From Honeypot to Hacker Toolkit – a Threat Intelligence Story
This is a joint investigation with Mihai Vasilescu, also of the Application and Threat Intelligence (ATI) team.
One of the first things we do every morning as part of our threat intelligence work is take a deep dive into the latest attacks that hit our honeypots. Most of the time it’s the same automated scanners over and over. This morning, however, one request caught my eye:
POST /phpMyAdmin/scripts/setup.php HTTP/1.1
This is a very old and documented vulnerability for PhpMyAdmin known as CVE-2009-1151 – if you’re not familiar with CVE syntax, the “2009” stands for the year 2009. An eight-year-old vulnerability should be something that’s no longer relevant today, but the fact that such an attack still appears got me thinking, so I tried to download the payload. Decoding the uploaded URL results in:
So the attacker is trying to get PHPMyAdmin to download a PHP file and execute it on the vulnerable server. The remote server hosting the payload is located in the US. This is the contents of “bine.php”:
What the attacker is now trying to do is download a file called “maxx.txt” from a different server, now hosted in Poland.
Maxx.txt is actually a Perl-based bot. A quick search for some of the keywords in the file lead to this GitHub Gist of a Perl bot also caught in the wild three years ago. The source code is mostly similar, with some modifications from place to place. The purpose is the same – the bot is able to:
- Connect to an IRC server (C&C)
- Receive commands that allow the attacker to:
- Direct the bot to another IRC server and execute different types of floods
- Execute shell commands on the infected box
The remote IRC server was specified when the “maxx.txt” script was called.
If this all seems very old to you, it’s the same for us. We did not believe these types of bots still exist. So we tried connecting to the IRC server, also hosted in Poland, and got a response:
The server is not some random IRC server since it only seems to accept nicknames that correspond to the way the Perl bot assigns them. The channel and authentication key, however, no longer seem to work. This is unfortunate, but there’s more stuff to investigate.
The payload was downloaded from an FTP server, so there’s a good chance more files might be hosted there:
Black.exe is a Windows executable that was compiled on September 15th and has 14 detections on VirusTotal. When run in the sandbox, the binary communicates with the same servers that appear in the VirusTotal behavior section – they contact a domain registered in Mali and hosted on a web server in Amsterdam. We were able to trace the execution chain and determine that its final purpose is Monero mining.
The “pub” folder is even richer in interesting material:
The files we downloaded from here are mostly PHP-based webshells that also communicate via the IRC C&C server. The “xxxxx.tgz” file is a 1.7GB archive containing a scan for open ports 22 – complete with banners, where possible. The “infect.tgz” file is another very rich archive containing the malicious party’s tools and a lot of different dumps of scans for targets:
The archive contains JexBoss, a tool for JBoss and Java deserialization vulnerability detection and exploitation. After the server has been infected, the following commands get executed:
The attacker pulls fingerprinting information – Linux kernel version, Linux distribution, the user account under which the server is running – and downloads the “j1.txt” file. This seems to be the same “j1.txt” file in the above dump that is another copy of the Perl IRC bot. Most likely, the fingerprinting information will be used to determine if privilege escalation is required and what type of payload will be delivered to the system.
CGIScan is a tool that attempts to exploit HTTP servers vulnerable to remote code execution via the Shellshock bug:
“Brute” and “ss“ are ELF files that are detected as malicious by AV scanners on VirusTotal – a tool for bruteforce attacks and a helper for port scanning and, possibly, other types of reconnaissance or lateral movement.
The rest of the files are either copies of the tools, files from the original JexBoss tool or simply dumps containing IP addresses that have been identified as vulnerable.
There are 21 million lines in scan.txt, each belonging to a successful identification of an open SSH port. Most of them are unique, so we can assume the attacker has identified 21 million hosts of interest for SSH brute force attacks. There are more than 10,000 IP addresses in the dump files in the archives – all of them hosts that might have been or will be attacked at some point. The “asd.output” file, which we assume is a log of infected hosts connecting to the C&C servers, has 199 entries inside. This is the size of the operation of just one attacker on the Internet, leveraging a limited set of old vulnerabilities.
Understanding how attackers operate and what tools they leverage is one of the most important parts of threat intelligence research. This investigation pointed out that older vulnerabilities are still being actively sought out and that attackers will reuse whatever tools they find and are able to repurpose for their intentions – in this case, the use of an old IRC bot removes the need that they implement their own C&C protocols. It’s never good to assume that something is no longer a threat just because of old age or commonality.
The Application and Threat Intelligence team currently tracks IP addresses involved in attacks similar to those in this toolkit. Users of ThreatARMOR are protected from such attackers as a result. Additionally, BreakingPoint users can validate a network’s security stance against such an attack.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.