/r/LinuxMalware

Posts of Linux / ELF malware and their botnets for RE purpose. This subreddit is modded, the site's contents are MalwareMustDie.org's @unixfreaxjp Linux threat research material.


2,075 Subscribers

0

Recent Linux ransomware

Recent #linux ransomware I reversed so far:
Akira, Monti, Abyss, Royal, Black Basta, LockBit, Hive, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX.

RE results will be released at a conference.

0 Comments
2023/08/24
05:47 UTC

5

Explanation about this subreddit (README)

This post elaborates the contents of this subreddit for the new design, which does not have a sidebar menu. The subreddit's posts of Linux / ELF malware are for RE purposes; they may help you learn to analyze Linux malware. This subreddit is single-modded and the site's contents are MalwareMustDie.org's @unixfreaxjp Linux threat research material. You may link to any of the contents or this subreddit with a mention of the original researcher (unixfreaxjp).

You can switch the view mode: RSS | Mobile | NewReddit | OldReddit

You may want to discuss my analysis, but I am not good at chatting; if you have a question, please upload your text from here.

So about the contents:

These are the latest Linux Malware cases I have reversed and posted:

And these are my older Linux malware analyses, which I call the "analysis museum":

..and lastly, you may also want to visit other similar subreddits too, like:

  • [/r/Malware]

  • [/r/ReverseEngineering]

Cheers! - unixfreaxjp -

0 Comments
2023/02/15
18:18 UTC

6

Linux/NGioWeb

1 Comment
2021/04/10
06:41 UTC

4

Linux/DGAbot

1 Comment
2021/04/05
17:42 UTC

11

About shellcode basics and analyzing them in radare2 (online tutorial w/Video, Slides & Q/A)

0 Comments
2020/12/16
18:38 UTC

5

Linux/Hoho a.k.a "DarkNexus" (memo)

1 Comment
2020/06/03
21:52 UTC

3

Linux/Rebirth or Vulcan in 2020 (Gaygyt evolved)

2 Comments
2020/05/29
09:54 UTC

5

Linux/Gafgyt SNoOpy

1 Comment
2020/05/29
09:52 UTC

6

[Announcement] My own kernelmode[.]info Linux/Malware reports are merged in here

As some of you may know, I was involved in contributing Linux/Malware analysis at the kernelmode.info forum before I left it.

I would like to announce that the 16 threads of Linux/Malware analysis, either ones I first initiated or threads that carried my analysis and writing efforts, are all backed up and merged into this repository successfully. The backup only takes the first page of each thread due to the size limitation of the storage; however, it is important as proof of the malware that was first found or first named during the MMD effort, and those were decided on my analysis desk.

What I wrote on the kernelmode forum is important because at the time I thought I was among friendlies; therefore, under that strong level of trust, many Linux/Malware threat analysis insights were shared there.

The data has been successfully saved as offline web pages, and for this repository's purpose only the first page is shared, via a link to a GitHub storage account as open source (feel free to analyze them).

Note (THIS IS IMPORTANT!): as long as you don't click the URLs/links in those saved pages and just read them and "go back" here after reading, you will only browse the first page under GitHub's service/host environment (again, please note this). If you want to read further and click some links on that first page, you will be redirected to the "Archive of KernelMode" server located at the ISP and network details below. I have nothing to do with that service and I don't know who is managing it; you access it at your own risk (risk like, e.g., your access being recorded by unknown parties, etc.; I don't know..):

    IP: 81.95.1.72
    FQDN hostname: mif.h5l.org.
    ASN: AS201011
    ISP: OxygemDigital Inc, Victoria
    Country: Seychelles

To recognize those migrated threads you can grep for the characters "^KM" in the right-side menu list of Linux malware; if you did it well, this is the list that has been added:

(65) : - Linux/Pscan and SSHscan ^KM

(71) : - Linux/KillFile ^KM

(75) : - Linux/BangSyn ^KM

(85) : - Linux/DTool ^KM

(95) : - Linux/Bashdoor (Gafgyt/Torlus/Qbot) 1st found ^KM

(101): - Linux/Encoder ^KM

(107): - Linux/Torte ^KM

(123): - Linux/XorDDOS first found/rpt ^KM

(143): - Linux/ChinaZ "the beginning" 1st found ^KM

(145): - Linux/GoARMBot ^KM

(149): - Linux/AESDDoS ^KM

(153): - Linux/.Iptables or Iptablex ^KM

(159): - Linux/Mayhem ^KM

(161): - Linux/BossaBot ^KM

(167): - Linux/Elknot ^KM

(179): - Linux/Kaiten (Tsunami) ^KM

Lastly, I would like to thank kernelmode moderator @Xylit0l, who kindly allowed the backing up process to run smoothly, and to acknowledge the merge of the backups into this repository.

So please help yourself to read those analyses. Many of them have not been covered elsewhere due to my limited time to write for MMD blogs or other reporting forms.

I really hope that the /r/LinuxMalware subreddit can be used as a future and stable medium for posting Linux malware research, as a rich repository for the future and for learning from the past; all of the data posted here is backed up before being posted.

In the future, after the mechanism of the subreddit is mastered, I will share posting access with others. There is much more analysis data that needs to be built first; I will need at least another year to clean up the backlog of reports I made in the past.

Thank you and best regards

mmd0xFF

0 Comments
2020/05/23
21:18 UTC

1

Linux/Mirai Hilix

In my opinion, this Mirai is interesting, since the TABLE_SCAN* (etc.) stuff is encoded with a "new" encoder, not a decrypter.

Let's see this encoder in x86-32 assembly:

    0x08050d90  56        push esi  
    0x08050d91  53        push ebx  
    0x08050d92  8b4c2414  mov ecx, dword [arg_ch] // ecx = Length
    0x08050d96  8b74240c  mov esi, dword [arg_4h] // esi = var_Pos
    0x08050d9a  8b5c2410  mov ebx, dword [arg_8h] // ebx = var_CryptedStr
    0x08050d9e  85c9      test ecx, ecx // check length
,=< 0x08050da0  740d      je 0x8050daf  
|   0x08050da2  31d2      xor edx, edx // edx = counter = 0
|   ;
.--> 0x08050da4  8a041a    mov al, byte [edx + ebx] // AL holds CryptedStr char(counter=array)
:|   0x08050da7  880432    mov byte [edx + esi], al // AL stored CryptedStr w/addition (Length)
:|   0x08050daa  42        inc edx      // counter++
:|   0x08050dab  39ca      cmp edx, ecx // compare counter (edx) to length (ecx)
`==< 0x08050dad  75f5      jne 0x8050da4
 |   ; 
 `-> 0x08050daf  5b        pop ebx
     0x08050db0  5e        pop esi

It's equivalent to something like this in C:

    #include <stddef.h>

    /* Equivalent of the asm loop above: a plain byte-by-byte copy of
       var_StrLength bytes from var_CryptedStr into var_Pos. The post's
       pseudocode used an invalid C name (2NDDECODER) and omitted types. */
    // asm loop logic:
    // mov al, byte [edx + ebx]  ; edx = var_count
    // mov byte [edx + esi], al  ; *esi = *var_CryptedStr
    // inc edx
    void decoder_2nd(unsigned char *var_Pos, const unsigned char *var_CryptedStr, size_t var_StrLength)
    {
        size_t var_count;
        if (var_StrLength != 0)           /* test ecx, ecx / je */
        {
            var_count = 0;                /* xor edx, edx */
            do {
                *(var_Pos + var_count) = *(var_CryptedStr + var_count);
                var_count = var_count + 1;
            } while (var_count != var_StrLength);   /* cmp edx, ecx / jne */
        }
        return;
    }

Some analysis screenshots are here & I announced it on Twitter too for blocking and IDC cleanup purposes.

Samples & file types are in these hashes:

    MD5 (Hilix.arm) = 7a5e717aa86fd986d9aef089c6e07bcd
    MD5 (Hilix.m68k) = 8293c25c4c759654ea72342750a91170
    MD5 (Hilix.mips) = 94008c192bd62432fbacede828e2c497
    MD5 (Hilix.ppc) = 749d282b6ff9e1b9390201173af694c0
    MD5 (Hilix.sh4) = 34307f52ba4a81d94058c130df146c5a
    MD5 (Hilix.spc) = 84d45afab65260068009911871f5babd
    MD5 (Hilix.x86) = ec413215dc385d95e1c89d9bda44de4d
    Hilix.arm:  ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
    Hilix.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
    Hilix.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    Hilix.ppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
    Hilix.sh4:  ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
    Hilix.spc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
    Hilix.x86:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

0 Comments
2020/05/13
16:06 UTC

5

Linux/Kaiji

Following threat intelligence aimed at Frontier networks containers, I analyzed this unknown new Linux (DDoS tool) malware made in Go with China origin (see @unixfreaxjp's comment at VirusTotal), named it Linux/Kaiji, and announced first awareness w/screenshots on Twitter. More of my insight comments are in this interview.

0 Comments
2020/05/05
07:43 UTC

4

[remake] 2 minutes ARM32 RE crash course to grab Mirai hexstring (telnet-loader) payloads on recent FBOT's botnet infection.

0 Comments
2020/04/28
13:47 UTC

2

Easy tutorial to dissect any pushed hexstrings IoT malware loader URL

0 Comments
2020/04/19
11:37 UTC

0

How Kaiten(Tsunami) w/STD base code has evolved now (MMD twitter)

0 Comments
2020/04/19
07:15 UTC

3

(memo) RHOMBUS an ELF bot installer/dropper

A newly seen ELF IoT bot's dropper/installer; I first handled these hashes for Intel 64-bit & ARM 32-bit, along with other architectures.

It's spotted under the file naming RHOMBUS.{arch}:

b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784
83e4fb6e5b042c15c035f399d286690f0382c01b43b84898564315951bb1c375

Several explanations:

Basically this is an ELF malware installer (and dropper); it drops another ELF as payload & sets a cron entry as "autostart" for it. The installed payload is a bot client (embedded in the dropper). It seeks the /tmp directory path, extracts the embedded binary data and creates the file "/tmp/fileXXXXXX" (X = combination of permutated strings), e.g. "fileCo70r0", then it saves the executable code into the dropped ELF bot binary.

The dropped ELF binary is the payload, a DDoS bot client that has basic stuff like remote execution, receiving bot commands, encrypted traffic functions, etc.; see below for details.

The interesting part of the dropper is that, after dropping the payload, it installs persistence startup to "/etc/cron.hourly/0", lastly executes the dropped binary and then cleans itself up. The dumped embedded ELF has the hash 269029c1554b13c3eccfaacf0196ff72 (you can check this hash after you drop / extract the embedded part).

How to detect it by behavior at a glance:

The dropped binary is a bot client that will print "IVEBEENEXECUTED" on execution, and makes the following network connections:

1. listens on (binds to 127.0.0.1) TCP/12645 < likely a command receiver port
2. calls back to C2 (binds to LOCALIP:HIGHPORTS) at 209.126.69.167:2020 (IP = AS6428 River City Internet Group, Primary Networks, USA)

PS: The source of this infection is also from a USA network: 104.244.72.54 on AS53667 at PonyNET; honeypots detected it:

104[.]244[.]72[.]54/RHOMBUS.sh4
104[.]244[.]72[.]54/RHOMBUS.x86
104[.]244[.]72[.]54/RHOMBUS.arm5
104[.]244[.]72[.]54/RHOMBUS.x86_64
104[.]244[.]72[.]54/RHOMBUS.mpsl

Interesting strings in the embedded (or dropped) binary, aka the payload, are:

    0xZ6c8 48 47 %s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n
    0x_1bd 5 4 \b\n\n\n
    0x_1d0 9 8 hlLjztqZ
    0x_220 21 20 npxXoudifFeEgGaACScs
    0x_235 8 7 +0-#'I
    0x_2a8 15 14 Unknown error
    0x_2c0 8 7 Success
    0x_e1d 8 7 /bin/sh

Some encrypted strings are intact; you can "grep" these:

    0x_6f8 7 6 {inod\f
    0x_6ff 5 4 snnu
    0x_704 10 9 0110biho\f
    0x_70e 9 8 edg`tmu\f
    (etc)

So, what is this threat anyway?

We were suspecting this ELF dropper is part of a new ELF/Linux DDoSer with a new installer; the possibilities were varied, maybe CLOUDSNOOPER or..., and, well, in the end it is just a dropper to drop "another" DDoSer bot (one of the kind of Gafgyt, Kaiten, Mirai and such), just another newly coded one.. made by skids in the DDoS ecosystem.

How the payload works in general:

The payload has these functions:

  1. C2 command receiver
  2. Execution of DoS attack variations
  3. Sending data to C2 of compromised device
  4. Has a remote command execution that can be used to execute downloaded file or crafted pushed command
  5. Encryption to process config and receive/transmit comms.

In detail it works as follows:

After static reversing & decrypting payloads distributed via the dropper, and also decrypting/analyzing more recent samples distributed w/o the dropper, it shows that the connection to C2 will trigger the real activity of this bot (decryption of transmission data, processing received commands, and offensive execution of five DoS attack command variations, including one that sub-packets forged "urg", "ack", "rst", "fin", "psh" attacks, another with the "0" or "1" sub attack types, and there's also L7 flood spoofing for HTTP/1.1 too).

The transmission data uses encryption (XOR based), which is also used for processing the embedded & hard-coded config in the bot client, and also the one pushed through the listening port.

Activities invoked are not only processing bot commands but also command execution triggered by "sh -c" on the system compromised by this bot.

The C2 will be sent (with the write method) encrypted data through the connected socket from the bot client, containing bot info and networking (IP) data with this string:

    "jm:%s:%d" OR "jm:_:%d"

The infrastructure used by the adversaries to spread the payload and as C2 is listed so far as follows; you should block these:

    IP              | rDNS                                  | ASN   | Prefix           | AS name          | CC
    209.126.69.167  | I167.datasoft.ws.                     | 6428  | 209.126.64.0/20  | CDM              | US
    45.135.134.132  |                                       | 51659 | 45.135.134.0/23  | ASBAXET          | RU
    167.172.128.4   |                                       | 14061 | 167.172.128.0/20 | DIGITALOCEAN-ASN | US
    205.185.122.243 | google-public-dns-a.google.com.(fake) | 53667 | 205.185.112.0/20 | PONYNET          | US

Still, I haven't had enough time to check on this thoroughly, currently busy w/other work too; I am sure I am still missing one or two, so please add or comment, and I will update the info regularly.

Let's call this new threat "RHOMBUS". The OpenIOC is here.

1st found credit: 0xrb (thank you).

10 Comments
2020/03/11
20:42 UTC
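The behavioral indicators in the RHOMBUS post above (the 127.0.0.1:12645 listener, the callback to 209.126.69.167:2020, the /etc/cron.hourly/0 persistence, the /tmp/fileXXXXXX drop name, the "IVEBEENEXECUTED" and "jm:%s:%d" payload strings, the infrastructure table and the defanged loader URLs) can be turned into a small host triage check. The script below is an added example, not unixfreaxjp's code or anything from the post: the indicator values are copied from the post, the input lines are constructed samples, and the socket-line layout (`<proto> <local>:<port> <remote>:<port> <state>`, in the style of `ss`/`netstat` output) is an assumption you would adapt to your own telemetry.

```python
"""RHOMBUS behaviour/IoC triage helper (added example, not the post's code).

Indicators are copied from the post above; sample inputs are constructed;
the socket-line format is an assumption (ss/netstat style).
"""
import re

# Indicators copied from the post.
C2_ENDPOINT = ("209.126.69.167", 2020)       # bot callback destination
LOCAL_LISTENER = ("127.0.0.1", 12645)        # local "command receiver" port
C2_INFRA_IPS = {"209.126.69.167", "45.135.134.132",
                "167.172.128.4", "205.185.122.243"}
DISTRIBUTION_IP = "104.244.72.54"            # honeypot-observed loader host
PERSISTENCE_PATH = "/etc/cron.hourly/0"
EMBEDDED_PAYLOAD_MD5 = "269029c1554b13c3eccfaacf0196ff72"
PAYLOAD_STRINGS = {"IVEBEENEXECUTED", "jm:%s:%d", "jm:_:%d"}
# "/tmp/fileXXXXXX" with six permutated characters, e.g. /tmp/fileCo70r0
DROP_PATH_RE = re.compile(r"^/tmp/file[0-9A-Za-z]{6}$")

# Assumed socket-line layout: "<proto> <laddr>:<lport> <raddr>:<rport> <state>"
SOCKET_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)")


def classify_socket(line):
    """Indicator names matched by one socket line (empty list if none)."""
    m = SOCKET_RE.match(line.strip())
    if not m:
        return []
    _proto, laddr, lport, raddr, rport, state = m.groups()
    hits = []
    if state == "LISTEN" and (laddr, int(lport)) == LOCAL_LISTENER:
        hits.append("rhombus_local_listener")
    if rport != "*" and (raddr, int(rport)) == C2_ENDPOINT:
        hits.append("rhombus_c2_callback")
    elif raddr in C2_INFRA_IPS:
        hits.append("rhombus_infra_contact")
    return hits


def classify_path(path):
    """Persistence and drop-location indicators for one filesystem path."""
    hits = []
    if path == PERSISTENCE_PATH:
        hits.append("rhombus_cron_persistence")
    if DROP_PATH_RE.match(path):
        hits.append("rhombus_tmp_drop_name")
    return hits


def classify_strings(strings_output):
    """Payload marker strings present in `strings` output of a suspect binary."""
    return sorted({s.strip() for s in strings_output} & PAYLOAD_STRINGS)


def classify_url(url):
    """Match plain or defanged ("[.]") loader URLs against the distribution host."""
    host = re.sub(r"^https?://", "", url.strip()).split("/")[0]
    host = host.replace("[.]", ".")
    return ["rhombus_distribution_host"] if host == DISTRIBUTION_IP else []


def triage(sockets=(), paths=(), strings_output=(), urls=(), md5s=()):
    """Aggregate every indicator hit into {indicator_name: [evidence, ...]}."""
    report = {}

    def add(name, evidence):
        report.setdefault(name, []).append(evidence)

    for line in sockets:
        for h in classify_socket(line):
            add(h, line.strip())
    for p in paths:
        for h in classify_path(p):
            add(h, p)
    for s in classify_strings(strings_output):
        add("rhombus_payload_string", s)
    for u in urls:
        for h in classify_url(u):
            add(h, u.strip())
    for digest in md5s:
        if digest.lower() == EMBEDDED_PAYLOAD_MD5:
            add("rhombus_embedded_payload_md5", digest)
    return report


# Constructed sample input (not captured from a real host).
SAMPLE_SOCKETS = [
    "tcp 127.0.0.1:12645 0.0.0.0:* LISTEN",
    "tcp 10.0.0.5:48211 209.126.69.167:2020 ESTABLISHED",
    "tcp 10.0.0.5:22 10.0.0.9:51000 ESTABLISHED",
]
SAMPLE_PATHS = ["/etc/cron.hourly/0", "/tmp/fileCo70r0", "/tmp/file.lock"]
SAMPLE_STRINGS = ["/bin/sh", "IVEBEENEXECUTED", "jm:%s:%d", "Success"]
SAMPLE_URLS = ["104[.]244[.]72[.]54/RHOMBUS.x86", "http://example.invalid/a.sh"]

if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_SOCKETS, SAMPLE_PATHS,
                                 SAMPLE_STRINGS, SAMPLE_URLS).items():
        print(name, "->", evidence)
```

The listener and callback checks are kept separate on purpose: the local 12645 listener is a host-only signal, while the 209.126.69.167:2020 callback and the other infrastructure IPs can also be matched at a network egress point, where the IP-level block list from the post applies.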

2

Checking on Linux/Mozi, trying to make a comeback (thread w/links to IOC)

2 Comments
2020/03/09
21:28 UTC

2

Some issues w/ recent Hajime IoT linux malware & its botnet

I made a thread on Twitter for this issue; hopefully this will improve the situation.

0 Comments
2020/03/08
13:00 UTC

5

New "SystemTen" botnet miner threat, now w/other "super savvy" LOL-packed ELF and.. "atomic" bash-base64 parsers :)

The threat is still there; thx RJ+Ceph for the fun poke of ELF bins. My unpacking and analysis of those bins is here (the IOC raw info is all in there too). Be aware of the low detection ratio.

Basically they still try, poorly (exec with deletion afterwards, no injection), to be fileless, with more "insane efforts" in the ELF packer, and a series of "bash"-parsed base64-encoded commands executed by "sh" as its bot installer, bot updater, miner installer and updater, with the flavor of onions, using the latest XMRig w/hardcoded pools.. shortly, it's a comeback.

Hint: Someone in PRC/China is persistently "sponsoring a serious big effort" in mass crypto-mining here.

MalwareMustDie!

4 Comments
2020/02/11
09:59 UTC

6

Linux ISO live boot w/radare2's r2Ghidra & R2DEC decompilers (multiple arch support) for Linux RE/DFIR

For the Linux RE (Binary Analysis)/DFIR circle: the only Linux ISO live boot for RE/DFIR folks pre-installed with radare2's r2Ghidra & R2DEC decompilers, Tsurugi Linux SECCON ed. (see ENGLISH text translation link)

For recent info & updates, see Tsurugi Linux site.

About radare2 (binary analysis tool web site; contribute here)

The ISO has been tested, released and used at SECCON 2019 Tokyo, Japan, December 21, 2019.

3 Comments
2019/12/24
05:31 UTC

6

My HACKLU2019 Keynote: Linux fileless malware infection, process injection and post-exploitation framework

I have done my keynote presentation at HackLU 2019 regarding the subject. The slides are 148 pages long and it was (had to be) done within 45 minutes. The conference folks can read the slides & watch the video slowly afterwards.

It was a nice LONG (45m) techie talk; the point of the presentation is better security and defense in relation to mitigating post-exploitation attacks using process injection, which leave all of us mostly with a fileless state. So, it explains the breakdown of post-exploitation attacks on Linux, how process injection can happen in user space, in the kernel or in ramdisk, and how the fileless state can be implemented; those explanations are needed in order for us to killchain these attacks in the future and prevent them better.

During the presentation I was trying to mix security ideology, technical concepts and actual incident cases with several examples that can make IR more practical and interactively involved in the talk, putting in several reverse engineering codes so that RE engineers who may see the talk can follow the flow of dissecting those cases.

As a follow-up from the talk, there are some reading takeaways and Q & A I have listed on the MalwareMustDie blog. I hope you find them useful for a better understanding of the slides and the video.

We don't share the material directly from any ranks of MMD openly; HackLU has them. TLP AMBER is applied in our team for sharing purposes, and we have a good explanation of it written in our blog. But if you are in the security field or in Linux development and you haven't reached the materials yet, feel free to PM me explaining about yourself and why you need to see them. We don't share it with unknown security people.

I am planning to make a defense workshop or hackathon for this kind of threat on Linux at the FIRST conference next year; if you are in IR maybe you could come and join the event so we can discuss and demo many approaches for this matter. I will let you know.

Thank you very much for reading and for your continued support.

1 Comment
2019/10/28
17:27 UTC

7

Fun in dissecting "LSD Packer" ELF GoLang Miner installer/loader made by "Hippies" China SystemTen (aka Rocke) Gang

5 Comments
2019/04/20
09:16 UTC

9

Analysis of (new) malware list post-MMD blog

The {full-list}

Hello. I made a few scattered analyses of new (mostly Linux) malware after the MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via IoT botnet post.

Let me sort them out before I completely forget where they are. Note: some of them are not Linux ones and I may have missed some posts, so you can also check them out in: VirusTotal's comments, kernelmode / grep author "unixfreaxjp", or the Linux Malware subreddit. You may also want to check the older list for older analyses. Thanks for your support!

These are the latest:

Mirai/Fbot new version is back with strong infection pace

New SystemTen/Rocke miner dropper ELF

Linux/Fbot - new encryption explained

ICS related ELF

Linux/Mozi - MIPSEL - the strings after unpacking

Linux/AirDropBot - new threat, full analysis

Unpacking Linux/Neko Packed MIPS

Raccoon stealer recent infection in the wild

Dissecting on memory post exploitation powershell beacon w/ radare2

Previous ones:

Honda Car's Panel's Rootkit from China

Linux/SystemTen

Linux/Httpsd

Linux/SS(Shark)

Linux/DDoSTF today

GoARM.Bot + static strip ARM ELF by ChinaZ

Linux/ChinaZ Edition 2

Linux/CarpeDiem

Linux/Haiduc (bruter/memo)

Linux/Vulcan

Linux/HelloBot

Linux/Cayosin

Linux/DDoSMan

Linux/Mirai-Miori

Linux/Mandibule (Process Injector)

So Many Mirai..Mirai on the wall)

Today's Kaiten & PerlDDoS

Linux/STD bot

Linux/Kaiten (modded ver) in Google clouds

Linux/Qbot or GafGyt ...in Kansas city?

ChinaZ gang is back to shellshock drops Elknot abuses USA networks

Intel POPSS Vulnerability PoC Reversed

Win32/TelegramSpyBot

Win32/WaRAT

Win32/Bayrob

OSX/MugTheSec

OSX/MachO-PUP (a quickie)

Webshell/r57shell

*) Enjoy! #MalwareMustDie!

1 Comment
2019/04/06
17:38 UTC
