The Growing Threat of Malware Concealed Behind Cloud Services
2024-6-25 23:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:84 收藏

Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hosting methods lack.

Over the past month, FortiGuard Labs has been monitoring botnets that have adopted this strategy, abusing cloud services to enhance their malicious capabilities. These botnets, such as UNSTABLE and Condi, have been observed leveraging cloud storage and computing services operators to distribute malware payloads and updates to a broad range of devices. Using cloud servers for C2 operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack. We have also observed a threat actor exploiting multiple vulnerabilities to target JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21, and Ivanti Connect Secure to amplify their attacks. 

In this article, we will detail this threat actor's initial attack method and further explore the botnets being used.

UNSTABLE Botnet

Initial access by the UNSTABLE Botnet targets the JAWS Webserver RCE vulnerability, CVE-2016-20016, and retrieves the downloader script “jaws” from 45[.]128[.]232[.]15.

Figure 3: Downloader script "jaws"

It includes multiple binary files for 13 architectures executed using the parameter “jaws.exploit.” The UNSTABLE Botnet is a Mirai variant that uses XOR to encode its configuration. It has three main modules: exploitation, scanner, and DDoS attack. The exploitation module targets three vulnerabilities: CVE-2016-20016, CVE-2018-10561/10562, and CVE-2017-17215. 

Figure 4: Exploitation module

The scanner module includes a hard-coded list of usernames and passwords that it uses for brute-force scanning of other endpoints in the network.

root

Zte521

swsbzkgn

taZz@23495859

grouter

juantech

tsgoingon

telnet

pass

solokey

oelinux123

password

admin

tl789

svgodie

default

GM8182

t0talc0ntr0l4!

user

hunt5759

zhongxing

guest

telecomadmin

zlxx.

telnetadmin

twe8ehome

zsun1188

1111

h3c

xmhdipc

12345

nmgx_wapia

klv123

123456

private

hi3518

54321

abc123

7ujMko0vizxv

88888888

ROOT500

7ujMko0admin

20080826

ahetzip8

dreambox

666666

anko

system

888888

ascend

iwkb

1001chin

blender

realtek

xc3511

cat1029

00000000

vizxv

changeme

12341234

5up

iDirect

huigu309

jvbzd

nflection

win1dows

hg2x0

ipcam_rt5350

antslq

Figure 5: Scanner module and hard-coded username/password

The DDoS attack module is a typical list that covers several protocols. The UNSTABLE botnet contains nine methods: attack_tcp_ack, attack_tcp_syn, attack_tcp_legit, attack_tcp_sack2, attack_udp_plain, attack_udp_vse, attack_udp_thread, attack_gre_ip, and attack_method_nudp. The botnets can choose the appropriate method based on commands from its C2 server.

Condi DDoS Botnet

FortiGuard Labs previously disclosed the Condi DDoS botnet, which continues to exploit CVE-2023-1389 to gain control of devices and execute its malicious activities. The binary file is hosted on “45[.]128[.]232[.]90” for distribution.

Once a device is infected, the malware kills off the competition and specific processes. It then sets up a connection to a central Command and Control (C2) server, “trembolone[.]zapto[.]org.”

Figure 6: Checking list for terminating process

Figure 7: Get the updated version of Condi Botnet

UDP Flooder and Process Checker

FortiGuard Labs noticed the incident as the payload “ping -c 20 209.141.35.56,” which seemed unusual within such an attack. Since the IP address is neither the attack source nor the destination intranet, we suppose these two IP addresses, 45[.]128[.]232[.]229 and 209[.]141[.]35[.]56, might be controlled by the attacker simultaneously and one of them is a command and control (C2) server.

The attack source IP address, “45[.]128[.]232[.]229,” has four files named “msgbox.exe,” “udp,” “udparm,” and “udpmips,” respectively. These are DoS tools for different Linux architectures, except “msgbox.exe,” which pops up a message box with the string “RAT.”

The following analysis examines the “udp” file.

The tool has an unmistakable usage message, “Usage: %s <IP> <SECONDS> [PORT],” while executing without any arguments.

Figure 9: Execution tool without arguments

When executing with the necessary “IP” and “SECONDS” arguments, the tool triggers a UDP flooding DoS attack using system-generated random characters.

Figure 10: Execution tool with arguments

Figure 11: UDP flooding traffic

The IP address “209[.]141[.]35[.]56” pinged by the compromised device is exploited by the attack source IP address “45[.]128[.]232[.]229” using the CVE-2023-1389 vulnerability. It was first met with a page that the FBI has seized due to its use as a DDoS service (Figure 12). However, FortiGuard Labs found the IP address also has another route, “hxxp://209[.]141[.]35[.]56/getters/,” which contains 19 malware variants for different Linux architectures. (see Figure 13)

Figure 12: Website seized page

aarch64

microblazebe

aarch64be

microblazeel

arcle-750d

mips

arcle-hs38

mipsel

armv4l

nios2

armv5l

openrisc

armv6l

powerpc

armv7l

riscv64

i586

sh4

m68k

sparc

m68k-68xxx

x86_64-core-i7

m68k-coldfire

x86-core2

m68k-coldfire.gdb

x86-i686

xtensa-lx60

Figure 13: The malware for different Linux architectures

We focus on analyzing the file for architecture “x86-i686.” The malware creates a socket and checks whether the C2 server is valid. If not, it terminates the program. If the server is confirmed reachable, the malware sets up a connection with C2 server “45[.]128[.]232[.]229,” which is the exploit CVE-2023-1389 source IP address, executes the “ps” command, and gathers process-related output information.

Figure 14: Set C2 server IP address

The malware executes the command “ps -eo pid,comm --no-headers” through “/bin/bash” to get all process PIDs (Process IDs) and command names running without a header line.

Figure 15: Executes command

It then leverages the obtained PIDs (Process IDs) to further check the commands of those executing processes using “/proc/<PID>/comm.”

Figure 16: Read process command

Afterward, the malware sends related information to the C2 server.

Figure 17: Sending information to the C2 server

According to our analysis, the attackers seem to have a cloud command and control (C2) server (45[.]128[.]232[.]229) and a network-attached malware storage (209[.]141[.]35[.]56). The attacker first checks to see if the leveraged device can reach the network-attached malware storage to download malware and execute the following attack stages.

Skibidi

This malware, which we named “Skibidi,” was spread by the attacker using two different vulnerabilities simultaneously. One is CVE-2023-1389 in TP-Link Archer AX21, which botnets have continuously exploited since it was launched, as detailed in the report produced by FortiGuard Lab. The other is CVE-2024-21887 in Ivanti Connect Secure, which caused a sensation in April 2024.

Figure 18: Attack traffic through Ivanti Connect Secure (CVE-2024-21887)

Figure 19: Attack traffic through TP-Link Archer AX21 (CVE-2023-1389)

Attackers first download the “Skibidi” malware with a downloader script. It downloads and executes each malware to determine the proper Linux architecture attack.

Figure 20: Downloader script

arm4

mips

arm5

mipsel

arm6

ppc

arm7

sh4

x86_64

Figure 21: The malware targets Linux architectures

The following analysis is based on the malware “skibidi.x86_64.” While executing the malware, it displays the string “youre not skibidi enough.”

Figure 22: Executes the malware

It then calls the Linux function “ptrace” to handle the process on the victim host. The malware sends signals like a debugger to the sub-program, the malware itself, to fork another process to evade detection.

Figure 23: Call "ptrace" function

The malware then decodes strings encoded by XOR for the behaviors creating process and popping up execution result string.

Figure 24: XOR encoded strings

It calls the system function “prctl,” which manipulates the calling process by naming it with the XOR-encoded strings “-bash” and “x86_64.”

Figure 25: Process of the malware

Afterward, the malware tries to connect with its C2 server through a socket. Meanwhile, it uses the system call “select” to listen to the events of files the attacker is interested in, such as process events.

Figure 26: Call “select” function

The malware repeats these steps of listening to events and sends the results back to the server.

Conclusion

Cloud services' inherent flexibility and efficiency have unwittingly provided cybercriminals with a new arena for their activities. This shift to cloud-based operations marks a significant evolution in the threat landscape, with malware operators exploiting these platforms' advantages. Organizations must bolster their cloud security defenses as botnets and DDoS tools continue to leverage cloud services. Robust security measures and vigilant monitoring within cloud environments are imperative to combat these sophisticated attacks. Implementing a multi-layered security approach, including regular patching, updates, and network segmentation, is essential to isolate critical assets and mitigate potential breaches.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

BASH/Mirai.AEH!tr.dldr

ELF/Gafgyt.ST!tr

ELF/Mirai.CDB!tr

ELF/Mirai.CEA!tr

ELF/Mirai.CPD!tr

ELF/Mirai.OX!tr

ELF/Skibidi.CQC!tr

ELF/UDPFlooder.1C8B!tr

ELF/UDPFlooder.1EE7!tr

ELF/UDPFlooder.E063!tr

Linux/Mirai.CPD!tr

Linux/Mirai.REAL!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard Web Filtering Service blocks the C2 servers and downloads URLs.

FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:

CVE-2016-20016: JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution

CVE-2017-17215: Huawei.HG532.Remote.Code.Execution

CVE-2018-10561: Dasan.GPON.Remote.Code.Execution

CVE-2018-10562: Dasan.GPON.Remote.Code.Execution

CVE-2023-1389: TP-Link.Archer.AX21.Unauthenticated.Command.Injection

CVE-2024-21887: Ivanti.Connect.Secure.Policy.Secure.Authentication.Bypass

We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

C2

45[.]128[.]232[.]15

45[.]128[.]232[.]90

45[.]128[.]232[.]229

45[.]128[.]232[.]234

URLs

hxxp://45[.]128[.]232[.]15

hxxp://45[.]128[.]232[.]90

hxxp://45[.]128[.]232[.]229

hxxp://209[.]141[.]35[.]56/getters

hxxp://45[.]128[.]232[.]234

Files

d5e81e9575dcdbbaa038a5b9251531d8beccedc93bd7d250a4bb2389c1615cd6

6226e896850de8c5550b63481b138067582ebf361f7c5448d9d0596062150d89

4c2dcd13685f24800b73856d1f3ec9a2c53c2b5480a9c10b73035a43df26c2e8

31914b317ba6a44a9d3acb99979ec8c163bef8667b0ae41524e335847d70afb0

5fbfc4c8204309e911d22d3b544773f8d4f9ab2edc71f8967bbdcce6cbc834ca

53daa1e4c2f5c11a75989334c2a0227689509606aeda9d7ab11dd200ee6138c6

a9690df4542f28fc4e3b9161b9f8d685d4ce8753bfd9b1f5c8aacd6aa4bef873

fb86bb0863d15ac65a916979052220f755765eb0d5bc4c1c47e34762738d2311

cd05eaa2b01ec1a4880839628d1c6e3bed9045478cacbfb88f14d1937ccf667b

c88da56b348f8d89b5ab99a710de7131bdbc2f1dba4bb9809b1b3fd27322630e

83a2608a93b643f68ab3dcfccf8de7b13394cc214a78fa59b6867e47fc56928c

3660fbe90420f60664e68859de918a5c592dd33024f69bebff8bb77ab41b8fca

75b594a20110e487e35ec4590a5211a425119cdf0fea6fcf030ee20cb548b7e5

ef2e57a5992d85ea2bfb5c5645f8b361dcd5c49eede38185a7b99ec00c287550

2e69d9942a4c0d6d0294d038263f2d12f3a5f6aef8d72279b01e025d32addab2

1a8508f62447e5ee624866b571a29cedc369d6ee8182782f32a75dcd58494d8c

305e0eb9b815dddd40d73f4464946a0ec21866b7727e4fe073692bf82bb46936

0092b27bee2df9536e8aff8948a1007ed1eb03f0e12e0348b72a113e7d4cb585

65f2850892365a4d6bafc303ed04379bef3b41a85336e274f9348603105d2f37

c569eb7f33dcec3e6cdcfee7195202813fda6b7bf9ecb786a4a909d6745cbbff

5110f8af13cdd872b904784d2aec75031c663baad01d68b5f05daa950d18ced3

eec122d6480803bcdd2c6906b0ae35bcffaf6bf5117dac8c7b2621f0b98b68ea

9f14cdea1b41ac1c7251e3f2d4186e12d480d108942bc8f1f7bcac133ed88ccc

5a0a8de050cc8ad2f9af41e4018b0317afc39c571f23bc9cfa115c6558205722

eb9ba3171a98dc543cbc599eb6ab9aa3a5a47cc6931afe511fa839c6a5fb889c

1825c787c308d3cb1125d416025af8c8344a158f0a0b3467df6c0c875d2d8800

eb926f93bdd9b38d44d2239b4ec9c1d45762f850bee80cf9556b23372b6f0639

8fb6110b2114e7786b1d4e7f600a08de0a25432417f863d9663d576a3c895e86

dc87ff82199cb60a8bcf59d4f8c0a706bf10051d0c15a911d37d1cda8fcf5f9e

1816c473ba94f4740c0931e118d038ecb0733f8ffb7cbb74dedc7b78952f8318

d4dbd379f914ff5ba40c1aac1be37602e4cde687e47cfd7793cb10192617f4af

d034664f627af11bd2a34ba1b228b5a6841309caabfd72a731bbd4724d947e27

4cc2110f89afac1de0c1989d0af07f8879003cac0803660f37cf394a0027db69

bd42e67e6238dfec0b7786797733c54ae1d92fe0e883758dddea779e113b5271

bd42e67e6238dfec0b7786797733c54ae1d92fe0e883758dddea779e113b5271

e758c4428a590519a281344a31f236146c996c784433fbe82eee009dd922516c

3a3581da268d0fdb8c8027e261b682b07b6715c62fbf2c8aca301b7e8dd9d637

6e21e400928f24630339441f6da0f3f1b66860bf480a9f5af20482878b686189

8363ecc977d426f0e922abbeb4f1e8ed06397c0b6951dd75233016d3b5af58c9

e511f5c8fc0bd713dc9b9742e8c682ba66177bb617e9118f84b150cf6ff4a07f

ddcb420c4141760feed2fc8c76425b72ab111d271385040c1446f6ab3993c6d7

2b526e5ac01916d74e7aa88770102a8f34d4c57cea7a4e45c501331670635e26

666eed520d2b430e1016eec555c0cd125912f9a8f7590d77c286eff52416fbaf

ba4229f5e44c378ae293b58139233a9bfbecbfd22fb51e05f74de38b186a071c

c376db6e6f6905113e7beb1f14d8e5a44b8374a959eefd0f5d25ab0f3cbabee2

ae999de92c369e53a3287ab034f2839367b44f7fd82d6ed56a5700c22ed44635

e94b6b99fae4dc8e5b0796c877ed01bf25f77ccab95fb43d24abed00e0f8a15a

8fcb5c4c5306f3e7ffa2a47dedaddc108c77ef8ef48ec0980a0c441333e0a18b

34f653119e418621c1cbfe7cf0614ea62e9a98dc345e4d7408eea96a08d3ac0d

a51333460fb711e0b172b6e4893d5bca6b9996f240b450fdaa5cbf14511c9e27

90a43ca83efb2d460b86ff897b1bc657170b6c79c2c804610cdfca8f24adc71e

c5b6320925963ca6d5439dca7154c526c3a26500e204b48ff30a50c3a1b875ad

e7d87e68265a9a324d76759cca4f613c28c590b36490c8c65ee3d17918e5d3ec

2867b3fd3c840aa9c868a88a5f6d417a09e4158f8209f0450a07eeb7e99ba4c8


文章来源: https://feeds.fortinet.com/~/900044114/0/fortinet/blog/threat-research~The-Growing-Threat-of-Malware-Concealed-Behind-Cloud-Services
如有侵权请联系:admin#unsafe.sh