{"id":576,"date":"2023-12-14T02:16:36","date_gmt":"2023-12-14T02:16:36","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=576"},"modified":"2023-12-14T02:16:36","modified_gmt":"2023-12-14T02:16:36","slug":"threat-profile-red-berryminer","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2023\/12\/14\/threat-profile-red-berryminer\/","title":{"rendered":"Threat Profile: Red BerryMiner"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-840\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/Red-BerryMiner.png\" alt=\"\" width=\"272\" height=\"272\" \/><\/p>\n<h2 style=\"text-align: center;\"><strong>Red BerryMiner<\/strong><a name=\"_Toc151640273\"><\/a><\/h2>\n<h1><a name=\"_Toc152195120\"><\/a>Objective<\/h1>\n<p>This report analyses the modus operandi, TTPs, infrastructure, and tools used by a threat group named by SCILabs as <em>Red BerryMiner<\/em>, which exploits vulnerabilities in the Internet-exposed servers of various organizations to infect them with the <em>Mirai<\/em> and <em>ShellBot<\/em> malware families and, predominantly, the <em>XMRig<\/em> crypto-miner.<a name=\"_Toc151640274\"><\/a><\/p>\n<h1><a name=\"_Toc152195121\"><\/a>Overview<\/h1>\n<p>The initial access vector of this adversary is primarily the exploitation of Internet-exposed server vulnerabilities, predominantly the vulnerability registered with the identifier <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-3722\"><strong>CVE-2023-3722<\/strong><\/a> (<strong>CVSS:3.0 &#8211; 9.8<\/strong>), which affects the Avaya Aura Device Services web application.<\/p>\n<p>SCILabs identified in its own and <a href=\"https:\/\/www.deepwatch.com\/labs\/customer-advisory-awareness-deepwatch-observes-unauthenticated-remote-code-execution-vulnerability-exploitation-in-avaya-aura-device-services\/\">public<\/a> investigations that <em>Red<\/em> <em>BerryMiner<\/em> exploits other vulnerabilities like 
those registered with the identifiers <a href=\"https:\/\/www.akamai.com\/blog\/security\/thinkphp-exploit-actively-exploited-in-the-wild\"><strong>CVE-2018-20062<\/strong><\/a> (<strong>CVSS:3.0 &#8211; 9.8<\/strong>) and <a href=\"https:\/\/www.trendmicro.com\/en_th\/research\/22\/d\/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html\"><strong>CVE-2022-22965<\/strong><\/a> (<strong>CVSS:3.0 &#8211; 9.8<\/strong>) to install malware such as <em>Mirai<\/em> and <em>XMRig<\/em>.<\/p>\n<p>Based on the SCILabs telemetry study, we observed that <em>Red<\/em> <em>BerryMiner<\/em> directs its attacks at organizations in different countries (without targeting a specific sector) in order to use the compromised infrastructure for crypto-mining activities. According to our research, <em>Red<\/em> <em>BerryMiner<\/em> could have been operating as early as February 2023.<a name=\"_Toc151640275\"><\/a><\/p>\n<h1><a name=\"_Toc152195122\"><\/a>Region of operation<\/h1>\n<p>According to the evidence collected by SCILabs, the countries where activity related to <em>Red BerryMiner<\/em> attacks has been observed are Mexico, the United States, Spain, Russia, and South Africa.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-842\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f1-1.jpg\" alt=\"\" width=\"923\" height=\"547\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 1. Red BerryMiner operating region, identified so far by SCILabs.<\/strong><\/em><\/p>\n<p>SCILabs identified part of the <em>Red BerryMiner<\/em> infrastructure used by this threat actor as a malware repository, geolocated in several countries around the world, most notably the Netherlands; based on its IP address, it belongs to the infrastructure of <a href=\"https:\/\/www.alsycon.nl\/\">Alsycon B.V<\/a>. 
Therefore, it is hypothesized with a low level of confidence that the operators behind <em>Red BerryMiner<\/em> are located mainly in that country.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-843\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f2.jpg\" alt=\"\" width=\"661\" height=\"493\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 2. Red BerryMiner domain registration regions<\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-844\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f3.jpg\" alt=\"\" width=\"703\" height=\"171\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 3. Information on the domain download[.]asyncfox[.]xyz used by Red BerryMiner<\/em><\/strong><\/p>\n<p>The following figure shows a timeline of the most relevant <em>Red BerryMiner<\/em> activity according to the events observed and analyzed by SCILabs since February 2023.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-578\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/ff4.png\" alt=\"\" width=\"598\" height=\"434\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 4. Red BerryMiner campaigns timeline<\/strong><\/em><a name=\"_Toc151640276\"><\/a><\/p>\n<h1><a name=\"_Toc152195123\"><\/a>Who can it affect?<\/h1>\n<p>According to SCILabs telemetry, the organizations primarily affected are those that use or expose public services on the Internet with unmitigated vulnerabilities. 
The vulnerabilities most exploited by <em>Red<\/em> <em>BerryMiner<\/em> are the following:<\/p>\n<table style=\"height: 585px;\" width=\"987\">\n<tbody>\n<tr>\n<td><strong>#<\/strong><\/td>\n<td><strong>Technology<\/strong><\/td>\n<td><strong>Vulnerability<\/strong><\/td>\n<td><strong>Criticality Level<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td><strong>Avaya Aura Device Services<\/strong><\/td>\n<td>\n<p style=\"text-align: center;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-3722\"><strong>CVE-2023-3722<\/strong><\/a><\/p>\n<\/td>\n<td>CVSS:3.0 &#8211; 9.8 CRITICAL<\/td>\n<td>An operating system command injection vulnerability in the Avaya Aura Device Services web application could allow remote code execution as a user of the web server via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td><strong>ThinkPHP<\/strong><\/td>\n<td>\n<p style=\"text-align: center;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-20062\"><strong>CVE-2018-20062<\/strong><\/a><\/p>\n<\/td>\n<td>CVSS:3.0 \u2013 9.8 CRITICAL<\/td>\n<td>Allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">3<\/td>\n<td style=\"text-align: center;\"><strong>Spring Shell<\/strong><\/td>\n<td style=\"text-align: center;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2022-22965\"><strong>CVE-2022-22965<\/strong><\/a><\/td>\n<td style=\"text-align: center;\">CVSS:3.0 &#8211; 9.8 CRITICAL<\/td>\n<td>\n<p style=\"text-align: center;\">A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. 
However, the nature of the vulnerability is more general, and there may be other ways to exploit it.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><em><strong>Table 1. Vulnerabilities exploited by Red BerryMiner<\/strong><\/em><a name=\"_Toc151640277\"><\/a><\/p>\n<h1><a name=\"_Toc152195124\"><\/a>How can it affect an organization?<\/h1>\n<p>The main risk associated with this threat group is that it tends to exploit vulnerabilities in technology commonly used by all types of organizations to distribute the <em>XMRig<\/em> crypto-miner and integrate the victim devices into the <em>Mirai<\/em> botnet. This can have severe consequences for an organization&#8217;s infrastructure. Furthermore, <em>Mirai<\/em>, known for its DDoS attacks, can cause massive disruptions to services and systems, damaging reputation and causing financial losses. On the other hand, <em>XMRig<\/em> consumes resources from compromised systems to mine cryptocurrencies, leading to slower operations, increased energy costs, and potential additional security breaches.<a name=\"_Toc151640278\"><\/a><\/p>\n<h1><a name=\"_Toc152195125\"><\/a>Analysis<\/h1>\n<p><strong>First campaign identified by SCILabs<\/strong><\/p>\n<p>During the first attack analyzed by SCILabs, identified in July and affecting a government sector organization, the use of different droppers developed in PHP to download a shell script and the <em>ShellBot<\/em> malware was identified. The downloaded shell script is named <strong>start.sh<\/strong>, and it aims to deploy two additional scripts and the <em>XMRig<\/em> crypto-mining software. 
One of the scripts is responsible for terminating specific processes, and the other collects SSH keys, hosts, and users to perform lateral movement within the affected organization&#8217;s network.<\/p>\n<p><strong><u>Droppers<\/u><\/strong><\/p>\n<p><strong><em>sh <\/em><\/strong><strong>script droppers<\/strong><\/p>\n<ul>\n<li>First variant of the PHP dropper:\n<ul>\n<li>It downloads a file with <strong>curl<\/strong> or <strong>wget<\/strong> from the URLs <strong>hxxp[:]\/\/178[.]62[.]44[.]152\/start[.]sh<\/strong> or <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/start[.]sh<\/strong>, stored in <strong>\/tmp<\/strong> under the name <strong>sh<\/strong>. It uses the -k option to allow connections over HTTPS without validating SSL certificates.<\/li>\n<li>When the download is complete, it runs the file \/tmp\/start.sh using bash.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-846\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f5.jpg\" alt=\"\" width=\"790\" height=\"87\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 5. PHP dropper<\/strong><\/em><\/p>\n<ul>\n<li>Second variant of the PHP dropper:\n<ul>\n<li>It downloads a file with <strong>curl<\/strong> or <strong>wget<\/strong> from the URL <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/start[.]sh<\/strong>, which is stored in <strong>\/tmp<\/strong> with the name <strong>sh<\/strong>. 
It uses the -k option to allow connections over HTTPS without validating SSL certificates.<\/li>\n<li>Upon download completion, it grants the file execute permissions using the <strong>chmod +x<\/strong> command.<\/li>\n<li>It runs the downloaded file with the &#8216;.&#8217; command, indicating that it should be run in the current shell context.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-847\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f6.jpg\" alt=\"\" width=\"766\" height=\"115\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 6. Code of the second variant of the script<\/strong><\/em><\/p>\n<p><strong><em>start.sh: <\/em><\/strong><strong>Dropper for<em> kill.sh, ssh.sh <\/em>and<em> XMRig <\/em>scripts<\/strong><\/p>\n<p>The <strong>start.sh<\/strong> artifact is intended to download the <em>XMRig<\/em> software and two additional scripts; its operation is explained in general terms below.<\/p>\n<ul>\n<li>The dropper performs several process checks, validating the process name or its CPU consumption, and then kills the matching processes using the <strong>kill -9<\/strong> command.<\/li>\n<li>With the <strong>curl<\/strong> and <strong>wget <\/strong>commands, it downloads the following files:\n<ul>\n<li><strong>xmrig-6.19.2-linux-static-x64.tar.gz<\/strong>: from the URL <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/xmrig-6[.]19[.]2-linux-static-x64[.]tar[.]gz<\/strong>, a compressed file containing the <em>XMRig<\/em> crypto-miner. The file is stored in \/tmp\/$file_name.tar.gz.<\/li>\n<li><strong>kill.sh<\/strong>: from the URL <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/kill[.]sh<\/strong>, which aims to kill specific processes on the system. 
The file is stored in \/tmp\/kill.sh.<\/li>\n<li><strong>ssh.sh<\/strong>: from the URL <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/ssh[.]sh<\/strong>, which aims to collect SSH keys, hosts, and users in order to connect to additional computers on the organization&#8217;s internal network. The file is stored in \/tmp\/ssh.sh.<\/li>\n<\/ul>\n<\/li>\n<li>The dropper grants read, write, and execute permissions to all downloaded files with the \u201c<strong>chmod 777<\/strong>\u201d command and executes them in the background.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-848\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f7.jpg\" alt=\"\" width=\"731\" height=\"354\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 7. start.sh script<\/strong><\/em><\/p>\n<p><strong>Dropper for<em> ShellBot <\/em><\/strong><\/p>\n<p>This script aims to download a version of the <em>ShellBot<\/em>, AKA <em>PerlBot<\/em>, malware. The operation of the dropper is explained below.<\/p>\n<ul>\n<li>The dropper uses the <strong>system()<\/strong> function for command execution and changes the directory to \/tmp using the cd command.<\/li>\n<li>With the <strong>curl<\/strong> utility, it downloads the contents of a remote file located at <strong>85[.]239[.]33[.]32\/ruby<\/strong>, using the -s option to activate silent mode so that it does not show information or progress in the console. The downloaded content is then processed and executed by the Perl interpreter.<\/li>\n<li>As with curl, the script attempts to download and execute the remote file using the <strong>wget<\/strong> utility.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-849\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f8.jpg\" alt=\"\" width=\"442\" height=\"92\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 8. 
ShellBot dropper<\/strong><\/em><\/p>\n<p>The following image illustrates the droppers identified in this attack and their respective payloads.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-579\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/ff9.png\" alt=\"\" width=\"602\" height=\"378\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 9. Droppers\u2019 execution flow<\/strong><\/em><\/p>\n<p><strong><u>Process manipulation and lateral movement<\/u><\/strong><\/p>\n<p>Once the <strong>start.sh<\/strong> script is downloaded and executed, the additional shell scripts are deployed to manipulate processes and perform lateral movement within the internal network. Below is a general description of how they work:<\/p>\n<p><strong><em>kill.sh<\/em><\/strong><\/p>\n<p>This script searches for and terminates various processes, deletes files, and checks whether a running process is related to <em>XMRig<\/em>; if it does not find one, it performs a series of actions to download and execute the file. Its operation is explained below.<\/p>\n<ul>\n<li>A series of commands is executed within a while loop to stop processes, delete files, and perform other actions.<\/li>\n<li>The <strong>killall<\/strong> and <strong>pkill<\/strong> commands are used to kill the following processes: kdevtmpfsi, kinsing, xmrig, xmr, qwer, system, \/tmp\/.ssh\/redis.sh, kthreaddk, kwolker, mini, kacpi_notifyd, vim, mym, network, .libs, javase, libexec, system, and redis.sh<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-851\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f10.jpg\" alt=\"\" width=\"312\" height=\"298\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 10. 
kill.sh script fragment<\/strong><\/em><\/p>\n<ul>\n<li>The script uses the <strong>rm<\/strong> command with the -rf option to remove the following directories and files:\n<ul>\n<li>\/usr\/lib\/vmware-vsphere-ui\/server\/postgres<\/li>\n<li>\/usr\/lib\/vmware-vsphere-ui\/server\/postgres_start.sh<\/li>\n<li>\/usr\/lib\/vmware-vsphere-ui\/server\/kvm.sh<\/li>\n<li>\/usr\/lib\/vmware-vsphere-ui\/server\/elastic.sh<\/li>\n<li>$HOME\/postgres<\/li>\n<li>$HOME\/kvm.sh<\/li>\n<li>$HOME\/elastic.sh<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-852\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f11.jpg\" alt=\"\" width=\"476\" height=\"117\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 11. kill.sh script fragment<\/strong><\/em><\/p>\n<ul>\n<li>It then looks for processes whose names contain specific text strings, as well as processes using more than 40% of the CPU, and kills them with the <strong>kill -9<\/strong> command.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-853\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f12.jpg\" alt=\"\" width=\"556\" height=\"212\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 12. 
kill.sh<\/strong><\/em><\/p>\n<ul>\n<li>It performs a series of validations to verify whether there is a process related to <em>XMRig<\/em>; if not, it proceeds to download it from the URL <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/xmrig-6[.]19[.]2-linux-static-x64[.]tar[.]gz<\/strong> using the <strong>curl<\/strong> or <strong>wget<\/strong> command. The file is stored in <strong>\/tmp\/log_rotari2.tar.gz<\/strong>.<\/li>\n<li>The archive is extracted and executed with a series of arguments that define the algorithm and the URL of the mining server; the output is redirected to \/dev\/null to discard it, and the process runs in the background.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-858\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f13-2.jpg\" alt=\"\" width=\"750\" height=\"244\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 13. kill.sh script fragment<\/strong><\/em><\/p>\n<p><strong><em>ssh.sh<\/em><\/strong><\/p>\n<p>This script looks for SSH keys and hosts in various directories and configuration files, then iterates over user, host, and SSH key combinations to establish connections. This artifact aims to infect more computers on the organization&#8217;s internal network.<\/p>\n<ul>\n<li>The script performs several validations in search of directories and files containing SSH keys and host names, which are stored in different variables. 
Existing users are also collected.<\/li>\n<li>Various text transformations are performed to format and organize the user information, SSH keys, and host names.<\/li>\n<li>A loop is started to grant permissions, establish SSH connections to remote hosts, and execute a file downloaded from the URL <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/start[.]sh<\/strong> into the <strong>\/tmp<\/strong> directory on the remote hosts.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-856\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f14.jpg\" alt=\"\" width=\"638\" height=\"260\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 14. ssh.sh script<\/strong><\/em><\/p>\n<p><strong><u>WebShells and backdoor scripts<\/u><\/strong><\/p>\n<p>Different PHP scripts that served as web shells and backdoors for the attackers were also identified during the investigation.<\/p>\n<p><strong><em>info.php<\/em><\/strong><\/p>\n<p>This artifact is a WebShell that aims to execute the code provided in an HTTP request through a $_POST parameter.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-860\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f15-1.png\" alt=\"\" width=\"538\" height=\"228\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 15. Obfuscated script info.php<\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-859\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f15.png\" alt=\"\" width=\"438\" height=\"111\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 16. Deobfuscated script info.php<\/em><\/strong><\/p>\n<p><strong><em>avayabing.php<\/em><\/strong><\/p>\n<p>This script is a WebShell designed to decode and execute base64-encoded data using the eval function. 
Below is a general explanation of how the script works.<\/p>\n<ul>\n<li>It defines a function called <strong>Decrypt<\/strong> that takes a parameter called <strong>$data<\/strong>. This function is used to decrypt data.<\/li>\n<li>Within the function, an encryption key is defined in the variable <strong>$key<\/strong> with the value &#8220;<strong>e45e329feb5d925b<\/strong>&#8221;, as well as the variable <strong>$bs<\/strong>, which is assigned the value of two concatenated strings that result in &#8220;<strong>base64_decode<\/strong>&#8221;.<\/li>\n<li>The result of the function named in <strong>$bs<\/strong>, called with the parameter <strong>$data<\/strong>, is assigned to the variable <strong>$after<\/strong>.<\/li>\n<li>The \u201cfor\u201d loop iterates over each character of the string <strong>$after<\/strong>. In each iteration, an XOR operation is performed between the current character and the corresponding character of the key, selected with the expression <strong>$key[$i+1&amp;15]<\/strong>. The result is returned as the return value of the <strong>Decrypt<\/strong> function.<\/li>\n<li>The <strong>$post<\/strong> variable is assigned by calling the previously defined function, passing as a parameter the content of the POST request received through <strong>php:\/\/input<\/strong>.<\/li>\n<li>Finally, the \u201ceval\u201d function executes the contents of the <strong>$post<\/strong> variable.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-861\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f17.png\" alt=\"\" width=\"405\" height=\"250\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 17. avayabing.php<\/strong><\/em><\/p>\n<p><strong><em>avayadirini.php<\/em><\/strong><\/p>\n<p>This artifact is a WebShell that processes a POST request, decoding its base64 content and applying an XOR operation. The result is executed with the \u201ceval\u201d function. 
Below is a general explanation of how the script works.<\/p>\n<ul>\n<li>It receives the value of the error parameter sent via a <strong>POST<\/strong> request and assigns it to the variable <strong>$a<\/strong>.<\/li>\n<li>It uses the <strong>base64_decode()<\/strong> function to decode the content of the variable <strong>$a<\/strong>; the result is stored in <strong>$string<\/strong>.<\/li>\n<li>It unpacks the variable <strong>$string<\/strong> with the <strong>unpack()<\/strong> function; the \u201c<strong>C*<\/strong>\u201d specifier indicates that the data consists of unsigned integers, and the result is stored in <strong>$arr<\/strong> as an array.<\/li>\n<li>It starts a \u201cfor\u201d loop that iterates over each number in the array <strong>$arr<\/strong>. In each iteration, it performs an <strong>XOR<\/strong> operation between the current element of <strong>$arr<\/strong> and the result of the expression (($i-1)%256); the % operator is used to ensure that the value of <strong>($i-1)<\/strong> stays within the range 0 to 255. The result is then converted to a character using the <strong>chr()<\/strong> function and concatenated to the value of the <strong>$str<\/strong> variable.<\/li>\n<li>Finally, it uses the \u201ceval\u201d function to execute the contents of the <strong>$str<\/strong> variable.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-580\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f18.png\" alt=\"\" width=\"334\" height=\"168\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 18. avayadirini.php<\/strong><\/em><\/p>\n<p><strong><em>avayatunnel.php<\/em><\/strong><\/p>\n<p>This script can be used as a backdoor on a server; it applies several configuration settings to allow opening remote URLs and defines a function to retrieve custom HTTP request headers. 
Depending on the value of the &#8220;Cz&#8221; header in the HTTP request, it performs different actions, such as establishing a connection to a remote server, terminating the established connection, and retrieving data from the attacker&#8217;s server to decode and save it in the session.<\/p>\n<p>The first block of code performs the configurations and definitions necessary for handling remote URLs, error reporting, and obtaining HTTP request headers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-581\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f19.png\" alt=\"\" width=\"540\" height=\"272\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 19. avayatunnel.php (I)<\/strong><\/em><\/p>\n<p>The second block of code sets the script execution time limit to 0 (unlimited), gets the HTTP request headers, defines character strings for encryption\/decryption, and processes the header to obtain a command and split it into its relevant parts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-582\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f20.png\" alt=\"\" width=\"641\" height=\"208\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 20. avayatunnel.php (II)<\/strong><\/em><\/p>\n<p>The third block of code evaluates the value of the variable <strong>$cmd<\/strong> using a switch statement; in the first case, it establishes a connection (reverse shell) to a specific target, whose address and port are obtained by decoding and manipulating a specific HTTP header. 
If the connection is not established correctly, non-blocking options are configured, and a session is started to store information related to the execution and communication with the socket.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-583\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f21.png\" alt=\"\" width=\"584\" height=\"281\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 21. avayatunnel.php (III)<\/strong><\/em><\/p>\n<p>The fourth block of code controls bidirectional communication over a socket that reads data from the write buffer, sends it through the socket, checks if the write was successful, and ends the loop if an error occurs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-584\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f22.png\" alt=\"\" width=\"460\" height=\"388\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 22. avayatunnel.php (IV)<\/strong><\/em><\/p>\n<p>The fifth block of code is responsible for reading data from a socket in blocks and accumulating it in the <strong>$_SESSION[$readbuf]<\/strong> read buffer during each iteration of the loop. Additionally, it checks if the read was successful and ends the loop if an error occurs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-585\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f23.png\" alt=\"\" width=\"497\" height=\"276\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 23. 
avayatunnel.php (V)<\/strong><\/em><\/p>\n<p>The sixth block of code is responsible for cleaning up and removing the variables <strong>$_SESSION[$run]<\/strong>, <strong>$_SESSION[$readbuf]<\/strong>, and <strong>$_SESSION[$writebuf]<\/strong>, ending with the execution of the reverse shell established in the previous case.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-586\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f24.png\" alt=\"\" width=\"542\" height=\"170\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 24. avayatunnel.php (VI)<\/strong><\/em><\/p>\n<p>The seventh block of code is responsible for sending HTTP responses based on the execution status of the loop. If the loop is still running, specific headers are sent and the base64-encoded content of the read buffer is printed; if the loop has stopped, a particular header indicates the status.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-587\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f25.png\" alt=\"\" width=\"534\" height=\"218\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 25. avayatunnel.php (VII)<\/em><\/strong><\/p>\n<p>The eighth block of code is responsible for handling POST requests, storing their content in the session&#8217;s write buffer if the execution loop is running, and sending specific HTTP responses depending on the state of the execution loop and the content of the POST request.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-588\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f26.png\" alt=\"\" width=\"530\" height=\"261\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 26. avayatunnel.php (VIII)<\/strong><\/em><\/p>\n<p>The last block of code is executed when no match is found in the previous cases. 
In that case, the session is closed, and a message is displayed before the script finishes executing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-589\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/f27.png\" alt=\"\" width=\"709\" height=\"134\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 27. avayatunnel.php (IX)<\/strong><\/em><\/p>\n<p><strong><em><u>XMRig<\/u><\/em><\/strong><strong><u> and <em>ShellBot<\/em><\/u><\/strong><\/p>\n<p>As mentioned, a compressed <em>XMRig<\/em> software file is downloaded using the <strong>start.sh<\/strong> script, and another dropper is responsible for downloading the <em>ShellBot<\/em> malware. The purpose of these artifacts is explained in general terms below.<\/p>\n<p><strong><em>XMRig<\/em><\/strong><\/p>\n<p>The <strong>xmrig-6.19.2-linux-static-x64.tar.gz<\/strong> archive contains the open-source software <strong><em>XMRig<\/em><\/strong>, designed for cryptocurrency mining.<\/p>\n<p>An attacker can use the computing power provided by infected computers. A well-known example is the case of the <strong><em>8220 Gang<\/em> group<\/strong>, which uses a customized version of this software (<strong><em>PwnRig<\/em><\/strong>); SCILabs documented this threat group in report ID <strong>TP2304-086<\/strong>.<\/p>\n<p><strong><em>ShellBot<\/em><\/strong><\/p>\n<p>The downloaded version of the <em>ShellBot<\/em>, AKA <strong><em>PerlBot<\/em><\/strong>, malware is <em>LiGhT&#8217;s Modded <strong>Perlbot v2<\/strong><\/em>; this threat mainly affects Linux servers with weak SSH credentials. <em>ShellBot<\/em> is malware developed in Perl that uses the <strong>Internet Relay Chat (IRC)<\/strong> protocol to communicate with a remote server over TCP. 
This variant offers a variety of commands to carry out DDoS attacks using the HTTP, TCP, and UDP protocols, as well as commands that allow control of infected systems so they can be used in other attacks.<\/p>\n<p>Listed below are the commands used by this threat:<\/p>\n<table class=\"aligncenter\" style=\"height: 261px;\" width=\"664\">\n<tbody>\n<tr>\n<td width=\"85\"><strong>Command<\/strong><\/td>\n<td width=\"561\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"85\">help<\/td>\n<td width=\"561\">Help menu with an explanation of each command.<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">flooding<\/td>\n<td width=\"561\">Commands specifically designed to perform IRC <a href=\"https:\/\/academic-accelerator.com\/encyclopedia\/irc-flood\">flooding<\/a>.<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">irc<\/td>\n<td width=\"561\">Commands related to <a href=\"https:\/\/www.radware.com\/security\/ddos-knowledge-center\/ddospedia\/irc-internet-relay-chat\/\">IRC<\/a> control.<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">ddos<\/td>\n<td width=\"561\">Commands for <a href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/what-is-a-ddos-attack\/\">DDoS<\/a> attacks, including TCP, UDP, HTTP, and SQL flooding.<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">news<\/td>\n<td width=\"561\">Consult security web pages (packetstorm and wilw0rm).<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">hacking<\/td>\n<td width=\"561\">Different commands to perform scans or attacks (multiscan, socks5, logcleaner, nmap).<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">extras<\/td>\n<td width=\"561\">Install additional scripts (install-syn Syn.c and install-50x 50x.c).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><em><strong>Table 2. 
Command descriptions<\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-862\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f28.png\" alt=\"\" width=\"641\" height=\"416\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 28. ShellBot source code<\/strong><\/em><\/p>\n<p><strong>The second campaign identified by SCILabs<\/strong><\/p>\n<p>The second attack registered by SCILabs during September similarly affected a government sector organization. Different droppers were also identified downloading the shell script <strong>start.sh<\/strong>, which had already been observed in the first campaign, as well as files responsible for downloading a Reverse Shell and the <em>Mirai<\/em> malware.<\/p>\n<p><strong><u>Droppers<\/u><\/strong><\/p>\n<p><strong><em>sh dropper<\/em><\/strong><\/p>\n<p>It is essential to mention that different PHP scripts were identified that download the start.sh artifact, with slight variations in their code, so SCILabs hypothesizes that the attackers tried several scripts to download this file.<\/p>\n<p><strong>First variant:<\/strong><\/p>\n<ul>\n<li>This script is designed to download a file with wget from the URL hxxp[:]\/\/45[.]81[.]243[.]128\/start[.]sh. Upon completion of the download, it runs the downloaded content with the bash command interpreter.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-863\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f29.png\" alt=\"\" width=\"718\" height=\"69\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 29. First variant source code<\/strong><\/em><\/p>\n<p><strong>Second variant:<\/strong><\/p>\n<ul>\n<li>The script is designed to download a file with curl or wget from the URLs hxxp[:]\/\/178[.]62[.]44[.]152\/start[.]sh or hxxp[:]\/\/45[.]81[.]243[.]128\/start[.]sh, which is stored in the \/tmp folder. 
When the download is complete, the file is executed using bash.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-864\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f30.png\" alt=\"\" width=\"722\" height=\"94\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 30. Second variant source code<\/strong><\/em><\/p>\n<p><strong>Third variant:<\/strong><\/p>\n<ul>\n<li>This artifact performs the same actions as the second variant, but in this case it also grants execution permissions to the downloaded file with the chmod +x command.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-865\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f31.png\" alt=\"\" width=\"678\" height=\"74\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 31. 2PeF5b7j96MgewoFOWEXzEpo1fz.php script<\/strong><\/em><\/p>\n<p><strong><em>QkflHwJE0s ELF file dropper<\/em><\/strong><\/p>\n<p>The artifact aims to download a file from the URL <strong>hxxp[:]\/\/84[.]54[.]50[.]110[:]8080\/QkflHwJE0s<\/strong>, an ELF file that acts as a reverse shell; it then grants execution permissions and runs it in the background.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-866\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f32.png\" alt=\"\" width=\"686\" height=\"70\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 32. ELF file dropper<\/strong><\/em><\/p>\n<p><strong><em>Mirai dropper<\/em><\/strong><\/p>\n<p>This script aims to download the Mirai malware. The file, named x86, is downloaded from the URL <strong>hxxp[:]\/\/45[.]90[.]161[.]122\/bins\/x86<\/strong>. 
It grants read, write, and execute permissions to all files in the current directory with the <strong>chmod 777 *<\/strong> command, and executes the x86 file with the test argument.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-867\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f33.png\" alt=\"\" width=\"744\" height=\"73\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Figure 33. Mirai dropper<\/strong><\/p>\n<p>The following image illustrates the droppers identified in this attack and their respective payloads.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-590\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/ff34.png\" alt=\"\" width=\"659\" height=\"329\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 34. Droppers identified in this campaign<\/strong><\/em><\/p>\n<p><strong><u>Enumeration<\/u><\/strong><\/p>\n<p>During this investigation, PHP scripts were also identified that obtain information about the user and the system, so SCILabs assesses with high confidence that these scripts were used during the reconnaissance phase.<\/p>\n<p><strong><em>User privileges<\/em><\/strong><\/p>\n<p>Several PHP scripts were identified that use the <strong>system()<\/strong> function to execute the id command, which displays information about the current user and the groups to which they belong. This code could be used to validate the user&#8217;s permissions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-869\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f35.png\" alt=\"\" width=\"337\" height=\"62\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 35. 
Script code to obtain user information<\/strong><\/em><\/p>\n<p><strong><em>System information<\/em><\/strong><\/p>\n<p>This script uses the <strong>system()<\/strong> function to execute the <strong>uname -a<\/strong> command, which displays information about the system kernel and hardware architecture. This output could be used to determine which scripts and executables to use during the attack.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-870\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f36.png\" alt=\"\" width=\"359\" height=\"72\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 36. Script code to obtain system information<\/strong><\/em><\/p>\n<p><strong><u>WebShells and Scripts<\/u><\/strong><\/p>\n<p>PHP scripts that served the adversary as WebShell backdoors were identified, as in the first attack observed by SCILabs.<\/p>\n<p><strong><em>730.php<\/em><\/strong><\/p>\n<p>This script allows an attacker to send arbitrary code in an HTTP request via the <strong>&#8220;123&#8221;<\/strong> parameter and execute it using the <strong>eval()<\/strong> function.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-871\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f37.png\" alt=\"\" width=\"413\" height=\"77\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 37. Script 730.php<\/strong><\/em><\/p>\n<p><strong><em>jquery.php<\/em><\/strong><\/p>\n<p>Like the previous script, this one allows an attacker to send arbitrary code in an HTTP request via the &#8220;<strong>cmd<\/strong>&#8221; parameter and execute it using the <strong>eval()<\/strong> function.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-872\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f38.png\" alt=\"\" width=\"355\" height=\"76\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Figure 38. 
Script jquery.php<\/strong><\/p>\n<p><strong><em>2U2NOwQKCiHp5k0zwjTcIXwECOg.php<\/em><\/strong><\/p>\n<p>This artifact is designed to receive obfuscated data through a <strong>POST<\/strong> request; how this data is recovered depends on whether the <strong>OpenSSL<\/strong> extension is loaded. If it is loaded, the data is decrypted with the <strong>AES-128<\/strong> algorithm and the key defined in the <strong>$key<\/strong> variable; otherwise, it is decoded using the <strong>base64_decode()<\/strong> function. Finally, the recovered content is executed using the <strong>eval()<\/strong> function.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-873\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f39.png\" alt=\"\" width=\"329\" height=\"343\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 39. WebShell 2U2NOwQKCiHp5k0zwjTcIXwECOg.php<\/strong><\/em><\/p>\n<p><strong><em>7e9e344d962070a5a4b7d7926c919ced.php<\/em><\/strong><\/p>\n<p>This artifact corresponds to a WebShell generated with the <a href=\"https:\/\/www.kali.org\/tools\/weevely\/\">Weevely<\/a> tool, and its objective is to decrypt and execute arbitrary code received through a POST request.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-874\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f40.png\" alt=\"\" width=\"679\" height=\"265\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 40. WebShell 7e9e344d962070a5a4b7d7926c919ced.php<\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-875\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f41.png\" alt=\"\" width=\"557\" height=\"323\" \/><\/p>\n<p style=\"text-align: center;\"><strong>Figure 41. 
WebShell 7e9e344d962070a5a4b7d7926c919ced.php<\/strong><\/p>\n<p><strong><u>Reverse Shell<\/u><\/strong><\/p>\n<p>Additionally, in this investigation, the use of a PHP script and an ELF-type executable was also observed, both of which aimed to establish a Reverse Shell towards the IP address <strong>84[.]54[.]50[.]110<\/strong>.<\/p>\n<p><strong><em>PHP Scripts<\/em><\/strong><\/p>\n<p>During the investigation, different scripts that aim to initiate a Reverse Shell towards the IP address <strong>84[.]54[.]50[.]110<\/strong> on port 9000 were identified.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-876\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f42.png\" alt=\"\" width=\"629\" height=\"73\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 42. Reverse Shell<\/strong><\/em><\/p>\n<p><strong><em>ELF File<\/em><\/strong><\/p>\n<p>The artifact downloaded by one of the scripts is an ELF-type file that aims to establish a Metasploit Reverse Shell towards the IP address <strong>84[.]54[.]50[.]110<\/strong> through port <strong>4444<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-877\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f43.png\" alt=\"\" width=\"574\" height=\"219\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 43. Reverse Shell (ELF File)<\/strong><\/em><\/p>\n<p><strong><em><u>XMRig<\/u><\/em><\/strong><strong><u> and <\/u><\/strong><strong><em><u>Mirai<\/u><\/em><\/strong><\/p>\n<p>In this second attack recorded by SCILabs, an attempt to download the <em>XMRig<\/em> software was also identified, along with the download of the <em>Mirai<\/em> malware, which can add the infected computer to a botnet.<\/p>\n<p><strong><em>XMRig<\/em><\/strong><\/p>\n<p>During the investigation, SCILabs identified several HTTP request records that contain Base64-obfuscated source code. 
Once this string is decoded, the attempt to download the <em>XMRig<\/em> software can be observed.<\/p>\n<p>One of the logged requests kills any process whose name contains .foxm using the <strong>pkill -9<\/strong> command, then downloads an artifact from the URL <strong>hxxp[:]\/\/download[.]asyncfox[.]xyz\/download\/xmrig[.]x86_64<\/strong>, renames it to .foxm, grants execution permissions with the <strong>chmod +x<\/strong> command, and executes it.<\/p>\n<p>Additionally, this request <a href=\"https:\/\/www.akamai.com\/blog\/security\/thinkphp-exploit-actively-exploited-in-the-wild\">exploits<\/a> a known <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2018-20062\">ThinkPHP<\/a> vulnerability, allowing a remote attacker to execute arbitrary PHP code by manipulating the \u201cfilter\u201d parameter.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-878\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f44.png\" alt=\"\" width=\"780\" height=\"50\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 44. Obfuscated source code<\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-879\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f45.png\" alt=\"\" width=\"810\" height=\"128\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 45. Request log with the deobfuscated code<\/strong><\/em><\/p>\n<p>The deobfuscated code from another record performs the same actions as the code explained above, changing only the download URL, which in this case is <strong>hxxp[:]\/\/185[.]225[.]75[.]242\/download\/xmrig[.]x86_64<\/strong>.<\/p>\n<p>Additionally, this request attempts to exploit the <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-22965\">vulnerability<\/a> known as <a href=\"https:\/\/www.trendmicro.com\/en_th\/research\/22\/d\/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html\"><em>Spring4Shell<\/em><\/a>, which allows an attacker to perform remote code execution (RCE).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-880\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f46.png\" alt=\"\" width=\"777\" height=\"42\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 46. Request log with the obfuscated code<\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-881\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f47.png\" alt=\"\" width=\"663\" height=\"176\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 47. Request log with the deobfuscated code<\/strong><\/em><\/p>\n<p><strong><em>Mirai<\/em><\/strong><\/p>\n<p>The downloaded artifact named x86 belongs to the <em>Mirai<\/em> malware family; this threat aims to add the compromised device to its botnet, which is commonly used to launch DDoS attacks.<\/p>\n<p>Additionally, a script called <strong>proxy_xml.php<\/strong>, published on <a href=\"https:\/\/github.com\/zounar\/php-proxy\/blob\/master\/Proxy.php\">GitHub<\/a> by Zounar, was also identified. 
It allows all HTTP\/HTTPS requests to be forwarded to another server.<\/p>\n<p><strong>Campaign documented in an open source, identified by SCILabs<\/strong><\/p>\n<p>SCILabs identified a public investigation that <a href=\"https:\/\/www.deepwatch.com\/labs\/customer-advisory-awareness-deepwatch-observes-unauthenticated-remote-code-execution-vulnerability-exploitation-in-avaya-aura-device-services\/\">documented<\/a> the exploitation of a remote code execution (RCE) vulnerability on an Avaya Aura Device Services device during February to load several PHP WebShells, which were stored in the PhoneBackup directory. In addition to these scripts, requests with curl or wget towards the IP address <strong>178[.]62[.]44[.]152<\/strong> were observed for the download of shell scripts. This IP address and the names of some of the artifacts were also observed in the attacks documented by SCILabs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-882\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f48.png\" alt=\"\" width=\"472\" height=\"111\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 48. start.sh script download<\/em><\/strong><\/p>\n<p>In this investigation, it was also observed that some devices attempted to download the <em>XMRig<\/em> crypto-mining software and that the device was also infected with the <em>Mirai<\/em> malware; both are characteristics observed in the attacks documented by SCILabs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-883\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f49.png\" alt=\"\" width=\"739\" height=\"71\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 49. 
XMRig Download<\/strong><\/em><\/p>\n<p><strong>Artifacts recovered from a public investigation<\/strong><\/p>\n<p>During monitoring and threat hunting in search of campaigns or artifacts related to the infrastructure observed in the attacks documented by SCILabs, artifacts stored at the IP address <strong>45[.]81[.]243[.]128<\/strong> were recovered. It is essential to mention that this malware repository was exposed in July, when the first attack recorded by SCILabs occurred.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-884\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f50.png\" alt=\"\" width=\"266\" height=\"286\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 50. Artifacts stored in 45[.]81[.]243[.]128<\/strong><\/em><\/p>\n<p>As with the artifacts observed in the two attacks documented by SCILabs, some are responsible for downloading scripts or additional malware, others for managing processes or searching for SSH keys and hosts to infect more computers within the network, and some have the objective of establishing a reverse shell. The operation of these artifacts is explained in general terms below.<\/p>\n<p><strong><u>Droppers<\/u><\/strong><\/p>\n<p><strong><em>logrotate_bsd file dropper<\/em><\/strong><\/p>\n<p>The objective of the <strong>bsd.sh<\/strong> artifact is to download the logrotate_bsd file, which is the <em>XMRig<\/em> software. 
Below, its operation is explained in general terms.<\/p>\n<ul>\n<li>It performs several checks on running processes, validating their names or CPU consumption, and then kills them using the <strong>kill -9<\/strong> command.<\/li>\n<li>With the <strong>curl<\/strong> command, it downloads a file from the URL <strong>hxxp[:]\/\/45[.]81[.]243[.]128\/logrotate_bsd<\/strong>.<\/li>\n<li>It grants read, write, and execute permissions to the downloaded file with the <strong>chmod 777<\/strong> command, and runs it in the background.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-885\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f51.png\" alt=\"\" width=\"780\" height=\"252\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 51. bsd.sh<\/strong><\/em><\/p>\n<p><strong><em>sh: xmirgARM file dropper<\/em><\/strong><\/p>\n<p>Like the previous one, this script aims to download the <em>XMRig<\/em> software, grant it read, write, and execute permissions, and then run it in the background.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-886\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f52.png\" alt=\"\" width=\"747\" height=\"258\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 52. 
start_arm.sh<\/strong><\/em><\/p>\n<p><strong><em>sh: Dropper for kill.sh, ssh.sh, and XMRig scripts<\/em><\/strong><\/p>\n<p>The start.sh script is the same one observed in the campaigns documented by SCILabs: its objective is to download the <em>XMRig<\/em> <em>crypto-miner<\/em> and the additional scripts <strong>kill.sh<\/strong> and <strong>ssh.sh<\/strong>, which are responsible for managing processes and carrying out lateral movement within the internal network.<\/p>\n<p><strong><em>sh: Dropper for kill.sh and XMRig<\/em><\/strong><\/p>\n<p>The <strong>start1.sh<\/strong> script is very similar to the start.sh artifact; its main objective is to download the <em>XMRig<\/em> crypto-miner and the additional <strong>kill.sh<\/strong> script, which is used to manage processes on the infected computer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-887\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f53.png\" alt=\"\" width=\"633\" height=\"263\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 53. start1.sh<\/strong><\/em><\/p>\n<p>The following image illustrates the droppers recovered from the exposed malware repository and their respective payloads.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-591\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/ff54.png\" alt=\"\" width=\"602\" height=\"343\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 54. 
Droppers recovered from the exposed malware repository<\/em><\/strong><\/p>\n<p><strong><u>Scripts for Process Management and Lateral Movement<\/u><\/strong><\/p>\n<p>As in the attacks documented by SCILabs, the <strong>kill.sh<\/strong> and <strong>ssh.sh<\/strong> scripts are responsible for terminating specific processes, searching for SSH keys and hosts in various directories, and configuring files to infect more computers on the internal network.<\/p>\n<p><strong><u>Reverse Shell<\/u><\/strong><\/p>\n<p>The rev.sh script executes a Perl one-liner to establish a connection to the IP address <strong>84[.]54[.]50[.]110<\/strong> on port <strong>9000<\/strong>. If the connection is successful, it executes an interactive shell.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-889\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f55.png\" alt=\"\" width=\"781\" height=\"43\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 55. rev.sh<\/strong><\/em><\/p>\n<p>Throughout this investigation, SCILabs identified two additional artifacts. As of now, their role in the attack chain remains uncertain. However, given their alignment with <em>Red BerryMiner&#8217;s<\/em> modus operandi, it is very likely that they are also part of the arsenal of this threat group. 
Below, we present a brief description of these artifacts:<\/p>\n<p><strong><em>Ligolo-ng<\/em><\/strong><\/p>\n<p>The <strong>ligolo-ng_agent_0.3.3_Linux_64bit.tar.gz<\/strong> archive contains the agent of the Ligolo-ng tool, which is used by pen-testers to establish tunnels over a reverse TCP\/TLS connection.<\/p>\n<p><strong><em>Webserver.py<\/em><\/strong><\/p>\n<p>This Python file implements a basic web server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-890\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/f56.png\" alt=\"\" width=\"437\" height=\"367\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 56. webserver.py<\/strong><\/em><a name=\"_Toc151640279\"><\/a><\/p>\n<h1><a name=\"_Toc152195126\"><\/a>Overlaps between Campaigns identified by SCILabs and the campaign documented on a public site (key indicators)<\/h1>\n<p>The following tables compare the campaigns identified by SCILabs and the ones documented in a public investigation. This exercise was carried out to confirm that the adversary behind these attacks was the same.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-592\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/ttable3.png\" alt=\"\" width=\"557\" height=\"521\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Table 3. Overlaps between Red BerryMiner campaigns<\/strong><\/em><a name=\"_Toc151640280\"><\/a><\/p>\n<h1><a name=\"_Toc152195127\"><\/a>Attack Flow<\/h1>\n<p>General attack flow in <em>Red BerryMiner<\/em> campaigns observed by SCILabs:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-593\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/ff57.png\" alt=\"\" width=\"642\" height=\"402\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 57. 
Red BerryMiner Attack Flow<\/strong><\/em><a name=\"_Toc151640281\"><\/a><\/p>\n<h1><a name=\"_Toc152195128\"><\/a>Technical Summary<\/h1>\n<ul>\n<li><em>Red BerryMiner<\/em> exploits vulnerabilities in servers exposed on the Internet to start its infection process, mainly the <strong>CVE-2023-3722<\/strong> vulnerability that affects the Avaya Aura Device Services web application.<\/li>\n<li>Based on the evidence found, <em>Red BerryMiner<\/em> can exploit the vulnerabilities <strong>CVE-2018-20062<\/strong> (<em>ThinkPHP<\/em>) and <strong>CVE-2022-22965<\/strong> (<em>Spring4Shell<\/em>) to download artifacts to the compromised device.<\/li>\n<li>Among the artifacts used by this threat group are PHP and bash scripts that aim to download additional artifacts, obtain user and system information, establish a reverse shell, provide WebShell\/backdoor capability, manage the processes of the infected system, and collect SSH keys and hosts to infect more computers on the internal network.<\/li>\n<li>The goal of <em>Red BerryMiner<\/em> is to install the <em>XMRig<\/em> software to carry out crypto-mining activities and infect the compromised computers with malware such as <em>Mirai<\/em> or <em>ShellBot<\/em>, allowing it to integrate these devices into a botnet.<\/li>\n<\/ul>\n<h1><a name=\"_Toc152195129\"><\/a>Diamond Model<\/h1>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-595\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/12\/ff58-1.png\" alt=\"\" width=\"797\" height=\"459\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 58. 
Diamond model<\/strong><\/em><a name=\"_Toc151640283\"><\/a><\/p>\n<h1><a name=\"_Toc152195130\"><\/a>PRE-ATT&amp;CK TTP<\/h1>\n<p>The following TTP matrix based on the MITRE PRE-ATT&amp;CK Framework was obtained from the analysis of the different <em>Red BerryMiner<\/em> campaigns.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-895\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/tabla4.png\" alt=\"\" width=\"442\" height=\"219\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Table 4. PRE-ATT&amp;CK Matrix<\/strong><\/em><a name=\"_Toc151640284\"><\/a><\/p>\n<h1><a name=\"_Toc152195131\"><\/a>MITRE ATT&amp;CK Framework TTP<\/h1>\n<p>The following TTP matrix based on the MITRE ATT&amp;CK Framework was obtained from analyzing the different <em>Red BerryMiner<\/em> campaigns.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-897\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2023\/12\/tabla5-1.png\" alt=\"\" width=\"765\" height=\"209\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Table 5. MITRE ATT&amp;CK matrix<\/strong><\/em><a name=\"_Toc151640286\"><\/a><\/p>\n<h1><a name=\"_Toc152195133\"><\/a>Assessment<\/h1>\n<p><em>Red BerryMiner<\/em> exhibits distinct characteristics marked by the deployment of the <em>XMRig<\/em> crypto-miner and additional malware such as the <em>Mirai<\/em> botnet and <em>ShellBot<\/em>, in addition to the use of languages such as PHP and Bash. Moreover, it takes advantage of &#8220;living-off-the-land&#8221; techniques to download additional malicious artifacts and install backdoors and reverse shells. This represents a challenge, particularly in Latin America (LATAM), where cybersecurity maturity varies significantly between organizations. 
A <em>Red BerryMiner<\/em> attack can not only result in additional operational costs but also expose organizations to data security breaches, which can lead to legal and compliance consequences and damage to corporate reputation.<\/p>\n<p>The threat landscape in Latin America is constantly evolving. Attackers continually refine their methods to exploit emerging vulnerabilities and employ more sophisticated evasion and persistence techniques, so organizations need to be aware of the modus operandi of this type of threat group. Based on SCILabs telemetry, we consider that for the remainder of the year, we will continue to observe <em>Red BerryMiner<\/em> campaigns exploiting the vulnerabilities mentioned in this document and adding others to its arsenal to strengthen its Bot network and abuse the infrastructure of organizations to carry out crypto-mining activities.<\/p>\n<p><strong>Based on our research, SCILabs makes the following recommendations.<\/strong><\/p>\n<ul>\n<li>The vulnerability <strong>CVE-2023-3722<\/strong>, reported in this document, affects all versions of Avaya Aura Device Services 8.1.4.0 and earlier, so it is suggested to update to the version <a href=\"https:\/\/support.avaya.com\/css\/public\/documents\/101076366\">recommended<\/a> by the manufacturer, considering the implications.<\/li>\n<li>Periodically perform offline backups of information considered critical or essential for the operation and continuity of the business.<\/li>\n<li>Keep all the organization&#8217;s computer equipment updated to the latest version of the operating system.<\/li>\n<li>Ensure all existing applications are kept up-to-date with the most stable versions following manufacturers&#8217; recommendations.<\/li>\n<li>Apply critical patches to the systems. 
Otherwise, implement a shielding system at the hypervisor level that allows virtual patching to immediately mitigate the vulnerability without the risk of altering or directly damaging the operating system and impacting operations.<\/li>\n<li>Implement a file integrity agent to alert on and block any attempted manipulation of selected files, within the security policies defined to protect critical business processes.<\/li>\n<li>Evaluate the perimeter firewall configuration to generate allowlists that include only the legitimate ports and services used by applications related to operations and to administrator management tasks.<\/li>\n<li>Implement permanent monitoring of all network communications involving servers critical to your operations, to receive alerts for any deviation from the rules defined and authorized by the corresponding information security area.<\/li>\n<li>Review the tasks configured in the Linux cron service to identify any suspicious tasks scheduled for execution, particularly those related to the TTPs or IoCs provided in this report.<\/li>\n<li>Implement a web application firewall (WAF) or, if one is already in place, evaluate its configuration against the manufacturer&#8217;s best practices and apply them in the short term.<\/li>\n<li>Integrate security policies at all levels of the organization that consider using EDR systems with strong investigation capabilities, always keeping them updated and correctly configured under the best practices issued by the manufacturers.<\/li>\n<li>Create strong password policies and apply the principle of least privilege for all users within the organization, consider disabling &#8220;admin&#8221; or &#8220;root&#8221; users, and create custom and limited roles for different types of system administrators, according to their specific functions.<\/li>\n<li>Do not use default passwords, as they represent a high security risk. 
Set strong, unique passwords for each system and server using a complex mix of uppercase and lowercase letters, numbers, and symbols; ideally, passwords should be at least 12 characters long. Additionally, implement a regular password change policy and consider using multi-factor authentication to add an extra layer of security.<\/li>\n<li>To identify possible WebShell infections in the \/tmp\/ directory, perform a focused search for suspicious files with .php or .sh extensions. Examine these files for functions typical of WebShells, such as exec, shell_exec, passthru, system, and base64_decode, along with networking tools such as wget or curl.<\/li>\n<li>Consider the indicators of compromise (IoCs) contained in this document.<\/li>\n<\/ul>\n<h1>IoCs<\/h1>\n<p><strong>SHA256<\/strong><\/p>\n<p>B8350B82A06D8F627045961E6FFFEA1C8D61C78A427379BEC6BA0795FB5FB233<\/p>\n<p>3D16B6639BA3995B14D4D54214DE7F03A99913AD27A30F48AE8F18E9401F1B5C<\/p>\n<p>F5FC4D5AA45B19AEE0E03B845883EB5085ECE684F2A2B9819AD4FB12B398B6E6<\/p>\n<p>43DE9C19040AC8B6B26773CD84C24CBB8DC1B6E15FC9A6F75CAEA8EC9077852A<\/p>\n<p>FCED6082FC11FA16CA230D662183B77CF968DEBD836156A4BF9A393174C7C067<\/p>\n<p>6432B6037BFC85CD57F65CAB446D8D68D17AFCB1DEB7F9ACF658096CFB86D6E0<\/p>\n<p>5BB68239EED2989B9FF88E62277392BF6D918F0A190ECD1242F22D6AE1E050FB<\/p>\n<p>8602DF7D01BE4F3DB26F29F3ACBC538E480FDAE5CAE498A473F142CB2CA7A07F<\/p>\n<p>9D544236DD7543F53BD01BF3F75384642730969F0DB8ACE19D43CAA05243073F<\/p>\n<p>924DFD425C1AF78D21B77A1001471EBCA9DBB9AB488DA961B96B972403F397F8<\/p>\n<p>4D482E131DD8D0C8847CBA60DB394D774C377C7D86D9970AAC5C7B05AF19B284<\/p>\n<p>D5E9D9CF5779A805EF0FBA844E79334A1D8D98DAD6F691D9F40BDFEFFD1EA493<\/p>\n<p>6209FF7C794862CBFE550739A440A9C7E2B4A7F078F8667F5DAC9112072B9519<\/p>\n<p>367A32551FC99C42ADE9E3CAEA382AA3DC4C5E868EA1A61AE6353F515B94DE2F<\/p>\n<p>EF306A0DE129D0FCB919EF3F25BFB170A1E359047C4F3EC48E073C098658E9D0<\/p>\n<p>B453A7400DC66318601DC923662B7C9F7D151BC1D159968914F3FEC81F7B4D58<\/p>\n<p>F0F9D18CD9631A8CCFDC8DF134
48C22AD35E5DFDDA58B1008687AB0E838F3206<\/p>\n<p>56D0739A75AAE5D3D63A408F0DEA43B3B6D4A22F4E53130CD04A8E1B77CEC6D4<\/p>\n<p>D00781A5D823DD2D3CC200609F3D67981D01FCCEC260BF37D41AC993F4E6C627<\/p>\n<p>429BEBD585E8632786A9C2A85A7CF61ABE6D55B670FAC1194A0EE5659D11413E<\/p>\n<p>AC2194E15DD3F4DF26E74F1A9B886461D5AACE50A32C1C53CF0DB23DB87FB19D<\/p>\n<p>AFCA79570FDD9543776150A6F88EE0D3CF6084C710473211E2FB360D16C982AB<\/p>\n<p>57236B2EC7F44A077945FDA56CE151953FF0A62E65B5611F56042E9EAD9A9FA6<\/p>\n<p>067896678A537669DFA2F1A9B5EDB36BDE4960C1DF2CAD986F02BAA570195BE4<\/p>\n<p>C3EAE12D34DDBD00E59D524B5B4B06D4C17D3ABC9144920899F5F0EB24E1F6F0<\/p>\n<p>DC080CAEE6126106D8276A0B587AE9B37624A225C34F792B1C5D91FEAB134D8B<\/p>\n<p>D6BBF6CE4D3B1AD5E109505C3C4BE65E0B063295500D88130BBED34298AA6D39<\/p>\n<p>F1566A37A125474DC8C0F60AF00162CC526E614147612C5CFCCE707AFCCF038D<\/p>\n<p>49D4592A26F5FEC7E5381F6DEDFFF33A8D2C9D72EA5BF4CA9352000E78EBC069<\/p>\n<p>2E33F3718D259179F669C879A830BC8818BAB09AB6ECD6285DA39F9A2422BDB9<\/p>\n<p>C7DE9799873B353F2FEC6A490ED1D4062340EDDDA623AFA0BA8798ACA7CED31D<\/p>\n<p>1E70FE3CDBF8EB1AF6C1FC2380A8FF89A51791632EEA6425585F984D74254ED1<\/p>\n<p>3498FBC888F9EF8C6146AB869B4D38340C209F2817DC4BBBF932E37D772D7B5B<\/p>\n<p>1586100B165AC791ED60FF7B662E2FC2D502D4ABB6418CC1F7BF591C39C84130<\/p>\n<p><strong>IP<\/strong><\/p>\n<p>178[.]62[.]44[.]152<\/p>\n<p>45[.]81[.]243[.]128<\/p>\n<p>84[.]54[.]50[.]110<\/p>\n<p>85[.]239[.]33[.]32<\/p>\n<p>45[.]90[.]161[.]122<\/p>\n<p>185[.]225[.]75[.]242<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>URLS<\/strong><\/p>\n<p>HXXP[:]\/\/85[.]239[.]33[.]32\/RUBY<\/p>\n<p>HXXP[:]\/\/178[.]62[.]44[.]152\/START[.]SH<\/p>\n<p>HXXP[:]\/\/45[.]81[.]243[.]128\/START[.]SH<\/p>\n<p>HXXP[:]\/\/84[.]54[.]50[.]110[:]8080\/TGEHFBIBXO4ZTE<\/p>\n<p>HXXP[:]\/\/84[.]54[.]50[.]110:8080\/QKFLHWJE0S<\/p>\n<p>HXXP[:]\/\/84[.]54[.]50[.]110[:]8080\/HHWXWQTWAYYDQO<\/p>\n<p>HXXP[:]\/\/84[.]54[.]50[.]110[:]8080\/FGHD73W<\/p>\n<p>HXXP[:]\/\/84[.]54[.]50[.]110[:]8080\/CFD
GIZXBGG<\/p>\n<p>HXXP[:]\/\/84[.]54[.]50[.]110[:]8080\/5VXEZPFOF5QG<\/p>\n<p>HXXP[:]\/\/45[.]90[.]161[.]122\/BINS\/X86<\/p>\n<p>HXXP[:]\/\/45[.]81[.]243[.]128\/XMRIG-6[.]19[.]2-LINUX-STATIC-X64[.]TAR[.]GZ<\/p>\n<p>HXXP[:]\/\/185[.]225[.]75[.]242\/DOWNLOAD\/XMRIG[.]X86_64<\/p>\n<p>HXXP[:]\/\/45[.]81[.]243[.]128\/KILL[.]SH<\/p>\n<p>HXXP[:]\/\/45[.]81[.]243[.]128\/SSH[.]SH<\/p>\n<p>HXXP[:]\/\/DOWNLOAD[.]ASYNCFOX[.]XYZ\/DOWNLOAD\/XMRIG[.]X86_64<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Red BerryMiner Objective This report analyses the modus operandi, TTPs, infrastructure, and tools used by a threat group named by<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-576","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=576"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/576\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=576"}],"curies":[{"nam
e":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}