Bitcoin Miner File Upload via FTP

Published: 2016-11-13. Last Updated: 2016-11-13 23:48:07 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

I wrote a diary six months ago about using INetSim as a honeypot. Over the past few weeks, only one type of package has been uploaded through the honeypot's FTP service: a Bitcoin miner. On the web service, I have repeatedly received the same command (captured as a file), sent as a percent-encoded ASCII command (cmd=):

cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74

The command decodes to the following UNIX command:

cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt
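To show how such a captured cmd= value is decoded and what a defender would flag in it, here is an added example (not code from the diary or from INetSim); the request lines it scans are constructed for the example, with the first one being the diary's own payload.

```python
"""Decode percent-encoded cmd= payloads captured by an HTTP honeypot and
flag the ones that look like shell command-injection probes.
All request lines below are constructed samples for this example."""
import re
from urllib.parse import unquote

# Constructed sample requests: the diary's cmd= value plus two other values.
SAMPLE_REQUESTS = [
    "cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20"
    "%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20"
    "%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74",
    "cmd=%6C%73%20%2D%6C%61",   # "ls -la": a command, but no chaining or file write
    "q=hello%20world",           # unrelated parameter, no cmd= to decode
]

# Indicators worth alerting on: command chaining, use of a world-writable temp
# directory, an output redirection, and echo with escape processing (-e / -ne)
# used to drop raw bytes into a marker file.
SHELL_CHAIN = re.compile(r"(&&|\|\||;|\|)")
FILE_WRITE = re.compile(r">\s*\S+")
ECHO_ESCAPE = re.compile(r"\becho\s+-[a-zA-Z]*e")

def decode_cmd(line):
    """Return the decoded value of the cmd= parameter, or None if absent."""
    # Split on '&' before decoding: an encoded %26 inside a value must not split it.
    for pair in line.split("&"):
        key, _, value = pair.partition("=")
        if key == "cmd":
            return unquote(value)
    return None

def classify(decoded):
    """Return the list of indicator names found in a decoded command string."""
    hits = []
    if SHELL_CHAIN.search(decoded):
        hits.append("chained-commands")
    if "/var/tmp" in decoded or "/tmp" in decoded or "/dev/shm" in decoded:
        hits.append("temp-dir")
    if FILE_WRITE.search(decoded):
        hits.append("file-write")
    if ECHO_ESCAPE.search(decoded):
        hits.append("echo-escape-bytes")
    return hits

def scan(lines):
    """Map each request line carrying cmd= to (decoded_command, indicators)."""
    results = {}
    for line in lines:
        decoded = decode_cmd(line)
        if decoded is not None:
            results[line] = (decoded, classify(decoded))
    return results
```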

Some of the web GET/POST traffic captured over HTTP/SSL:

url=http://192.168.152.84/robots.txt
url=http://192.168.152.84/sitemap.xml
url=http://testp3.pospr.waw.pl/testproxy.php
url=http://192.168.152.84:8080/manager/html
url=http://www.7777757.com/
url=http://192.168.152.84/xmlrpc.php
url=http://192.168.152.84:8080/
url=http://www.aszw8.com/
url=http://www.7777757.com/
url=http://testp4.pospr.waw.pl/testproxy.php
url=http://testp4.pospr.waw.pl/testproxy.php
url=http://192.168.152.84:8080/manager/html
url=https://192.168.152.84:443/
url=http://www.aszw8.com/
url=http://192.168.152.84:8080/script
url=https://192.168.152.84/
url=http://192.168.152.84:8080/manager/html
url=http://192.168.152.84:8080/manager/html
url=http://testp4.pospr.waw.pl/testproxy.php

The first five files are the same file, uploaded via FTP multiple times; it is a well-known Bitcoin miner package. The last file, also uploaded a few days ago, is a new type of Bitcoin miner package (zip):

[1] 1578496 Oct 25 00:49 2288866c1ed93431bc46df5c83977dda64272144
[2] 1578496 Oct 29 05:39 63a61c7878e5a6265c7b13c1d59bd5661f4e282e
[3] 1578496 Oct 30 11:42 8bf6f9ce6816efe45b2088ca0bb8ed3dfce9b66d
[4] 1578496 Oct 31 05:10 30e4c2bb076f87b3e6f2dd996eb8d204f006e642
[5] 1578496 Oct 31 16:35 89bc907d3dcb89eefa36d718fc796f2e709223c0
[6] 3528005 Nov  8 10:21 412b618589ce9eed3d893b81be20a3f2c51d5ce4 (zip file contains IMG001.scr and information.vbe)

Virustotal Results

[1][2][3][4][5] https://www.virustotal.com/en/file/807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d/analysis/
[6] https://www.virustotal.com/en/file/7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd/analysis/
[7] https://isc.sans.edu/forums/diary/INetSim+as+a+Basic+Honeypot/21055
[8] http://www.rapidtables.com/convert/number/hex-to-ascii.htm

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Comments

Again I know my lack of knowledge on this subject will stand out, but what is x3610cker?
According to https://www.protectwise.com/blog/observing-large-scale-router-exploit-attempts.html this is an attempt to ID vulnerable home routers.
This command cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt attempts to create a file in /var/tmp x3610cker and then tries to read it.
ahhh I'm pretty on point with bash scripting, but sometimes stuff just flies right by me. I think it might be that in the diary it is read to me as (this is due to font I'm sure)

cd /var/tmp && echo -ne ||x3610cker > 610cker.txt && cat 610cker.txt

idk, that's what threw me off.

edit: ahhhhh it's because it was all italicized and \\ italicized is ||
