
Anatomy of a Real Linux Intrusion Part II: SSH trojanized toolkit


In my previous post I introduced my current honeypot setup: a Raspberry Pi 3 running HonSSH and performing SSH MiTM.

The honeypots see a lot of attacks: SSH scans, user and password brute force attacks, scanning tools installed in the compromised system, IRC bouncers installed, etc. These attacks come from different countries, using different accounts and passwords. I'll leave the statistical analysis for another time. Right now I'm more interested in the tools the cyber criminals are using :)


In this post and the coming ones I'll write about some of the interesting malicious tools I have analysed.

In this specific post I'm writing about an intrusion involving tools with Trojan, rootkit, anti-forensics, sniffing and C&C capabilities.


IMPORTANT: At the time of writing this post, the malicious tools at the different URLs are still active. Cyber criminals are still using them in their malicious activities. I have decided to make them public as I think they are a good resource for security researchers.

Automatic scanning and brute force

The first phase of the attack consists of brute forcing, in order to get access to the victim system.

The brute force source IPs are usually hosts which have already been compromised and are used to brute force a wide range of IPs through automatic tools. In the case of this intrusion, the IPs used to brute force, before the real intrusion happened, are the following:

116.96.24.144
158.69.84.195
171.234.230.47
185.110.132.201
193.169.53.171
194.203.215.254
195.154.45.84
203.113.167.163
217.243.198.134
42.114.236.217
91.224.160.106


Manual access to the compromised host with valid credentials

Once the cyber criminals have obtained valid credentials in the previous step, they come back and log in manually, but this time from a different IP. In this case, the IP used is 5.189.136.43. The HonSSH log of that connection (truncated at the end as captured):

2016-09-04 10:26:43+0200 [honssh.server.HonsshServerFactory] [PLUGIN][HONEYPOT-STATIC] - GET_PRE_AUTH_DETAILS
2016-09-04 10:26:43+0200 [-] [PRE_AUTH] - Connecting to Honeypot: normando (192.168.16.2:22)
2016-09-04 10:26:43+0200 [-] [ADV-NET] - HonSSH Interface already exists, not re-adding
2016-09-04 10:26:43+0200 [-] [ADV-NET] - HonSSH FakeIP and iptables rules added
2016-09-04 10:26:43+0200 [-] Starting factory <honssh.client.HonsshClientFactory instance at 0x745ccaf8>
2016-09-04 10:26:43+0200 [Uninitialized] [CLIENT] - New client connection
2016-09-04 10:26:43+0200 [HonsshClientTransport,client] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
2016-09-04 10:26:43+0200 [HonsshClientTransport,client] outgoing: aes256-ctr hmac-sha1 none
2016-09-04 10:26:43+0200 [HonsshClientTransport,client] incoming: aes256-ctr hmac-sha1 none
2016-09-04 10:26:44+0200 [HonsshClientTransport,client] REVERSE
2016-09-04 10:26:44+0200 [HonsshClientTransport,client] NEW KEYS
2016-09-04 10:26:44+0200 [HonsshClientTransport,client] [CLIENT] - Client Connection Secured
2016-09-04 10:26:44+0200 [HonsshServerTransport,76,5.189.136.43] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2016-09-04 10:26:44+0200 [HonsshServerTransport,76,5.189.136.43] outgoing: aes256-ctr hmac-sha1 none
2016-09-04 10:26:44+0200 [HonsshServerTransport,76,5.189.136.43] incoming: aes256-ctr hmac-sha1 none
2016-09-04 10:26:44+0200 [-] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_MADE
2016-09-04 10:26:44+0200 [-] [PRE_AUTH
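The two phases described above (automated brute force from already-compromised hosts, followed by a manual login with the stolen credentials from a different IP) are exactly the pattern a defender should correlate in sshd logs. The following detection logic is an added example written for this post, not HonSSH code or anything the attackers used. It runs over constructed OpenSSH auth.log lines (the IPs are reused from the list above, the timestamps, ports and the `backup` user are made up) and raises two kinds of alert: a successful login from a source that was itself brute forcing, and a successful login for a brute-forced account from an IP that never took part in the brute force, which is the "come back later from a clean IP" step. The threshold of 3 failures is a hypothetical tuning value.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in standard OpenSSH format (not from the original post).
SAMPLE_LOG = """\
Sep  4 09:12:01 normando sshd[2101]: Failed password for root from 116.96.24.144 port 51234 ssh2
Sep  4 09:12:03 normando sshd[2101]: Failed password for root from 116.96.24.144 port 51235 ssh2
Sep  4 09:12:05 normando sshd[2101]: Failed password for root from 116.96.24.144 port 51236 ssh2
Sep  4 09:12:07 normando sshd[2103]: Failed password for invalid user admin from 158.69.84.195 port 40001 ssh2
Sep  4 09:12:09 normando sshd[2103]: Failed password for invalid user admin from 158.69.84.195 port 40002 ssh2
Sep  4 09:12:11 normando sshd[2103]: Failed password for root from 158.69.84.195 port 40003 ssh2
Sep  4 09:12:13 normando sshd[2103]: Accepted password for root from 158.69.84.195 port 40004 ssh2
Sep  4 09:30:00 normando sshd[2150]: Accepted publickey for backup from 192.168.16.5 port 55000 ssh2
Sep  4 10:26:44 normando sshd[2201]: Accepted password for root from 5.189.136.43 port 49152 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user admin from ...".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield one dict per sshd authentication event, in log order."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text, threshold=3):
    """Correlate brute-force sources with later successful logins.

    threshold: failed attempts from one IP after which it is treated as a
    brute-force source (hypothetical value; tune to your environment).
    """
    failures = defaultdict(int)        # source IP -> failed attempts so far
    users_tried = defaultdict(set)     # source IP -> accounts it tried
    brute_ips = set()                  # IPs that crossed the threshold
    alerts = []

    # Events are processed in order, so each Accepted login is judged
    # against the brute-force state known at that moment.
    for ev in parse_auth_log(log_text):
        if ev["outcome"] == "Failed":
            failures[ev["ip"]] += 1
            users_tried[ev["ip"]].add(ev["user"])
            if failures[ev["ip"]] >= threshold:
                brute_ips.add(ev["ip"])
            continue

        targeted_users = {u for ip in brute_ips for u in users_tried[ip]}
        if ev["ip"] in brute_ips:
            # The scanner itself found a working password.
            kind = "brute_force_success"
        elif ev["user"] in targeted_users:
            # A brute-forced account logs in from an IP that never brute forced:
            # the manual return visit described in the post.
            kind = "return_from_new_ip"
        else:
            continue
        alerts.append({"kind": kind, "ts": ev["ts"], "user": ev["user"],
                       "ip": ev["ip"], "method": ev["method"]})

    return {"brute_force_sources": brute_ips,
            "targeted_users": {u for ip in brute_ips for u in users_tried[ip]},
            "alerts": alerts}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG)["alerts"]:
        print(alert)
```

The second alert kind is the one worth paging on: the first IP is usually a throwaway compromised host, but a later password login for the same account from a source with no failed attempts at all is the operator. In production you would bound the correlation with a time window and feed it from the central syslog rather than the host, since a toolkit with rootkit and anti-forensics capabilities will clean the local log.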
