Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse — Elastic Security Labs
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 9005ff48-08e3-4b11-bad6-59878d3fb66b |
| Fingerprint | b4201923e5898781 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Sept. 27, 2024, midnight |
| Added to db | Sept. 27, 2024, 8:02 a.m. |
| Last updated | Nov. 17, 2024, 7:44 p.m. |
| Headline | Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse |
| Title | Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse — Elastic Security Labs |
| Detected Hints/Tags/Attributes | 218/3/123 |
Source URLs
| Redirection | Url |
|---|---|
| Source | https://www.elastic.co/security-labs/betting-on-bots |
URL Provider
RSS Feed
| Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|
| 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
| Type | #Events | CTI | Value |
|---|---|---|---|
| CVE | 60 | | cve-2021-4034 |
| Domain | 2 | | 00.sh |
| Domain | 4 | | download.sh |
| Domain | 2 | | nishabii.xyz |
| Domain | 2 | | c3pool.org |
| Domain | 2 | | auto.c3pool.org |
| Domain | 2 | | id.services |
| Domain | 1 | | libd1rpcld.so |
| Domain | 1373 | | twitter.com |
| Domain | 1 | | whatserver.sh |
| Domain | 2 | | gcp.pagaelrescate.com |
| Domain | 1 | | unmineable.com |
| Domain | 55 | | process.name |
| Domain | 101 | | www.elastic.co |
| Domain | 4127 | | github.com |
| Domain | 1 | | ifindyou.sh |
| Domain | 1 | | cycnet.sh |
| Domain | 2 | | hfs.t1linux.com |
| Domain | 13 | | blog.lumen.com |
| Domain | 8 | | www.aquasec.com |
| File | 3 | | defunct.dat |
| File | 31 | | 404.php |
| File | 1 | | img.config |
| File | 2 | | gk.php |
| File | 49 | | process.exe |
| File | 12 | | parent.exe |
| File | 2 | | hjvhg.exe |
| File | 2 | | mvhhvcp3.exe |
| File | 1 | | vdfgb.exe |
| File | 1 | | enviador_slot.py |
| File | 1 | | xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html |
| Github username | 1 | | nicocha30 |
| Github username | 1 | | hackerschoice |
| sha256 | 3 | | 72ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f |
| sha256 | 2 | | 82c55c169b6cb5e348be6e202163296b2b5d80fff2be791c21da9a8b84188684 |
| sha256 | 3 | | 0fede7231267afc03b096ee6c1d3ded479b10ab235e260120bc9f68dd1fc54dd |
| sha256 | 3 | | 9ee695e55907a99f097c4c0ad4eb24ae5cf3f8215e9904d787817f1becb9449e |
| sha256 | 2 | | 1cdfb522acb1ad0745a4b88f072e40bf9aa113b63030fe002728bac50a46ae79 |
| sha256 | 3 | | d0ef2f020082556884361914114429ed82611ef8de09d878431745ccd07c06d8 |
| sha256 | 2 | | ad36cf59b5eb08799a50e9aece6f12cdfe8620062606ac6684d3b4509acc681b |
| sha256 | 2 | | 792a84a5bc8530285e2f6eb997054edb3d43460a99a089468e2cf81b5fd5cde6 |
| sha256 | 2 | | e19fb249db323d2388e91f92ff0c8a7a169caf34c3bdaf4d3544ce6bfb8b88b4 |
| sha256 | 2 | | 3847c06f95dd92ec482212116408286986bb4b711e27def446fb4a524611b745 |
| sha256 | 2 | | fffee23324813743b8660282ccd745daa6fb058f2bf84b9960f70d888cd33ba0 |
| sha256 | 2 | | 6d40b58e97c7b4c34f7b5bdac88f46e943e25faa887e0e6ce5f2855008e83f55 |
| sha256 | 2 | | 0c3442b8c49844a1ee41705a9e4a710ae3c7cde76c69c2eab733366b2aa34814 |
| sha256 | 2 | | 310973f6f186947cb7cff0e7b46b4645acdd71e90104f334caa88a4fa8ad9988 |
| sha256 | 2 | | 0d24a2e7da52bad03b0bda45c8435a29c4e1c9b483e425ae71b79fd122598527 |
| sha256 | 2 | | 36fc8eef2e1574e00ba3cf9e2267d4d295f6e9f138474e3bd85eb4d215f63196 |
| sha256 | 2 | | 3c25a4406787cc5089e83e00350e49eb9f192d03d69e7a61b780b6828db1344f |
| sha256 | 2 | | 7c16149db7766c6fd89f28031aa123408228f045e90aa03828c02562d9f9d1d7 |
| sha256 | 3 | | 09f935acbac36d224acfb809ad82c475d53d74ab505f057f5ac40611d7c3dbe7 |
| sha256 | 3 | | ea0068702ea65725700b1dad73affe68cf29705c826d12a497dccf92d3cded46 |
| sha256 | 3 | | 160f232566968ade54ee875def81fc4ca69e5507faae0fceb5bef6139346496a |
| sha256 | 3 | | 89b60cedc3a4efb02ceaf629d6675ec9541addae4689489f3ab8ec7741ec8055 |
| sha256 | 3 | | 20899c5e2ecd94b9e0a8d1af0114332c408fb65a6eb3837d4afee000b2a0941b |
| sha256 | 3 | | 728dce11ffd7eb35f80553d0b2bc82191fe9ff8f0d0750fcca04d0e77d5be28c |
| sha256 | 3 | | 47ceca049bfcb894c9a229e7234e8146d8aeda6edd1629bc4822ab826b5b9a40 |
| sha256 | 3 | | e89f4073490e48aa03ec0256d0bfa6cf9c9ac6feb271a23cb6bc571170d1bcb5 |
| sha256 | 3 | | d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60 |
| sha256 | 3 | | 54a5c82e4c68c399f56f0af6bde9fb797122239f0ebb8bcdb302e7c4fb02e1de |
| sha256 | 3 | | 9e32be17b25d3a6c00ebbfd03114a0947361b4eaf4b0e9d6349cbb95350bf976 |
| IPv4 | 2 | | 61.160.194.160 |
| IPv4 | 2 | | 107.178.101.245 |
| IPv4 | 2 | | 91.92.241.103 |
| IPv4 | 2 | | 62.72.22.91 |
| IPv4 | 2 | | 38.54.125.192 |
| IPv4 | 2 | | 3.147.53.183 |
| MITRE ATT&CK Techniques | 56 | | T1587 |
| MITRE ATT&CK Techniques | 145 | | T1588 |
| MITRE ATT&CK Techniques | 46 | | T1608 |
| MITRE ATT&CK Techniques | 542 | | T1190 |
| MITRE ATT&CK Techniques | 695 | | T1059 |
| MITRE ATT&CK Techniques | 480 | | T1053 |
| MITRE ATT&CK Techniques | 43 | | T1546 |
| MITRE ATT&CK Techniques | 67 | | T1505 |
| MITRE ATT&CK Techniques | 208 | | T1068 |
| MITRE ATT&CK Techniques | 504 | | T1140 |
| MITRE ATT&CK Techniques | 265 | | T1222 |
| MITRE ATT&CK Techniques | 107 | | T1564 |
| MITRE ATT&CK Techniques | 247 | | T1070 |
| MITRE ATT&CK Techniques | 348 | | T1036 |
| MITRE ATT&CK Techniques | 627 | | T1027 |
| MITRE ATT&CK Techniques | 433 | | T1057 |
| MITRE ATT&CK Techniques | 1006 | | T1082 |
| MITRE ATT&CK Techniques | 6 | | T1061 |
| MITRE ATT&CK Techniques | 119 | | T1049 |
| MITRE ATT&CK Techniques | 100 | | T1007 |
| MITRE ATT&CK Techniques | 111 | | T1119 |
| MITRE ATT&CK Techniques | 534 | | T1005 |
| MITRE ATT&CK Techniques | 444 | | T1071 |
| MITRE ATT&CK Techniques | 96 | | T1132 |
| MITRE ATT&CK Techniques | 75 | | T1001 |
| MITRE ATT&CK Techniques | 163 | | T1573 |
| MITRE ATT&CK Techniques | 492 | | T1105 |
| MITRE ATT&CK Techniques | 115 | | T1571 |
| MITRE ATT&CK Techniques | 95 | | T1572 |
| MITRE ATT&CK Techniques | 149 | | T1102 |
| MITRE ATT&CK Techniques | 107 | | T1496 |
| Url | 1 | | http://61.160.194.160:35130 |
| Url | 1 | | http://107.178.101.245:5488/l64 |
| Url | 1 | | http://107.178.101.245:5488/l86 |
| Url | 1 | | http://107.178.101.245:5488 |
| Url | 2 | | http://91.92.241.103:8002/gk.php |
| Url | 2 | | http://62.72.22.91/apache2 |
| Url | 2 | | http://62.72.22.91/apache2v86 |
| Url | 24 | | https://twitter.com |
| Url | 2 | | http://gcp.pagaelrescate.com:8080/ifindyou |
| Url | 2 | | http://gcp.pagaelrescate.com:8080/t9r/systemdxc |
| Url | 2 | | http://gcp.pagaelrescate.com:8080/cycnet |
| Url | 2 | | http://gcp.pagaelrescate.com:8080/testslot/enviador_slot |
| Url | 1 | | https://www.elastic.co/security-labs/betting-on-bots |
| Url | 1 | | https://github.com/nicocha30/ligolo-ng |
| Url | 2 | | http://38.54.125.192:8080/nginx-rc |
| Url | 2 | | http://hfs.t1linux.com:7845/scdsshfk |
| Url | 1 | | https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html |
| Url | 1 | | https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware |
| Url | 2 | | https://www.fortinet.com/blog/threat-research/multiple-threats-target-adobe-coldfusion-vulnerabilities |
| Url | 1 | | https://www.aquasec.com/blog/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack |
| Url | 1 | | https://github.com/hackerschoice/gsocket |
| Yara rule | 1 | | Linux_Trojan_Generic (rule text below) |
| Yara rule | 1 | | Multi_Hacktool_Gsocket (rule text below) |
| Yara rule | 1 | | Linux_Hacktool_LigoloNG (rule text below) |

Yara rule: Linux_Trojan_Generic

```yara
rule Linux_Trojan_Generic {
    meta:
        author = "Elastic Security"
        creation_date = "2024-09-20"
        last_modified = "2024-09-20"
        os = "Linux"
        arch = "x86"
        threat_name = "Linux.Trojan.Generic"
        reference = "https://www.elastic.co/security-labs/betting-on-bots"
        license = "Elastic License v2"
    strings:
        $enc1 = { 74 73 0A 1C 1A 54 1A 11 54 0C 18 43 59 5B 3A 11 0B 16 14 10 0C 14 5B }
        $enc2 = { 18 1A 1A 1C 09 0D 43 59 0D 1C 01 0D 56 11 0D 14 15 55 18 09 09 15 10 }
        $enc3 = { 18 1A 1A 1C 09 0D 54 15 18 17 1E 0C 18 1E 1C 43 59 0B 0C }
        $enc4 = { 34 16 03 10 15 15 18 56 4C 57 49 59 51 2E 10 17 1D 16 0E 0A 59 37 }
        $key = "yyyyyyyy"
    condition:
        1 of ($enc*) and $key
}
```

Yara rule: Multi_Hacktool_Gsocket

```yara
rule Multi_Hacktool_Gsocket {
    meta:
        author = "Elastic Security"
        creation_date = "2024-09-20"
        last_modified = "2024-09-23"
        os = "Linux, MacOS"
        arch = "x86"
        threat_name = "Multi.Hacktool.Gsocket"
        reference = "https://www.elastic.co/security-labs/betting-on-bots"
        license = "Elastic License v2"
    strings:
        $str1 = "gsocket: gs_funcs not found"
        $str2 = "/share/gsocket/gs_funcs"
        $str3 = "$GSOCKET_ARGS"
        $str4 = "GSOCKET_SECRET"
        $str5 = "GS_HIJACK_PORTS"
        $str6 = "sftp -D gs-netcat"
        $str7 = "GS_NETCAT_BIN"
        $str8 = "GSOCKET_NO_GREETINGS"
        $str9 = "GS-NETCAT(1)"
        $str10 = "GSOCKET_SOCKS_IP"
        $str11 = "GSOCKET_SOCKS_PORT"
        $str12 = "gsocket(1)"
        $str13 = "gs-sftp(1)"
        $str14 = "gs-mount(1)"
    condition:
        3 of them
}
```

Yara rule: Linux_Hacktool_LigoloNG

```yara
rule Linux_Hacktool_LigoloNG {
    meta:
        author = "Elastic Security"
        creation_date = "2024-09-20"
        last_modified = "2024-09-20"
        os = "Linux"
        arch = "x86"
        threat_name = "Linux.Hacktool.LigoloNG"
        reference = "https://www.elastic.co/security-labs/betting-on-bots"
        license = "Elastic License v2"
    strings:
        $a = "https://github.com/nicocha30/ligolo-ng"
        $b = "@Nicocha30!"
        $c = "Ligolo-ng %s / %s / %s"
    condition:
        all of them
}
```