Reversed C2 traffic from China
Last Updated: 2018-05-11 11:53:06 UTC
by Remco Verhoef (Version: 1)
For the past few months, we've seen some intriguing data coming from 3 separate ip addresses from within China. The payload of this traffic seems to be generated by well known remote access tooling njRAT and Gh0st and destined to their C2 server. Normally you would not expect any C2 traffic in honeypots, except in the case of ip address reusal where you got an ip address which has been used as C2 before. As we have catched this traffic in multiple honeytraps, someone must be scanning the internet with this payload. There are many different destination ports targeted, so far we have seen ports 991, 1050, 1122, 1177, 1188, 1190, 1199, 3460, 12345, 1627, 3311, 5552, 5568, 8484, 8844, 8899, 33369, 42091.
The ip addresses we have seen so far are 22.214.171.124, 126.96.36.199 and 188.8.131.52. Those ip addresses have a webserver running, containing the message: "Y-Team is a network security team, which focus on internet-wide network attack events." with contact information. It seems that they are searching for active C2 servers.
The payloads that have being used are interesting and similar to other njRAT payloads:
lv|'|'|SGFja2VkXzYx|'|'|DG-69JK87|'|'|root|'|'|2018-02-06|'|'|AKM|'|'|Windows 7 SP1|'|'|Yes|'|'|0.6|'|'|577|'|'||'|'|',[endof]
lv|'|'|bmtfc3VydmlsbGVuY2VfYTE4|'|'|RS-X4FA66|'|'|root|'|'|2018-02-06|'|'|DPRK|'|'|Red Star OS X|'|'|Yes|'|'|1.0|'|'|577|'|'||'|'|',[endof]
If you extract the interesting parts of the payload:
|bmtfc3VydmlsbGVuY2VfYTE4||nk_survillence_a18 (this is a unique identifier for the encrypted system, combined of the name of the campaign and a identifier)|
|SGFja2VkXzYx||SGFja2VkXzYx -> Hacked_61 (this is also a campaign identifier)|
|2018-02-06||date modified of the malware|
report if there is a camera available
|0.6 and 1.0||malware version|
Another payload we've seen is the base64 encoded string: a2ltam9uZ3VuaXN2ZXJ5aGFwcHk=, which decodes to kimjongunisveryhappy.
The payloads contain a lot of references to North Korea, like nk_survillence_a18, DPRK (Democratic People's Republic of Korea), Red Star OS X (which is the North Korean OS that looks like Apple OS X). Y-Team is doing efforts to make the traffic appear to be generated by an infected North Korean machine.
Besides our honeytraps, AbuseIPDB contains entries with the same traffic.
Previously, we have seen the same hosts scanning with different payloads:
* /?CAVIT (scanning for Trend Micro OSCE clients on port 12345)
* /bins.sh on port 80
* /select.sh on port 8081
* /NetSyst81.dll on port 4545
Do you have extra information regarding this diary? Or do you have different views? Please let us know.
The "Statement of Harmless Internet Scan" and the numeric account to qq.com doesn't exactly help instill any level of comfort.
May 11th 2018
5 years ago