Attackers are constantly changing their behaviors to attempt to avoid detection. The best way to combat this is a strong threat research and intelligence discipline. One tactic we have observed attackers using recently is exfiltration over DNS. A recent campaign—which as of writing is not detected by VirusTotal or the vendors tested against—uses a backdoored SSH (Secure Shell) client to extract and send credentials from the infected machine to domains across the internet.

Alert Logic is sharing this information so that others may be aware of these behaviors and their indicators and can help better protect their infrastructure.

Exfiltration

We have seen activity related to this client since around August 9, 2019, the hashes for which can be found in the Indicators of Compromise section below. Exfiltration can be seen to at least two domains—also mentioned in the Indicators of Compromise section.

Once executed, the client exfiltrates data to at least two malicious nameservers via a DNS query that is issued when the client connects to a remote host. The exfiltration query has this structure:

<string1><string2><string3>

<string1>:
Encoded string containing the current user on the client machine, the server IP address and the username/password credentials. Unencoded, this string has the format '["myuser -> remoteuser", "<password>@0.0.0.0"]', where 0.0.0.0 is the remote IP the client is connecting to.

<string2>:
The MAC address of the network card making the SSH connection.

<string3>: (hardcoded)
One of the domains listed in the Indicators of Compromise section at the end.

String1 is encoded by a cumulative base-n style mechanism. The encoding is reversible using only the information in the binary and does not require any external key.

One interesting thing about the charset used to encode string1 is that it only uses a subset of the standard characters: i, l, o and u are not used. This restricted character set effectively acts as a key, preventing standard base decoders from reversing the encoding automatically without knowledge of the alphabet.

We have supplied code for decoding string1 as part of this article. As a test to confirm that the decoding works, we have also generated the following test string:

bch6yx38cns7awv5e8g2tfh0e9qpyx125gh76sb3e9jq8w31edsqevvjch074sbddxt6awv5e9v6awh2bm.<MAC address>.<Malicious Domain>

Run the supplied decoder against the string1 portion of the test string above as follows:

./decode bch6yx38cns7awv5e8g2tfh0e9qpyx125gh76sb3e9jq8w31edsqevvjch074sbddxt6awv5e9v6awh2bm

It returns the following dummy data:

["otheruser -> root","secretpassword@remoteserver"]
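The decoder the article refers to is not reproduced on this page. The following is an added Python implementation, not Alert Logic's code, that reverses the string1 encoding as described above: the 32-symbol alphabet (the digits plus the letters without i, l, o and u, which is exactly the Crockford base32 alphabet) carries 5 bits per character, and the bits are packed most-significant-first into bytes. Checked against the page's own test vector, this scheme yields the dummy output shown above. The `split_query` helper and the dotted label layout it assumes (`<string1>.<MAC>.<domain>`, as in the test string) are assumptions, not something the article states explicitly.

```python
# Added example: decoder for the string1 label of the exfiltration query.
# Not the article's own code. Alphabet: 0-9 and a-z minus i, l, o, u
# (32 symbols, 5 bits each), bits packed MSB-first into bytes.

ALPHABET = "0123456789abcdefghjkmnpqrstvwxyz"
assert len(ALPHABET) == 32
VALUE = {c: i for i, c in enumerate(ALPHABET)}


def decode_string1(encoded: str) -> str:
    """Reverse the 5-bit-per-character packing and return the cleartext."""
    acc = 0      # bit accumulator
    nbits = 0    # number of valid bits currently held in acc
    out = bytearray()
    for ch in encoded.lower():
        if ch not in VALUE:
            # A character outside the alphabet means this is not a
            # string1 label (or the alphabet differs in a new variant).
            raise ValueError(f"{ch!r} is not in the 32-symbol alphabet")
        acc = (acc << 5) | VALUE[ch]
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1  # keep only the leftover low bits
    # Any trailing bits (fewer than 8) are padding and are dropped.
    return out.decode("utf-8")


def split_query(qname: str):
    """Split an exfiltration query name into (string1, mac, domain).

    Assumed layout (from the test string): <string1>.<MAC>.<domain>.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError("expected at least three labels")
    return labels[0], labels[1], ".".join(labels[2:])


# Test vector taken from the article above.
TEST_STRING1 = (
    "bch6yx38cns7awv5e8g2tfh0e9qpyx125gh76sb3e9jq8w31edsqevvjch074sbddxt6awv5e9v6awh2bm"
)

if __name__ == "__main__":
    print(decode_string1(TEST_STRING1))
```

Because the alphabet drops four letters rather than (as in RFC 4648 base32) the digits 0, 1, 8 and 9, a stock base32 decoder rejects these labels; once the alphabet is known, decoding is a straightforward bit unpack with no key involved, matching the article's observation.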

Summary

Observation of any traffic or logs consistent with the DNS requests described above to the noted domains should be considered highly suspicious and worthy of immediate investigation. Given that the file hashes (as of writing) are not detected by endpoint agents (according to VirusTotal), endpoint detection should not be considered a sufficient control at this time.
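As an added example that is not part of the Alert Logic post, the following Python scans DNS query log lines for the two signals the summary describes: a query name under one of the listed CnC domains, and a query name with the structural shape of the exfiltration request (a long first label drawn only from the restricted string1 alphabet, followed by a label that looks like a MAC address). The log line format, the 12-hex-digit MAC label format, the minimum label length and the placeholder domain in the constructed sample are assumptions; the two CnC domains are the ones published above.

```python
import re

# Added example: detection over DNS query logs. Not the article's own code.
# IoC domains as published above (defanged); refanged only for matching.
IOC_DOMAINS_DEFANGED = ["weberdut[.]co", "icdn-cloud[.]com"]
IOC_DOMAINS = [d.replace("[.]", ".") for d in IOC_DOMAINS_DEFANGED]

# The string1 alphabet: digits plus a-z without i, l, o and u.
STRING1_ALPHABET = set("0123456789abcdefghjkmnpqrstvwxyz")
# Assumption: the MAC label is 12 hex digits with no separators.
MAC_LABEL = re.compile(r"^[0-9a-f]{12}$")
# Assumption: a threshold well below the 82-character test vector, high
# enough that ordinary hostnames do not match.
MIN_STRING1_LEN = 32

# Constructed sample log (not real traffic). Line 2 hits both signals,
# line 3 only the structural one (unknown domain), line 4 only the domain.
STRING1 = "bch6yx38cns7awv5e8g2tfh0e9qpyx125gh76sb3e9jq8w31edsqevvjch074sbddxt6awv5e9v6awh2bm"
SAMPLE_LOG = f"""\
2019-08-12T10:01:02Z src=10.0.0.5 qname=www.example.com. qtype=A
2019-08-12T10:01:03Z src=10.0.0.5 qname={STRING1}.001122aabbcc.{IOC_DOMAINS[0]}. qtype=A
2019-08-12T10:01:04Z src=10.0.0.7 qname={STRING1}.001122aabbcc.placeholder-domain.example. qtype=A
2019-08-12T10:01:05Z src=10.0.0.9 qname=mail.{IOC_DOMAINS[1]}. qtype=A
"""

QNAME_RE = re.compile(r"qname=(\S+)")


def classify(qname: str) -> list:
    """Return the list of reasons a query name is suspicious (empty if none)."""
    name = qname.rstrip(".").lower()
    reasons = []
    if any(name == d or name.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("known CnC domain")
    labels = name.split(".")
    if (
        len(labels) >= 3
        and len(labels[0]) >= MIN_STRING1_LEN
        and set(labels[0]) <= STRING1_ALPHABET
        and MAC_LABEL.match(labels[1])
    ):
        reasons.append("string1/MAC label structure")
    return reasons


def scan(log_text: str) -> list:
    """Scan log lines and return (qname, reasons) for each suspicious query."""
    hits = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        reasons = classify(m.group(1))
        if reasons:
            hits.append((m.group(1).rstrip("."), reasons))
    return hits


if __name__ == "__main__":
    for qname, reasons in scan(SAMPLE_LOG):
        print(f"{qname}: {', '.join(reasons)}")
```

The structural rule matters because the domain list is only as good as the current campaign; a new nameserver would evade the IoC match but still produce the same label shape, so both signals are worth alerting on, and a structural hit on an unlisted domain is the case to escalate first.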

Indicators of Compromise

CnC (Command and Control) Domains

  • weberdut[.]co
  • icdn-cloud[.]com

IP Addresses

  • 164[.]132[.]181[.]85
  • 194[.]99[.]23[.]199

Hashes

  • cca561fe23233bfc6553435c11a6c19f5864c0028f7dd6466940c3818cdc5131
  • 68d4b6af4f961f323b57b7e43e2004a11a59b4910271d9b3e9731fc992f51c55

About Alert Logic Threat Research

Alert Logic routinely tracks emerging vulnerabilities and active use of new exploits in the wild. This allows us to keep up with the latest tools, techniques, and practices of attackers and provide protection for our customers for their most critical threats.
