After reading the blog post from Talos about SSHPsychos, I wanted to see if we could verify the same information on the @Threat_Inc honeypots.

To summarize: a group of actors is performing a significant number of SSH brute force attacks. These actors use one class C network to attempt to log in to a server, then use another class C to log in with the harvested credentials, and then download malware from various hosts.

Talos goes on to identify the range as the first group, who perform the brute force attacks for the 'root' user. They also identify as the address where the malware gets downloaded from. Right around March 30th, they noticed the group pivoted to a new network range,, as well as the IP hosting malware changed to

I wanted to see how much information I was able to see on our sensors related to these attacks, so I started digging...

First, let's confirm the switch from the netblock to the by the group scanning hosts:

We can achieve this by:

search sourcetype=kippojson src_ip="" OR src_ip=""  
| eval group=if(searchmatch("src_ip="),"","")
| timechart count by group


Next, let's see what hosts they are using to log into the sensors, after grabbing the right credentials:

First, let's get the hashes of the files that were downloaded by the two groups:

sourcetype=kippojson [search sourcetype=kippojson src_ip="" OR  
src_ip="" | stats count by session | fields session ]  
| transaction session | stats count by shasum

Then we can search for only those hashes and see which attacker IPs attempted to download them:

search sourcetype=kippojson [search sourcetype=kippojson  
shasum=e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc  
OR shasum=54e4e86a9c809e57e754411a4b735241dce631006310252e55aeed2663cbce7d  
OR shasum=2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba  
OR shasum=d4a3da512c576552a40c7aa4b366af54b98141bf023959528d479aeeab09a7b4  
OR shasum=a6b8d218bfa051b3234977290ad6c9af6c3ea7dcf26b643b381f8876f12e7d68  
OR shasum=64eee462375810e00d0b262523a53ee405b274f29451f85cb1f9bcd1497b1f33  
OR shasum=d8ebf75697902e883006fc46410558d98c667bc50ebf374d2acd5cc3bfcdc2ff  
OR shasum=74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520  
| stats count by session | fields session ] | transaction session
| stats count by src_ip

Below is a table showing the attackers that grabbed the malware, and the number of times they downloaded this malware on a sensor.

Attacker Count 137 49 46 43 43 39 38 33 31 7 6 6 3 3 2
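The same two-step session pivot can be run offline against exported honeypot events. This is an added example, not code from the original post; the field names `session`, `src_ip` and `shasum` come from the searches above, while the `event` field, the one-JSON-object-per-line layout, the documentation-range addresses and the short placeholder hashes are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample events (JSON lines). Addresses are documentation ranges
# and hashes are placeholders, not values observed on the honeypots.
SAMPLE_LOG = """\
{"session": "s1", "src_ip": "192.0.2.10", "event": "connect"}
{"session": "s1", "event": "download", "shasum": "aaaa"}
{"session": "s2", "src_ip": "192.0.2.10", "event": "connect"}
{"session": "s2", "event": "download", "shasum": "bbbb"}
{"session": "s3", "src_ip": "198.51.100.7", "event": "connect"}
{"session": "s3", "event": "download", "shasum": "aaaa"}
{"session": "s4", "src_ip": "203.0.113.5", "event": "connect"}
{"session": "s4", "event": "download", "shasum": "cccc"}
{"session": "s5", "src_ip": "203.0.113.5", "event": "connect"}
not json
"""

def parse_events(text):
    """Yield one dict per well-formed JSON line, skipping damaged lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if isinstance(event, dict) and "session" in event:
            yield event

def hashes_by_source(events, sources):
    """Step 1: hashes downloaded in sessions opened from the given sources."""
    events = list(events)
    sessions = {e["session"] for e in events if e.get("src_ip") in sources}
    return Counter(e["shasum"] for e in events
                   if e["session"] in sessions and "shasum" in e)

def downloaders(events, hashes):
    """Step 2: per-source count of sessions that fetched any target hash."""
    events = list(events)
    # src_ip may only appear on some events, so join on the session id,
    # which is what `transaction session` does in the searches above.
    src_of = {e["session"]: e["src_ip"] for e in events if "src_ip" in e}
    hits = {e["session"] for e in events if e.get("shasum") in hashes}
    return Counter(src_of[s] for s in hits if s in src_of)
```

Feeding the keys returned by `hashes_by_source` into `downloaders` reproduces the Attacker/Count table for whatever set of events is loaded.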

Here are the files and corresponding hashes from the above searches:


Onto the new host serving malware, I'm noticing that this host isn't serving the same files (well, at least file hashes) as the range. Below are the files seen thus far:

SHASUM: c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc

SHASUM: 61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521  

Below is a table of the hosts downloading the two files above and the number of times they were downloaded.

Attacker Count 17 11 9 8 7 6 4 4 4 3 3 3

If this post serves as anything, it's just identifying some new attacker IPs that have been seen logging into the boxes after the credentials are known and downloading the XOR.DDoS malware.

Lastly, here is a visualization of the various hosts grabbing the malware from the domains:

As well as the hosts grabbing the malware from