Threat Intel | SSHPsychos/Group 93 Follow-Up Analysis
To summarize, there is a group of actors performing a significant amount of SSH brute force attacks, these actors use a separate class C network to attempt to log in to a server, then use another class C to log in, using those harvested credentials, they then download malware from various hosts.
Talos goes on to identify the range 22.214.171.124/23 as the first group, who perform the brute force attacks for the 'root' user. They also identify 126.96.36.199 as the address where the malware gets downloaded from. Right around, March 30th, they noticed the group pivoted to a new network range, 188.8.131.52/23, as well as the IP hosting malware changed to 184.108.40.206.
I wanted to see how much information I was able to see on our sensors related to these attacks, so I started digging...
First, let's confirm the switch from the 220.127.116.11/23 netblock to the 18.104.22.168/23 by the group scanning hosts:
We can achieve this by:
search sourcetype=kippojson src_ip="22.214.171.124/23" OR src_ip="126.96.36.199/23" | eval group=if(searchmatch("src_ip=188.8.131.52/23"),"184.108.40.206/23","220.127.116.11/23") | timechart count by group
Next, let's see what hosts they are using to log into the sensors, after grabbing the right credentials:
First, let's get the hashes of the files that were downloaded by the two groups:
sourcetype=kippojson [search sourcetype=kippojson src_ip="18.104.22.168/23" OR src_ip="22.214.171.124/23" | stats count by session | fields session ] | transaction session | stats count by shasum
Then we can search for only those hashes and what attacker IP's attempted to downloaded it:
search sourcetype=kippojson [search sourcetype=kippojson shasum=e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc OR shasum=54e4e86a9c809e57e754411a4b735241dce631006310252e55aeed2663cbce7d OR shasum=2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba OR shasum=d4a3da512c576552a40c7aa4b366af54b98141bf023959528d479aeeab09a7b4 OR shasum=a6b8d218bfa051b3234977290ad6c9af6c3ea7dcf26b643b381f8876f12e7d68 OR shasum=64eee462375810e00d0b262523a53ee405b274f29451f85cb1f9bcd1497b1f33 OR shasum=d8ebf75697902e883006fc46410558d98c667bc50ebf374d2acd5cc3bfcdc2ff OR shasum=74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520 | stats count by session | fields session ] | transaction session | stats count by src_ip
Below is a table showing the attackers that grabbed the malware, and the number of times they downloaded this malware on a sensor.
Here are the files and corresponding hashes from the above searches:
URL: http://126.96.36.199/install/8000 SHASUM: e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc URL: http://188.8.131.52/install/8001 SHASUM: 54e4e86a9c809e57e754411a4b735241dce631006310252e55aeed2663cbce7d URL: http://184.108.40.206/install/8002 SHASUM: 2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba SHASUM: d4a3da512c576552a40c7aa4b366af54b98141bf023959528d479aeeab09a7b4 URL: http://220.127.116.11/install/8003 SHASUM: a6b8d218bfa051b3234977290ad6c9af6c3ea7dcf26b643b381f8876f12e7d68 URL: http://18.104.22.168/install/8005 SHASUM: 64eee462375810e00d0b262523a53ee405b274f29451f85cb1f9bcd1497b1f33 URL: http://22.214.171.124/install/8006 SHASUM: d8ebf75697902e883006fc46410558d98c667bc50ebf374d2acd5cc3bfcdc2ff URL: http://126.96.36.199/install/8008 SHASUM: 74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520 URL: http://188.8.131.52/install/8002 SHASUM: 2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba
Onto the new host serving malware, I'm noticing that this host isn't serving the same files (well, at least file hashes) as the 184.108.40.206/24 range. Below are the files seen thus far:
URL: http://220.127.116.11/i/a06 SHASUM: c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc URL: http://18.104.22.168/i/a07 SHASUM: 61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521
Below is a table of the hosts downloading the two files above and the number of times it was downloaded.
If this post serves as anything, it's just identifying some new attacker IP's that have been seen logging into the boxes after the credentials are known and downloading the XOR.DDoS malware.
Lastly, here is a visualization of the various hosts grabbing the malware from the 22.214.171.124/24 domains:
As well as the hosts grabbing the malware from 126.96.36.199: