
Attackers use Linux/Mumblehard to compromise servers, part 2

The Mumblehard spamming component (the daemon) is also written in Perl and is embedded inside the malware's ELF file. The daemon requests spamming tasks from the C&C server and supports most of the features typical of a spam bot: templates, reports, an SMTP protocol implementation, and so on. We limit ourselves here to the Mumblehard functions that are unique to this malware family.



Perl scripts are cross-platform and can run on any platform the interpreter supports. However, by hard-coding the EWOULDBLOCK and EINPROGRESS constants, the authors restricted this component to a few operating systems: Linux, FreeBSD and Windows. Below is a fragment of the malicious script that determines the OS version.


We observed attackers launching the spam script through the Mumblehard backdoor. The script runs only until the first reboot and includes no persistence mechanism of its own. A bot can receive spam commands in two ways: from a C&C server and through a proxy.

The Mumblehard C&C server listens on port 25 and waits for an HTTP POST request whose body carries the appropriate data. This content consists of several parameters, listed in the table below.


Tab. The format of the spam bot's request to the C&C server.

The Extra data field holds additional request data, but it appears to be used only to report statistics to the server on how many emails the bot has sent. In that case it carries a special header made up of 4-byte fields:


The operator can also set the level of detail (verbosity) of the bot's report. There are three levels. The lowest sends only the minimum information, the number of emails; the next instructs the bot to also send the email addresses in each of the above categories; the third lets the operator receive a report on the reasons for the success or failure of each operation.

The server replies with HTTP status 200 OK; the response contains settings for the bot, a list of email addresses to send to, and a template for the spam messages.


Tab. The format of the C&C server response to the spam module.

Most of the Mumblehard spam component samples we analyzed also contained a component that serves proxy connections. Its operation is simple: it opens a TCP port and listens for incoming connections.

It then sends the C&C server a notification containing that port number, informing the server that it is ready to accept connections. At that moment only the C&C server is on the list of hosts allowed to connect to the proxy; the bot can later be instructed to add other hosts to the list. The bot supports only two proxy commands: add an IP address to the list of allowed hosts, and create a new TCP tunnel.

The structure of these commands is shown in the tables below.


Tab. The format of the "Add authorized host" command of the proxy component.


Tab. The format of the "Create Connection" command of the proxy component.

The create-connection command is in fact an implementation of the SOCKS4 protocol, and the server's response codes also follow that specification. The proxy component lets attackers set up a tunnel to pass whatever traffic they need through a compromised computer. However, we did not observe attackers using it on an infected computer, so it is hard to say how important the proxy function is to them.
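Because the create-connection command follows the public SOCKS4 wire format, a captured exchange with the proxy component can be decoded with an ordinary SOCKS4 parser. The following Python is an added example, not code from the article or from ESET; the request and reply bytes are constructed (destination 203.0.113.10 is a documentation address, user-id "bot" is arbitrary).

```python
import struct
from typing import Optional

# SOCKS4 reply codes from the public protocol specification.
SOCKS4_REPLIES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: client identd not reachable",
    0x5D: "rejected: identd reports a different user-id",
}

def parse_socks4_request(data: bytes) -> Optional[dict]:
    """Decode VN=4 | CD | DSTPORT (2, big-endian) | DSTIP (4) | USERID | NUL; None if malformed."""
    if len(data) < 9 or data[0] != 0x04:
        return None
    cd, port = struct.unpack("!BH", data[1:4])
    if cd not in (1, 2):          # 1 = CONNECT, 2 = BIND
        return None
    nul = data.find(b"\x00", 8)   # USERID starts at offset 8 and is NUL-terminated
    if nul == -1:
        return None
    return {"command": "CONNECT" if cd == 1 else "BIND",
            "dst_ip": ".".join(str(b) for b in data[4:8]),
            "dst_port": port,
            "userid": data[8:nul].decode("ascii", "replace")}

def parse_socks4_reply(data: bytes) -> Optional[dict]:
    """Decode VN=0 | CD (0x5A..0x5D) | DSTPORT (2) | DSTIP (4); None if malformed."""
    if len(data) < 8 or data[0] != 0x00:
        return None
    cd, port = struct.unpack("!BH", data[1:4])
    if cd not in SOCKS4_REPLIES:
        return None
    return {"granted": cd == 0x5A, "status": SOCKS4_REPLIES[cd],
            "dst_ip": ".".join(str(b) for b in data[4:8]), "dst_port": port}

def describe_exchange(request: bytes, reply: bytes) -> str:
    """One-line summary of a captured request/reply pair for an analyst's notes."""
    req, rep = parse_socks4_request(request), parse_socks4_reply(reply)
    if req is None or rep is None:
        return "not a SOCKS4 exchange"
    return f"{req['command']} {req['dst_ip']}:{req['dst_port']} as '{req['userid']}' -> {rep['status']}"

# Constructed sample: CONNECT to 203.0.113.10:25 (SMTP) with user-id "bot", granted by the proxy.
SAMPLE_REQUEST = b"\x04\x01" + struct.pack("!H", 25) + bytes([203, 0, 113, 10]) + b"bot\x00"
SAMPLE_REPLY = b"\x00\x5a" + struct.pack("!H", 25) + bytes([203, 0, 113, 10])

if __name__ == "__main__":
    print(describe_exchange(SAMPLE_REQUEST, SAMPLE_REPLY))
```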

The content of the spam emails shows that they are used to promote pharmaceutical products. The emails contain links to various online stores of that kind. An example of such a message is shown below.


Fig. An example of a spam email sent by Mumblehard.

The link leads to an online store specializing in the sale of drugs for erectile dysfunction.


Fig. The website of the online pharmacy to which the user is directed.

This Canadian pharmacy site is well documented on spamtrackers.eu.

An interesting feature of how the bot handles spam templates is that it generates message headers from two or three random words, such as:



The authors probably added this use of randomly chosen words to evade anti-spam filters.

Statistics of infected computers

The list of C&C servers used by the Mumblehard backdoor contains domains that were once registered but have since expired and become available for purchase. We bought one of these domains to gather statistics on infected computers. Such computers (bots) are easy to identify by the User-Agent string mentioned above. Two features of the backdoor, chosen by its authors, helped us collect statistics on the victims of this malware:


Our domain received a report from each bot four times an hour, at 15-minute intervals, which matches the period at which the task scheduler runs the backdoor script, as described above. We collected data between September 19, 2014 and April 22, 2015, although the server receiving the statistics was unavailable between December 7, 2014 and January 6, 2015. Over the collection period we observed requests from 8,867 unique IP addresses. Most of these belonged to web hosting servers.
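The two measurements described here, unique bot IPs per day and the 15-minute check-in cadence, can be reproduced over sinkhole logs with the following Python; it is an added example, not the article's or ESET's code. The log lines are constructed in a simplified format (ISO timestamp, client IP, quoted User-Agent), and the User-Agent value is a placeholder because the real string is given in part 1 of the article, not on this page.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Placeholder: the real Mumblehard User-Agent string appears in part 1, not on this page.
BOT_UA_MARKER = "MUMBLEHARD-UA-PLACEHOLDER"
BEACON_SECONDS = 15 * 60  # the backdoor's scheduled check-in interval described in the article

# Constructed sinkhole log lines: <ISO timestamp> <client IP> "<User-Agent>".
SAMPLE_LOG = """\
2014-09-19T10:00:02 198.51.100.7 "MUMBLEHARD-UA-PLACEHOLDER"
2014-09-19T10:07:30 203.0.113.44 "MUMBLEHARD-UA-PLACEHOLDER"
2014-09-19T10:15:01 198.51.100.7 "MUMBLEHARD-UA-PLACEHOLDER"
2014-09-19T10:22:31 203.0.113.44 "MUMBLEHARD-UA-PLACEHOLDER"
2014-09-19T10:30:04 198.51.100.7 "MUMBLEHARD-UA-PLACEHOLDER"
2014-09-19T10:45:00 198.51.100.7 "MUMBLEHARD-UA-PLACEHOLDER"
2014-09-19T11:02:11 192.0.2.9 "Mozilla/5.0 (compatible; some-crawler)"
2014-09-20T08:00:00 198.51.100.7 "MUMBLEHARD-UA-PLACEHOLDER"
2014-09-20T08:15:03 198.51.100.7 "MUMBLEHARD-UA-PLACEHOLDER"
"""

def bot_requests(text: str):
    """Yield (timestamp, ip) for every log line carrying the bot User-Agent."""
    for line in text.splitlines():
        ts, ip, ua = line.split(" ", 2)
        if BOT_UA_MARKER in ua:
            yield datetime.fromisoformat(ts), ip

def unique_bots_per_day(text: str) -> dict:
    """Distinct reporting IPs per calendar day, the statistic plotted in the article."""
    days = defaultdict(set)
    for ts, ip in bot_requests(text):
        days[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in sorted(days.items())}

def periodic_reporters(text: str, tolerance: int = 30) -> dict:
    """{ip: median gap in seconds} for IPs whose check-ins fall within `tolerance` seconds
    of the 15-minute cadence; gaps spanning an outage or day boundary are ignored."""
    hits = defaultdict(list)
    for ts, ip in bot_requests(text):
        hits[ip].append(ts)
    result = {}
    for ip, stamps in hits.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gaps = [g for g in gaps if g < 2 * BEACON_SECONDS]
        if gaps and abs(median(gaps) - BEACON_SECONDS) <= tolerance:
            result[ip] = median(gaps)
    return result
```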


Fig. Number of unique IP addresses observed per day.

As we can see, the number of infected computers slowly decreased, with periodic spikes. This indicates that the attackers launched waves of malware distribution and server compromise from time to time, rather than distributing Mumblehard continuously.

We were also able to count the successful commands that the real C&C servers sent to the bots. As mentioned above, a command includes the URL from which the ELF executable is to be downloaded. The backdoor includes the HTTP status code resulting from a command in the User-Agent string of its requests to all C&C servers, so our registered server received it too. An HTTP status of 200 OK corresponds to successful execution of the command by the bot.

In fact, the C&C servers did not always send the bots download-and-execute commands (download and execute an ELF file). Most of the time they were not even listening on TCP port 80. There were also peaks when the bots were highly active: on March 27, for example, we observed 2,508 bots receiving 49,729 commands. Since the operators sent download-and-execute commands at 15-minute intervals, this means the botnet was in continuous use for hours. There were also days on which the backdoor was not used at all. Of the 187 days of data collection, the bots received commands on 120 days, or 64% of the time.

Such pauses are hard to explain. Possibly the operators deliberately limited the amount of spam the bots sent, in order to hide the infected servers' malicious activity and preserve the good reputation of their IP addresses. On the other hand, given how Mumblehard works, the spam daemon on these systems keeps receiving instructions from its own C&C server even when the backdoor's C&C servers are inactive.

Connection with Yellsoft

The C&C server IP addresses hardcoded into the malware are in the range 194.54.81.162 to 194.54.81.164.



Checking the next two IP addresses, 194.54.81.165 and 194.54.81.166, shows that both are name servers for yellsoft.net; the yellsoft.net web server is also hosted at 194.54.81.166. These addresses sit right next to the Mumblehard C&C servers listed in the table. Further checks show that the five IP addresses from .162 to .166 have identical NS and SOA DNS records, even though the address range itself is served by the rx-name.com domain. This indicates that all five addresses are on a single server.



The company itself sells bulk e-mail software called DirectMailer. According to the description on its website, the software is written in Perl and designed to run on UNIX-like systems. The Mumblehard scripts are also written in Perl.


Fig. Yellsoft home page.

The company's home page states that it does not support copies of its software downloaded from another site, softexp.narod.ru.


Fig. The DirectMailer download page on softexp.narod.ru as of 2014.

Today this software is no longer available for download from softexp.narod.ru, and ESET products detect it as malicious. The archive does not contain a Perl script but an ELF executable named dm.pl. Interestingly, this ELF file is packed with the same packer used for the Mumblehard malware. Analysis of the Perl script shows that a function called bdrp is called before the main program starts. This function contains another dropper which, after decryption, produces another ELF file: a packed Perl script containing the Mumblehard backdoor. The script is dropped to a directory on the file system and run by the task scheduler every 15 minutes, the same mechanism described above for Mumblehard.


Fig. Code of the bdrp function, with comments.

The dm.pl program calls fork() to create a new process, which starts listening for incoming TCP connections. The script then notifies the C&C server that it is ready to accept proxy connections. This code fragment, and its capabilities, are identical to the proxy mechanism of the Mumblehard spam component. Such "cracked" copies of DirectMailer give the backdoor operators a channel through the compromised computer for passing traffic, for example to send spam.

Conclusion

Malicious software for systems running Linux and BSD is becoming increasingly complex. The authors' use of their own packer to hide the Perl source inside the executable file adds a certain level of sophistication to Mumblehard. However, this malware is not as sophisticated as the Windigo malware we described previously.

Compromise Indicators (IOCs)

UDP traffic to:

TCP connections on:

HTTP requests with the following User-Agent string:


YARA rules

mumblehard_packer.yara



Malware Samples

SHA-1: 65a2dc362556b55cf2dbe3a10a2b337541eea4eb (ELF)
Linux/Mumblehard.K.Gen (spam component)

SHA-1: 331ca10a5d1c5a5f3045511f7b66340488909339 (ELF)
Linux/Mumblehard.E.Gen (spam component)

SHA-1: 2f2e5776fb7405996feb1953b8f6dbca209c816a (ELF)
Linux/Mumblehard.D.Gen (backdoor)

SHA-1: 95aed86918568b122712bdbbebdd77661e0e6068 (ELF)
Linux/Mumblehard.J.Gen (backdoor)

SHA-1: c83042491efade4a4a46f437bee5212033c168ee (ZIP)
Linux/Mumblehard.E.Gen (pirated DirectMailer archive with the dm.pl Mumblehard script)

SHA-1: e62c7c253f18ec7777fdd57e4ae500ad740183fb (ELF)
Linux/Mumblehard.E.Gen (pirated copy of DirectMailer with the dm.pl Mumblehard script)

SHA-1: 58d4f901390b2ecb165eb455501f37ef8595389a (ZIP)
Linux/Mumblehard.M.Gen (pirated DirectMailer 1.5 archive with the dm.cgi script, which opens the proxy)

SHA-1: 4ae33caebfd9f1e3481458747c6a0ef3dee05e49 (ELF)
Linux/Mumblehard.M.Gen (pirated copy of DirectMailer 1.5 with the dm.cgi script, which opens the proxy)

Source: https://habr.com/ru/post/257293/
