Outlaw’s Botnet Spreads Miner, Perl-Based Backdoor
One of our honeypots detected a URL spreading a botnet with a Monero miner bundled with a Perl-based backdoor component.
by Augusto Remillano II and Byron Gelera
TrendMicro
June 13, 2019 https://www.trendmicro.com/en_us/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html
| Remarks |
|---|
| honeypot |
| URL |
| botnet |
| Monero |
| cryptocurrency miner |
| backdoor |
| Outlaw hacking group |
| Perl |
| SSH backdoor |
| DDoS |
| DDoS as a service |
| tar file |
| shell script |
| China |
| brute force |
| .x15cache |
| bash |
| payload |
| cron |
| anacron |
| territorial malware |
| rsync |
| obfuscation |
| Shellbot https://www.trendmicro.com/en_us/research/18/k/perl-based-shellbot-looks-to-target-organizations-via-cc.html |
| file download, command execution, and DDoS capabilities |
| dota2.tar.gz |
| SSH brute force |
| tsm32/tsm64 are scanning/propagation components of this botnet |
| /dev/shm |
| .satan – shell script that installs the backdoor as a service |
| hidden files |
| first observed by TrendMicro in 2018 |
| reconnaissance |
| UDP |
| IP address |
| port scan |
| APK file |
| Android |
| recommendation: close unused ports |
| recommendation: restrict needed ports |
| recommendation: security in depth |
| recommendation: block malicious URLs with filtering, behavioral analysis, and sandboxing |
Indicators of Compromise (IoCs)
| File name | SHA256 | Detection |
|---|---|---|
| rsync | 0d71a39bbd666b5898c7121be63310e9fbc15ba16ad388011f38676a14e27809 | Backdoor.Perl.SHELLBOT.AB |
| ps | bb1c41a8b9df7535e66cf5be695e2d14e97096c4ddb2281ede49b5264de2df59 | Backdoor.Linux.SSHDOOR.AB |
| cron | 4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d | Coinminer.Linux.MALXMR.UWEJN |
| anacron | 66b79ebfe61b5baa5ed4effb2f459a865076acf889747dc82058ee24233411e2 | Coinminer.Linux.MALXMR.UWEJN |
| tsm32 | 0191cf8ce2fbee0a69211826852338ff0ede2b5c65ae10a2b05dd34f675e3bae | Trojan.Linux.SSHBRUTE.A |
| tsm64 | 085d864f7f06f8f2eb840b32bdac7a9544153281ea563ef92623f3d0d6810e87 | Trojan.Linux.SSHBRUTE.A |
| URLs |
|---|
| 146[.]185[.]171[.]227:443 |
| C&C for Backdoor.Perl.SHELLBOT.AB - 5[.]255[.]86[.]129:3333 |
| C&C for Backdoor.Linux.SSHDOOR.AB - 54[.]37[.]70[.]249/.satan |
| 54[.]37[.]70[.]249/rp |
| hxxp://54[.]37[.]70[.]249/.x15cache |
| hxxp://54[.]37[.]70[.]249/dota2.tar.gz |
| hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk |
| APK file hosted on this server - hxxp://mage[.]ignorelist[.]com/dota.tar.gz |
| mage[.]ignorelist[.]com |
| zergbase[.]mooo[.]com |