We previously blogged about how we uncovered the operations of the hacking group we named Outlaw that uses an Internet Relay Chat (IRC) bot. This follow-up post covers a host part of the botnet operated by the group, which we found attempting to run a script on our IoT honeypot. The attacking bot used a tool called haiduc to search the internet for systems to attack, which it does by taking advantage of a common command injection vulnerability. If successful, it attempts to run the script min.sh (detected by Trend Micro as Coinminer.SH.MALXMR.ATNJ) on targeted hosts.
This time we spotted two variants of activities from Outlaw. The script used in the first version of its bot has two functionalities: the miner and Haiduc-based dropper. The code for the mining part also has two forms. One is in plain text bash/Perl script and the other is an obfuscated Perl script variant that avoids detection by content-inspecting intrusion prevention system (IPS)/firewalls.
The second variant of the code, distributed by the bot, was mainly designed to brute force and further exploit the Microsoft Remote Desktop Protocol and cloud administration cPanel in order to escalate the privileges. This intention of further exploitation is supported by the discovery of the list of servers, which run a vulnerable library libc.so.6 with a known vulnerability.
Overview of the first variant
The miner downloads and starts mining for Monero cryptocurrency, using the binary that is capable of running on both Linux and Android. This variant of the miner first checks for other running miners present on systems. If it finds a “foreign” miner in the target system, the script kills the related mining processes of previous miners and starts to run its own binaries. This means that the bot here is capable of hijacking the mining activities of other bots from unrelated botnets. Do note that some Mirai variants have the same capability, but unlike certain Mirai variants, this bot does not patch the victims to protect them from further infection/reinfection.
After the mining has started, the bot has a function that checks the process list if the miner is actually running. If not, it downloads the malicious files again from the source and restarts the mining process, including the check for the presence of other miners.
This process allows the attacker to steal the already compromised mining hosts from other attackers and reinfect already “owned” hosts with an updated version of the miner, thus continuing the operation even after the attackers’ XMR wallets have been hijacked.
Once the mining operation is established, the miner reports back to its owner through a compromised website that hosts a PHP script with a randomly generated name.
The other part of the script takes care of bot propagation. It uses the haiduc tool, which we previously noted to be a tool that the Outlaw group primarily uses. In this variant of the haiduc toolset, it is used to first brute force vulnerable hosts running an SSH service. For that, it takes variable lists hosted in a compromised website in the form of PHP scripts. Once the brute-force is successful, it then runs the command that spreads the bot. This is done by running the commands to install the initial min.sh script from compromised websites. It then scans various targets, as set by commanding PHP script, and sends results to the botnet administrator via email, hardcoded in one of the PHP scripts. In our previous blog, we noted the group’s use of an IRC bot to form a botnet, this time the bot is controlled via PHP. It remains, however, that the files for the miner and the haiduc toolset are from the same group.
The infecting bot uses the URL hxxp://www[.]karaibe.us/.foo/min.sh to download the malicious shell script. Curiously, the domain also had a Google Analytics script embedded in the source code, which might have allowed the bot’s admins to monitor the campaign. Currently, the domain is resolved to a basketball league standings site. This technique is used by the Outlaw group at all times, and it has become obvious that one of the group’s core activities is to exploit more websites over PHP vulnerabilities to get new C&C or content delivery servers.
Looking into min.sh, the infecting script
Figure 1. Initial script, min.sh
The first part of the script downloads the mining binary and complementary files in the tgz archive. By adding another server/domain to the command in general, the attacker ensures that the threat will not be easily blocked when one system is taken down.
Note: In this example, it is the same destination — the difference is that it uses only IP once and the other uses fully qualified domain name (FQDN). Certain security information and event management (SIEM) tools can block one or another but usually not both as it might cause performance issues.
The downloaded archive is extracted and the working directory is moved to the hidden “.bin”. Usage of the hidden directory should help run the miner unnoticed by the system administrator.
It then runs the XMR mining binary, forwarding the output to “dev/null” while it is in the background.
In the next step, the working directory is changed to “/tmp”. Hidden “.vd” directory file is also removed to ensure that only the most current version is used in the following steps. Next, the sslm.tgz is downloaded, extracted, and run from the directory. It is a haiduc-based scanner that generates the target using a PHP script, which is hosted on the C&C server.
It sends out “the introduction” of the compromised host (see figure below) into another PHP script, hosted in the URL hxxp://www[.]karaibe[.]us/[.]foo/remote/info[.]php.
Figure 2. POST request to the C&C
After “the introduction” to C&C, it changes the working directory back to “/tmp” and removes the infection script from the affected system.
Further scanning options found in the second variant of the bot
We have analyzed various forms of haiduc toolsets and have previously mentioned capturing variants of the toolkit, with a populated list of targets for compromise. The two variants of haiduc described have a purpose that has never been seen before: To test captured target systems for the presence of running Remote Desktop Protocol (RDP) or cPanel. RDP is used for remote management of Windows-based hosts and servers, while cPanel is an open-source cloud administration interface. If it finds either of the services on the target host, it will be saved for future exploitation.
Scanning via Remote Desktop Protocol (RDP)
A search on Shodan would reveal hundreds, if not thousands, of servers with open RDP ports publicly seen on the internet. In case of a compromise, an attacker can gain access to another subnet of the network that is not available on the internet (could help them pivot further in the enterprise network), steal sensitive information, spy on individuals, and control industrial systems, among others.
The script on the figure below was used to run a Perl script psc2 (detected by Trend Micro as ELF_PORTSCAN.TNK), which searched for RDP-related open ports. The output is fed to the tool called rdp (ELF 32-bit LSB executable, Intel 80386), which takes the remote host address provided by psc2 script and attempts to log in. The threat actor used this script variant for manual attacks.
Figure 3. First variant of the script running Perl script psc2 and rdp tool
The second variant of the starting script already has preparations to be controlled over a PHP-based C&C. In this case, the arguments included the “class” file (detected by Trend Micro as HKTL_SHARK.C). One variant of the class files listed known organizations, while the second one listed IPs’ classes based on their GeoIP location. Again, the script first runs the Perl-based port scanner and its outputs are supplied to the rdp tool (detected by Trend Micro as ELF_PORTSCAN.TNK). The tool had also an embedded wordlist, with 3,811 lines of generated credentials.
Figure 4. Second variant of the script running Perl script psc2 and rdp tool, with embedded wordlist
Attacking the cloud via cPanel
cPanel is a cloud hosting platform with a very common administration interface. It is often used by small- and medium-sized businesses (SMBs) for the management of their private cloud services. A successful attack could affect the victim tremendously as the attacker could hijack the whole cloud infrastructure containing sensitive data. Regardless of the possible consequences, it is common to have publicly available login interfaces for the cloud management interface, hosted on the company-owned subdomains. This bad habit is exploited by the following attack, which is simple yet can have a great impact on organizations.
Same as with RDP, the attack uses a list of victims rather than scanning the whole internet. Each host is enumerated for the presence of the subdomains using the non-malicious script “bing-ip2hosts,” developed by Morning Star Security. Results are output to the target list called “bios,” which is then fed to known brute tool (detected by Trend Micro as HKTL_PORTSCAN) used for brute force, in a wrapper bash script called “go.” The toolkit allows attackers to target certain countries using the “class” files. Script “go” is a bash wrapper, which uses the “class” to generate a list of IPs. “getdns” scripts get the subdomain lists by invoking the “bing-ip2hosts.” Finally, the brute will be called to perform the brute-force.
Figure 5. cPanel attack script
Conclusion and solutions
The hacking group Outlaw’s botnet is evolving. It gained the PHP command and control ability to overcome some IRC downfalls, for better C&C servers scalability and more functions introduced with PHP language.
The group tends to use well-known hacking tools and the haiduc tool as well, both usually wrapped in bash scripts that allow less-skilled users to run the tools. Haiduc itself is conspicuous and therefore can be monitored with low-interaction honeypots.
Regardless of the choice of the tools, the group is successful in getting new targets. So far, we spotted over 180,000 compromised hosts and 20,000 newly compromised hosts, including IoT systems, various websites, cloud-based virtual private servers (VPS), compromised Windows servers, to name a few, across the world.
Even mobile devices based on Android can be affected. This, however, requires the owner to root the device first, or alternatively run the infected files deliberately using a “chrooted” Linux-based system. We discovered that detecting the real IP/location is possible through this malware on Android devices.
First it seemed that the goal of the Outlaw group is to build an infrastructure capable of distributed denial of service (DDoS) against many known companies. Later, they have also facilitated brute forcing the SSH so they could grow the botnet further. Then the cryptocurrency mining started, with the latest discovery described in this blog that RDP and cPanel brute-force are also in the scope of the group’s operation.
To prevent risks involved in the hacking group Outlaw’s botnet operations, users can consider adopting security solutions that can defend against malicious bot-related activities through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
For further details on how the group’s operations use different files, refer to this appendix.
Indicators of Compromise (IoCs)
|Related hashes (SHA-256)|
67[.]205[.]129[.]169 – C&C server
167[.]114[.]54[.]15 – Infecting IP
hxxp://www[.]karaibe[.]us/[.]foo/remote/info[.]php – lists IP addresses/ targets for the scanning
hxxp://www[.]karaibe[.]us/[.]foo/feed/feedp[.]php – lists tested credentials
hxxp://www.karaibe[.]us/[.]foo/feed/class[.]php – first two octets of an IP address to be scanned