[unixfreaxjp]

Attacker (SSH): 111.73.46.231
CNC: http://qian.333u.net (122.10.112.193) port: 12027
Sample: https://www.virustotal.com/en/file/d17f ... 437203608/
panel:

[FafZee]

Sample there :
hxxp://125.88.181.43:8989/
with name : S24100
MD5 f92eccfaaae0f861232757315c5e5c6e
SHA1 0c86275d0eb56f1876406725827eae6b15f4972b
SHA256 9dce643aec7352b303be3adbca9a986855d6d5f45e7bcd391d88195dd1330c5f

[unixfreaxjp]

Just a little share of my research. the full list of BillGates project source code for reference.
More to come soon..

[unixfreaxjp]

fresh ones..

cnc

poc

this is the jerk who serves it, he serves Mr. Black too, the Tsung-Yu Ko (Johnny) <Ko.John@gmail.com> http://www.kernelmode.info/forum/viewto ... =30#p26363

Samples:
https://www.virustotal.com/en/file/cb9d ... /analysis/
https://www.virustotal.com/en/file/0bc1 ... /analysis/
https://www.virustotal.com/en/file/20d8 ... /analysis/

[tWiCe]

HFS http://168.235.251.156:2211/

chinaz_hfs.jpg (418.69 KiB) Viewed 507 times

Win32/Linux samples of BillGates malware family.

HFS dump also includes LPE exploits, SH scripts for installing BillGates, mimikatz & some shitty Win32 DDoS trojan.

C&Cs:
www.ddos960.com:1111 (Win32 DDoS trojan)
183.60.110.83:8001 (Win32/Linux BillGates)
183.60.110.83:8000 (Linux BillGates)
fk.appledoesnt.com:30000 (Linux BillGates)
115.231.218.64:8226 (Linux BillGates)
lixianddos.com:10991 (Linux BillGates)
183.60.110.238:10991 (Linux BillGates)
syn110.com:10777 (Linux BillGates)

[tWiCe]

HFS : http://123.131.52.179:888/

Code: Select all

 .bashnl 	1.08 MB	2015-8-5 11:34:13	1804
.bashxl 	1.10 MB	2015-6-7 18:14:29	4645
.bsshme 	1.08 MB	2015-8-9 14:59:25	1062
.bsshxr 	1.10 MB	2013-12-13 18:12:58	895 

[unixfreaxjp]

HFS : http://123.131.52.179:888/

Code: Select all

 .bashnl 	1.08 MB	2015-8-5 11:34:13	1804
.bashxl 	1.10 MB	2015-6-7 18:14:29	4645
.bsshme 	1.08 MB	2015-8-9 14:59:25	1062
.bsshxr 	1.10 MB	2013-12-13 18:12:58	895 

bashxl and bsshxr are Elknot stripped (packed too)
https://www.virustotal.com/en/file/54a6 ... /analysis/
https://www.virustotal.com/en/file/9c67 ... /analysis/

[unixfreaxjp]

New variant. Linux/BillGates.Lite。Re: http://www.kernelmode.info/forum/postin ... 29#pr26517
analysis: http://blog.malwaremustdie.org/2015/08/ ... lware.html
Samples:
x86 32: https://www.virustotal.com/en/file/6ec5 ... 440249503/
x86 64: https://www.virustotal.com/en/file/d006 ... 440249531/

[unixfreaxjp]

Linux/BillGates backdoor type.

The malware actors (from PRC/China) are utilizing AS40676 Psychz Networks,USA for making attacks on SSH, shellshock and etc exploits (including windows malware too), this ASN is VERY BAD. Don't know why US letting this network to keep on abusing us for a year by now..

The case of http://www.kernelmode.info/forum/viewto ... 581#p26578 is also having same attacker source too..

BOOM! the panel


In this case. The actors are operated so happy ever after even can fix the miss in their code and uploaded that again peacefully:


BOOM! the panel was updated too..


Sample for both:
https://www.virustotal.com/en/file/e5d4 ... /analysis/
https://www.virustotal.com/en/file/607e ... /analysis/

[sysopfb]

Attacker(SSH): 219.235.0.174

HFS 198.15.216.27:2015


gydm.exe https://www.virustotal.com/en/file/d3fa ... /analysis/

• linux.xinhuamei.net 61.160.194.62
  yigu520131420.f3322.net 183.60.109.89
  qlsb.f3322.net 45.64.75.152

xdsy https://www.virustotal.com/en/file/dccf ... /analysis/

• 61.160.194.62

xdwl https://www.virustotal.com/en/file/3aa7 ... /analysis/

• 61.160.194.62

xdwl appears to be a upx packed version of BillGates.Lite that you wrote about on MMD?