behavior of the sample is to establish communication with Stage-1 C2, and proceed to the next step according to the instructions returned by C2. Communication attempt ### Try to establish communication with the following hardcoded C2 IP every 60 seconds 169.239.128.166:443 185.244.149.73:443 Try to establish communication with the domain name generated by DGA (Domain Generation Algorithm) every 73 seconds. When the number of DGA domain names reaches 300, the Seed will be reset. So the total number of DGA domain names is 300. DGA implementation ----- ``` uint64_t GenSeed(uint32_t& seed, uint32_t mod) { uint32_t tmp = 0x41C64E6D * seed + 0x3039; seed = tmp; return tmp % mod; } string dga(uint32_t& seed) { char* HeadBuf[] = { "un", "under", "re", "in", "im", "il", "ir", "en", "em", "over", "mis", "dis", "pre", "post", "anti","inter", "sub", "ultra", "non", "de","pro", "trans", "ex", "macro", "micro", "mini","mono", "multi", "semi", "co" }; char* BodyBufA[] = {"able","ant","ate","age","ance","ancy","an","ary", "al","en","ency","er","etn", "ed", "ese","ern","ize", "ify","ing","ish","ity","ion","ian","ism","ist","ic","ical", "ible","ive","ite","ish","ian","or","ous","ure" }; char* BodyBufB[] = {"dom","hood","less","like","ly","fy","ful","ness", "ment","sion","ssion","ship","ty","th","tion","ward" }; char* TailBuf[] = { ".net",".info",".com",".biz",".org",".name" }; string BlockBufA = "aeiou"; string BlockBufB = "bcdfghklmnprstvxz"; string domain; uint32_t dashloop = GenSeed(seed, 3) + 1; while (dashloop--) { domain += HeadBuf[GenSeed(seed, 0x1e)]; int flag = 0; int i = 0; if (BlockBufA.find(domain.back()) == string::npos) flag = 1; int fillcnt = GenSeed(seed, 0x3) + 4; while (fillcnt > i) { if (flag + i & 1) domain += BlockBufA[GenSeed(seed, 0x5)]; else domain += BlockBufB[GenSeed(seed, 0x11)]; i++; } if (BlockBufA.find(domain.back()) == string::npos) domain += BodyBufA[GenSeed(seed, 0x23)]; else domain += BodyBufB[GenSeed(seed, 0x10)]; if (dashloop != 0) domain += "-"; } return domain += TailBuf[GenSeed(seed, 0x6)]; } ``` ----- Communication Protocol ### This phase of communication is based on the HTTP protocol and the parameters are Base64 encoded. Packets overview Sent Packets decode ### After decoded the parameter content by Base64, we get the following information. id=machine-id[0:15] v=x86_64, hardcoded, architecture sv=5003, hardcoded, version number &qlohmzalwdepupwf, random 16-byte data, the algorithm is as follows User-Agent, hardcoded ``` Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 ``` ----- Received Packets decode ### Command Supported WAIT CONNECT DISCONNECT CERT Stage-2 C2 protocol analysis At this stage, the main action of the sample is to establish communication with the C2 of Stage-2 and enable the Back-Connect Proxy function. C2 of stage-2 is specified by the CONNECT command. Communication Protocol ### At this stage, the communication is combined by double-layer encryption. The inner layer is XOR and the outer layer is AES. Packets overview Encryption Algorithm ### The XOR key is generated by a random algorithm: ----- ### The algorithm is: AES uses ECB mode, no padding. The key is:qwerasdfzxcqwerasdftyuirfdsdsdss Packet Structure ### The packet consists of two parts: “header” and “msg”. “header” structure: ``` #le->little endian #be->big endian struct header { uint32_le xorkey; uint32_be msgcrc32; uint32_be len; uint16_be msgcode uint16_be magic }; “msg” consists of chunks, and the chunks supported by the sample are as follows: ``` ### Chunk Type ### Chunk Length Description ### 1 1 BYTE 2 2 WORD big endian 3 4 DWORD big endian 4 8 QWORD big endian 5 N+4 Bytes array.The first 4 bytes of chunk are the big endian-encoded length (N) of the array A “msg” can have one or more chunks, and different “msg”s are made up by different chunks . The “msg” types uses by this sample are “recv” and “send”. ----- ### recv ----- ### send See the table below for a summary of different “msg”s: msgcode Driection Description Fromat ### 0x1010 recv set channel id 0x1011 recv start proxy request 0x1012 recv close connection ### 3 chunks:(QWORD ConnId, Array IPAddr,WORD Port) 5 chunks:(QWORD RequestId, BYTE reason,BYTE AddrType,Array Addr, WORD port) 1 chunk:(QWORD ConnId) ### 0x10 send check-in 1 chunk:(QWORD BotId) ### 0x11 send set-channel ack 0x14 send tcp server started ### 1 chunk:(DWORD VersionId) 5 chunks:(DWORD ConnectionId, QWORD RequestId, BYTE AddrType, Array Addr, WORD Port) ### 0x15 send error 2 chunks:(DWORD RequestId,BYTE reason ) ### 0x16 send udp server started Sent packets sample analysis ### 5 chunks:(DWORD ConnectionId, QWORD RequestId, BYTE AddrType, Array Addr, WORD Port) ----- ### Raw data ``` packet[0:31]: 6c 52 8c 08 3e 80 a9 3c 00 00 00 10 00 10 fa 51 04 dd b0 b4 9d 10 ec 42 c3 00 00 00 00 00 00 00 header --->packet[0:15] xorkey --->0x088c526c msgcrc32 --->0x3e80a93c msglen --->0x00000010 msgcode --->0x0010,check-in magic --->0xfa51 msg --->packet[16:31] 1st chunk chunktype --->0x4 content --->0xddb0b49d10ec42c3 After XOR encryption 6c 52 8c 08 36 0c fb 50 08 8c 52 7c 08 9c a8 3d 0c 51 e2 d8 95 9c be 2e cb 8c 52 6c 08 8c 52 6c After AES encryption c1 d3 78 71 2d f6 5b bb 16 ca ff 8b ef 69 bb 26 3b 01 f0 22 70 09 38 dc e7 06 89 de 2b 55 eb 8e ``` Received packets sample analysis ### Raw data ``` c5 ad 4a bf 30 C2 3a 43 9b 6e 22 08 73 e0 b9 5d 3c e6 b7 f0 74 76 53 43 3a 79 0e 82 80 1a c3 84 ba a4 85 05 4a 63 b1 d6 d1 94 ad 53 be 7a 9a 88 After AES decryption 59 8b e5 6d 4a ee bf ef 6d e5 8b 79 7d f5 71 08 69 b8 81 aa 92 ed 65 fb 29 e0 8b 59 6d e1 51 47 19 e1 89 d8 29 e5 8b 59 6d e5 8b 59 6d e5 8b 59 ``` ----- ### After XOR decryption ``` packet[0:47] 59 8b e5 6d 27 0b 34 b6 00 00 00 20 10 10 fa 51 04 5d 0a f3 ff 08 ee a2 44 05 00 00 00 04 da 1e 74 04 02 81 44 00 00 00 00 00 00 00 00 00 00 00 header --->packet[0:15] xorkey --->0x6de58b59 msgcrc32 --->0x270b34b6 msglen --->0x00000020 msgcode --->0x1010,set channel id magic --->0xfa51 msg --->packet[16:47] 1st chunk chunktype --->0x04 content --->0x5d0af3ff08eea244 2nt chunk chunktype --->0x05 content --->len:0x00000004 buf:0xda1e7404 3rd chunk chunktype --->0x02 content --->0x8144 ## Stage-2 C2 association analysis ### We obtained the following 6 Stage-2 C2 addresses by visiting the Stage-1 C2 URL (http://185.244.149.73:443/min.js). 5.135.58.119 5.135.58.121 5.135.58.123 5.135.58.124 91.134.157.11 193.70.73.115 We looked up this md5 (9017804333c820e3b4249130fc989e00) in our GraphicQuery platform and was able to find more IPs which host the same file, we then sent specific crafted packets to these IPs and was able to ID another 18 Stage-2 C2s. ``` ----- ``` 5.135.35.160 5.196.194.209 51.254.57.83 54.36.244.84 54.36.244.85 54.36.244.91 91.121.36.212 91.121.236.219 92.222.151.63 145.239.108.241 163.172.201.184 163.172.202.116 178.33.101.176 178.33.101.177 178.33.101.178 178.33.101.182 188.165.5.123 188.165.163.20 ### We found that these Stage-2 C2 IP address are providing Socks5 proxy service by looking them up on free-socks.in As we tested, all these Socks5 proxy IPs are properly functioning. Also, they accessed the C2 domain we own(enutofish-pronadimoful-multihitision.org) via the Stage-1 C2 protocol, so it can be said that they are all Linux.Ngioweb Bots. ``` ----- ``` root@localhost: # curl socks5 91.134.157.11:50880 ifconfig.me 31.170.123.49 root@localhost:~# curl --socks5 91.134.157.11:62012 ifconfig.me 208.113.197.88 root@localhost:~# curl --socks5 91.134.157.11:18278 ifconfig.me 45.58.190.100 root@localhost:~# curl --socks5 91.134.157.11:64380 ifconfig.me 72.29.64.29 root@localhost:~# curl --socks5 91.134.157.11:47067 ifconfig.me 54.38.101.17 root@localhost:~# curl --socks5 91.134.157.11:63862 ifconfig.me 88.99.212.97 root@localhost:~# curl --socks5 91.134.157.11:49475 ifconfig.me 23.91.65.240 ## Infected IPs information ### By listening on C2 domain (enutofish-pronadimoful-multihitision.org), we have observed a total of 2692 Bot IPs. The following is a detailed list of countries/regions with number of infected IPs: ``` ----- ``` US 1306 BR 156 RU 152 DE 133 FR 102 SG 98 NL 80 GB 66 CA 66 IT 64 VN 42 AU 36 PL 31 TR 28 JP 26 IN 26 ZA 21 ID 19 ES 18 UA 15 ### By probing the infected IPs, we found out that almost all Bot IPs are web servers and have WordPress programs deployed. We did not look into how the attacker took control of these WordPress sites though. We contacted some infected users and found multiple WebShells on their Web servers. These WebShells are highly obscured, but the techniques, encryption, and code share similar characters. Combined with the accessing characteristics (such as time, order) the infected IPs made to the our sinkhole DGA domain, we speculate that the attacker will periodically issue commands to the WebShells on the victim websites, as well as running the Linux.Ngioweb program. ## Solutions and Suggestions ### We recommend that readers do not use the Socks5 proxy service provided by these Stage-2 C2 IP. We recommend that WordPress users back up the website article database (delete backdoor users such as wp.service.controller.*), reinstall the latest version of WordPress program, enhance user password complexity, enhance WebShell detection capabilities, and disable PHP commands to execute related functions; Contact us Relevant security and law enforcement agencies are welcomed to contact netlab[at]360.cn for a list of infected IP addresses. ``` ----- ### Readers are always welcomed to reach us on twitter, WeChat 360Netlab or email to netlab at 360 dot cn. IoC list Sample MD5 ``` 827ecf99001fa66de513fe5281ce064d Stage-1 C2 (Hardcoded IP) 169.239.128.166 South Africa ASN 61138 Zappie Host LLC 185.244.149.73 Romania ASN 60117 Host Sailor Ltd. Stage-2 C2 163.172.201.184 France ASN 12876 Online S.a.s. 163.172.202.116 France ASN 12876 Online S.a.s. 5.135.35.160 France ASN 16276 OVH SAS 5.135.58.119 France ASN 16276 OVH SAS 5.135.58.121 France ASN 16276 OVH SAS 5.135.58.123 France ASN 16276 OVH SAS 5.135.58.124 France ASN 16276 OVH SAS 5.196.194.209 France ASN 16276 OVH SAS 51.254.57.83 France ASN 16276 OVH SAS 54.36.244.84 France ASN 16276 OVH SAS 54.36.244.85 France ASN 16276 OVH SAS 54.36.244.91 France ASN 16276 OVH SAS 91.121.36.212 France ASN 16276 OVH SAS 91.121.236.219 France ASN 16276 OVH SAS 91.134.157.11 France ASN 16276 OVH SAS 92.222.151.63 France ASN 16276 OVH SAS 145.239.108.241 Germany ASN 16276 OVH SAS 178.33.101.176 Ireland ASN 16276 OVH SAS 178.33.101.177 Ireland ASN 16276 OVH SAS 178.33.101.178 Ireland ASN 16276 OVH SAS 178.33.101.182 Ireland ASN 16276 OVH SAS 188.165.5.123 Ireland ASN 16276 OVH SAS 188.165.163.20 France ASN 16276 OVH SAS 193.70.73.115 France ASN 16276 OVH SAS Stage-1 C2 (DGA) ``` ----- ``` enutofish pronadimoful multihitision.org exaraxexese-macrobacaward-exafosuness.net nonafudazage.name demigelike.net emuvufehood.net subolukobese.biz inogepicor-prorarurument.biz overahudulize-unazibezize-overuzozerish.org imunolance-postodinenetn-antifipuketn.net antizerolant-monogevudom.info transavecaful-transinenation-transikaduhern.com subogonance.info inoxodusor-misehupukism.info devikoviward-semibazegily-copaxugage.name eniguzeless-inecimanable.net subilebesion-irogipate.biz colozosion-antigobunaful.name inudiduty-dezaviness.org irelizaring-enipulical-monovuxehossion.info ilenudavous-monoxoxapal-semimihupution.info ultrapadupize.biz covategal-dezakedify-enebugassion.name transivesudom-macropimuship.org rezolezation-transapupirify-seminecation.name macrolutoxous-overefimety.name coxumumage-dexolalite.name cotexafical-postirutuvian-emimimous.biz copubuloness-misumusal-disokozian.com nonecuzuking-enekopofen-imakozity.info dezohipal-ultrazebebive.name cosazalike-antifoxirer-subudikic.biz underotutilism-monoceraretion-underosociful.name overugiror.net emuzixucize.biz disicevament-desizigasion-recadihuful.biz decehoward-microhikodely-overokerezant.com microlasokadom-ultralarumous.info minixecision-iruzaxuhood.net profusonuty.info multifipakency-conovofy-prorakikate.com antiseramoment.info postavutetn-emedarevous.biz inolugoty-inidiverible.com prodipamament.biz overogobity-imivocurify-disovizution.biz decozaness-antihazation-overetalovical.net nonesolafy.com unihatosancy.name interiragocern-micropuxotion-transogorion.org seminamatity-enogibely.name inosebovion.net exofifure-postirexument.info transirirenern-semizafunic-nonivubed.biz enegizize-microtizobity.name macrohuseded-multipazaseship.com ``` ----- ``` imefihured macrohixuhood.org microlulition-macrokiguxable.biz multizesumefy-emebefion.biz underebelassion-postizoziless.info dezuvazen.name decotusion-exexavihood-exevozebant.name disuzepuly.info inuviging-antizoluly.biz multisotiren-ilazufist.org predepussion.info inidozadom.name interikuhaful.info cozuheming.biz multiruxuth.org monozogeced.org mononoredom.info postarubixage-monocinamety-overogefesal.com prebekokian-misadepepive-transilogify.com monohatodom-cohotiship.com exebasusion.org unahodoness-emevuzeward-emuzeduness.com exemidexous-underiposapite-unegatature.name interocugopist-misugexadic-ilobipegency.org monokifomancy-misagefism-macrobepoth.com antizekussion-minipusaral-copofuxoship.com relutodom-comakitize.name multikezusion.org emopumical-enohecical.org semitegopish.net recepatission.info inoluvary.com seminitotuful.info interanubing-emelulotal-transugotuzern.com subefehity-iledutession.name ultrapapiten.biz transuvarusish-prozumoxety.info transisigern.org imirotiship-microhopulive-emotomeship.com presefavution.info enevifaking.org misidogive-coxecovor-dexefoxan.name overazadudom-deliromohood.com emakanuward.com emitohage-overasuhorure-antitipenoless.info ultrasesebible.biz multihadekite.name iluvused-iravoxish.info postobagoly-detovaward-unixohible.biz underasusogen.com imovaman-multimihivoship-imeduxian.biz dedunuguhood.com prevukition.info underehugavish.org misoxomelical-iluxubism.net microcolacoful-postabitition.name ``` ----- ``` overurohely overadolure iruraluness.org unurodable-dekipuhic-postuxufous.org unitucihern-postadagen-imupuduth.org imukokuship.org prenubocetion-ultrahahohood.com monofugition-underefogukic.org irofetufy.com irobigelike.org presifament.biz overetigution.info enuvopan-imixesoward-irarupipary.biz inorofizian.com monopadecotion-multicecihood-imuzicasion.com exofosehance-minimezazofy.org monokacofudom-inuvinable.com emisucosion-prohosexite-imorekusion.net semiledoduly.info multivapufy-promumuly-enonuben.net subebodency.info cofexasish-inodehed.net unutexupify-conofubusion.com misebonure-iluborize-rezericify.com exunaxian.info colanizity-postosecive-nonuresible.info dedaliward-imipusen-inacaliver.com refusovize.org monokuvission-transodigical-semihehamussion.biz transalavudom-multilavezuhood.net exusizeward.net unisimor.name minipihagaship.com recusigetion-transubeviful.info multixizitufy-microtomuly-multixoleward.com microxulodish-semibahoty.biz macrokunith-proxobivive.net preginaxodom.name transimapeful-cotalision.com prefinazuly.name inucasazing-microhesunian-semidikokement.biz disitirotion-transekarenate.org unehihify-antimepavable-nonubovafy.net misunotelike-nonugidant.info enogosudom-macrogekabive.biz postozokipetn-microdomobaly.biz interunavission-ininibecist.org microhinoler.org prosihamish-noneguhaness.com preberekous-microkagibant-imemahal.name iletegifage.org emikuraran.biz overokigoty-ilecavish.net nonikofucable-postelihuzism-rexecigism.net imixifure.info minirabupeness-nonitefuward.org misasugegify-underazosuzish-exuvexezical.info ``` ----- ``` multipocihood monomuhunible.org nonohacutancy-postuxikitan-microseditoless.info overasobament.info overulurotion.biz disepadely-disuzirovor.net repetepian-irelucify.biz enikobadom-postolixement.name inunatogite-imoboraness.net irimarefy.net monohiloless-demodefy.com previbetian-misunohigate.info multivunuhance-inabiber.com semicasinaty-ilibaholy.biz transupovetn-monozeruduless.biz debapesetn-underisaxufical-imukugamism.info multibibetefy.com exanonish.name interanulish-imazekalike-unisukugate.info inokevidage.org monofipuly-underubihal.net profobekify-subebobefy-exozufous.name macrovetecuship-emebudemical-underaxakament.biz demeficiward-retitisily-macromuvaward.org monosumuly-ilenusuty-dedabaness.net exapofaran-postulusadify.com microhobament-postevofafity.com rebezusaly-overidirity-ultrahiseness.org unafacigage-transihicical-prebokity.info interazution-irudegufy-antinefoly.biz minizecidish-macrolafukish-depovased.biz derirepous-cosideship-semibiseless.biz overupazadity-irativorical.name coseviness-nonikunant-macrorasihood.net nonesocern-macrotocipity.info interuzoputy.info inicinic-misuluzan-ultrakuxuness.com sububesebism-ultrabutath.com misacireship.org exuxuburan-miniravuhood-exosoxen.info macrozigahood-monosulopancy.com unegoping-detunusion-antimuruseful.biz macrozixaward-semivanimoly-underekutoty.biz ultratipuxian-inosilission-multiridith.net microtonagament.info cobemesion-redacocoful.name disicogure-seminedasoly.biz dekacify.net emegamilike-imupogazance-ultrapanacesion.org unocelibable-underelatucance.com irodetolike-imisocatite-inecolafian.com antikuzucen-irokarance-transitupikible.org semiralety-macrorobinant-ultrapixutency.biz transisomuless.name ilebigument-macroripakesion.org profebarable.org ``` ----- ``` nonixigefy protisumiless.biz corahicohood.com pretuvution-disafatutical-irehopuvese.name miniregath-anticesuty-postudagily.biz coguvilaship-recakubodom.name overipugoful-interizihing.org imipadaness-iralikoward-semitolicoly.info interupefity-semigiduly.info macromosoriship.net antigizepist.net subuluhic-disomokate.net irunucudor-macrogocudern-comoxizish.name underedofobate.net prolapuzern-progobutiful-dehifasion.org irucasian-macrofevasion.net unogoxeness-semixocapency.org rehofocese.org exebutian-interomifenism.org subihefahood-subenopure-ultramoherihood.net nonezogeward.com exasavate-minidevilefy-subanevous.biz enodenission-overucelancy-microvitasission.info ultrafakitesion-misesuzahical-transanafetion.biz interinipoly-minimorovor-debininess.com prenedelission-interugefable-repekosossion.name postifozible-irololuship.com unozolasion.org unobelaness-prepifavety.info cofukosable.info iloletible-imakeben.info ultraronupity.name minikisision-monobavunism-micronepavage.org unufepaness-misedepugance.biz inafolage.com semifolofic-unaraxal.biz enerivosism-imenufanist-macrovonahood.org monobocution.info cosuzuness-prepurizor-unasulal.name inopivic-antimaporary-subavocobive.biz covogidish-iletinassion.biz defizalike-unodatage-inarabevous.com unuvirisern-interusalosize-misucakiness.org ireninenish-multicemath-prezucetussion.biz interodekive.com iramilahood-antirotuxary-misobegesion.name multidafadite-postagoker.org monobagehance.net emixuvidite-ilofikency-subolubify.biz postugihucency-emademify.name cotefehood-imocakitency.biz enikavely-inosifuty-postaviraly.info transabusossion.biz interitebure.net unehumugage-ultraburosion.com subutavahen-inuhabish.org ``` ----- ``` subifefer devufoward probelalance.org emefimafible.biz ilibefudom.biz postemivaxage.net monofudumossion.info inuxazodom-macrodexaxahood.org semibugegetn-monohifutuly.biz macromohazaship-subonohion-disonixucing.com emosacekant-cokebohood-nonetakive.biz interozecifist-antipinukity-multifekemath.net refedomous-antifaliless.name ultraxekevohood-nonizerosion-exovigant.name interarogous-unuculuhood.org semipulimian.com monocalacaless.biz disevolikency-retipegation.biz cosituxath-misuxunor.info ultraporader-conapefy-prolobeziless.info ilucasure.com reletohite-misosulahood-antitedudom.info minivucilous-inafafomism.net monorifutaless-ilocamussion.name inohufohese-imufilahood-antifidupite.com emegemaxed-transigifuty-multitumolith.net exotacible-denitokolike.com ``` -----