DEV Community

Cover image for Analyzing a Linux malware binary
Paula
Paula

Posted on • Edited on

Analyzing a Linux malware binary

I encountered an interesting file in my honeypot a couple of days ago and it's not on virustotal or similar so I decided to take advantage of the situation a take a closer look myself.

Before going further let me tell you I'm not whatsoever a reversing expert, just a messy curious threat intel/threat hunting expert, and this article was a for-fun activity. I do like it and I wish I could properly do reversing! Someday, maybe.

The attacker uploaded the file through sftp:

Image description

Before anything else I used radare2 so to get some general info about the file:

rabin2 -I mymalware
Enter fullscreen mode Exit fullscreen mode

And found out the following things:

arch     x86
baddr    0x400000
binsz    30048232
bintype  elf
bits     64
canary   false
injprot  false
class    ELF64
crypto   false
endian   little
havecode true
intrp    /lib64/ld-linux-x86-64.so.2
laddr    0x0
lang     c
linenum  false
lsyms    false
machine  AMD x86-64 architecture
nx       true
os       linux
pic      false
relocs   false
relro    partial
rpath    NONE
sanitize false
static   true
stripped true
subsys   linux
va       true
Enter fullscreen mode Exit fullscreen mode

And:

rabin2 -Ir mymalware
Enter fullscreen mode Exit fullscreen mode
e cfg.bigendian=false
e asm.bits=64
e asm.dwarf=true
e asm.codealign=1
e bin.lang=c
e file.type=elf
e asm.os=linux
e asm.arch=x86
Enter fullscreen mode Exit fullscreen mode

So it's pretty clear that we are taking a look at a linux binary. Why is it interesting? What I usually find in my honeypot are IRC based miners, scripts for initial deployment and some keys, but this is slightly different.

I took a very quick look at the strings, and realized it used Golang. The file itself is stripped, as I realized when using >afl | head -n20 (just 20 lines so to take a look) even when using a pipe with redress.

Image description

This didn't stop me. I took a quick look around. I used binwalk and `strings. I proceeded to note down some general clear ideas:

  • It uses Golang
  • It's an elf for AMD x86-64 architecture

Anyway I tried to look for executable paths and exfiltration traces or maybe C2, since those are the common things found in bots or maybe stealers. I have a bunch of key-words that help me dive through these sort of things, and I found a suspicious hardcoded IP in /etc/services:


100.64.0[.]0

Using a really quick search over VT, it revealed a pulse related with GoScanSSH family, which pretty much fits in this situation.

I keep searching:

Realized that it also tries to identify the IP using some legit IP info services online, such as


http://ipgrab[.]io
https://ident[.]me
https://ip.seeip[.]org
http://inet-ip[.]info

And saves it all into a zip file. I wondered where did it meant to send it and I found a hardcoded discord api location, so that must be it, since discord (as well as Telegram) is currently being used a lot for exfiltration.

Image description

Then I found some command lines (for example chmod attempts, but not for example chattr or ulimit, which usually goes together in regular miner families) that grabbed my attention:


service systemd-worker enable || systemctl enable systemd-worker.service

Basically because that "systemd-worker" thing sounded familiar. I remember reading about this before so a quick search and yep! It reminded my of Panchan.

"(...)Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, which is likely used for monitoring the victim.

To establish persistence, the malware copies itself to `/bin/systemd-worker and creates a new systemd service to launch after reboot while masquerading as a legitimate system service.(..)"

it adds up.

This definitely rang a bell and looked for some more info about it and I found some "look and destroy"-like (as I like to call it) function:

current_preset_xmrig_enabled *bool; current_preset_xmrig_nicehash
Enter fullscreen mode Exit fullscreen mode

Yeah this totally looked like Panchan. And, according to Bleeping Computer:

"The malware also features an anti-kill system that detects process termination signals and ignores them unless it's SIGKILL which isn't handled."

I also saw this before going around, so I rechecked:

SIGKILL: kill
SIGQUIT: quit
Enter fullscreen mode Exit fullscreen mode

And... yeah after reading the article that akamai I saw this:

Image description

Image description

If you are wondering: yes, I checked previously with an automated genetic analysis and static analysis vendors, but it wasn't very helpful and didn't point me to the actual threat (mostly because it was corrupted, but that doesn't mean it doesn't have information in it!).

Anyway this has been fun. I totally have to sharpen my reversing abilities so to make this "the proper way" and not "string | grep" it.

You can check the IoCs in my AlienVault pulse!
If you want to read the japanese version, check here
日本語の記事はここにです

Top comments (5)

Collapse
 
syxaxis profile image
George Johnson

Golang is now the go-to malware lang I'll borrow a well known phrase, "The price we pay for the ease and adapability of Golang is eternal vigilance.".

Great little article and chock full of interesting snippets which I'm going to do some further reading on.

Collapse
 
terceranexus6 profile image
Paula

Well thank you! I'm glad you enjoyed

Collapse
 
phlash profile image
Phil Ashby

Good detective work! Use of your prior experience and leaning on your strengths is the way to go when rummaging in the void like this 👏 There is no shame in hitting the strings and grep tools early on, they often provide a lot of insight (fingerprints, whole or partial) and starting points for more detailed work (eg: going backwards from an IP address string through the code that uses it, finding out what get's sent where). As a previously-professional security person I often followed a very similar path to this, before picking a battle and diving in with IDA or JADX etc. Keep going!

Some comments may only be visible to logged-in visitors. Sign in to view all comments.