We previously blogged about how we uncovered the operations of the hacking group we named Outlaw, which uses an Internet Relay Chat (IRC) bot. This follow-up post covers a host that is part of the botnet operated by the group, which we found attempting to run a script on our IoT honeypot. The attacking bot used a tool called haiduc to search the internet for systems to attack, taking advantage of a common command injection vulnerability. If successful, it attempts to run the script min.sh (detected by Trend Micro as Coinminer.SH.MALXMR.ATNJ) on the targeted hosts.
This time we spotted two variants of Outlaw activity. The script used in the first variant of the bot has two functions: a miner and a haiduc-based dropper. The mining component itself comes in two forms: a plain-text bash/Perl script and an obfuscated Perl script meant to evade content-inspecting intrusion prevention systems (IPS) and firewalls.
The second variant of the code distributed by the bot was mainly designed to brute-force and further exploit Microsoft Remote Desktop Protocol (RDP) and the cPanel hosting control panel in order to gain further access. This intent is supported by the discovery of a list of servers running a version of the libc.so.6 library with a known vulnerability.

Overview of the first variant
The miner downloads a Monero (XMR) mining binary that runs on both Linux and Android and starts mining. This variant first checks for other miners already running on the system. If it finds a "foreign" miner, the script kills that miner's processes and starts its own binaries. The bot is therefore capable of hijacking the mining activity of unrelated botnets. Some Mirai variants have the same capability, but unlike those Mirai variants, this bot does not patch the victim to protect it from further infection or reinfection.
Once mining has started, the bot runs a function that checks the process list to see whether the miner is actually running. If it is not, the bot downloads the malicious files again from the source and restarts the mining process, including the check for the presence of other miners.
This routine lets the attacker take over mining hosts already compromised by other attackers and reinfect hosts it already "owns" with an updated version of the miner, keeping the operation going even after the attackers' XMR wallets have been hijacked.
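The kill-and-respawn behaviour above also tells a responder what to look for on a live host. The following is an added example, not code from the original analysis or from the Outlaw toolset: it flags miner-like processes in a ps snapshot and, for each one, the shell parent running from the same kind of hidden directory, which is the watchdog that would re-download and restart the miner if only the miner were killed. The miner names, flags, paths and pool hostname used in the heuristics and in the sample snapshot are assumptions and constructed data, not indicators from the analysis.

```python
"""Added example (not code from the original analysis or from the Outlaw
toolset): find cryptominer-like processes in a `ps` snapshot and the shell
parent that would respawn them, which is how the watchdog behaviour described
above looks on a live host. Every name, path and pool host in the sample
snapshot is constructed for this example; the analysis names none of them."""
import re

# Heuristics (assumptions for this example): common miner binary names, the
# stratum pool URL scheme, xmrig-style flags, and execution from a hidden
# directory under a world-writable path.
MINER_BINARIES = {"xmrig", "minerd", "cpuminer", "xmr-stak"}
MINER_FLAGS = ("--donate-level", "--cpu-priority", "--coin=monero", "-a cryptonight")
HIDDEN_DIR = re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/\.[^/\s]+/")
SHELL = re.compile(r"^(?:\S*/)?(?:ba|da|a)?sh\b")


class Proc:
    def __init__(self, pid: int, ppid: int, user: str, cmd: str):
        self.pid, self.ppid, self.user, self.cmd = pid, ppid, user, cmd


def parse_ps(snapshot: str) -> list:
    """Parse the output of `ps -eo pid,ppid,user,args`; the header line is skipped."""
    procs = []
    for line in snapshot.strip().splitlines()[1:]:
        pid, ppid, user, cmd = line.split(None, 3)
        procs.append(Proc(int(pid), int(ppid), user, cmd))
    return procs


def classify(proc: Proc):
    """Return (kind, reasons): kind is 'miner', 'suspicious' or None."""
    reasons = []
    argv0 = proc.cmd.split()[0].rsplit("/", 1)[-1]
    if argv0 in MINER_BINARIES:
        reasons.append(f"known miner binary name '{argv0}'")
    if "stratum+" in proc.cmd:
        reasons.append("stratum mining pool URL on the command line")
    if any(flag in proc.cmd for flag in MINER_FLAGS):
        reasons.append("xmrig-style mining flags")
    kind = "miner" if reasons else None
    if HIDDEN_DIR.search(proc.cmd):
        reasons.append("runs from a hidden directory under a world-writable path")
        kind = kind or "suspicious"
    return kind, reasons


def find_miners(snapshot: str) -> list:
    """Flag miner-like processes and, for each, the shell parent running from a
    hidden directory: that parent is the watchdog that re-downloads and restarts
    the miner, so killing the miner alone is not enough."""
    procs = parse_ps(snapshot)
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in sorted(procs, key=lambda x: x.pid):
        kind, reasons = classify(p)
        if kind is None:
            continue
        parent = by_pid.get(p.ppid)
        respawned_by = None
        if parent and SHELL.match(parent.cmd) and HIDDEN_DIR.search(parent.cmd):
            respawned_by = parent.pid
        findings.append({"pid": p.pid, "user": p.user, "kind": kind,
                         "reasons": reasons, "respawned_by": respawned_by})
    return findings


# Constructed `ps -eo pid,ppid,user,args` snapshot for the example.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 root     /usr/sbin/sshd -D
 2231   812 www      bash /tmp/.bin/run.sh
 2240  2231 www      /tmp/.bin/xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level=1 -B
 2310     1 www      /usr/bin/python3 /opt/app/web.py
"""

if __name__ == "__main__":
    for f in find_miners(SAMPLE_PS):
        tail = f" [respawned by pid {f['respawned_by']}]" if f["respawned_by"] else ""
        print(f"pid {f['pid']} ({f['user']}): {f['kind']} - {'; '.join(f['reasons'])}{tail}")
```

Run as is, it reports the two findings from the constructed snapshot; on a live host, feed it the output of ps -eo pid,ppid,user,args. The practical point is the respawned_by field: kill the parent (or the whole process group) before the miner, otherwise the watchdog brings it back.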
Once mining is established, the miner reports back to its operator through a compromised website hosting a PHP script with a randomly generated name.
The other part of the script takes care of bot propagation. It uses the haiduc tool, which we previously identified as one the Outlaw group primarily uses. In this variant of the haiduc toolset, the tool first brute-forces hosts running an SSH service, using lists hosted on a compromised website in the form of PHP scripts. Once a brute-force attempt succeeds, it runs the commands that spread the bot, namely the commands that install the initial min.sh script from compromised websites. It then scans further targets, as set by the commanding PHP script, and sends the results to the botnet administrator via an email address hardcoded in one of the PHP scripts. In our previous blog we noted the group's use of an IRC bot to form a botnet; this time the bot is controlled via PHP. The files for the miner and the haiduc toolset, however, still come from the same group.

The infecting bot uses the URL hxxp://www[.]karaibe.us/.foo/min.sh to download the malicious shell script. Curiously, the domain also had a Google Analytics script embedded in its source code, which might have allowed the bot's administrators to monitor the campaign. The domain currently resolves to a basketball league standings site. The Outlaw group uses this technique consistently, and it has become obvious that one of the group's core activities is compromising more websites through PHP vulnerabilities to obtain new C&C or content delivery servers.

Looking into min.sh, the infecting script
Figure 1. Initial script, min.sh

Mining activity
The first part of the script downloads the mining binary and its complementary files as a tgz archive. By listing a second server or domain in the download command, the attacker ensures that the threat is not easily blocked when one source is taken down.
Note: In this example both sources are the same destination; the difference is that one is written as an IP address and the other as a fully qualified domain name (FQDN). Blocking controls fed by certain security information and event management (SIEM) tools match one form or the other but usually not both, as matching both might cause performance issues.
The downloaded archive is extracted and the working directory is changed to the hidden ".bin" directory. Using a hidden directory helps the miner run unnoticed by the system administrator.
It then runs the XMR mining binary in the background, redirecting its output to /dev/null.

Scanning activity
In the next step, the working directory is changed to /tmp. The hidden ".vd" directory is removed so that only the most current version is used in the following steps. Next, sslm.tgz is downloaded, extracted, and run from that directory. It is a haiduc-based scanner that generates its targets using a PHP script hosted on the C&C server. It also sends an "introduction" of the compromised host (see the figure below) to another PHP script, hosted at hxxp://www[.]karaibe[.]us/[.]foo/remote/info[.]php.
Figure 2. POST request to the C&C
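The download chain above (min.sh, the miner archive fetched from the same host by IP and by FQDN, sslm.tgz, and the POST to info.php) is easy to spot in a web proxy log once the two host forms are treated as one indicator. The following is an added example, not code from the original analysis: it matches constructed proxy log lines against the request paths named above and collapses the IP-address and FQDN forms of the download host. The paths /.foo/min.sh, /.foo/sslm.tgz and /.foo/remote/info.php and the host www.karaibe.us come from the analysis (written here in the plain form a log would contain); the archive name archive.tgz and the paired address 203.0.113.10 are stand-ins, since the page does not reproduce them.

```python
"""Added example (not code from the original analysis or from the Outlaw
toolset): match a web-proxy access log against the min.sh download chain and
collapse the IP-address and FQDN forms of the download host into one indicator.
The log lines are constructed; the archive name and the IP address paired with
the host are stand-ins, since the analysis does not reproduce them."""
from urllib.parse import urlsplit

# The script lists the same download host twice, once by IP and once by FQDN.
# Pair them so a hit on either form counts (assumed pairing; 203.0.113.10 is a
# documentation-range stand-in for the address the script really uses).
HOST_PAIRS = {"203.0.113.10": "www.karaibe.us"}


def canonical_host(hostname: str) -> str:
    """Map a paired IP address to its FQDN; anything else is returned as-is."""
    return HOST_PAIRS.get(hostname, hostname).lower()


def stage_for(method: str, path: str):
    """Which step of the min.sh chain a request matches, or None. The rules key
    on paths, not hosts, because the group rotates compromised websites as
    download and C&C servers."""
    if "/.foo/" in path and path.endswith("/min.sh"):
        return "dropper-fetch"            # initial min.sh download
    if method == "POST" and path.endswith("/remote/info.php"):
        return "c2-checkin"               # "introduction" of the host to the C&C
    if path.endswith("/sslm.tgz"):
        return "scanner-fetch"            # haiduc-based scanner archive
    segments = path.split("/")
    if path.endswith(".tgz") and any(s.startswith(".") for s in segments[:-1]):
        return "archive-from-hidden-dir"  # miner archive served from a hidden dir
    return None


def scan_log(text: str) -> list:
    """Parse constructed `time client method url status` lines and return matches."""
    findings = []
    for line in text.strip().splitlines():
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        stage = stage_for(method.upper(), parts.path)
        if stage:
            findings.append({"time": float(ts), "client": client, "stage": stage,
                             "host": canonical_host(parts.hostname or ""),
                             "url": url, "status": int(status)})
    return findings


CHAIN = {"dropper-fetch", "archive-from-hidden-dir", "scanner-fetch", "c2-checkin"}


def full_chain_clients(findings: list) -> list:
    """Clients that went through every stage, i.e. a completed min.sh infection."""
    seen = {}
    for f in findings:
        seen.setdefault(f["client"], set()).add(f["stage"])
    return sorted(c for c, stages in seen.items() if CHAIN <= stages)


# Constructed proxy log: one infected client (10.0.0.7) and one benign request.
SAMPLE_LOG = """\
1568000001.001 10.0.0.7 GET http://www.karaibe.us/.foo/min.sh 200
1568000002.120 10.0.0.7 GET http://203.0.113.10/.foo/archive.tgz 200
1568000002.900 10.0.0.7 GET http://www.karaibe.us/.foo/archive.tgz 200
1568000010.500 10.0.0.7 GET http://www.karaibe.us/.foo/sslm.tgz 200
1568000012.000 10.0.0.7 POST http://www.karaibe.us/.foo/remote/info.php 200
1568000013.000 10.0.0.9 GET http://www.example.org/index.html 200
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['client']} -> {h['host']}: {h['stage']} ({h['url']})")
    print("full chain from:", full_chain_clients(hits))
```

The HOST_PAIRS table is where the IP/FQDN pairing from the note above belongs: with both forms mapped to one name, blocking or alerting on either never misses the other, and the two archive fetches in the sample collapse to a single host.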
After the "introduction" to the C&C, the script changes the working directory back to /tmp and removes the infection script from the affected system.

Further scanning options found in the second variant of the bot
We have analyzed various forms of the haiduc toolset and have previously mentioned capturing variants of the toolkit with a populated list of targets for compromise. The two haiduc variants described here have a purpose we had not seen before: testing captured target systems for the presence of a running Remote Desktop Protocol (RDP) service or cPanel. RDP is used for remote management of Windows-based hosts and servers, while cPanel is a commercial web-hosting control panel. If either service is found on the target host, the host is saved for future exploitation.

Scanning via Remote Desktop Protocol (RDP)
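Before looking at the scanner itself, it helps to know what an RDP server reveals to any unauthenticated probe. The following is an added example, not code from the original analysis or from the Outlaw scanner: it builds the X.224 Connection Request that starts an RDP connection, decodes the server's Connection Confirm (the RDP_NEG_RSP or RDP_NEG_FAILURE structure from MS-RDPBCGR), and translates the answer into what a defender cares about, namely whether Network Level Authentication (NLA) is enforced. The three server replies in the block are constructed byte strings, not captures, and probe_rdp is a helper written for this example.

```python
"""Added example (not code from the original analysis or from the Outlaw
scanner): build the X.224 Connection Request that opens an RDP session and
interpret the server's Connection Confirm (MS-RDPBCGR sections 2.2.1.1 and
2.2.1.2), so a defender can check what an internet-facing host tells any
scanner before authentication. The server replies below are constructed."""
import socket
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0, 1, 2, 8
PROTOCOL_NAMES = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)",
                  8: "CredSSP with early user authorization result"}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols: int, cookie: bytes = b"") -> bytes:
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0, 8, requested_protocols)  # type, flags, length, protocols
    tpdu = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + neg_req            # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(tpdu)]) + tpdu                                  # length indicator first
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224            # TPKT: version 3, reserved, length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and optional RDP_NEG_RSP/FAILURE."""
    version, _, length = struct.unpack(">BBH", data[:4])
    if version != 3 or length != len(data):
        raise ValueError("not a single TPKT-framed PDU")
    li, code = data[4], data[5]
    if code >> 4 != 0xD:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:  # fixed part only: a legacy server that does not negotiate
        return {"negotiation": False, "accepted": True, "selected_protocol": PROTOCOL_RDP}
    neg_type, flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("malformed negotiation structure")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"negotiation": True, "accepted": True, "selected_protocol": value,
                "restricted_admin": bool(flags & 0x08)}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": True, "accepted": False, "failure_code": value,
                "failure": FAILURE_CODES.get(value, "unknown")}
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def verdict(result: dict) -> str:
    """What the reply means when the probe asked for TLS only (see probe_rdp)."""
    if not result["negotiation"]:
        return "legacy: standard RDP security only, no TLS and no NLA"
    if not result["accepted"]:
        if result["failure_code"] == 5:
            return "NLA required: credentials are checked before the session starts"
        return f"refused: {result['failure']}"
    proto = result["selected_protocol"]
    if proto == PROTOCOL_SSL:
        return "TLS without NLA: the logon screen is reachable for brute force"
    return f"{PROTOCOL_NAMES.get(proto, proto)} selected"


def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> dict:
    """Ask for TLS only; an NLA-enforcing server answers HYBRID_REQUIRED_BY_SERVER."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        reply = s.recv(1024)
    result = parse_connection_confirm(reply)
    result["verdict"] = verdict(result)
    return result


# Constructed replies: TLS accepted, NLA required, and a legacy server.
SAMPLE_CC_TLS = bytes.fromhex("030000130ed000001234000200080001000000")
SAMPLE_CC_NLA = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_CC_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for name, reply in (("tls", SAMPLE_CC_TLS), ("nla", SAMPLE_CC_NLA), ("legacy", SAMPLE_CC_LEGACY)):
        print(name, "->", verdict(parse_connection_confirm(reply)))
```

probe_rdp deliberately asks for TLS only: a server that enforces NLA cannot grant that and answers HYBRID_REQUIRED_BY_SERVER, whereas a server that accepts plain TLS lets a brute-forcing client reach the logon screen, which is exactly the kind of host the scanner described below is looking for. Run the probe only against hosts you are authorised to test.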
A search on Shodan reveals hundreds, if not thousands, of servers with RDP ports publicly exposed on the internet. If one of these is compromised, an attacker can gain access to other subnets of the network that are not reachable from the internet (helping them pivot further into the enterprise network), steal sensitive information, spy on individuals, and control industrial systems, among other things. The script in the figure below was used to run a Perl script psc2 (detected by Tre