Threat Intel | SSHPsychos/Group 93 Follow-Up Analysis
After reading the blog post from Talos about SSHPsychos, I wanted to see if we could verify the same information on the @Threat_Inc honeypots.
To summarize: there is a group of actors performing a significant amount of SSH brute force attacks. The actors use one netblock to brute-force logins against a server, then log in from a separate set of hosts using the harvested credentials, and from there download malware from various hosts.
Talos identifies the range 103.41.124.0/23 as the first group, which performs the brute force attacks against the 'root' user, and 23.234.60.140 as the address the malware is downloaded from. Around March 30th, they noticed the group pivot to a new network range, 43.255.190.0/23, with the IP hosting the malware changing to 23.234.19.202.
I wanted to see how much information I was able to see on our sensors related to these attacks, so I started digging...
First, let's confirm the switch from the 103.41.124.0/23 netblock to the 43.255.190.0/23 netblock by the hosts doing the scanning:
We can achieve this by restricting the search to the two ranges, tagging each event with the netblock its source address falls in (cidrmatch does the CIDR test explicitly), and charting the two over time:
search sourcetype=kippojson src_ip="103.41.124.0/23" OR src_ip="43.255.190.0/23"
| eval group=if(cidrmatch("103.41.124.0/23", src_ip), "103.41.124.0/23", "43.255.190.0/23")
| timechart count by group
Next, let's see which hosts they use to log into the sensors once they have the right credentials. This takes two searches.
First, let's get the hashes of the files that were downloaded in sessions originating from the two netblocks:
sourcetype=kippojson [ search sourcetype=kippojson src_ip="103.41.124.0/23" OR src_ip="43.255.190.0/23"
    | stats count by session | fields session ]
| transaction session
| stats count by shasum
Then we can search for only those hashes and see which attacker IPs downloaded them (transaction merges each session into one event, so the final count is sessions per source IP):
search sourcetype=kippojson [ search sourcetype=kippojson
    shasum=e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc
    OR shasum=54e4e86a9c809e57e754411a4b735241dce631006310252e55aeed2663cbce7d
    OR shasum=2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba
    OR shasum=d4a3da512c576552a40c7aa4b366af54b98141bf023959528d479aeeab09a7b4
    OR shasum=a6b8d218bfa051b3234977290ad6c9af6c3ea7dcf26b643b381f8876f12e7d68
    OR shasum=64eee462375810e00d0b262523a53ee405b274f29451f85cb1f9bcd1497b1f33
    OR shasum=d8ebf75697902e883006fc46410558d98c667bc50ebf374d2acd5cc3bfcdc2ff
    OR shasum=74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520
    | stats count by session | fields session ]
| transaction session
| stats count by src_ip
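The searches above are Splunk SPL and need the honeypot index to run. To make their logic checkable offline, here is an added Python example that is not part of the original post or the @Threat_Inc tooling. It parses a constructed JSON-lines log (the field names src_ip, session, shasum and url are assumed to match what the kippojson sourcetype carries; the timestamps, session IDs, the 198.51.100.7 source, the 198.51.100.9 URL and the "deadbeef" hash are placeholders), classifies each source against the two Talos netblocks with real CIDR matching (the timechart search), collects the hashes seen in sessions from those netblocks (the first hash search), and then counts, per source IP, the sessions in which one of those hashes was downloaded, which is what `transaction session | stats count by src_ip` produces.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# The two brute-force netblocks Talos attributed to the group.
BRUTE_FORCE_NETS = {
    "103.41.124.0/23": ipaddress.ip_network("103.41.124.0/23"),
    "43.255.190.0/23": ipaddress.ip_network("43.255.190.0/23"),
}

# Two hashes from the post, plus a constructed placeholder for unrelated traffic.
HASH_8000 = "e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc"  # /install/8000
HASH_A06 = "c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc"   # /i/a06
HASH_OTHER = "deadbeef" * 8  # constructed, not a real sample


def _ev(ts, session, src_ip, eventid, **extra):
    """Build one JSON event line. Constructed sample data, not a kippo record."""
    return json.dumps({"timestamp": ts, "session": session, "src_ip": src_ip,
                       "eventid": eventid, **extra})


# Constructed sample log: brute-force attempts from both netblocks, a few
# downloads of the two hashes, and one unrelated download that must be ignored.
SAMPLE_LOG = "\n".join([
    _ev("2015-03-25T01:00:00", "s1", "103.41.124.10", "login.failed"),
    _ev("2015-03-25T02:00:00", "s2", "103.41.124.11", "login.failed"),
    _ev("2015-03-29T03:00:00", "s3", "103.41.124.12", "login.success"),
    _ev("2015-03-29T03:00:05", "s3", "103.41.124.12", "file_download",
        shasum=HASH_8000, url="http://23.234.60.140/install/8000"),
    _ev("2015-03-31T01:00:00", "s4", "43.255.190.5", "login.failed"),
    _ev("2015-03-31T02:00:00", "s5", "43.255.190.6", "login.success"),
    _ev("2015-03-31T02:00:05", "s5", "43.255.190.6", "file_download",
        shasum=HASH_A06, url="http://23.234.19.202/i/a06"),
    _ev("2015-03-26T04:00:00", "s6", "23.107.16.3", "login.success"),
    _ev("2015-03-26T04:00:05", "s6", "23.107.16.3", "file_download",
        shasum=HASH_8000, url="http://23.234.60.140/install/8000"),
    _ev("2015-03-27T04:00:00", "s7", "23.107.16.3", "login.success"),
    _ev("2015-03-27T04:00:05", "s7", "23.107.16.3", "file_download",
        shasum=HASH_8000, url="http://23.234.60.140/install/8000"),
    _ev("2015-04-01T05:00:00", "s8", "107.182.140.139", "login.success"),
    _ev("2015-04-01T05:00:05", "s8", "107.182.140.139", "file_download",
        shasum=HASH_A06, url="http://23.234.19.202/i/a06"),
    _ev("2015-04-01T06:00:00", "s9", "198.51.100.7", "login.success"),
    _ev("2015-04-01T06:00:05", "s9", "198.51.100.7", "file_download",
        shasum=HASH_OTHER, url="http://198.51.100.9/x"),
])


def load_events(text):
    """Parse JSON-lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def group_for(src_ip):
    """Name of the brute-force netblock containing src_ip, or None (the eval group=...)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None
    for name, net in BRUTE_FORCE_NETS.items():
        if addr in net:
            return name
    return None


def timechart_by_group(events):
    """Search 1: events per day per netblock, to see the pivot between the ranges."""
    days = defaultdict(Counter)
    for ev in events:
        group = group_for(ev.get("src_ip", ""))
        if group:
            days[ev["timestamp"][:10]][group] += 1
    return {day: dict(counts) for day, counts in sorted(days.items())}


def hashes_from_netblock_sessions(events):
    """Search 2: the subsearch selects sessions with a source in either netblock;
    the outer search then counts the shasums recorded in those sessions."""
    sessions = {ev["session"] for ev in events if group_for(ev.get("src_ip", ""))}
    return Counter(ev["shasum"] for ev in events
                   if ev["session"] in sessions and "shasum" in ev)


def downloaders_of(events, hashes):
    """Search 3: sessions in which one of the hashes was downloaded, counted once
    per session per src_ip (transaction session | stats count by src_ip)."""
    session_ip = {}
    for ev in events:
        session_ip.setdefault(ev["session"], ev["src_ip"])
    sessions = {ev["session"] for ev in events if ev.get("shasum") in hashes}
    return Counter(session_ip[s] for s in sessions)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print(timechart_by_group(evs))
    seen = hashes_from_netblock_sessions(evs)
    print(dict(seen))
    for ip, n in downloaders_of(evs, set(seen)).most_common():
        print(f"{ip:<16} {n}")
```

Run it as a script to print the three results on the sample data. Counting sessions rather than raw download events is deliberate: a session that fetches the same file twice would otherwise inflate the per-IP count, which is why the SPL goes through transaction before stats.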
Below is a table showing the attackers that grabbed the malware, and the number of sessions in which each downloaded it on a sensor.
Attacker | Count |
---|---|
23.107.16.3 | 137 |
23.251.63.56 | 49 |
23.251.63.84 | 46 |
107.151.197.77 | 43 |
23.251.63.46 | 43 |
107.182.140.139 | 39 |
23.251.63.234 | 38 |
104.143.5.13 | 33 |
162.218.112.46 | 31 |
107.182.140.36 | 7 |
107.189.130.3 | 6 |
192.184.57.4 | 6 |
148.163.17.68 | 3 |
192.184.41.43 | 3 |
23.228.196.60 | 2 |
Here are the files and corresponding hashes from the above searches:
URL: http://23.234.60.140/install/8000
SHASUM: e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc
URL: http://23.234.60.140/install/8001
SHASUM: 54e4e86a9c809e57e754411a4b735241dce631006310252e55aeed2663cbce7d
URL: http://23.234.60.140/install/8002 (two distinct hashes were seen for this URL)
SHASUM: 2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba
SHASUM: d4a3da512c576552a40c7aa4b366af54b98141bf023959528d479aeeab09a7b4
URL: http://23.234.60.140/install/8003
SHASUM: a6b8d218bfa051b3234977290ad6c9af6c3ea7dcf26b643b381f8876f12e7d68
URL: http://23.234.60.140/install/8005
SHASUM: 64eee462375810e00d0b262523a53ee405b274f29451f85cb1f9bcd1497b1f33
URL: http://23.234.60.140/install/8006
SHASUM: d8ebf75697902e883006fc46410558d98c667bc50ebf374d2acd5cc3bfcdc2ff
URL: http://23.234.60.140/install/8008
SHASUM: 74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520
URL: http://23.234.60.142/install/8002
SHASUM: 2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba
On to the new host serving malware: I'm noticing that this host isn't serving the same files (or at least not the same file hashes) as the 23.234.60.0/24 range. Below are the files seen thus far:
URL: http://23.234.19.202/i/a06
SHASUM: c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc
URL: http://23.234.19.202/i/a07
SHASUM: 61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521
Below is a table of the hosts downloading the two files above and the number of times each was downloaded.
Attacker | Count |
---|---|
107.182.140.139 | 17 |
162.218.112.46 | 11 |
198.15.152.100 | 9 |
38.68.20.127 | 8 |
23.107.16.3 | 7 |
198.15.190.95 | 6 |
104.143.5.13 | 4 |
23.251.63.234 | 4 |
23.251.63.56 | 4 |
107.151.197.77 | 3 |
107.182.141.25 | 3 |
198.15.131.137 | 3 |
If this post serves as anything, it's just identifying some new attacker IPs that have been seen logging into the boxes after the credentials are known and downloading the XOR.DDoS malware.
Lastly, here is a visualization of the various hosts grabbing the malware from the 23.234.60.0/24 range:
As well as the hosts grabbing the malware from 23.234.19.202: