Threat Intel | Sit, Ubu, Sit. Bad Dog
Inspired by @Andrew__Morris and his talk "Ballin on a budget", I decided to check out the honeypots I've had running for a few months to see if anything interesting has happened lately. It turns out there were a few thousand attempts recently, and I decided to pick one out and do some analysis on it for fun. Although there was nothing super cool in the files, it was some fun little practice to keep me occupied.
For my honeypot, I chose to run the fan favorite Kippo, which has been awesome to work with over the last few months, and I really enjoy the Kippo-Playlog feature. So, that's where I started: the playlog. There were a few entries for the last couple of days, so I started with the first one. It was from the IP 77.109.141.138, which according to its WHOIS record is located in Switzerland:
inetnum: 77.109.141.136 - 77.109.141.143
netname: SWISS-PRIVACY-FOUNDATION-CH-NET
descr: Swiss Privacy Foundation
country: NL
admin-c: SPF20-RIPE
tech-c: SPF20-RIPE
status: ASSIGNED PA
mnt-by: MNT-INIT7-HOSTMASTER
source: RIPE # Filtered
person: Swiss Privacy Foundation
address: CH-5620 Bremgarten AG
remarks: -----------------------------------------------------------
remarks: We operate privacy enhancing technologies,
remarks: including Tor exit nodes. In case of abuse or
remarks: other emergencies, contact ONLY
remarks: +41 32 520 42 23 or abuse-ripe@privacyfoundation.ch
remarks: http://www.privacyfoundation.ch/abuse
remarks: -----------------------------------------------------------
phone: +41 32 520 42 23
abuse-mailbox: abuse-ripe@privacyfoundation.ch
nic-hdl: SPF20-RIPE
mnt-by: SPF-MNT
source: RIPE # Filtered
If you didn't notice, the remarks state that they operate Tor exit nodes, which I suspect this user is coming through. Here's a screenshot from the Atlas service confirming the TOR exit node status as well:
Once this user logged in, they began some basic recon (w, cat auth.log, cat user.log, uname -a, history). The user then did a wget on google.kr (I'm not sure that means the user is Korean, since there are several Japanese-related artifacts throughout this report, but it's worth noting). The user then did a wget on an Ubuntu 14.04 ISO. The next wget was for https://infotomb.com/0rprh.xz (MD5: 1a9bfa2e1965e58190c4e161862b689e), which, when unpacked, contains two files:
MD5:7b82cef63295ff1d1972d15d8f8382ea sousa.py
MD5:79e52c0b4e97ddee3696d688769a5ffb fuga.txt
fuga.txt is a list of 20,000 IP addresses. Below I break out the first two octets of the IP addresses:
root@kali:~# cat fuga.txt | awk -F "." '{print $1,$2}' | sed 's/ /./g' | sort | uniq -c
5477 133.242
2777 219.94
11746 49.212
These are all Japanese IP ranges:
inetnum: 219.94.128.0 - 219.94.255.255
netname: SAKURA-OSAKA
descr: SAKURA Internet Inc.
descr: 1-8-14, Minami Honmachi, Chuo-ku, Osaka 541-0054, Japan
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
remarks: Email address for spam or abuse complaints : abuse@sakura.ad.jp
mnt-by: MAINT-JPNIC
mnt-lower: MAINT-JPNIC
changed: hm-changed@apnic.net 20041013
changed: ip-apnic@nic.ad.jp 20070523
changed: ip-apnic@nic.ad.jp 20090109
source: APNIC
inetnum: 49.212.0.0 - 49.212.255.255
netname: SAKURA-OSAKA
descr: SAKURA Internet Inc.
descr: 1-8-14, Minami Honmachi, Chuo-ku, Osaka 541-0054, Japan
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
remarks: Email address for spam or abuse complaints : abuse@sakura.ad.jp
changed: hm-changed@apnic.net 20101207
mnt-irt: IRT-JPNIC-JP
mnt-by: MAINT-JPNIC
mnt-lower: MAINT-JPNIC
source: APNIC
inetnum: 133.242.150.0 - 133.242.150.255
netname: SAKURA-NET
descr: SAKURA Internet Inc.
country: JP
admin-c: KT749JP
tech-c: JP00072233
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC WHOIS Gateway at
remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks: defaults to Japanese output, use the /e switch for English
remarks: output)
changed: apnic-ftp@nic.ad.jp 20120927
source: JPNIC
Looking at the Python file, sousa.py:
It takes a filename for the IP address list (fuga.txt) and a number of threads. Looking at the code, it contains several Japanese strings:
おすわり - Sit
何かがおかしい - Something is wrong
All the Python script does is take each IP address in the list and use urllib and BeautifulSoup to grab the site's title. It then creates a new HTML file, raidvpsNEW.html, containing a table of each IP address and the site title, if one was found. The resulting HTML file looks something like this (I just used Google's web address for this purpose):
I'm not entirely sure of the purpose of this script beyond possible reconnaissance, so if anyone has any other ideas, please let me know.
This was the only interesting information for this specific session, so I went on to the other sessions for that day. Next up was a successful login from 77.247.181.162, another TOR exit node.
person: Moritz Bartl
address: Zwiebelfreunde e.V.
address: c/o DID Dresdner Institut fuer Datenschutz
address: Palaisplatz 3
address: 01097 Dresden
address: Germany
phone: +49-351-21296018
fax-no: +49-911-3084466748
abuse-mailbox: abuse@torservers.net
remarks: ---------------------------------
remarks: This network is used for research
remarks: in anonymization services and
remarks: provides Tor exit nodes to end
remarks: users.
remarks: ---------------------------------
remarks: Dieser Netzblock wird zur
remarks: Erforschung von Anonymisierungs-
remarks: techniken genutzt und stellt
remarks: Endnutzern Tor zur Verfuegung.
remarks: ---------------------------------
remarks: http://www.torservers.net/abuse.html
remarks: ---------------------------------
nic-hdl: MB22990-RIPE
mnt-by: ZWIEBELFREUNDE
source: RIPE # Filtered
In this session's logs I see the LANG environment variable being set to Japanese UTF-8 (ja_JP.UTF-8), the same as in the previous attack. So, I suspected the two were related to the same actor, given the relative time-frame and method.
./kippo.log.2:2014-12-16 09:41:21-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1525,77.247.181.162] pty request: xterm (24, 80, 0, 0)
./kippo.log.2:2014-12-16 09:41:21-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1525,77.247.181.162] Terminal size: 24 80
./kippo.log.2:2014-12-16 09:41:21-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1525,77.247.181.162] request_env: '\x00\x00\x00\x04LANG\x00\x00\x00\x0bja_JP.UTF-8'
Which matches the previous attack:
./kippo.log.2:2014-12-16 00:50:39-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1449,77.109.141.138] pty request: xterm (24, 80, 0, 0)
./kippo.log.2:2014-12-16 00:50:39-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1449,77.109.141.138] Terminal size: 24 80
./kippo.log.2:2014-12-16 00:50:39-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1449,77.109.141.138] request_env: '\x00\x00\x00\x04LANG\x00\x00\x00\x0bja_JP.UTF-8'
This time the user doesn't waste any time: he checks the logged-in users first, like he did last time, then downloads http://infotomb.com/fn7it.zip (MD5: 63e9f535d0f0e0c834dec11cbdbf576f). The only thing in this archive is fuga.txt, which has the same MD5 as the fuga.txt included in 0rprh.xz. He tries to unzip it, has no luck, and quits the session.
With nothing else to go on for these two sessions, I went ahead and looked at the others I had. When I started looking at other attacks around the same time, I found one from 133.27.5.14, which resolves to ccx01.sfc.keio.ac.jp:
[Network Number] 133.27.0.0/16
[Network Name] KEIO-SFC-NET
[Organization] Keio University Shonan Fujisawa Campus
[Administrative Contact] JP00097288
[Technical Contact] JP00097288
[Nameserver] ns0.sfc.keio.ac.jp
[Nameserver] kogwy.cc.keio.ac.jp
It's interesting that this attack was so close in time to the others and resolved to another probable Japanese actor, but I couldn't be sure this was the same guy. There were some slight differences in the environment, including the terminal type (xterm-256color vs. xterm) and the language setting (ja_JP.eucJP vs. ja_JP.UTF-8).
./kippo.log.1:2014-12-16 21:49:08-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1654,133.27.5.14] pty request: xterm-256color (40, 80, 560, 640)
./kippo.log.1:2014-12-16 21:49:08-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1654,133.27.5.14] Terminal size: 40 80
./kippo.log.1:2014-12-16 21:49:08-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1654,133.27.5.14] request_env: '\x00\x00\x00\x04LANG\x00\x00\x00\x0bja_JP.eucJP'
This user only checked out the logged-in users, then bailed. I'm assuming he realized this was the same box he'd been on twice before with no luck, so he didn't want to waste his time. It would be interesting if it was him, though, since he doesn't try to mask his identity with TOR this time and comes straight from a university. The server the actor is coming from is a Communication/Calculation Server at the Shonan Fujisawa Information Technology Center. There are plenty of results on Google for this server; here's one on how to access it from home (https://web.sfc.keio.ac.jp/~hattori/script-lang/remote.html). I'm interested to see if I can contact the University to identify which user connected to the server at the times of the attack, to provide some attribution and/or punish the student if, in fact, he was a student there.
Another way I could possibly have tied all three together was if they had used the same wordlists (although that would only have increased the probability, not been a guarantee); however, each user logged into my honeypot successfully on the first attempt. That was because I had posted my honeypot credentials on Pastebin the day before to try to get more activity on them.
There we have it: some basic analysis on a probable actor from Japan. I'm going to reach out to the University regarding the attack and see if they can shed some light on it, and I'll update this post if they get back to me.
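The environment pivot used across these three sessions (terminal type, window size and LANG) can be automated. As an added example, not code from the post or from Kippo, here is a small Python script that parses the Kippo log lines quoted above, decodes the request_env payload as the two RFC 4254 SSH strings it actually is (which is why LANG shows up with those \x00 length prefixes), and groups sessions that present the same fingerprint. The regexes and field names are my own assumptions about the Kippo log format shown here.

```python
import ast
import re
import struct
from collections import defaultdict

# Sample input: the six Kippo lines quoted in the post; the regexes below assume that log format.
SAMPLE_LOG = """\
./kippo.log.2:2014-12-16 09:41:21-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1525,77.247.181.162] pty request: xterm (24, 80, 0, 0)
./kippo.log.2:2014-12-16 09:41:21-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1525,77.247.181.162] request_env: '\\x00\\x00\\x00\\x04LANG\\x00\\x00\\x00\\x0bja_JP.UTF-8'
./kippo.log.2:2014-12-16 00:50:39-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1449,77.109.141.138] pty request: xterm (24, 80, 0, 0)
./kippo.log.2:2014-12-16 00:50:39-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1449,77.109.141.138] request_env: '\\x00\\x00\\x00\\x04LANG\\x00\\x00\\x00\\x0bja_JP.UTF-8'
./kippo.log.1:2014-12-16 21:49:08-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1654,133.27.5.14] pty request: xterm-256color (40, 80, 560, 640)
./kippo.log.1:2014-12-16 21:49:08-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1654,133.27.5.14] request_env: '\\x00\\x00\\x00\\x04LANG\\x00\\x00\\x00\\x0bja_JP.eucJP'
"""
LINE_RE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \S+) \[SSHChannel .*HoneyPotTransport,"
                     r"(?P<sid>\d+),(?P<ip>[\d.]+)\] (?P<msg>.*)$")
PTY_RE = re.compile(r"pty request: (?P<term>\S+) \((?P<rows>\d+), (?P<cols>\d+),")
ENV_RE = re.compile(r"request_env: (?P<lit>'.*')$")

def decode_ssh_env(literal):
    """Decode Kippo's repr() of an SSH 'env' request: two RFC 4254 strings (uint32 BE length + bytes), name then value."""
    raw = ast.literal_eval(literal).encode("latin-1")
    (nlen,) = struct.unpack(">I", raw[:4])
    (vlen,) = struct.unpack(">I", raw[4 + nlen:8 + nlen])
    return raw[4:4 + nlen].decode(), raw[8 + nlen:8 + nlen + vlen].decode()

def parse_sessions(text):
    """Map (session id, source IP) -> {first_seen, term, size, env} from Kippo log lines."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search(), so a grep file prefix is ignored
        if not m:
            continue
        sess = sessions[(m["sid"], m["ip"])]
        sess.setdefault("first_seen", m["ts"])
        pty, env = PTY_RE.match(m["msg"]), ENV_RE.match(m["msg"])
        if pty:
            sess["term"], sess["size"] = pty["term"], (int(pty["rows"]), int(pty["cols"]))
        if env:
            name, value = decode_ssh_env(env["lit"])
            sess.setdefault("env", {})[name] = value
    return dict(sessions)

def cluster_by_fingerprint(sessions):
    """Group sessions by (terminal type, window size, LANG), the pivot the post uses to relate sessions."""
    groups = defaultdict(list)
    for key, sess in sessions.items():
        fp = (sess.get("term"), sess.get("size"), sess.get("env", {}).get("LANG"))
        groups[fp].append(key)
    return dict(groups)
```

Run against the sample, the two Tor sessions (1449 and 1525) land in one group and the Keio session (1654) in another, matching the manual comparison above; feed it the output of grep over real kippo.log files to do the same across a whole day.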