Example Analysis of finding APT attacks using ZoomEye 02/21 Update SLTechnology News&Howtos

Example Analysis of finding APT attacks using ZoomEye

2025-02-21 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)05/31 Report--

The content of this article mainly focuses on the example analysis of using ZoomEye to find APT attacks. The content of the article is clear and clear. It is very suitable for beginners to learn and is worth reading. Interested friends can follow the editor to read together. I hope you can get something through this article!

The data on the ZoomEye line covers the updated mode, that is, if the data is not scanned in the second scan, the updated data will not be overwritten, and the data on ZoomEye will retain the banner data obtained by the first scan. This mechanism actually has a good fit in the scenario in tracing the source of this malicious attack: download servers used by malicious attacks such as Botnet and APT are generally disabled and abandoned directly after they are found. Of course, there are also some targets who are hacked, but also very violent direct referrals! So many attack scenes are likely to be cached online by ZoomEye.

Of course, the data provided in the ZoomEye history api can query the banner data obtained from each scan regardless of whether you overwrite it or not, but the ZoomEye history API currently provided can only be queried through IP, not by keyword matching search, so we need to use it in conjunction with the ZoomEye online cache data search location mentioned above.

Case 1: Darkhotel APT

In fact, I mentioned it on cool techs knowledge Planet a few days ago, but a "bug" needs to be fixed: the IE 0day used by Darkhotel this time should be CVE-2019-1367 instead of CVE-2020-0674 (thanks for diced pork @ Qianxin). Of course, this "bug" does not affect the topic of this article.

From the image above, we can see that we located the IP at the scene of a Darkhotel puddle attack through ZoomEye online data. We use ZoomEye SDK to query the history of this IP:

╭─ heige@404Team ~ ╰─ $python Python 2.7.16 (default, Mar 15 2019, 21:13:51) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)] on darwinType "help", "copyright" "credits" or "license" for more information. Import zoomeye zm = zoomeye.ZoomEye (username= "xxxxx", password= "xxxx") zm.login () upright JhbGciOiJI I1NiIsInR5cCI6IkpX..' Data = zm.history_ip ("202.x.x.x") 22

List the time nodes and corresponding port services that include the IP data in the ZoomEye historical data.

For i in data ['data']:... Print (I ['timestamp'], I [' portinfo'] ['port']). ) (upright 2019-11-25T05GV 27 VOV 58, 80) (upright 2019-11-02T16 VLV 1040, 80) (ugg 2019-10-31T11 UBG 392V, 80) (upright 2019-10-06T05RT 244V, 80) (ugg 2019-08-02T09Mv 52m 27') 80) (upright 2019-07-27T19-27T19-22-11), 80) (upright 2019-05-18T10-38-59), 8181) (upright 2019-05-02-T19-02-T19-37-20) (8181) (upright 2019-05-01T0048) 05a, 8009) (ugg 2019-04-09T16-2958, 8181) (upright 2019-03-24T20-24T20-46, 31), 8181) (upright 2018-05-18T1822 22) 8181) (upright 2017-03-13T03-13T03-13T03-13T03-13T03-13T03-13T03-13T03-13T03-13T03-12T16 4354), 8181) (upright 2017-02-25T09purge 5628mm, 8181) (upright 2016-11-01T00 purge 2230mm, 8181) 8080) (upright 2015-03-13T19 purge 3315mm, 21)

Let's take a look at the time node and port of the puddle attack implanted into the IE 0day:

For i in data ['data']:... If "164.js" in I ['raw_data']:... Print (I ['timestamp'], I [' portinfo'] ['port']). ) (upright 2019-11-25T05 Vuitt27 Vista 58, 80) (upright 2019-11-02T16 1040, 80) (ugg 2019-10-31 T11-31T11, 80) (upright 2019-10-06T05RT 2444, 80)

Obviously, the approximate time range of this puddle attack is from 2019-10-06 05:24:44 to 2020-01-28 10:58:02, and this IP is obviously not the VPS purchased by the attacker, but directly attacked a specific website as a "puddle" attack. It is certain that this IP site has been invaded as early as 2019-10-06! From the nature of this puddle, we can basically infer that the main target of Darkhotel's attack is the users who visit this site!

Let's continue to list which port services have been opened for this IP in 2019 to help us analyze possible intrusion points:

For i in data ['data']:... If "2019" in I ['timestamp']:... Print (I ['timestamp'], I [' portinfo'] ['port'], I [' portinfo'] ['service'], I [' portinfo'] ['product']) (upright 2019-11-25T05VR 27VR 58, 80, upright http, upright nginx') (upright 2019-11-02T16, upright 40, 80, upright http, upright nginx') (upright 2019-10-31T11, 3939, upright, 80, utennginx') (upright 2019-10-06T05 purge 2444, 80, upright http, ugg nginx') (upright 2019-08-02T09rig 5227mm, 80, upright http') ) (upright 2019-07-27T19 purge 22 11, 80, upright http, upright nginxx) (upright 2019-05-18T10 38 veg 59, 8181, upright http, u'Apache Tomcat/Coyote JSP engine') (upright 2019-05-02 T19337, u'Apache Tomcat/Coyote JSP engine') (upright 2019-05-01T00 48, 8009, upriajp13' U'Apache Jserv') (upright 2019-04-09T16 u'Apache Tomcat/Coyote JSP engine' 2951, 8181, upright httppers, u'Apache httpd') (upright 2019-03-24T20 purge 461mm, 8181, upright httppers, u'Apache Tomcat/Coyote JSP engine')

In a typical JSP operating environment, port 8009 was opened in May 2019, and problems such as weak passwords in Tomcat background management have always been common means of infiltration.

By the way, this attack actually involves another IP, because the IP-related port banner has been overwritten, so it is impossible to search directly through ZoomEye online search. However, if you know that this IP can also use ZoomEye historical data API to query the historical data of this IP, we will not expand here in detail.

Case 2: poison cloud vine (APT-C-01)

For a detailed report on APT-C-01, please refer to https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf. We will directly focus on

"http://updateinfo.servegame.org", a control domain used by poison cloud ivy to control and distribute attack payloads.

"and then from

Hxxp://updateinfo.servegame.org/tiny1detvghrt.tmp

Download payload "

On URL, we first try to find the IP corresponding to this domain name. Obviously, we haven't gained much so far:

╭─ heige@404Team ~ ╰─ $ping updateinfo.servegame.orgping: cannot resolve updateinfo.servegame.org: Unknown host

In Qianxin's report, we can see that the download server WEB service directory used can be traversed.

So we should be able to directly try to search for the file name "tiny1detvghrt.tmp", and we found it.

Here we can basically determine that the IP corresponding to updateinfo.servegame.org is 165.227.220.223, so we start the old routine of querying historical data:

> data = zm.history_ip ("165.227.220.223") > 9 > for i in data ['data']:. Print (I ['timestamp'], I [' portinfo'] ['port']). 22) (ugg 2018-07-31T05-31T05-58D, 22)-- 2018-05-20T0055-48mm, 80) (ugg 2018-05-16T20T2022, 22) (upright 2018-04-08T0715-5315, 80) (upright 2018-02-22T19-0429') 22) (upright 2017-11-21T19-09-14-14-80) (upright 2017-10-04-T05-15-17-38)

Continue to look at this time frame for tiny1detvghrt.tmp deployment:

For i in data ['data']:... If "tiny1detvghrt.tmp" in I ['raw_data']:... Print (I ['timestamp'], I [' portinfo'] ['port']). (upright 2018-05-20T00 purse 55-48mm, 80) (upright 2018-04-08T07-53-530) (upright 2017-11-21T19-0914)

It is at least certain that attacks have been deployed since the end of November 2017, so there is a time node before this time node at 05:17:38 on 2017-10-04. Let's take a look at his banner data:

For i in data ['data']:... If "2017-10-04" in I ['timestamp']:. Print (I ['raw_data']). HTTP/1.1 200 OK Date: Tue, 03 Oct 2017 21:17:37 GMT Server: Apache Vary: Accept-Encoding Content-Length: 1757 Connection: close Content-Type: text/html;charset=UTF-8 Index of / Index of /

< img src="/icons/blank.gif" alt="[ICO]">

< a href=" ">

Name

< a href="?C=M;O=A">

Last modified

< a href="?C=S;O=A">

Size

< a href="?C=D;O=A">

Description