Rewterz Threat Alert – Malicious NPM Packages Install njRAT

December 2, 2020

Rewterz Threat Advisory – Mozilla Thunderbird SMTP server response codes buffer overflow

December 3, 2020

Rewterz Threat Alert – Multi-Vector Miner and Tsunami Botnet with SSH Lateral Movement

December 2, 2020

Severity

Medium

Analysis Summary

A botnet is detected that propagates using weblogic exploit. The botnet carries two payloads: 1) a Monero XMR Miner binaries; and 2) Tsunami binaries. This botnet is primarily targeting cloud servers. In September, an earlier version of the botnet was exploiting misconfigured docker API. Interestingly, the current botnet version contains unused code for exploiting Redis and for bruteforcing SSH. The botnet achieves persistence in multiple ways; kills running processes, potentially competing mining tools and eliminates EDR. It uses base64 encoded intermediate stage shell-scripts and base64 encoded commands to download and execute python scripts. Tsunami is added as a second payload, in addition to Monero XMR miner.
It makes use of the Oracle WebLogic RCE exploit CVE-2020-14882. The campaign uses multiple shell-scripts and python-scripts with different dropping locations and connects to binary hosting webservers using hardcoded IP addresses and domains.

The stage 1 executes two payloads, a shell script, xms, and a python script. The shellscript xms is piped to bash from curl, in case that fails, it is fetched with wget, executed and removed, to prevent analysis. The python script is fetched and executed using base64 encoded commands to avoid detection and analysis. The xms shell script attempts to infect hosts that the server has been previously connected to. It also lists running processes to grab information about active SSH connections. The XMR Miner is also targeting Windows servers which is evident by the presence of .exe binaries in the same ftp server.

Impact

Unauthorized Remote Code Execution
Unauthorized Access
Process Termination
Detection Evasion
Unauthorized Resource Consumption

Indicators of Compromise

Domain Name

icanhazip[.]com
bash[.]givemexyz[.]in
pool[.]supportxmr[.]com
xmr[.]givemexyz[.]in

MD5

01581ccc96ce7ccc15205bb859d9e6bd
cd7ca50a01fc9c6e8fdc8c3d5e6100f0
8bfc072d37f41190515f8dc00a59fb2e
5954b9c0ee8490f6f1215bace6f6c6e4
ee48aa6068988649e41febfa0e3b2169
c4d44eed4916675dd408ff0b3562fb1f
5f15d232552301b9e53d597666f610ad
528cfc90fd59af990c2ebc18c0df9b47
790c54d34b09f078a24cf27d6c91740e
9a9a2ffdfa4d2586eef0d1d987b57e9e
8bcf9e1f24093bbf32fbbc3630a0153c
eefc0ce93d254982fbbcd26460f3d10d
b1fc3486f3f4d3f23fcbf8b8b0522bf8
f0551696774f66ad3485445d9e3f7214

SHA-256

72acbfdeadfa31d7ccda7fdcc93944b1948e263239af8850e5b44c518da0a4c5
fdc7920b09290b8dedc84c82883b7a1105c2fbad75e42aea4dc165de8e1796e3
35e45d556443c8bf4498d8968ab2a79e751fc2d359bf9f6b4dfd86d417f17cfb
6f7393474c6f3c452513231d1e3fa07ed9dcc8d53a1bb2d680c78e9aa03f8f9d
9b8280f5ce25f1db676db6e79c60c07e61996b2b68efa6d53e017f34cbf9a872
855557e415b485cedb9dc2c6f96d524143108aff2f84497528a8fcddf2dc86a2
22e3611cb2b156c3dc2d192b65707aac7787955d7dc120dfbc09aef8e12251b5
b07bf6e14050c1c56c9b80155417370b4704eb0655cfc18bb4259956162c3814
508ec039ca9885f1afc6f15bb70adfa9ed32f9c2d0bff511052edb39898951c7
8dbd281c98c8e176621566e3a77eb8a3b7ae4f254773d56f7033f903dd09a043
030f41373567846ee18716605dea3ef94d1861b9c32b664d25026d41c3557c00
9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2
1d804c5dfa6da0db4a4465232ad9117003df2ea8f0fc68d9e48700d4373a4568
1225cc15a71886e5b11fca3dc3b4c4bcde39f4c7c9fbce6bad5e4d3ceee21b3a

SHA1

2940e96f15345149143c53143a87fd9dce45d0ac
e632f6b93f9e3d3f90ac2068af0b9f1ccee3cd89
2d9600a0697de84522b4e65d9be02b9ed9352b4d
2132c65f23f8e5a3c533bfa4ab73562c476795e0
73c2099c703c9e644172ff58fd49622c06bf2784
57279a4f3ccd3f6abbc2c306682438234241598b
2847609cb04158c6f8e57ec65d63fabc68577a07
9173ca39c025c322864b05a1cd44c022925d7ffc
87fe997bb49499d1f743da9840618e30aeb5d24e
01ebd97e50edc39ade8cefacaffe5bef5c49bf15
adaaf46b2bd14a05e58a460e0e2115e696c182fa
bae9b44362654ef283cbd197bca4d2b3aca8868d
7bfa2404bc9733205d2374b92fb3ebf57410228f
d5f53aa9b9e9899fa511b199230159dfbf215dad

Source IP

205[.]185[.]116[.]78
66[.]70[.]218[.]40
209[.]141[.]35[.]17
104[.]244[.]75[.]25
198[.]98[.]57[.]217
194[.]156[.]99[.]30

URL

http[:]//205[.]185[.]116[.]78/b[.]py
http[:]//bash[.]givemexyz[.]in/dd[.]py

Remediation

Block the threat indicators at their respective controls.
Keep all systems and software updated to latest patched versions.
Maintain a strong password policy and enable multifactor authentication where possible.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us