This week I found this traffic in my honeypot. My first impression was that it didn't look that unusual, since Base64 encoding is used quite a bit to encode traffic to a web server. Using CyberChef, I decoded the Base64 portion to see what it was all about, only to find out it was further encoded in Base64. Decoding the second Base64 layer revealed two IP addresses. However, the interesting part after decoding it was that the IPs were already in the traffic payload. The first IP was the source of the traffic (60.191.52.254).

TmpBdU1Ua3hMalV5TGpJMU5Dd3hNVEl1TVRjdU1USTFMakU0TUE9PQ== → NjAuMTkxLjUyLjI1NCwxMTIuMTcuMTI1LjE4MA== → 60.191.52.254,112.17.125.180

60.191.52.254 → ISC reports show scanning for ports 1723 and 3128 [1]

Another search of my logs revealed this kind of activity had been happening for quite a while, and it is always the exact same query, down to the IPs and ports. I have logs for this activity since February this year on ports 80 and 8088, and the same high port (63435) is used in all the traffic. A search for BS_REAL_IP shows other honeypots [2].

Here is a copy of the raw log:

tcp-honeypot-20191019-075047.log:20191025-222956: 192.168.25.9:8088-60.191.52.254:49110 data 'HEAD http://112.124.42.80:63435/ HTTP/1.1\r\nAccept-Encoding: gzip\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\r\nBS_REAL_IP: TmpBdU1Ua3hMalV5TGpJMU5Dd3hNVEl1TVRjdU1USTFMakU0TUE9PQ==\r\nHost: 112.124.42.80:63435\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\nProxy-Connection: keep-alive\r\n\r\n'

Generic Code Beautify by CyberChef:

HEAD http://112.124.42.80:63435/ HTTP/1.1
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
BS_REAL_IP: TmpBdU1Ua3hMalV5TGpJMU5Dd3hNVEl1TVRjdU1USTFMakU0TUE9PQ==
Host: 112.124.42.80:63435
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive

[1] https://isc.sans.edu/ipdetails.html?ip=60.191.52.254
Guy, ISC Handler, Oct 27th 2019
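An added example, not part of the diary above: a small Python checker that parses the honeypot log line format quoted in the diary, peels the nested Base64 off the BS_REAL_IP header layer by layer (the same two steps done in CyberChef), and reports which decoded addresses already appear in the connection tuple or the request itself. The log-line layout regex is an assumption based on the single line shown; the sample input is that line.

```python
import base64
import binascii
import re
# Raw honeypot log line quoted in the diary above; the log stores CRLF as the literal text "\r\n".
LOG_LINE = (
    "tcp-honeypot-20191019-075047.log:20191025-222956: 192.168.25.9:8088-60.191.52.254:49110 data "
    "'HEAD http://112.124.42.80:63435/ HTTP/1.1\\r\\nAccept-Encoding: gzip\\r\\nUser-Agent: Mozilla/5.0 "
    "(Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 "
    "Safari/537.36\\r\\nBS_REAL_IP: TmpBdU1Ua3hMalV5TGpJMU5Dd3hNVEl1TVRjdU1USTFMakU0TUE9PQ==\\r\\n"
    "Host: 112.124.42.80:63435\\r\\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\\r\\n"
    "Proxy-Connection: keep-alive\\r\\n\\r\\n'"
)
# Assumed layout: "<file>:<YYYYMMDD-HHMMSS>: <dst>:<dport>-<src>:<sport> data '<request>'"
LOG_RE = re.compile(r"^(?P<file>\S+):(?P<ts>\d{8}-\d{6}): (?P<dst>[\d.]+):(?P<dport>\d+)-"
                    r"(?P<src>[\d.]+):(?P<sport>\d+) data '(?P<data>.*)'$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_log_line(line):  # connection fields plus the request headers (names lower-cased)
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    head = rec["data"].replace("\\r\\n", "\r\n").partition("\r\n\r\n")[0]
    rec["headers"] = {}
    for h in head.split("\r\n")[1:]:  # [0] is the request line
        name, _, value = h.partition(":")
        rec["headers"][name.strip().lower()] = value.strip()
    return rec

def peel_base64(value, max_rounds=5):  # decode nested Base64; returns every layer, outermost first
    layers = [value]
    for _ in range(max_rounds):
        try:
            decoded = base64.b64decode(layers[-1], validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break  # no longer Base64: "60.191.52.254,112.17.125.180" contains '.' and ','
        layers.append(decoded)
    return layers

def analyse(line):  # what BS_REAL_IP hides, and whether it is already visible in the traffic
    rec = parse_log_line(line)
    if rec is None or "bs_real_ip" not in rec["headers"]:
        return None
    layers = peel_base64(rec["headers"]["bs_real_ip"])
    hidden_ips = IP_RE.findall(layers[-1])
    visible_ips = set(IP_RE.findall(rec["data"])) | {rec["src"], rec["dst"]}
    return {"src": rec["src"], "sport": rec["sport"], "dport": rec["dport"], "layers": len(layers) - 1,
            "hidden_ips": hidden_ips, "source_echoed": rec["src"] in hidden_ips,
            "already_visible": [ip for ip in hidden_ips if ip in visible_ips]}
```

Run over the diary's line it reports two Base64 layers, the two decoded addresses, and that the first of them is the connection's own source IP; pointing it at a whole log file is a quick way to confirm the "always the exact same query" observation.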
Oct 27th 2019, Poptima:
very interesting
Oct 28th 2019, AlSitte:
That is... different.
An attempt to further obfuscate information about the C2 environment(s) maybe?