Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: From Microtik with Love SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
From Microtik with Love

We've found interesting new traffic within our Honeytrap agents, originating from servers within Russia only (to be specific, the netblock owned by NKS / NCNET Broadband). The username and password combination being used is root / root, and they are executing all of the following ssh commands:

/ip cloud print
help
ifconfig
uname -a
show ip
cat /proc/cpuinfo
uptime
ls -la
ls /data/data/com.android.providers.telephony/databases
echo Hi | cat -n
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'

While searching for the "/ip cloud print" command,  I've found this command to be related to Microtik routers. Since RouterOS v6.27 the command has been changed, so the targetted devices are Microtik routers running RouterOS before v6.27. The username and password pair being used to gain access isn't a specific Microtik default username / password combination.

Because not all of the above commands are programmed to return the output expected by the script, it could be just probing for specifics about the attacked server.

One command we are not seeing very often is the check for Android databases, "ls /data/data/com.android.providers.telephony/databases". This is a bit weird, especially because of the combination RouterOS / Android, but it could be that the script is just trying to identify the os the device is running.

Another interesting command is the "echo Hi | cat -n" which just counts the number of output lines the echo command, which could be all fingerprinting. There is also a check for running miner processes, but we have seen more thorough checks in for example the Redis worm.

All ip addresses are located roughly at the same netblock / location, which could be an indication that this worm / script is explicitly targetting a vulnerability in the routers being used by the provider, while scanning a broader area not limited to their netblock(s).

Complete list of source addresses:

178.140.147.32
178.140.219.221
178.140.34.125
188.255.18.44
188.255.81.2
188.32.136.109
188.32.213.175
37.110.106.231
37.110.40.221
37.110.82.81
37.110.84.127
37.204.101.93
37.204.104.247
37.204.164.191
37.204.225.46
37.204.253.200
37.204.5.142
46.242.37.169
46.242.4.236
46.242.63.75
5.228.185.9
5.228.214.22
5.228.246.91
77.37.145.89
77.37.149.50
77.37.230.37
77.37.236.152
77.37.237.82
77.37.247.102
90.154.76.78
95.84.212.217

Let me know if you have additional information about this case.

Remco Verhoef (@remco_verhoef)
ISC Handler - Founder of DutchSec
PGP Key

 Remco

24 Posts
ISC Handler
Jun 13th 2018
Thread locked Subscribe Jun 13th 2018
2 years ago
Hey there,

This is certainly an interesting find, and which seems to be a massive push to create a massive bot-net if this is part of the same group that is also doing this:
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

and this:
https://www.us-cert.gov/ncas/alerts/TA18-106A

or I could be just paranoid and connecting dots where they do not fit?
 Anonymous
Quote Jun 13th 2018
2 years ago

Sign Up for Free or Log In to start participating in the conversation!