Attackers are constantly changing their behaviors to attempt to avoid detection. The best way to combat this is a strong threat research and intelligence discipline. One tactic we have observed attackers using recently is exfiltration over DNS. A recent campaign—which as of writing is not detected by VirusTotal or the vendors tested against—uses a backdoored SSH (Secure Shell) client to extract and send credentials from the infected machine to domains across the internet.
Alert Logic is sharing this information so that others may be aware of these behaviors and their indicators and can help better protect their infrastructure.
We have seen activity related to this client since around August 9, 2019, the hashes for which can be found in the Indicators of Compromise section below. Exfiltration can be seen to at least two domains—also mentioned in the Indicators of Compromise section.
Once executed, the client exfiltrates data to at least two malicious nameservers via a DNS query on connecting to a remote host. The exfiltrated query structure has this format:
Encoded string containing the current user on the client machine, the server IP address and username/password credentials. This string unencoded is in the format '["myuser -> remoteuser", "firstname.lastname@example.org"]' where 0.0.0.0 is the remote IP the client is connecting to.
The MAC address of the network card making the SSH connection
Domains listed at the end
String1 is encoded by a cumulative base-n type mechanism. This is reversible based on the information in the binary and doesn't require any external key.
One interesting thing about the charset used to encrypt string1 is that it only uses a subset of standard characters - i,l,o and u are not used. This restricted character set effectively acts as a key, preventing standard base decoders from automatically reversing this without this knowledge.
We have supplied code for decoding the string1 as part of this article. As a test to confirm that this decoding is working, we have also generated the following test string
bch6yx38cns7awv5e8g2tfh0e9qpyx125gh76sb3e9jq8w31edsqevvjch074sbddxt6awv5e9v6awh2bm.<MAC address>.<Malicious Domain>
Combine the code supplied with the string1 above as follows:
You should be returned with the following literal dummy data:
["otheruser -> root","secretpassword@remoteserver"]
Observation of any traffic of logs which are consistent with DNS requests described above to the noted domains should be considered highly suspicious and worthy of immediate investigation. Given the files hashes (as of current writing) are not detected by endpoint agents (as dictated by VirusTotal) this should not be considered a sufficient control at this time.
Indicators of Compromise
CnC (Command and Control) Domains
About Alert Logic Threat Research
Alert Logic routinely tracks emerging vulnerabilities and active use of new exploits in the wild. This allows us to keep up with the latest tools, techniques, and practices of attackers and provide protection for our customers for their most critical threats.