Linux.Ngioweb分析报告
背景介绍
2019年5月27号,360Netlab 未知威胁检测系统发现一个可疑的ELF文件,目前仅有一款杀毒引擎检测识别。通过详细分析,我们确定这是一款Proxy Botnet,并且是Win32.Ngioweb[1]恶意软件的Linux版本变种,我们将它命名为Linux.Ngioweb。它与Win32.Ngioweb共用了大量代码,不同的是它新增了DGA特性。我们注册了其中一个DGA C2域名(enutofish-pronadimoful-multihitision.org),并对它进行Sinkhole处理以此来观察Bot连接情况。
此外,我们还观察到大量部署WordPress的Web服务器被植入Linux.Ngioweb 恶意软件。尽管Bot程序由Web容器对应的用户组运行并且权限很小但还是能够正常工作,并被充当Rotating Reverse Proxy[2]节点。
目前,我们还没有看清楚Linux.Ngioweb攻击者的目的,但我们猜测他可能会监听代理网络流量。
Linux.Ngioweb概览
Linux.Ngioweb Bot样本的主要功能是在受害者的机器上实现Back-Connect Proxy[3]。攻击者将多个Bot构建为一个Proxies Pool,并通过双层C2协议控制,然后提供Rotating Reverse Proxy Service。
Linux.Ngioweb逆向分析
样本信息
- MD5: 827ecf99001fa66de513fe5281ce064d
ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped
样本对抗技巧
-
使用双层C2协议,其中Stage-2 C2由Stage-1 C2的CONNECT指令确定
-
Stage-2 C2使用双层加密的通信协议
Stage-1 C2协议分析
在此阶段样本的主要行为是和Stage-1 C2建立通信,根据C2返回的指令进行下一步的操作。
通信尝试
-
每隔60秒尝试和以下硬编码C2 IP建立通信
169.239.128.166:443
185.244.149.73:443 -
每隔73秒尝试和DGA (Domain Generation Algorithm) 生成的域名建立通信。当DGA域名数达到300时,Seed会重置,所以DGA域名总数只有300。
DGA实现
uint64_t GenSeed(uint32_t& seed, uint32_t mod)
{
uint32_t tmp = 0x41C64E6D * seed + 0x3039;
seed = tmp;
return tmp % mod;
}
string dga(uint32_t& seed)
{
char* HeadBuf[] = { "un", "under", "re", "in", "im", "il", "ir", "en", "em",
"over", "mis", "dis", "pre", "post", "anti","inter",
"sub", "ultra", "non", "de","pro", "trans", "ex",
"macro", "micro", "mini","mono", "multi", "semi", "co" };
char* BodyBufA[] = {"able","ant","ate","age","ance","ancy","an","ary",
"al","en","ency","er","etn", "ed", "ese","ern","ize",
"ify","ing","ish","ity","ion","ian","ism","ist","ic","ical",
"ible","ive","ite","ish","ian","or","ous","ure" };
char* BodyBufB[] = {"dom","hood","less","like","ly","fy","ful","ness",
"ment","sion","ssion","ship","ty","th","tion","ward" };
char* TailBuf[] = { ".net",".info",".com",".biz",".org",".name" };
string BlockBufA = "aeiou";
string BlockBufB = "bcdfghklmnprstvxz";
string domain;
uint32_t dashloop = GenSeed(seed, 3) + 1;
while (dashloop--)
{
domain += HeadBuf[GenSeed(seed, 0x1e)];
int flag = 0;
int i = 0;
if (BlockBufA.find(domain.back()) == string::npos)
flag = 1;
int fillcnt = GenSeed(seed, 0x3) + 4;
while (fillcnt > i)
{
if (flag + i & 1)
domain += BlockBufA[GenSeed(seed, 0x5)];
else
domain += BlockBufB[GenSeed(seed, 0x11)];
i++;
}
if (BlockBufA.find(domain.back()) == string::npos)
domain += BodyBufA[GenSeed(seed, 0x23)];
else
domain += BodyBufB[GenSeed(seed, 0x10)];
if (dashloop != 0)
domain += "-";
}
return domain += TailBuf[GenSeed(seed, 0x6)];
}
通信协议
此阶段通信是基于HTTP协议,并将参数内容进行了Base64编码。
数据包概览
发包解析
将参数内容通过Base64解码后可以看到以下信息
-
id=machine-id[0:15]
-
v=x86_64,硬编码,架构
-
sv=5003,硬编码,版本号
-
&qlohmzalwdepupwf,随机16字节数据,算法如下
-
User-Agent,硬编码
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
收包解析
支持的指令
- WAIT
- CONNECT
- DISCONNECT
- CERT
Stage-2 C2协议分析
在此阶段样本的主要行为是和Stage-2的C2建立通信,开启Back-Connect Proxy功能。
通信协议
此阶段通信是经过双层加密组合合成,内层为XOR,外层为AES。
数据包概览
加密算法
XOR的Key由随机算法产生
算法为
AES使用ECB模式,无填充,Key为qwerasdfzxcqwerasdftyuirfdsdsdss
数据包结构
数据包由header和msg俩部分组成
header结构
#le->little endian
#be->big endian
struct header
{
uint32_le xorkey;
uint32_be msgcrc32;
uint32_be len;
uint16_be msgcode
uint16_be magic
};
msg由chunk构成,样本支持的chunk如下
Chunk Type | Chunk Length | Description |
---|---|---|
1 | 1 | BYTE |
2 | 2 | WORD big endian |
3 | 4 | DWORD big endian |
4 | 8 | QWORD big endian |
5 | N+4 | Bytes array.The first 4 bytes of chunk are the big endian-encoded length (N) of the array |
一个msg可以有一个或多个chunk,不同的msg有不同的格式。
样本支持的msg类型分recv和send 两种
汇总见下表
msgcode | Driection | Description | Fromat |
---|---|---|---|
0x1010 | recv | set channel id | 3 chunks:(QWORD ConnId, Array IPAddr,WORD Port) |
0x1011 | recv | start proxy request | 5 chunks:(QWORD RequestId, BYTE reason,BYTE AddrType,Array Addr, WORD port) |
0x1012 | recv | close connection | 1 chunk:(QWORD ConnId) |
0x10 | send | check-in | 1 chunk:(QWORD BotId) |
0x11 | send | set-channel ack | 1 chunk:(DWORD VersionId) |
0x14 | send | tcp server started | 5 chunks:(DWORD ConnectionId, QWORD RequestId, BYTE AddrType, Array Addr, WORD Port) |
0x15 | send | error | 2 chunks:(DWORD RequestId,BYTE reason ) |
0x16 | send | udp server started | 5 chunks:(DWORD ConnectionId, QWORD RequestId, BYTE AddrType, Array Addr, WORD Port) |
发包解析样例
-
原始数据(数据包结构)
packet[0:31]: 6c 52 8c 08 3e 80 a9 3c 00 00 00 10 00 10 fa 51 04 dd b0 b4 9d 10 ec 42 c3 00 00 00 00 00 00 00 header --->packet[0:15] xorkey --->0x088c526c msgcrc32 --->0x3e80a93c msglen --->0x00000010 msgcode --->0x0010,check-in magic --->0xfa51 msg --->packet[16:31] 1st chunk chunktype --->0x4 content --->0xddb0b49d10ec42c3
-
XOR加密后
6c 52 8c 08 36 0c fb 50 08 8c 52 7c 08 9c a8 3d 0c 51 e2 d8 95 9c be 2e cb 8c 52 6c 08 8c 52 6c
-
AES加密后
c1 d3 78 71 2d f6 5b bb 16 ca ff 8b ef 69 bb 26 3b 01 f0 22 70 09 38 dc e7 06 89 de 2b 55 eb 8e
收包解析样例
-
原始数据
c5 ad 4a bf 30 C2 3a 43 9b 6e 22 08 73 e0 b9 5d 3c e6 b7 f0 74 76 53 43 3a 79 0e 82 80 1a c3 84 ba a4 85 05 4a 63 b1 d6 d1 94 ad 53 be 7a 9a 88
-
AES解密后
59 8b e5 6d 4a ee bf ef 6d e5 8b 79 7d f5 71 08 69 b8 81 aa 92 ed 65 fb 29 e0 8b 59 6d e1 51 47 19 e1 89 d8 29 e5 8b 59 6d e5 8b 59 6d e5 8b 59
-
XOR解密后(数据包结构)
packet[0:47] 59 8b e5 6d 27 0b 34 b6 00 00 00 20 10 10 fa 51 04 5d 0a f3 ff 08 ee a2 44 05 00 00 00 04 da 1e 74 04 02 81 44 00 00 00 00 00 00 00 00 00 00 00 header --->packet[0:15] xorkey --->0x6de58b59 msgcrc32 --->0x270b34b6 msglen --->0x00000020 msgcode --->0x1010,set channel id magic --->0xfa51 msg --->packet[16:47] 1st chunk chunktype --->0x04 content --->0x5d0af3ff08eea244 2nt chunk chunktype --->0x05 content --->len:0x00000004 buf:0xda1e7404 3rd chunk chunktype --->0x02 content --->0x8144
Stage-2 C2关联分析
我们通过访问Stage-1 C2 URL (http://185.244.149.73:443/min.js) 共得到以下6个Stage-2 C2的地址。
5.135.58.119
5.135.58.121
5.135.58.123
5.135.58.124
91.134.157.11
193.70.73.115
通过我们的图系统关联test.zip的MD5(9017804333c820e3b4249130fc989e00)得到了更多的URL并对他们进行指纹识别,确认了另外18个存活的Stage-2 C2。
5.135.35.160
5.196.194.209
51.254.57.83
54.36.244.84
54.36.244.85
54.36.244.91
91.121.36.212
91.121.236.219
92.222.151.63
145.239.108.241
163.172.201.184
163.172.202.116
178.33.101.176
178.33.101.177
178.33.101.178
178.33.101.182
188.165.5.123
188.165.163.20
我们在free-socks.in网站上可以检索到Stage-2 C2 IP地址正在提供Socks5代理服务。
我们测试这些Socks5代理IP均正常工作,同时它们也通过Stage-1 C2协议访问了我们Sinkhole 的C2域名(enutofish-pronadimoful-multihitision.org),所以可以说明他们都是Linux.Ngioweb Bot。
root@localhost:~# curl --socks5 91.134.157.11:50880 ifconfig.me
31.170.123.49
root@localhost:~# curl --socks5 91.134.157.11:62012 ifconfig.me
208.113.197.88
root@localhost:~# curl --socks5 91.134.157.11:18278 ifconfig.me
45.58.190.100
root@localhost:~# curl --socks5 91.134.157.11:64380 ifconfig.me
72.29.64.29
root@localhost:~# curl --socks5 91.134.157.11:47067 ifconfig.me
54.38.101.17
root@localhost:~# curl --socks5 91.134.157.11:63862 ifconfig.me
88.99.212.97
root@localhost:~# curl --socks5 91.134.157.11:49475 ifconfig.me
23.91.65.240
被感染的IP信息
通过Sinkhole C2域名(enutofish-pronadimoful-multihitision.org),我们目前共观察到有2692个Bot IP。
以下是被感染的IP 国家/地区详细列表
US 1306
BR 156
RU 152
DE 133
FR 102
SG 98
NL 80
GB 66
CA 66
IT 64
VN 42
AU 36
PL 31
TR 28
JP 26
IN 26
ZA 21
ID 19
ES 18
UA 15
通过对被感染IP指纹识别,我们观察到几乎所有Bot IP都是Web服务器,同时都部署了WordPress程序,但是我们还不能确定攻击者是如何入侵WordPress网站。
我们通过联系一些受感染者用户,并在他们的Web服务器上发现了多种类型的WebShell,这些WebShell都是高度混淆,但是混淆手法,加密方式以及编码特征相似。结合被感染IP访问Sinkhole时序特征,我们猜测攻击者会周期性地对受害者网站WebShell下发指令并运行Linux.Ngioweb程序。
处置建议
Linux.Ngioweb攻击者可能会监听代理网络流量,我们建议读者不要使用Stage-2 C2 IP提供的Socks5代理服务。
我们建议WordPress用户备份网站文章数据库(删除wp.service.controller.*等后门用户),重新安装最新版本WordPress程序,增强用户密码复杂度,增强WebShell检测能力,并禁止PHP命令执行相关函数;
相关安全和执法机构,可以邮件联系netlab[at]360.cn获取被感染的IP地址列表。
联系我们
感兴趣的读者,可以在 twitter 或者在微信公众号 360Netlab 上联系我们。
IoC list
样本MD5
827ecf99001fa66de513fe5281ce064d
Stage-1 C2 (硬编码IP)
169.239.128.166 South Africa ASN 61138 Zappie Host LLC
185.244.149.73 Romania ASN 60117 Host Sailor Ltd.
Stage-2 C2
163.172.201.184 France ASN 12876 Online S.a.s.
163.172.202.116 France ASN 12876 Online S.a.s.
5.135.35.160 France ASN 16276 OVH SAS
5.135.58.119 France ASN 16276 OVH SAS
5.135.58.121 France ASN 16276 OVH SAS
5.135.58.123 France ASN 16276 OVH SAS
5.135.58.124 France ASN 16276 OVH SAS
5.196.194.209 France ASN 16276 OVH SAS
51.254.57.83 France ASN 16276 OVH SAS
54.36.244.84 France ASN 16276 OVH SAS
54.36.244.85 France ASN 16276 OVH SAS
54.36.244.91 France ASN 16276 OVH SAS
91.121.36.212 France ASN 16276 OVH SAS
91.121.236.219 France ASN 16276 OVH SAS
91.134.157.11 France ASN 16276 OVH SAS
92.222.151.63 France ASN 16276 OVH SAS
145.239.108.241 Germany ASN 16276 OVH SAS
178.33.101.176 Ireland ASN 16276 OVH SAS
178.33.101.177 Ireland ASN 16276 OVH SAS
178.33.101.178 Ireland ASN 16276 OVH SAS
178.33.101.182 Ireland ASN 16276 OVH SAS
188.165.5.123 Ireland ASN 16276 OVH SAS
188.165.163.20 France ASN 16276 OVH SAS
193.70.73.115 France ASN 16276 OVH SAS
Stage-1 C2 (DGA)
enutofish-pronadimoful-multihitision.org
exaraxexese-macrobacaward-exafosuness.net
nonafudazage.name
demigelike.net
emuvufehood.net
subolukobese.biz
inogepicor-prorarurument.biz
overahudulize-unazibezize-overuzozerish.org
imunolance-postodinenetn-antifipuketn.net
antizerolant-monogevudom.info
transavecaful-transinenation-transikaduhern.com
subogonance.info
inoxodusor-misehupukism.info
devikoviward-semibazegily-copaxugage.name
eniguzeless-inecimanable.net
subilebesion-irogipate.biz
colozosion-antigobunaful.name
inudiduty-dezaviness.org
irelizaring-enipulical-monovuxehossion.info
ilenudavous-monoxoxapal-semimihupution.info
ultrapadupize.biz
covategal-dezakedify-enebugassion.name
transivesudom-macropimuship.org
rezolezation-transapupirify-seminecation.name
macrolutoxous-overefimety.name
coxumumage-dexolalite.name
cotexafical-postirutuvian-emimimous.biz
copubuloness-misumusal-disokozian.com
nonecuzuking-enekopofen-imakozity.info
dezohipal-ultrazebebive.name
cosazalike-antifoxirer-subudikic.biz
underotutilism-monoceraretion-underosociful.name
overugiror.net
emuzixucize.biz
disicevament-desizigasion-recadihuful.biz
decehoward-microhikodely-overokerezant.com
microlasokadom-ultralarumous.info
minixecision-iruzaxuhood.net
profusonuty.info
multifipakency-conovofy-prorakikate.com
antiseramoment.info
postavutetn-emedarevous.biz
inolugoty-inidiverible.com
prodipamament.biz
overogobity-imivocurify-disovizution.biz
decozaness-antihazation-overetalovical.net
nonesolafy.com
unihatosancy.name
interiragocern-micropuxotion-transogorion.org
seminamatity-enogibely.name
inosebovion.net
exofifure-postirexument.info
transirirenern-semizafunic-nonivubed.biz
enegizize-microtizobity.name
macrohuseded-multipazaseship.com
imefihured-macrohixuhood.org
microlulition-macrokiguxable.biz
multizesumefy-emebefion.biz
underebelassion-postizoziless.info
dezuvazen.name
decotusion-exexavihood-exevozebant.name
disuzepuly.info
inuviging-antizoluly.biz
multisotiren-ilazufist.org
predepussion.info
inidozadom.name
interikuhaful.info
cozuheming.biz
multiruxuth.org
monozogeced.org
mononoredom.info
postarubixage-monocinamety-overogefesal.com
prebekokian-misadepepive-transilogify.com
monohatodom-cohotiship.com
exebasusion.org
unahodoness-emevuzeward-emuzeduness.com
exemidexous-underiposapite-unegatature.name
interocugopist-misugexadic-ilobipegency.org
monokifomancy-misagefism-macrobepoth.com
antizekussion-minipusaral-copofuxoship.com
relutodom-comakitize.name
multikezusion.org
emopumical-enohecical.org
semitegopish.net
recepatission.info
inoluvary.com
seminitotuful.info
interanubing-emelulotal-transugotuzern.com
subefehity-iledutession.name
ultrapapiten.biz
transuvarusish-prozumoxety.info
transisigern.org
imirotiship-microhopulive-emotomeship.com
presefavution.info
enevifaking.org
misidogive-coxecovor-dexefoxan.name
overazadudom-deliromohood.com
emakanuward.com
emitohage-overasuhorure-antitipenoless.info
ultrasesebible.biz
multihadekite.name
iluvused-iravoxish.info
postobagoly-detovaward-unixohible.biz
underasusogen.com
imovaman-multimihivoship-imeduxian.biz
dedunuguhood.com
prevukition.info
underehugavish.org
misoxomelical-iluxubism.net
microcolacoful-postabitition.name
overurohely-overadolure-iruraluness.org
unurodable-dekipuhic-postuxufous.org
unitucihern-postadagen-imupuduth.org
imukokuship.org
prenubocetion-ultrahahohood.com
monofugition-underefogukic.org
irofetufy.com
irobigelike.org
presifament.biz
overetigution.info
enuvopan-imixesoward-irarupipary.biz
inorofizian.com
monopadecotion-multicecihood-imuzicasion.com
exofosehance-minimezazofy.org
monokacofudom-inuvinable.com
emisucosion-prohosexite-imorekusion.net
semiledoduly.info
multivapufy-promumuly-enonuben.net
subebodency.info
cofexasish-inodehed.net
unutexupify-conofubusion.com
misebonure-iluborize-rezericify.com
exunaxian.info
colanizity-postosecive-nonuresible.info
dedaliward-imipusen-inacaliver.com
refusovize.org
monokuvission-transodigical-semihehamussion.biz
transalavudom-multilavezuhood.net
exusizeward.net
unisimor.name
minipihagaship.com
recusigetion-transubeviful.info
multixizitufy-microtomuly-multixoleward.com
microxulodish-semibahoty.biz
macrokunith-proxobivive.net
preginaxodom.name
transimapeful-cotalision.com
prefinazuly.name
inucasazing-microhesunian-semidikokement.biz
disitirotion-transekarenate.org
unehihify-antimepavable-nonubovafy.net
misunotelike-nonugidant.info
enogosudom-macrogekabive.biz
postozokipetn-microdomobaly.biz
interunavission-ininibecist.org
microhinoler.org
prosihamish-noneguhaness.com
preberekous-microkagibant-imemahal.name
iletegifage.org
emikuraran.biz
overokigoty-ilecavish.net
nonikofucable-postelihuzism-rexecigism.net
imixifure.info
minirabupeness-nonitefuward.org
misasugegify-underazosuzish-exuvexezical.info
multipocihood-monomuhunible.org
nonohacutancy-postuxikitan-microseditoless.info
overasobament.info
overulurotion.biz
disepadely-disuzirovor.net
repetepian-irelucify.biz
enikobadom-postolixement.name
inunatogite-imoboraness.net
irimarefy.net
monohiloless-demodefy.com
previbetian-misunohigate.info
multivunuhance-inabiber.com
semicasinaty-ilibaholy.biz
transupovetn-monozeruduless.biz
debapesetn-underisaxufical-imukugamism.info
multibibetefy.com
exanonish.name
interanulish-imazekalike-unisukugate.info
inokevidage.org
monofipuly-underubihal.net
profobekify-subebobefy-exozufous.name
macrovetecuship-emebudemical-underaxakament.biz
demeficiward-retitisily-macromuvaward.org
monosumuly-ilenusuty-dedabaness.net
exapofaran-postulusadify.com
microhobament-postevofafity.com
rebezusaly-overidirity-ultrahiseness.org
unafacigage-transihicical-prebokity.info
interazution-irudegufy-antinefoly.biz
minizecidish-macrolafukish-depovased.biz
derirepous-cosideship-semibiseless.biz
overupazadity-irativorical.name
coseviness-nonikunant-macrorasihood.net
nonesocern-macrotocipity.info
interuzoputy.info
inicinic-misuluzan-ultrakuxuness.com
sububesebism-ultrabutath.com
misacireship.org
exuxuburan-miniravuhood-exosoxen.info
macrozigahood-monosulopancy.com
unegoping-detunusion-antimuruseful.biz
macrozixaward-semivanimoly-underekutoty.biz
ultratipuxian-inosilission-multiridith.net
microtonagament.info
cobemesion-redacocoful.name
disicogure-seminedasoly.biz
dekacify.net
emegamilike-imupogazance-ultrapanacesion.org
unocelibable-underelatucance.com
irodetolike-imisocatite-inecolafian.com
antikuzucen-irokarance-transitupikible.org
semiralety-macrorobinant-ultrapixutency.biz
transisomuless.name
ilebigument-macroripakesion.org
profebarable.org
nonixigefy-protisumiless.biz
corahicohood.com
pretuvution-disafatutical-irehopuvese.name
miniregath-anticesuty-postudagily.biz
coguvilaship-recakubodom.name
overipugoful-interizihing.org
imipadaness-iralikoward-semitolicoly.info
interupefity-semigiduly.info
macromosoriship.net
antigizepist.net
subuluhic-disomokate.net
irunucudor-macrogocudern-comoxizish.name
underedofobate.net
prolapuzern-progobutiful-dehifasion.org
irucasian-macrofevasion.net
unogoxeness-semixocapency.org
rehofocese.org
exebutian-interomifenism.org
subihefahood-subenopure-ultramoherihood.net
nonezogeward.com
exasavate-minidevilefy-subanevous.biz
enodenission-overucelancy-microvitasission.info
ultrafakitesion-misesuzahical-transanafetion.biz
interinipoly-minimorovor-debininess.com
prenedelission-interugefable-repekosossion.name
postifozible-irololuship.com
unozolasion.org
unobelaness-prepifavety.info
cofukosable.info
iloletible-imakeben.info
ultraronupity.name
minikisision-monobavunism-micronepavage.org
unufepaness-misedepugance.biz
inafolage.com
semifolofic-unaraxal.biz
enerivosism-imenufanist-macrovonahood.org
monobocution.info
cosuzuness-prepurizor-unasulal.name
inopivic-antimaporary-subavocobive.biz
covogidish-iletinassion.biz
defizalike-unodatage-inarabevous.com
unuvirisern-interusalosize-misucakiness.org
ireninenish-multicemath-prezucetussion.biz
interodekive.com
iramilahood-antirotuxary-misobegesion.name
multidafadite-postagoker.org
monobagehance.net
emixuvidite-ilofikency-subolubify.biz
postugihucency-emademify.name
cotefehood-imocakitency.biz
enikavely-inosifuty-postaviraly.info
transabusossion.biz
interitebure.net
unehumugage-ultraburosion.com
subutavahen-inuhabish.org
subifefer-devufoward-probelalance.org
emefimafible.biz
ilibefudom.biz
postemivaxage.net
monofudumossion.info
inuxazodom-macrodexaxahood.org
semibugegetn-monohifutuly.biz
macromohazaship-subonohion-disonixucing.com
emosacekant-cokebohood-nonetakive.biz
interozecifist-antipinukity-multifekemath.net
refedomous-antifaliless.name
ultraxekevohood-nonizerosion-exovigant.name
interarogous-unuculuhood.org
semipulimian.com
monocalacaless.biz
disevolikency-retipegation.biz
cosituxath-misuxunor.info
ultraporader-conapefy-prolobeziless.info
ilucasure.com
reletohite-misosulahood-antitedudom.info
minivucilous-inafafomism.net
monorifutaless-ilocamussion.name
inohufohese-imufilahood-antifidupite.com
emegemaxed-transigifuty-multitumolith.net
exotacible-denitokolike.com