I encountered an interesting file in my honeypot a couple of days ago and it's not on virustotal or similar so I decided to take advantage of the situation a take a closer look myself.
Before going further let me tell you I'm not whatsoever a reversing expert, just a messy curious threat intel/threat hunting expert, and this article was a for-fun activity. I do like it and I wish I could properly do reversing! Someday, maybe.
The attacker uploaded the file through sftp:
Before anything else I used radare2 so to get some general info about the file:
rabin2 -I mymalware
And found out the following things:
arch x86
baddr 0x400000
binsz 30048232
bintype elf
bits 64
canary false
injprot false
class ELF64
crypto false
endian little
havecode true
intrp /lib64/ld-linux-x86-64.so.2
laddr 0x0
lang c
linenum false
lsyms false
machine AMD x86-64 architecture
nx true
os linux
pic false
relocs false
relro partial
rpath NONE
sanitize false
static true
stripped true
subsys linux
va true
And:
rabin2 -Ir mymalware
e cfg.bigendian=false
e asm.bits=64
e asm.dwarf=true
e asm.codealign=1
e bin.lang=c
e file.type=elf
e asm.os=linux
e asm.arch=x86
So it's pretty clear that we are taking a look at a linux binary. Why is it interesting? What I usually find in my honeypot are IRC based miners, scripts for initial deployment and some keys, but this is slightly different.
I took a very quick look at the strings, and realized it used Golang. The file itself is stripped, as I realized when using >afl | head -n20
(just 20 lines so to take a look) even when using a pipe with redress
.
This didn't stop me. I took a quick look around. I used binwalk
and `strings. I proceeded to note down some general clear ideas:
- It uses Golang
- It's an elf for AMD x86-64 architecture
Anyway I tried to look for executable paths and exfiltration traces or maybe C2, since those are the common things found in bots or maybe stealers. I have a bunch of key-words that help me dive through these sort of things, and I found a suspicious hardcoded IP in /etc/services
:
100.64.0[.]0
Using a really quick search over VT, it revealed a pulse related with GoScanSSH family, which pretty much fits in this situation.
I keep searching:
Realized that it also tries to identify the IP using some legit IP info services online, such as
http://ipgrab[.]io
https://ident[.]me
https://ip.seeip[.]org
http://inet-ip[.]info
And saves it all into a zip file. I wondered where did it meant to send it and I found a hardcoded discord api location, so that must be it, since discord (as well as Telegram) is currently being used a lot for exfiltration.
Then I found some command lines (for example chmod attempts, but not for example chattr or ulimit, which usually goes together in regular miner families) that grabbed my attention:
service systemd-worker enable || systemctl enable systemd-worker.service
Basically because that "systemd-worker" thing sounded familiar. I remember reading about this before so a quick search and yep! It reminded my of Panchan.
"(...)Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, which is likely used for monitoring the victim.
To establish persistence, the malware copies itself to `/bin/systemd-worker and creates a new systemd service to launch after reboot while masquerading as a legitimate system service.(..)"
it adds up.
This definitely rang a bell and looked for some more info about it and I found some "look and destroy"-like (as I like to call it) function:
current_preset_xmrig_enabled *bool; current_preset_xmrig_nicehash
Yeah this totally looked like Panchan. And, according to Bleeping Computer:
"The malware also features an anti-kill system that detects process termination signals and ignores them unless it's SIGKILL which isn't handled."
I also saw this before going around, so I rechecked:
SIGKILL: kill
SIGQUIT: quit
And... yeah after reading the article that akamai I saw this:
If you are wondering: yes, I checked previously with an automated genetic analysis and static analysis vendors, but it wasn't very helpful and didn't point me to the actual threat (mostly because it was corrupted, but that doesn't mean it doesn't have information in it!).
Anyway this has been fun. I totally have to sharpen my reversing abilities so to make this "the proper way" and not "string | grep" it.
You can check the IoCs in my AlienVault pulse!
If you want to read the japanese version, check here
日本語の記事はここにです
Top comments (5)
Golang is now the go-to malware lang I'll borrow a well known phrase, "The price we pay for the ease and adapability of Golang is eternal vigilance.".
Great little article and chock full of interesting snippets which I'm going to do some further reading on.
Well thank you! I'm glad you enjoyed
Good detective work! Use of your prior experience and leaning on your strengths is the way to go when rummaging in the void like this 👏 There is no shame in hitting the strings and grep tools early on, they often provide a lot of insight (fingerprints, whole or partial) and starting points for more detailed work (eg: going backwards from an IP address string through the code that uses it, finding out what get's sent where). As a previously-professional security person I often followed a very similar path to this, before picking a battle and diving in with IDA or JADX etc. Keep going!
Some comments may only be visible to logged-in visitors. Sign in to view all comments.