/r/LinuxMalware
Posts of Linux / ELF malware and their botnets for RE purpose. This subreddit is modded, the site's contents are MalwareMustDie.org's @unixfreaxjp Linux threat research material.
Latest Linux Malware cases:
on-going Linux/Kaiji
Linux Malware Analysis Museum:
Linux/Bashdoor (Gafgyt/Torlus/Qbot) (first router campaign case; actor: LizardSquad)
Linux/Bashdoor (Gafgyt/Torlus/Qbot) (1st found in shellshock; actor: LizardSquad)
Recent #linux ransomware I reversed so far:
Akira, Monti, Abyss, Royal, Black Basta, LockBit, Hive, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX.
RE results to be released at a conference.
This post is to elaborate the contents of this subreddit, for the new design that does not have a sidebar menu. The subreddit's posts of Linux / ELF malware are for RE purposes; they may help you learn to analyze Linux malware. This subreddit is single-modded and the site's contents are MalwareMustDie.org's @unixfreaxjp Linux threat research material. You may link to any of the contents or this subreddit with a mention of the original researcher (unixfreaxjp).
You can switch the view mode: RSS | Mobile | NewReddit | OldReddit
You may want to discuss my analysis, but I am not good at chatting; if you have a question, please upload your text from here.
So about the contents:
These are the latest Linux Malware cases I have reversed and posted:
And these are my older Linux malware analyses, which I call the "analysis museum":
..and lastly, you may also want to visit other similar subreddits too, like:
/r/Malware
/r/ReverseEngineering
Cheers! - unixfreaxjp -
As some of you may know, I was involved in contributing Linux/Malware analysis to the kernelmode.info forum before I left it.
I would like to announce that the 16 threads of Linux/Malware analysis, either ones I initiated or threads that carried my analysis and writing efforts, have all been backed up and merged into this repository successfully. The backup only takes the first page of each thread due to the size limitation of the storage; however, it is important as proof of which malware was first found or first named during the MMD effort and decided on my analysis desk.
What I wrote in the kernelmode forum is important because at the time I thought I was among friendlies; therefore, under that strong level of trust, many Linux/Malware threat analysis insights were shared over there.
The data has been successfully saved as offline web pages, and for this repository's purpose only the first page is shared, via a link to a GitHub storage account, as open source (feel free to analyze them).
Note (THIS IS IMPORTANT!): as long as you don't click the URLs/links in those saved pages and just read them and "go back" here after reading, you will only browse the first page under GitHub's service/host environment (again, please note this). If you want to read further and click some links on that first page, you will be redirected to the "Archive of KernelMode" server located at the ISP and network detailed below. I have nothing to do with the service and I don't know who is managing it; you access it at your own risk (risk like, i.e., your access can be recorded by unknown parties, etc.; I don't know..):
IP: 81.95.1.72
FQDN hostname: mif.h5l.org.
ASN: AS201011
ISP: OxygemDigital Inc, Victoria
Country: Seychelles
To recognize those migrated threads you can grep for the characters "^KM" in the right-side menu list of Linux malware, and if you did it well, this is the list that has been added:
(65) : - Linux/Pscan and SSHscan ^KM
(71) : - Linux/KillFile ^KM
(75) : - Linux/BangSyn ^KM
(85) : - Linux/DTool ^KM
(95) : - Linux/Bashdoor(Gafgyt/Torlus/Qbot 1st found ^KM
(101): - Linux/Encoder ^KM
(107): - Linux/Torte ^KM
(123): - Linux/XorDDOS first found/rpt ^KM
(143): - Linux/ChinaZ "the beginning" 1st found ^KM
(145): - Linux/GoARMBot ^KM
(149): - Linux/AESDDoS ^KM
(153): - Linux/.Iptables or Iptablex ^KM
(159): - Linux/Mayhem ^KM
(161): - Linux/BossaBot ^KM
(167): - Linux/Elknot ^KM
(179): - Linux/Kaiten (Tsunami) ^KM
Lastly, I would like to thank kernelmode moderator @Xylit0l, who kindly allowed the backup process to run smoothly, and to acknowledge the merge of the backups into this repository.
So please help yourself to read those analyses. Many of them have not been covered elsewhere due to my limited time for writing MMD blogs or other reporting forms.
I really hope that the /r/LinuxMalware subreddit can be used as the future, stable medium for posting Linux malware research, as a rich repository for the future and for learning from the past; all of the data posted here is backed up before being posted.
In the future, after the mechanics of the subreddit are mastered, I will share posting access with others. There is much more analysis data that needs to be built first; I will need at least another year to clean up the backlog of reports I made in the past.
Thank you and best regards
mmd0xFF
In my opinion, this Mirai is interesting, since the TABLE_SCAN* (etc.) stuff is encoded with a "new" encoder, not a decrypter.
Let's see this encoder in x86-32 assembly:
0x08050d90 56 push esi
0x08050d91 53 push ebx
0x08050d92 8b4c2414 mov ecx, dword [arg_ch] // ecx = Length
0x08050d96 8b74240c mov esi, dword [arg_4h] // esi = var_Pos
0x08050d9a 8b5c2410 mov ebx, dword [arg_8h] // ebx = var_CryptedStr
0x08050d9e 85c9 test ecx, ecx // check length
,=< 0x08050da0 740d je 0x8050daf
| 0x08050da2 31d2 xor edx, edx // edx = counter = 0
| ;
.--> 0x08050da4 8a041a mov al, byte [edx + ebx] // AL holds CryptedStr char(counter=array)
:| 0x08050da7 880432 mov byte [edx + esi], al // AL stored CryptedStr w/addition (Length)
:| 0x08050daa 42 inc edx // counter++
:| 0x08050dab 39ca cmp edx, ecx // compare counter (edx) to length (ecx)
`==< 0x08050dad 75f5 jne 0x8050da4
| ;
`-> 0x08050daf 5b pop ebx
0x08050db0 5e pop esi
It's equivalent to something like this in C:
// asm loop logic:
//   mov al, byte [edx + ebx]   ; edx = var_count, ebx = var_CryptedStr
//   mov byte [edx + esi], al   ; esi = var_Pos
//   inc edx
// (the routine was written as 2NDDECODER in the notes; a C identifier
//  cannot start with a digit, so it is spelled DECODER_2ND here)
void DECODER_2ND(unsigned char *var_Pos, const unsigned char *var_CryptedStr, unsigned int var_StrLength)
{
    unsigned int var_count;                    // edx
    if (var_StrLength != 0)                    // test ecx, ecx / je
    {
        var_count = 0;                         // xor edx, edx
        do {
            *(var_Pos + var_count) = *(var_CryptedStr + var_count);
            var_count = var_count + 1;         // inc edx
        } while (var_count != var_StrLength);  // cmp edx, ecx / jne
    }
    return;
}
Some analysis screenshots are here, and I announced it on Twitter too for blocking and IDC cleanup purposes.
Samples & file types are in these hashes:
MD5 (Hilix.arm) = 7a5e717aa86fd986d9aef089c6e07bcd
MD5 (Hilix.m68k) = 8293c25c4c759654ea72342750a91170
MD5 (Hilix.mips) = 94008c192bd62432fbacede828e2c497
MD5 (Hilix.ppc) = 749d282b6ff9e1b9390201173af694c0
MD5 (Hilix.sh4) = 34307f52ba4a81d94058c130df146c5a
MD5 (Hilix.spc) = 84d45afab65260068009911871f5babd
MD5 (Hilix.x86) = ec413215dc385d95e1c89d9bda44de4d
Hilix.arm: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
Hilix.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Hilix.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Hilix.ppc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Hilix.sh4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Hilix.spc: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Hilix.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Following threat intelligence aimed at Frontier networks' containers, I analyzed this unknown new Linux (DDoS tool) malware written in Go with China origin (see @unixfreaxjp's comment at VirusTotal), named it Linux/Kaiji, and announced first awareness with screenshots on Twitter. More of my insight comments are in this interview.
A newly seen ELF IoT bot's dropper/installer. I first handled these hashes for Intel 64-bit and ARM 32-bit, along with other architectures.
It's spotted under the file naming RHOMBUS.{arch}:
b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784
83e4fb6e5b042c15c035f399d286690f0382c01b43b84898564315951bb1c375
Several explanations:
Basically this is an ELF malware installer (and dropper): it drops another ELF as payload and sets a cron entry as "autostart" for it. The installed payload is a bot client (embedded in the dropper). It seeks the /tmp directory path, extracts the embedded binary data and creates the file "/tmp/fileXXXXXX" (X = a permutation of characters), e.g. "fileCo70r0", then saves the executable code into the dropped ELF bot binary.
The dropped ELF binary is the payload, a DDoS bot client that has basic stuff like remote execution, receiving bot commands, encrypted traffic functions, etc.; see below for details.
The interesting part of the dropper is that, after dropping the payload, it installs persistence at startup via "/etc/cron.hourly/0", and lastly executes the dropped binary and then cleans itself up. The dumped embedded ELF has the hash 269029c1554b13c3eccfaacf0196ff72 (you can check this hash after you drop / extract the embedded part).
How to detect it by behavior at a glance:
The dropped binary is a bot client that will print "IVEBEENEXECUTED" on execution and makes the following network connections:
1. listens on (binds to 127.0.0.1) TCP/12645 (likely a command receiver port)
2. calls back to the C2 (bound to LOCALIP:HIGHPORTS) at 209.126.69.167:2020 (IP = AS6428 River City Internet Group, Primary Networks, USA)
PS: The source of this infection is also from a USA network: 104.244.72.54 on AS53667 at PonyNET; honeypots detected it:
104[.]244[.]72[.]54/RHOMBUS.sh4
104[.]244[.]72[.]54/RHOMBUS.x86
104[.]244[.]72[.]54/RHOMBUS.arm5
104[.]244[.]72[.]54/RHOMBUS.x86_64
104[.]244[.]72[.]54/RHOMBUS.mpsl
Interesting strings in the embedded (or dropped) binary, aka the payload, are:
0xZ6c8 48 47 %s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n
0x_1bd 5 4 \b\n\n\n
0x_1d0 9 8 hlLjztqZ
0x_220 21 20 npxXoudifFeEgGaACScs
0x_235 8 7 +0-#'I
0x_2a8 15 14 Unknown error
0x_2c0 8 7 Success
0x_e1d 8 7 /bin/sh
Some encrypted strings are intact; you can "grep" for these:
0x_6f8 7 6 {inod\f
0x_6ff 5 4 snnu
0x_704 10 9 0110biho\f
0x_70e 9 8 edg`tmu\f
(etc)
So, what is this threat anyway?
We were suspecting this ELF dropper is part of a new ELF/Linux DDoSer with a new installer (the possibilities varied, maybe CLOUDSNOOPER or..), and, well, in the end it is just a dropper to drop "another" DDoSer bot (one of a kind with Gafgyt, Kaiten, Mirai and such), just another newly coded one.. Made by skids in the DDoS ecosystem.
How the payload works in general:
The payload has these functions:
In detail it works as follows:
After static reversing and decrypting the payloads distributed via the dropper, and also decrypting/analyzing more recent samples distributed without the dropper, it shows that the connection to the C2 triggers the real activity of this bot (decryption of transmission data, processing received commands, and offensive execution of five DoS attack command variations, including one of sub-packeted forged "urg", "ack", "rst", "fin", "psh" attacks, another with the "0" or "1" sub-attack types, and there's also an L7 flood spoofing HTTP/1.1 too).
The transmission data uses encryption (XOR based), which is also used for processing the embedded and hard-coded config in the bot client, and also for the data pushed through the listening port.
Activities invoked are not only the processing of bot commands but also command execution triggered via "sh -c" on the system compromised by this bot.
The C2 will be sent (with the write method) encrypted data through the connected socket from the bot client, containing bot info and networking (IP) data with this string:
"jm:%s:%d OR "jm:_:%d
The infrastructure used by the adversaries to spread the payload and as C2 is listed so far as follows; you should block these:
IP | reverse DNS | ASN | prefix | AS name | country
209.126.69.167 | I167.datasoft.ws. | 6428 | 209.126.64.0/20 | CDM | US
45.135.134.132 | | 51659 | 45.135.134.0/23 | ASBAXET | RU
167.172.128.4 | | 14061 | 167.172.128.0/20 | DIGITALOCEAN-ASN | US
205.185.122.243 | google-public-dns-a.google.com. (fake) | 53667 | 205.185.112.0/20 | PONYNET | US
Still, I haven't had enough time to check on this thoroughly, as I am currently busy with other work too; I am sure I am still missing one or two, so please add or comment, and I will update the info regularly.
Let's call this new threat "RHOMBUS". The OpenIOC is here.
1st found credit: 0xrb (thank you).
I made a thread on Twitter for this issue; hopefully this will improve the situation.
The threat is still there; thanks RJ+Ceph for the fun poke at the ELF bins. My unpacking and analysis of those bins is here (the raw IOC info is all in there too). Be aware of the low detection ratio.
Basically they still try a poor (exec with deletion afterwards, no injection) effort to be fileless, more "insane efforts" in the ELF packer, and an execution series of "bash"-parsed base64-encoded commands executed by "sh".. as its bot installer, bot updater, miner installer and updater, with the flavor of onions, using the latest XMRig with hard-coded pools.. Shortly, it's a come-back.
Hint: Someone in the PRC/China is persistently "sponsoring a serious big effort" in mass crypto-mining here.
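The post above says the bot's strings and traffic are "XOR'ed basis" encrypted and lists four intact encrypted strings ({inod\f, snnu, 0110biho\f, edg`tmu\f). The following is an added example, not code from the post or from the RHOMBUS sample, showing how an analyst recovers such strings when the key is unknown: try every single-byte key, reject any key that yields unprintable output for any sample, and rank the rest by how much they look like text. It assumes the scheme is a single-byte XOR (the post only says "XOR'ed basis"), that the printed \f is the form-feed byte 0x0C, and it transcribes the four strings from the listing as constructed input; the key value is not stated anywhere on the page and is derived here only from that scoring.

```python
"""
Added example (not from the original post): single-byte XOR string recovery
for the kind of "encrypted strings" listed in the RHOMBUS write-up.

Assumptions the post does not state:
  * the samples below are transcribed from the post's listing, with the
    printed backslash-f read as the form-feed byte 0x0C;
  * the encoding is a single-byte XOR; the key is unknown and recovered
    by brute force, not taken from the post.
"""
from typing import List, Tuple

# Constructed input: the four "encrypted" strings as printed in the post.
ENCRYPTED_SAMPLES: List[bytes] = [
    b"{inod\x0c",
    b"snnu",
    b"0110biho\x0c",
    b"edg`tmu\x0c",
]

# Bytes accepted in a decoded string: printable ASCII plus TAB/LF/CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Bytes that make a candidate look like a real config/credential string.
LIKELY = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> int:
    """-1 if any byte is unprintable, otherwise the count of letters,
    digits and spaces (higher means more plausible plaintext)."""
    if any(b not in PRINTABLE for b in candidate):
        return -1
    return sum(1 for b in candidate if b in LIKELY)


def recover_key(samples: List[bytes]) -> Tuple[int, int]:
    """Brute-force all 255 non-zero single-byte keys against every sample
    and return (key, score) for the jointly most plausible decoding.
    Key 0x00 is skipped because it leaves the data unchanged, and a key
    is rejected as soon as one sample decodes to unprintable bytes."""
    best_key, best_score = -1, -1
    for key in range(1, 256):
        per_sample = [plausibility(xor_single_byte(s, key)) for s in samples]
        if min(per_sample) < 0:
            continue
        score = sum(per_sample)
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


def decode_samples(samples: List[bytes], key: int) -> List[str]:
    """Decode every sample with the recovered key. Trailing CR (0x0D)
    bytes are kept: they are part of the stored data and are themselves
    a useful grep handle once the key is known."""
    return [xor_single_byte(s, key).decode("ascii") for s in samples]


if __name__ == "__main__":
    key, score = recover_key(ENCRYPTED_SAMPLES)
    print(f"best key: 0x{key:02x} (score {score})")
    for raw, clear in zip(ENCRYPTED_SAMPLES, decode_samples(ENCRYPTED_SAMPLES, key)):
        print(f"{raw!r:18} -> {clear!r}")
```

The all-printable filter does most of the work: three of the four samples end in 0x0C, and only a handful of keys map that byte to something printable while keeping the letters and digits printable too, so the letter/digit score only has to break ties among a few survivors. Once the key is known, the same `xor_single_byte` call turns any plaintext of interest into the byte pattern to grep for in an unpacked binary.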
MalwareMustDie!
For the Linux RE (binary analysis)/DFIR circle: the only Linux live-boot ISO for RE/DFIR folks pre-installed with radare2's r2Ghidra and R2DEC decompilers, Tsurugi Linux SECCON ed. (see the ENGLISH text translation link).
For recent info and updates, see the Tsurugi Linux site.
About radare2 (binary analysis tool): web site; contribute here.
The ISO has been tested, released and used at SECCON 2019, Tokyo, Japan, December 21, 2019.
I have done my keynote presentation at HackLU 2019 on the subject. The slide deck is 148 pages long and it was (had to be) done within 45 minutes. The conference folks can read the slides and watch the video slowly afterwards.
It was a nice LONG (45m) techie talk; the point of the presentation is better security and defense, in relation to mitigating post-exploitation attacks using process injection that leave most of us with a fileless state. So, it explains the breakdown of post-exploitation attacks on Linux, how process injection can happen in user space, in the kernel or in the ramdisk, and how the fileless state can be implemented; those explanations are needed in order for us to kill-chain these attacks in the future and prevent them better.
During the presentation I was trying to mix ideology in security, technical concepts and actual incident cases with several examples that can make IR more practical, and to involve the audience interactively in the talk, putting in several reverse engineering code samples so that the RE engineers who see the talk can follow the flow in dissecting those cases.
As a follow-up from the talk, there are some reading takeaways and Q & A I have listed on the MalwareMustDie blog. I hope you find them useful for a better understanding of the slides and the video.
We don't share the material directly from any ranks of MMD openly; HackLU has them. TLP AMBER is applied in our team for sharing purposes, and we have a good explanation of it written on our blog. But if you are in the security field or in Linux development and you can't reach the materials yet, feel free to PM me, explaining about yourself and why you need to see them. We don't share it with unknown security people.
I am planning to make a defense workshop or hackathon for this kind of threat on Linux at the FIRST conference next year; if you are in IR maybe you could come and join the event so we can discuss and demo many approaches to this matter. I will let you know.
Thank you very much for the reading and always support.
The {full-list}
Hello. I made a few scattered analyses of new (mostly Linux) malware after the MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via IoT botnet post.
Let me sort them out before I completely forget where they are. Note: some of them are not Linux ones and I may have missed some posts, so you can also check them out in VirusTotal's comments, kernelmode (grep author "unixfreaxjp") or in the Linux Malware subreddit. You may also want to check the older list for older analyses. Thanks for your support!
These are the latest:
Mirai/Fbot new version is back with strong infection pace
New SystemTen/Rocke miner dropper ELF
Linux/Fbot - new encryption explained
Linux/Mozi - MIPSEL - the strings after unpacking
Linux/AirDropBot - new threat, full analysis
Unpacking Linux/Neko Packed MIPS
Raccoon stealer recent infection in the wild
Dissecting on memory post exploitation powershell beacon w/ radare2
Previous ones:
Honda Car's Panel's Rootkit from China
GoARM.Bot + static strip ARM ELF by ChinaZ
Linux/Mandibule (Process Injector)
So Many Mirai..Mirai on the wall
Linux/Kaiten (modded ver) in Google clouds
Linux/Qbot or GafGyt ...in Kansas city?
ChinaZ gang is back to shellshock drops Elknot abuses USA networks
Intel POPSS Vulnerability PoC Reversed
*) Enjoy! #MalwareMustDie!