Pierluigi Paganini November 26, 2020

Security expert Tolijan Trajanovski analyzed an SSH-backdoor Botnet that implements an interesting ‘Research’ infection technique.

In a recent tweet, the malware researcher @0xrb shared a list containing URLs of recently captured IoT botnet samples. Among the links, there was an uncommon example, a URL behind a Discord CDN, which as pointed by the IoT malware researcher @_lubiedo, may be difficult to block.

Summary: The malware author claims to be doing these infections for ‘research purposes’, or in his words to test which servers would stay active with infection unnoticed for the longest period (by infection we refer to adding users for remote ssh access). The ‘no harm research purposes’ claim is backed by making the final stage of the infection a shell-script rather than a compiled binary which would require more time to reverse engineer. Also, stage 1 binary payload is not obfuscated/packed. This botnet malware backdoors Linux devices with SSH access by adding users.

Interesting bits:
network IDS / blacklist evasion -> Discord CDN for binary distribution over HTTPS rather than VPS boxes (the typical way)
Anti-sandbox and EDR / Antivirus evasion -> Use of timeouts, removes logs and bash history, echoed hex-strings as intermediate payload

Stage 1:

The infection starts with fetching a shell-script from the URL below and executing it:
hxxps://cdn[.]discordapp.com/attachments/779820448182960152/780735645169352765/ugyuftyufydurdiytyabins.sh

When it comes to IoT/Linux botnets, the shell-scripts are typically used for downloading and executing cross-compiled binaries of the botnet. In this analysis, we’ll look at the binary sample compiled for Intel x86 CPU.

URL: htxxps://cdn[.]discordapp.com/attachments/780731895721492502/780732439554687006/x86
Binary name:x86
SHA256: 3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232
Virustotal: https://www.virustotal.com/gui/file/3a09d7ff4e492c9df2ddd9f547d0307d8e57dabebfb0bb8673c0c078deda6232/detection
The x86 sample is detected by 42/62 AV engines. This is not strange since the sample is not obfuscated using packers or string encoding. 

Stage 2:

The x86 sample (stage 1) makes an HTTP GET request to a URL: hxxp://45[.]11.181.37/…/vivid
The web server responds with a sequence of bytes that is piped to bash directly and not written to a file on the machine, as it is typically done with the echoed hex strings payload transfer technique, originally introduced by Hajime. The hex string resolves a sequence of shell commands fetched from the web server that instructs the victim device to perform the following:

1. Wait some time -> possible evasive behaviour against EDR/Antivirus and sandbox analysis
2. Downloads the Stage 3 Payload hxxp://gay[.]energy/…/os
3. Clears bash history 

Stage 3:

The stage 3 payload, os, is also a shell-script, it performs the following actions:

1. Adds users
2. Makes a request to a PHP server that registers the newly infected/backdoored devices. The registration request contains the port of the SSH server on the victim device , the OS name, number of CPUs and RAM+SWAP memory available on the device.
3. Removes logs and bash history

PHP server that handles registration of new infected devices: hxxp://gay[.]energy/WelcomeNewBotBuddy/OwO.php

Original analysis @ https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/

About the author: Tolijan Trajanovski (@tolisec)

Tolijan Trajanovski is a Cyber Security Researcher and a PhD Candidate at the University of Manchester, UK, specializing in IoT Security and Malware Analysis.

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]