2017/07/21 Advisory: BusyWinman Linux intrusions

This page covers ongoing attacks and may be updated (latest: 2017-07-24).

This information has been released TLP:WHITE and may be distributed without limitation.

BusyWinman Malware is a two-component malicious software including:

  • A Linux Bew Backdoor variant
  • A UPX Packed BusyBox binary
  • A dedicated malicious infrastructure (C2s)
The initial infection is believed to have occurred no later than mid 2015.
The infection vector might be tied to be a drive-by attack in Firefox.
No payload has been discovered so far on the affected hosts.

All victims are Linux Desktop hosts, running various Linux distributions (Ubuntu, Kubuntu, Mint, Fedora, Suse, etc.).

Attacker’s tactics, techniques, and procedures (TTP)

Typically:

  • Devices are seen contacting IP 46.22.220.21, on port 443, using TLS v1.0. The domains associated are tw.gcache.net and storage.gcontent.org (valid Comodo certificates used). This is a likely drive-by download.
  • A UPX Packed BusyBox binary is dropped on the device (~/.tar)
  • A Linux Bew Backdoor variant (may be UPX packed) is dropped on the device (in ~/.config)
  • Persistence is established via a cron job
  • Information on the victim's system is collected:
    • OS distribution and version
    • Apache configuration and modules (if applicable)
    • Firefox stored passwords
    • Firefox stored certificates
    • Firefox stored intermediate certificates
    • Firefox security module database
    • Firefox browsing history
    • Presence of the /usr/bin/bzip2 binary
  • The attacker does not seem to attempt to escalate privileges
  • Persistent, clear-text connections, with sporadic data transfer packets of ~50 bytes, are observed to malicious IPs associated with hfir.u230.org on port 443 (again, this is NOT a SSL/TLS connection). This is likely a C2 host.

Indicators of compromise

Network:

  • Check for connections to 46.22.220.21
  • Check for persistent connections on port 443 to any of the following IPs:
    (note: different samples show different hardcoded IP addresses)
    • 45.58.49.98 (hardcoded in backdoor binary)
    • 192.211.49.214 (hardcoded in backdoor binary)
    • 185.120.34.177 (hardcoded in backdoor binary)
    • 91.219.239.156 (hardcoded in backdoor binary)
    • 46.36.37.169 (hardcoded in backdoor binary)
    • 193.68.47.49 (in process memory)
    • 107.155.120.181 (hardcoded in backdoor binary)
    • 107.155.118.175 (hardcoded in backdoor binary)
  • Check for connections to any of the following domains:
    • tw.gcache.net
    • storage.gcontent.org
    • hfir.u230.org
    • e.update3.org (possibly related indicator)
    • images.gistatic.org (possibly related indicator)
    • pd.update3.org (possibly related indicator)
    • a.update3.org (possibly related indicator)
    • share.update3.org (possibly related indicator)
    • se.update3.org (possibly related indicator)
    • est.just-cloud-it.com (possibly related indicator)

Filesystem

  • Check for binary files in ~/.config such as
    ~/.config/gnome-pty-helper and ~/.config/kdeinit4
  • Check for a ~/.tar executable
  • Check for a cron job such as
    */10 * * * * sh -c "/home/xxxx/.config/gnome-pty-helper"
  • Check for a ~/.config/.checkfs archive
  • Check for traces of the process .config/tempfile-x11session{conf,cache,id,pid}

Indicators of compromise

Indicators of compromise are also available in MISP format:

Technical details

Linux Bew Backdoor Variant

The backdoor is dropped into a hidden directory, ~/.config. It is named according to the system’s windows manager, such as:

  ~/.config/gnome-pty-helper
  ~/.config/kdeinit4
      

Each sample tested has a unique hash and hard coded IPs appear to vary. Persistence is established by a cron job for the local user under /var/spool/cron/, launched every 10 minutes if the process is not running.

    
  */10 * * * * sh -c " /home/xxxx/.config/gnome-pty-helper"
  */10 * * * * sh -c " /home/xxxx/.config/kdeinit4"
    
  

Strings in the Linux Bew Backdoor variant vary between samples, largely in the IPs. One example is included here:

  /bin/sh
  /bin/busybox
  /proc/self/exe
  tempfile-x11session
  46.36.37.169
  91.219.239.156
  185.120.34.177
  hfir.u230.org
  %s:%d
  [%s]:%d
  %s: -%s
  User-Agent
  www.google.com
  Linux
  UNIQID
  %s%sid
  %s.tar
  %star
        

UPX Packed BusyBox binary

A UPX Packed BusyBox binary is dropped into the user's home directory. It is believed to be included to provide a uniform toolkit across infected devices.

  ~/.tar
  MD5 31434dd977f962ea0d555f20c89f207b
        

Remediation

Identify infected machines using the Indicators of Compromise provided. Since the malware is not fully understood, we recommend installing a clean version of the required OS on a new drive and selectively copying necessary files from the infected drive.

Related links

Credits