Threat Research
New Worm Leverages Open Source Tools and GitHub to Build its Botnet
Sep 27, 2018

On September 19, 2018, Juniper Threat Labs discovered a new wave of attacks from a cryptominer worm targeting Linux servers, home networking devices, and IoT devices. The worm is bundled with a number of exploits so that it spreads rapidly and widely. The attack has three parts: infection, mining, and spreading.

Infection

A compromised machine downloads the following script from 185[.]10[.]68[.]163:

(Screenshot: image9.png)

The site 185[.]10[.]68[.]163 (or petey[.]cf) is a clone of a legitimate business website. It hosts the malware for the attack and acts as a command-and-control server. The compromised machine downloads two Linux shell scripts, miner.sh and scanner.sh, which are then executed in the background.

Mining

The mining script is as follows:

(Screenshot: image1.png)


First, the worm attempts to download and run two open-source cryptocurrency miners, one for Linux systems running on x86 hardware and another for ARM-based Linux systems such as the Raspberry Pi or IoT appliances. Both mine CryptoNight-based coins such as Monero. These coins are popular with cryptominers because, unlike Bitcoin, they can be mined efficiently on general-purpose computing hardware.

(Screenshot: mining.png)

After launching both cryptominers (at least one of which will fail due to hardware incompatibility) the worm achieves persistence by overwriting the user’s .bashrc startup script:

(Screenshot: image8.png)

Spreading

The second task is to spread infection as widely as possible. Although the mining script downloads binaries for both x86 and ARM, the propagation portion of the attack works only on x86-based machines.

(Screenshot: image4.png)

ZMap is a popular open-source tool for scanning the internet for available services. The scanner.sh script tries to intercept local network traffic and scans for services on port 80 (HTTP) and 22 (SSH). It then passes these lists of targets to the bruteforce_ssh binary. In addition to brute-forcing username/password combinations for SSH access, bruteforce_ssh also attempts remote code execution exploits against a variety of web applications, home routers, and IoT devices:
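
The brute-force stage described above leaves a recognisable trail in the sshd logs of every host it touches. The following is an added example, not code from the original post or from Juniper Threat Labs: a small Python detector that counts failed sshd logins per source address within a sliding window and, once a source crosses the threshold, records whether that same source later logged in successfully, which is the signal that a brute-force attempt turned into a compromise. The log lines, the hostname `web1`, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example; the threshold and window are assumptions you would tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not from the original post). The addresses
# come from documentation ranges and the timestamps are arbitrary.
SAMPLE_AUTH_LOG = """\
Sep 19 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 19 10:01:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Sep 19 10:01:04 web1 sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 51238 ssh2
Sep 19 10:01:05 web1 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Sep 19 10:01:06 web1 sshd[1205]: Failed password for invalid user ubnt from 203.0.113.5 port 51242 ssh2
Sep 19 10:01:08 web1 sshd[1206]: Accepted password for pi from 203.0.113.5 port 51244 ssh2
Sep 19 10:30:00 web1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep 19 10:31:00 web1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2018):
    """Return a dict with ts/result/user/ip for an sshd auth line, or None if it is not one.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2018 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window_seconds` window. Each alert records the peak failure count, the
    usernames tried, and whether the same source later authenticated successfully."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames attempted
    alerts = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            cutoff = ev["ts"] - timedelta(seconds=window_seconds)
            recent[ip] = [t for t in recent[ip] if t >= cutoff]   # slide the window
            recent[ip].append(ev["ts"])
            users[ip].add(ev["user"])
            if len(recent[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "users": [], "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(recent[ip]))
                alert["users"] = sorted(users[ip])
        elif ip in alerts:
            # A success from a source that was already brute-forcing is the compromise signal.
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
```

On the constructed log the detector flags 203.0.113.5 (five failures in four seconds across root, admin, pi and ubnt, then a successful password login as pi) and ignores 198.51.100.7, whose single failure followed by a key-based login is ordinary user behaviour.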

(Screenshot: image3.png)

From the captured traffic, we identified the following exploits being used by this worm to spread:

https://www.exploit-db.com/exploits/45427/
(Screenshot: 45427.png)

https://www.exploit-db.com/exploits/40212
(Screenshot: 40212.png)

https://blogs.securiteam.com/index.php/archives/3445
(Screenshot: 3445.png)

https://security.stackexchange.com/questions/176794/web-attack-cctv-dvr-remote-code-execution-node-j...
(Screenshot: swedish.png)

https://www.exploit-db.com/exploits/42114/
(Screenshot: 42114.png)

https://www.exploit-db.com/exploits/41499/
(Screenshot: 41499.png)

https://github.com/hahwul/mad-metasploit/blob/master/mad-metasploit-archive/exploits/linux/remote/45...
(Screenshot: 45124.png)

https://github.com/jpiechowka/jenkins-cve-2016-0792/blob/master/exploit.py
(Screenshot: jenkins.png)

https://www.exploit-db.com/exploits/40500/
(Screenshot: 40500.png)

https://www.exploit-db.com/exploits/41782/
(Screenshot: 41782.png)

https://www.exploit-db.com/exploits/31683/
(Screenshot: 31683.png)

https://www.exploit-db.com/exploits/43055/
(Screenshot: 43055.png)

https://www.exploit-db.com/exploits/42730/
(Screenshot: 42730.png)

https://www.exploit-db.com/exploits/44760/
(Screenshot: 44760.png)

Detections

The malware used in this campaign is detected on Sky ATP as Linux:Trojandownloader:Cryptominer and on JATP as LINUX_BRUTEFORCESSH.

(Screenshot: Screen Shot 2018-09-27 at 10.08.11 PM.png)

IOCs

Scripts:

047b8d7cf1641a0d7f6ce2c844a22b6b08317a8ff086620978f2bd40817475d8  miner.sh

2f89f8f0a5f3e7fde7551fb283ae8cc4ab198ca352a53dd3b8a1f5250bd05182  scanner.sh

c1108e6b20820df362c4325163a61e18e8381e13bd4dd6cc0fc23f84d1f12a2b  worldwest.sh

e79f51a7304275a6b9b9789019f1d356d2830a9a26888e3bc8e53ed4913cf1aa  .bashrc


Linux executables:

d6920ff5990cf7ad0a606589a5ed91aca6da1709462f9e784b74d1f990b1bf35  bruteforce_ssh

b298bbcae1fac85eb982396229beda78695bf634aae8b182f865951e1e3f29b0  bruteforce_ssh

c91fa48a979f8be95bbd2931e6c6b3425b7fba7ea6b87b05a8fbe856482b398f  bruteforce_ssh

c890d18fe3753a9ea4d026fc713247a9b83070b6fe40539779327501916be031  xrig_386

b8687ab465c280847193d36a67c390616933032db31932d8ac191041343b68f6  xrig_arm

a51578a7c0937e014b0ecfeefc18d291acfd59b54c5a77ff484b011d67bf38cc  tcpconnect_zmap

abbce2b9bd7ed54ed0183f4d619e0181fe56949594a0ca5cd3cdfbf94d8f66b4  zmap


IPs and domains:

petey[.]cf

185[.]232[.]64[.]161

185[.]232[.]64[.]163
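
As an added example (not part of the original post and not a Juniper tool), the script below turns the IOCs listed above into a host sweep a responder can run on a suspect Linux box. It hashes every file under a directory against the published SHA-256 values, which covers the dropped binaries and scripts as well as the overwritten .bashrc described under Mining, and it searches small text files for the C2 domain and addresses so that a modified startup script or dropper that references the infrastructure is caught even when its hash differs. The `demo()` function builds a constructed directory with made-up contents; the "demo-sample" hash it adds is not a real indicator, and the 1 MiB text-size limit is an assumption.

```python
import hashlib
import os
import re
import sys
import tempfile

# SHA-256 hashes and network indicators exactly as listed in the IOC section of the post.
IOC_SHA256 = {
    "047b8d7cf1641a0d7f6ce2c844a22b6b08317a8ff086620978f2bd40817475d8": "miner.sh",
    "2f89f8f0a5f3e7fde7551fb283ae8cc4ab198ca352a53dd3b8a1f5250bd05182": "scanner.sh",
    "c1108e6b20820df362c4325163a61e18e8381e13bd4dd6cc0fc23f84d1f12a2b": "worldwest.sh",
    "e79f51a7304275a6b9b9789019f1d356d2830a9a26888e3bc8e53ed4913cf1aa": ".bashrc",
    "d6920ff5990cf7ad0a606589a5ed91aca6da1709462f9e784b74d1f990b1bf35": "bruteforce_ssh",
    "b298bbcae1fac85eb982396229beda78695bf634aae8b182f865951e1e3f29b0": "bruteforce_ssh",
    "c91fa48a979f8be95bbd2931e6c6b3425b7fba7ea6b87b05a8fbe856482b398f": "bruteforce_ssh",
    "c890d18fe3753a9ea4d026fc713247a9b83070b6fe40539779327501916be031": "xrig_386",
    "b8687ab465c280847193d36a67c390616933032db31932d8ac191041343b68f6": "xrig_arm",
    "a51578a7c0937e014b0ecfeefc18d291acfd59b54c5a77ff484b011d67bf38cc": "tcpconnect_zmap",
    "abbce2b9bd7ed54ed0183f4d619e0181fe56949594a0ca5cd3cdfbf94d8f66b4": "zmap",
}
IOC_NETWORK = ["petey[.]cf", "185[.]10[.]68[.]163", "185[.]232[.]64[.]161", "185[.]232[.]64[.]163"]


def refang(indicator):
    """Turn a defanged indicator ('petey[.]cf') back into the form that appears in files."""
    return indicator.replace("[.]", ".")


NETWORK_RE = re.compile("|".join(re.escape(refang(i)) for i in IOC_NETWORK))


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_SHA256, network_re=NETWORK_RE, max_text_bytes=1 << 20):
    """Walk `root` and return (path, reason) pairs for files that either hash to a
    known sample or, if small enough to be a script, mention a known C2 host."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished; skip it rather than abort the sweep
            if digest in hashes:
                hits.append((path, f"sha256 matches known sample {hashes[digest]}"))
                continue
            if os.path.getsize(path) <= max_text_bytes:
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", "ignore")
                m = network_re.search(text)
                if m:
                    hits.append((path, f"references known C2 {m.group(0)}"))
    return hits


def demo():
    """Build a constructed directory (no real malware) and scan it; returns
    {filename: reason}. 'sample.bin' and its hash are made up for this demo."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    demo_bytes = b"constructed placeholder, not a real sample\n"
    files = {
        ".bashrc": b"# constructed startup script referencing the C2 host\nPETEY=http://petey.cf/\n",
        "notes.txt": b"nothing suspicious here\n",
        "sample.bin": demo_bytes,
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    extra = {hashlib.sha256(demo_bytes).hexdigest(): "demo-sample"}
    hits = scan_tree(root, hashes={**IOC_SHA256, **extra})
    return {os.path.basename(p): reason for p, reason in hits}


if __name__ == "__main__":
    # Usage: python ioc_sweep.py [directory]; defaults to the current user's home.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, reason in scan_tree(target):
        print(f"{path}: {reason}")
```

Running it against /home and /tmp on a suspect host checks both persistence (.bashrc) and the usual drop locations; a hash hit is conclusive, while a C2-reference hit on a text file is a lead that still needs a look at the file.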
