Bulbature: Exploring the Depths of GobRAT

  • Short Summary: The Sekoia Threat Detection & Research team has been investigating a sophisticated cyber attack infrastructure since mid-2023, focusing on compromised edge devices used as Operational Relay Boxes (ORBs). The infrastructure, believed to be operated by multiple Chinese actors, includes 63 servers and utilizes malware such as GobRAT and Bulbature for offensive cyber operations. The investigation reveals a complex architecture that allows for the management and exploitation of compromised devices to conduct various cyber attacks.
  • Key Points:
    • The investigation began in mid-2023 and is ongoing.
    • A total of 63 servers have been identified and analyzed.
    • Compromised edge devices are transformed into Operational Relay Boxes (ORBs).
    • Malware identified includes GobRAT and Bulbature.
    • The infrastructure is likely operated by multiple Chinese actors.
    • GobRAT is a versatile backdoor with various attack capabilities.
    • Bulbature is used primarily to relay attacks from compromised devices.
    • The infrastructure allows for the execution of DDoS attacks and exploitation of vulnerabilities.
    • Proxies provider interfaces enable the creation of on-demand proxy tunnels.
    • The victimology indicates a significant number of compromised hosts in the United States and Hong Kong.
  • MITRE ATT&CK TTPs – created by AI
    • Remote Access Trojan (RAT) – T1071
      • GobRAT provides standard RAT functionalities and can relay specific attacks.
    • Command and Control – T1071
      • GobRAT and Bulbature communicate with staging servers for commands and updates.
    • Credential Dumping – T1003
      • Scripts used for brute-forcing credentials on various services.
    • Exploitation of Remote Services – T1210
      • Malware exploits vulnerabilities in compromised devices.
    • Distributed Denial of Service – T1499
      • GobRAT is capable of executing DDoS attacks.

Key Takeaways

  • Since mid-2023, the Sekoia Threat Detection & Research team (TDR) has been investigating an infrastructure that controls compromised edge devices transformed into Operational Relay Boxes (ORBs) used to launch offensive cyber attacks.
  • The infrastructure has constantly evolved with a total of 63 servers identified and analysed, and is still operating at the time of publication of this report.
  • On some servers, it is possible to find installation scripts as well as the GobRAT and Bulbature malware. Other servers provide a view of the administration interface used to manage compromised hosts and launch attacks.
  • Several traces lead us to suggest that this infrastructure might be used by several operators originating from China.


Context

On 9 October 2023, the Threat Detection & Research (TDR) team published a private report regarding an attack campaign on edge devices also documented by the JPCERT/CC on 29 May 2023. Since then, the network infrastructure has remained active and dozens of new hosts were deployed with the same characteristics as those initially identified. These hosts are monitored via the Sekoia C2 Tracker project and are capitalised within the Sekoia Intelligence Center (IC). 

In our 2023 report, we assessed that this infrastructure was very likely used to support the operations of multiple intrusion sets, likely of Chinese origin, based on certain traces attributing the attacks and on the victimology observed, which mainly consisted of edge devices transformed into Operational Relay Boxes (ORBs). For some years now, we have observed Chinese actors using edge devices as ORBs to conduct offensive cyber campaigns, as previously reported in connection with the Quad7 operator or the APT31 infrastructure. Although there was little open-source information on GobRAT, TDR decided to investigate this threat in depth.

This investigation is still in progress as of September 2024, and we will focus on highlighting the infrastructure and the different types of hosts identified. The cut-off date for indicators included in this report is 5 September 2024. 

Initial findings

The initial findings came from a self-signed certificate that was used on a staging host identified by the JPCERT/CC:

Subject DN C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Issuer DN C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Serial Number Decimal: 587046745646849621397962336094648657285118811505
Validity Period 2021-05-16T06:47:34 to 2031-05-14T06:47:34
SHA-256 3ab014dd8cc7878c4e840be84b111e6fa71de221c42c14b0becaf3827a744ab9
SHA-1 d0d3975b5b900b3af2dce973428475f022b16f60
MD5 af4ad0bd9221ffc63ae5acff4034834a

In 2023, when other staging hosts were analysed, one host was using a second, distinct certificate:

Subject DN O=mkcert development certificate, OU=a@a-virtual-machine
Issuer DN O=mkcert development CA, OU=a@a-virtual-machine, CN=mkcert a@a-virtual-machine
Serial Number Decimal: 77481536472298673143899330019234134150
Validity Period 2021-12-21T01:38:57 to 2024-03-21T01:38:57
SHA-256 27b6567f260dd689200bbda0794341b1edcf6039cfc1ae7adf0bc6477a16a1f9
SHA-1 74fe94844a337da4bdc2988609fb3c4df3f3b78d
MD5 e4b7b3a2610ad706a83667a5bac7cd31

Since we started monitoring the infrastructure, this was the first and only time that a second certificate was observed, likely an operator error. It led us to uncover two new host types correlated with the overall infrastructure. Since 2023, these two certificates have been used to identify 63 different hosts, including 20 that were still active at the time of writing.
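The pivot described above rests on one mechanical step: hashing the DER encoding of a certificate and comparing the result with the tracked fingerprints. The following Python is an added example (not Sekoia's tooling or C2 Tracker code) showing that step end to end: it accepts a certificate as PEM or raw DER, computes the SHA-256, SHA-1 and MD5 values the report lists, normalises fingerprints as printed by tools such as `openssl x509 -fingerprint`, and matches an inventory export against the two certificates. The inventory rows are constructed; the two MD5 values and their labels come from the report.

```python
"""Certificate-fingerprint pivot (added example, not the report's tooling)."""
import base64
import hashlib

# The two tracked certificates, keyed by MD5 as in the report's IoC table.
KNOWN_CERT_MD5 = {
    "af4ad0bd9221ffc63ae5acff4034834a":
        "self-signed 'Internet Widgits Pty Ltd' certificate (staging hosts)",
    "e4b7b3a2610ad706a83667a5bac7cd31":
        "mkcert 'a@a-virtual-machine' certificate (proxies provider / GobRAT admin)",
}

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_der(cert: bytes) -> bytes:
    """Return the DER bytes of a certificate given as PEM text or raw DER."""
    if PEM_HEADER.encode() not in cert:
        return cert  # already DER
    body = []
    inside = False
    for line in cert.decode("ascii").splitlines():
        line = line.strip()
        if line == PEM_HEADER:
            inside = True
        elif line == PEM_FOOTER:
            break
        elif inside:
            body.append(line)
    return base64.b64decode("".join(body))


def fingerprints(cert: bytes) -> dict:
    """SHA-256 / SHA-1 / MD5 of the DER encoding: lower-case hex, no colons.

    Scanners (Censys, Shodan) and openssl all hash the DER bytes, so the
    values are comparable across sources.
    """
    der = to_der(cert)
    return {
        "sha256": hashlib.sha256(der).hexdigest(),
        "sha1": hashlib.sha1(der).hexdigest(),
        "md5": hashlib.md5(der).hexdigest(),
    }


def normalize_fingerprint(fp: str) -> str:
    """'MD5 Fingerprint=AF:4A:...' or 'AF:4A:...' -> 'af4a...'."""
    if "=" in fp:
        fp = fp.split("=", 1)[1]
    return fp.replace(":", "").replace(" ", "").lower()


def classify(cert: bytes):
    """Label of the tracked certificate this cert matches, or None."""
    return KNOWN_CERT_MD5.get(fingerprints(cert)["md5"])


def match_inventory(rows):
    """rows: iterable of (host, md5 fingerprint as printed). Returns tracked hits."""
    hits = []
    for host, fp in rows:
        label = KNOWN_CERT_MD5.get(normalize_fingerprint(fp))
        if label:
            hits.append((host, label))
    return hits


if __name__ == "__main__":
    # Constructed inventory export; the first fingerprint is the report's value.
    inventory = [
        ("38.54.56.5:443", "MD5 Fingerprint=AF:4A:D0:BD:92:21:FF:C6:3A:E5:AC:FF:40:34:83:4A"),
        ("203.0.113.10:443", "MD5 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"),
    ]
    for host, label in match_inventory(inventory):
        print(f"{host}: {label}")
```

Feeding `fingerprints()` the DER of a certificate retrieved from a host in your own telemetry gives the same three values the report lists, so a hit on either MD5 can be used as a pivot into the rest of the indicator table.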

In this report, we provide a comprehensive analysis of each type of these servers.

Down the rabbit hole: Infrastructure overall

Our analysis revealed a network architecture from staging servers to administration panels. This overall infrastructure was observed following an analysis of over 5,000 files on hosts that used these two self-signed certificates mentioned above. Based on our analysis, we illustrated the different infrastructure components as follows:

This infrastructure involves compromised edge devices that, once infected, download from attackers’ staging servers two different malicious codes: GobRAT and Bulbature. These two codes seem to have different purposes. 

GobRAT, which has already been documented by the JPCERT/CC, is a Swiss Army knife backdoor written in Go. It provides standard RAT functionalities and is also used to relay specific attacks from the compromised devices, such as DDoS or vulnerability exploitation campaigns. It seems to be used to gather intelligence from the networks associated with the compromised edge devices.

Bulbature, an implant not yet documented in open source, seems to be used only to transform the compromised edge device into an ORB that relays attacks against the final victims' networks.

Infection chain used to compromise edge devices

ORBs

We have been able to observe edge devices compromised and transformed into ORBs by GobRAT and Bulbature (initially called “kkrn”) malware. The following infection chain can therefore be described in four main steps:

  • Step 1: The operator deploys staging servers, which host Bash scripts as well as GobRAT and Bulbature malware.
  • Step 2: The operator compromises edge devices.
  • Step 3: The operator runs Bash scripts that download malware from the staging servers, and runs them.
  • Step 4: The edge device communicates with staging servers and Bulbature C2 & Dispenser. It is transformed into an ORB.

Staging servers

The list of staging servers at the date of writing is as follows:

Staging host IP | ASN | AS Name | Hosting | Country
38.54.56.5 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Japan
38.54.85.246 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Hong Kong
38.60.134.236 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | France
38.60.221.32 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Russia
38.60.221.63 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Russia
38.60.221.174 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Russia
38.60.223.51 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Russia
38.60.223.81 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Russia
38.60.221.145 | AS138915 | KAOPU-HK | Kaopu Cloud HK Limited | Russia

All the currently active hosts are located in the same autonomous system, AS138915, but this was not always the case historically, since other ASNs have also been observed since 2023. It is worth mentioning that this autonomous system is increasingly used by Chinese intrusion sets. All these staging servers host malicious files served on port 443 (HTTPS) or 58888 (HTTP or HTTPS). On these ports, we identified an open directory under /static/ containing the following files:

Filename Type File Info Creation Date
sshdeny1.sh Block script Bourne-Again shell script 2024-07-19
hold_by_bot.sh Daemon script Bourne-Again shell script 2024-07-31
zoneController.sh Daemon script Bourne-Again shell script 2024-07-19
zonedelete.sh Delete script Bourne-Again shell script 2024-07-19
zonesetup.sh Start script Bourne-Again shell script 2024-07-19
zoneupdate.sh Update script Bourne-Again shell script 2024-07-23
zoneRestart.sh Update script Bourne-Again shell script 2024-07-19
bulbature Bulbature malware ELF 64-bit LSB executable (x86-64) 2024-07-31
zone.x86_64 GobRAT malware ELF 64-bit LSB executable (x86-64) 2024-07-19
zone.i686 GobRAT malware ELF 32-bit LSB executable (Intel 80386) 2024-07-19
zone.arm GobRAT malware ELF 32-bit LSB executable (ARM) 2024-07-19
zone.mips GobRAT malware ELF 32-bit LSB executable (MIPS) 2024-07-19
frpc.x86_64 FRP (Fast Reverse Proxy) ELF 64-bit LSB executable (x86-64) 2024-07-19
frpc.i686 FRP (Fast Reverse Proxy) ELF 32-bit LSB executable (Intel 80386) 2024-07-19
frpc.arm FRP (Fast Reverse Proxy) ELF 32-bit LSB executable (ARM) 2024-07-19

This open directory contains installation and management scripts, tools and two backdoors, GobRAT and Bulbature. In total, more than 200 files were found on the staging servers, and the first records of these files date back to 2022. Although there are variations, mainly due to the fact that many scripts contain hard coded domains, they all behave in the same way and perform the same actions.
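The staging hosts, ports and file names above are the most directly actionable part of this section for a defender: a fetch of `/static/zoneupdate.sh` or `/static/zone.arm` from one of these addresses on 443 or 58888 is visible in any web proxy or egress gateway log. The following Python is an added example (not Sekoia's detection content) that scans such logs. The indicator sets are taken from the report; the log format is a constructed, generic `timestamp client method url status` line, so the line parser is the part to adapt to your own gateway.

```python
"""Flag downloads from the GobRAT/Bulbature staging servers in proxy logs.

Added example, not the report's own detection logic.
"""
import re
from urllib.parse import urlsplit

# Active staging hosts at the report's cut-off date (5 September 2024).
STAGING_IPS = {
    "38.54.56.5", "38.54.85.246", "38.60.134.236", "38.60.221.32",
    "38.60.221.63", "38.60.221.174", "38.60.223.51", "38.60.223.81",
    "38.60.221.145",
}
STAGING_PORTS = {443, 58888}

# Files observed under /static/ on the staging servers.
STAGING_FILES = {
    "sshdeny1.sh", "hold_by_bot.sh", "zoneController.sh", "zonedelete.sh",
    "zonesetup.sh", "zoneupdate.sh", "zoneRestart.sh", "bulbature",
}
# zone.<arch> (GobRAT) and frpc.<arch> (FRP) share one naming pattern.
ARCH_BINARY = re.compile(r"^(zone|frpc)\.(x86_64|i686|arm|mips)$")

# Constructed log layout: "<timestamp> <client ip> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def classify_url(url: str):
    """Return the reasons (possibly none) this URL looks like a staging fetch."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    reasons = []
    if host in STAGING_IPS:
        reasons.append("destination is a known staging host")
    segments = parts.path.split("/")
    basename = segments[-1]
    if "static" in segments[:-1] and (basename in STAGING_FILES or ARCH_BINARY.match(basename)):
        reasons.append(f"/static/{basename} matches the staging open directory")
    # Port alone is too weak a signal (443 is everywhere); only report it as
    # corroboration once the host or the file already matched.
    if reasons and port in STAGING_PORTS:
        reasons.append(f"port {port} matches the staging service ports")
    return reasons


def scan_log(lines):
    """Return (timestamp, client, url, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; surface these separately in practice
        ts, client, _method, url, _status = m.groups()
        reasons = classify_url(url)
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits


# Constructed sample: two staging fetches and one benign request.
SAMPLE_LOG = """
2024-07-20T10:11:12Z 10.0.0.5 GET https://38.60.221.32:58888/static/zoneupdate.sh 200
2024-07-20T10:11:13Z 10.0.0.5 GET https://38.60.221.32:58888/static/zone.arm 200
2024-07-20T10:12:00Z 10.0.0.7 GET https://example.com/static/app.js 200
""".strip().splitlines()

if __name__ == "__main__":
    for ts, client, url, reasons in scan_log(SAMPLE_LOG):
        print(ts, client, url, "; ".join(reasons))
```

Because the report notes that the ASN has changed over time and that more than 200 file variants exist, the file-name rule is deliberately kept independent of the IP rule: a `/static/zone.<arch>` download from an address not in the list still produces a finding, just without the host corroboration.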

Bash scripts

Full details of the chain of compromise carried out by the Bash scripts are available in Appendix 1: Bash scripts. These Bash scripts include code for:

  • Installing and running malware;
  • Ensuring persistence;
  • Blocking other potential attackers;
  • Making the host publicly accessible by disabling security mechanisms.

It is also possible to notice that update scripts are included which have the effect of deleting scripts and malware and reinstalling them entirely. This indicates a desire to keep access to a compromised device and to push out new versions of the malware, probably with new functionalities.

Malware interactions

GobRAT is a RAT developed in Go that provides 22 types of commands, which are run from a staging server, as reported by the JPCERT/CC. Its capabilities are as follows:

  • Obtains a new C2 configuration
  • Starts, stops or confirms a reverse shell connection
  • Executes shell commands
  • Reads/writes a specified file
  • Fingerprints host
  • Captures system state data
  • Sets new communication channel for TCP/UDP
  • Runs a SOCKS5 proxy (compatible with specified port and password)
  • Runs a Fast Reverse Proxy (FRP) binary (well known and available on Github)
  • Attempts to login on services like SSH, Telnet, Redis, MySQL or PostgreSQL
  • Sends HTTP/HTTPS requests to a specified IP
  • Sends HTTP/HTTPS Dictionary attack to a specified IP
  • Performs DDoS attacks using SYN, TCP, UDP, HTTP, ICMP

By analysing the content of installation scripts, it was possible to group together all the names, ports and running methods of the malware. They are constantly found in the same place in the staging servers open directory, and they are also executed at the same time.

Malware | Alias | Run command | Local port | Remote port
GobRAT | apached, icon_x, asus_x | ./zone.[ARCH] -d | None | 80 (TCP, HTTPS)
Bulbature | bulbature, kkrn, mostise, myet, rhabdia, scindwise, out_arm, out_mipsle, asus_x, level | ./bulbature -d [PORT] or ./bulbature [PORT] | Random (UDP), 5500 (UDP), 8001 (TCP) | 8080 (TCP)

However, it is not yet obvious how Bulbature behaves due to a very high level of obfuscation. The figure below highlights the interactions observed during the infection process of an edge device:

On this diagram, the orange-coloured data shows the parts that could not be fully identified. Despite this fact, the following steps can be observed:

  • Step 1: zoneupdate.sh downloads Bash scripts as well as GobRAT and Bulbature malware from a staging server.
  • Step 2: GobRAT and Bulbature are dropped and executed.
  • Step 3a: GobRAT exchanges data over TCP with a staging server.
  • Step 3b-0
    • Step 3b-1: When Bulbature is launched without any arguments (./bulbature), it connects to the Bulbature Dispenser, a server designed to send back a list of three [IP]:[PORT] Bulbature C2 pairs.
    • Step 3b-2: Bulbature connects to a Bulbature C2 using one of the [IP]:[PORT] pairs received in the previous step.
    • Step 3b-3: Bulbature listens on a random UDP port, and data is exchanged with the IP and port of the Bulbature C2 selected in the previous step.
  • Step 3c-0
    • Step 3c-1: When Bulbature is launched with an argument (./bulbature 5500 or ./bulbature -d 5500), Bulbature listens in UDP on the port given as argument and exchanges data with a Bulbature C2.
    • Step 3c-2: Bulbature listens on port 8001 (TCP), bound to localhost only.
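The alias table and the steps above give a concrete host-side profile: a process carrying one of the listed names, a TCP listener on 8001 bound to localhost, a UDP socket on 5500 (or a random UDP port), and a GobRAT process talking to a staging host. The following Python is an added example (not Sekoia's or the malware authors' code) that triages a socket listing against that profile. It assumes `ss -tulpnH`-style lines; busybox-based routers may only offer `netstat -tulpn`, whose columns differ, so the regular expression is the part to adjust. The sample listing is constructed.

```python
"""Triage a socket listing against the GobRAT / Bulbature profile.

Added example, not the report's tooling.
"""
import re

# Process names under which GobRAT and Bulbature were seen running.
GOBRAT_ALIASES = {"apached", "icon_x", "asus_x"}
BULBATURE_ALIASES = {
    "bulbature", "kkrn", "mostise", "myet", "rhabdia", "scindwise",
    "out_arm", "out_mipsle", "asus_x", "level",
}
# Active staging hosts from the report, used to check outbound peers.
STAGING_IPS = {
    "38.54.56.5", "38.54.85.246", "38.60.134.236", "38.60.221.32",
    "38.60.221.63", "38.60.221.174", "38.60.223.51", "38.60.223.81",
    "38.60.221.145",
}

# ss -tulpnH layout: proto state recv-q send-q local peer [users:(("name",pid=N,fd=M))]
SS_LINE = re.compile(
    r'^(tcp|udp)\s+(\S+)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+)'
    r'(?:\s+users:\(\("([^"]+)",pid=(\d+))?'
)


def parse_ss(line: str):
    """Parse one ss line into a dict, or None if it does not match."""
    m = SS_LINE.match(line.strip())
    if not m:
        return None
    proto, state, addr, port, peer, name, pid = m.groups()
    return {
        "proto": proto, "state": state, "addr": addr,
        "port": None if port == "*" else int(port),
        "peer_host": peer.rsplit(":", 1)[0],
        "name": name, "pid": int(pid) if pid else None,
    }


def triage(lines):
    """Return (pid, process name, reason) findings for a socket listing."""
    findings = []
    for line in lines:
        s = parse_ss(line)
        if s is None:
            continue
        name = s["name"] or "?"
        if name in BULBATURE_ALIASES:
            findings.append((s["pid"], name, "process name is a known Bulbature alias"))
        elif name in GOBRAT_ALIASES:
            findings.append((s["pid"], name, "process name is a known GobRAT alias"))
        if s["proto"] == "tcp" and s["addr"] in ("127.0.0.1", "[::1]") and s["port"] == 8001:
            findings.append((s["pid"], name, "localhost TCP 8001 listener (Bulbature step 3c-2)"))
        if s["proto"] == "udp" and s["port"] == 5500:
            findings.append((s["pid"], name, "UDP 5500 socket (Bulbature launched with a port argument)"))
        if s["peer_host"] in STAGING_IPS:
            findings.append((s["pid"], name, "connected to a known staging host"))
    return findings


# Constructed listing: a benign dropbear entry plus Bulbature- and GobRAT-like processes.
SAMPLE_SS = """
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*    users:(("dropbear",pid=900,fd=3))
tcp   LISTEN 0      128    127.0.0.1:8001  0.0.0.0:*    users:(("kkrn",pid=1337,fd=5))
udp   UNCONN 0      0      0.0.0.0:5500    0.0.0.0:*    users:(("kkrn",pid=1337,fd=6))
tcp   ESTAB  0      0      192.0.2.10:41022 38.54.56.5:443 users:(("apached",pid=1401,fd=4))
""".strip().splitlines()

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_SS):
        print(f"pid {pid} ({name}): {reason}")
```

The alias check is the weakest of the four signals (the names are ordinary-looking and `asus_x` is shared by both families), so in practice the port and peer findings are the ones to weight; a random-port UDP socket owned by an unknown process is the case this script does not resolve on its own and would need the binary pulled for hashing.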

Bulbature has been the primary source of challenges encountered during the analysis. At the time of writing, it has not been possible to identify all its features and network interactions. Based on the results obtained, it appears that its behaviour is more complex than GobRAT and connects to a different infrastructure cluster than GobRAT. 

Bulbature is developed in C, compiled for x86-64, ARM or MIPS architectures and packed with UPX. It contains anti-analysis techniques such as:

  • Strings encryption: strings are encrypted using a simple xor
  • Control Flow Flattening (CFF)

The CFF complicates reverse engineering significantly. To address this issue, we tested two techniques: 

  • The use of the d810 plugin. In some cases, this plugin removes the CFF completely or partially.
  • The development of a custom IDA Pro script to reconstruct the original control flow. Unfortunately, various special cases hindered its effectiveness.

Moreover, all samples of Bulbature are stripped and contain more than 1000 functions. Bulbature is statically compiled with the mbedtls library and makes extensive use of asynchronous programming. This further complicated our analysis, preventing us from gaining a precise understanding of its function and role. 

Nevertheless, Bulbature appears to be a malware with functionalities that are primarily network-related, along with other basic features such as executing local commands.

The analysis still allowed us to identify two Bulbature C2 Dispenser servers, whose addresses are stored as encrypted strings: nbt201.dynamic-dns[.]net:8080 and eyh.ocry[.]com:443. We were then also able to retrieve a list of Bulbature C2 servers.

Proxies provider interface

Among all hosts that have a self-signed certificate (MD5: af4ad0bd9221ffc63ae5acff4034834a), several of them share the same behaviour and we call them Proxies provider. It has not been possible to establish a clear correlation between them and GobRAT or Bulbature, so it could be linked to another piece of malware. At the time of writing, these two servers are active:

IPv4 ASN AS Name Hosting Country
47.96.119.186 AS37963 ALIBABA-CN-NET Hangzhou Alibaba Advertising China
178.128.96.236 AS14061 DIGITALOCEAN-ASN Singapore

The first port, 8080 (HTTPS), hosts a web interface where a login is required. By investigating the open directories of these hosts, we discovered a directory containing HTML, JavaScript and CSS files: the web admin console's unpacked front-end source code. As a result, it was possible to visualise the interface without the data and to extract various API endpoints.

The second service listens on port 8888 (HTTPS) and hosts an API. The following endpoints have been identified:

Endpoint Goal
/v1/wire-guard/tunnel Display all “Security Tunnels” (proxies)
/v1/wire-guard/node Display all “Nodes” (compromised hosts)
/v1/wire-guard/nodegroup/all Display all “Nodes Groups” (group of compromised hosts)
/v1/wire-guard/eventlog/all Display all server logs
/v1/wire-guard/setting Display settings (timer alarm)
/v1/wire-guard/user/list Display all users
/v1/wire-guard/user Display the current user
/v1/wire-guard/password Reset password
/v1/wire-guard/login Connect the user (only the “root” account is authorised to connect)

Browsing the “Security Tunnel” view

When the path /dist#/ of these hosts is consulted, the following interface is displayed.

In the home view called “Security Tunnel”, we find a table that is probably listing proxy tunnels. When a user wants to add one via the “Add” button, a window appears. When the “Generate Mode” field is set to “Select”, a new dialog appears offering to select one of the protocols: WireGuard, OpenVPN, L2TP, PPTP, SSTP, SOCKS5, SOCKS4 or HTTPS. Based on the fields displayed, it seems possible for an operator to create an on-demand proxy tunnel.

Browsing the “Nodes” view

Next, in the “Nodes” view, a table is displayed containing the columns “Name”, “IP”, “Node Group”, “Status” and “operation”. When the “Add” button is clicked, the following window is displayed:

Judging by the form fields in this window, it can be deduced that the “Nodes” used in the “Security Tunnel” correspond to compromised edge devices. When adding a new node, the user is asked to select whether “Auto deploy first” or “Have been deployed by script”.

Finally, in the “Setting” view of the interface, the following page can be found:

When an operator creates a proxy tunnel and keeps using the same connection for too long (at least 60 minutes here), an alert is displayed on the interface.

We can conclude that this proxies provider interface allows an operator to create on-the-fly proxy tunnels compatible with several proxy/VPN protocols. Based on the interface, we can deduce that the proxies are deployed directly on the compromised edge devices. Furthermore, the alarm mechanism indicates a desire to rotate the proxy tunnel as soon as possible. This is typical behaviour of attacker groups trying to cover their tracks, thereby reducing the traces of the operations carried out.

GobRAT administration interface

Still based on the certificate (MD5: af4ad0bd9221ffc63ae5acff4034834a), it was possible to identify another cluster of servers. The discovered interface is related to the administration of the GobRAT malware with high confidence. This interface has the same functionalities as those implemented in GobRAT such as performing DDoS, executing commands, doing reconnaissance or performing attacks.

IPv4 ASN AS Name Hosting Country
38.54.85.70 AS138915 KAOPU-HK Kaopu Cloud HK Limited Hong Kong
38.54.85.164 AS138915 KAOPU-HK Kaopu Cloud HK Limited Hong Kong
38.54.85.178 AS138915 KAOPU-HK Kaopu Cloud HK Limited Hong Kong
38.60.203.167 AS138915 KAOPU-HK Kaopu Cloud HK Limited Hong Kong
103.57.248.40 AS9009 M247 Hong Kong
176.97.73.171 AS9009 M247 Japan
38.60.203.21 AS138915 KAOPU-HK Kaopu Cloud HK Limited Hong Kong
38.54.85.21 AS138915 KAOPU-HK Kaopu Cloud HK Limited Hong Kong
38.60.203.141 AS138915 KAOPU-HK Kaopu Cloud HK Limited Hong Kong

Several servers use different HTTP ports: 14739, 42208, 42308, 52208, 58162, and provide the same service. When a user tries to browse these ports, the body response is always the same:

{"message": "need login", "success":0}

However, on any of these hosts, the path /assets leads to an open directory containing thousands of JavaScript, CSS and image files. There are several dozen versions of the interface, but all of them have the same structure and functionality. Since only the files used to display the front-end of the interface were available, it is possible to visualise what the interface looks like when a user is connected, but without the dynamic data.

Browsing home page

The home page consists of a table showing the aggregation of compromised edge devices, with different columns. These devices can be of different types as suggested by the “Category” field (routers, cameras, NAS, Linux or other). Still, they can also have different compatibilities according to the “Flags” field, which includes different processor architectures (x86_64, i686, ARM), operating systems (Linux, Windows), protocols (TCP or UDP) and the level of privilege acquired (Root). It is also possible to filter by the country in which they are located and whether or not they are running. To the left of this home page, a panel allows users to navigate to other views.

Browsing the “Task List” view

When the “Task List” view is consulted, it displays a table containing columns indicating actions in progress. Above, it is possible to filter, refresh or create new ones, which redirect to a new tab. A new window appears, offering three ways of creating tasks:

  • “Weak password”: seems to create a brute force attack task against specific or random hosts. The services targeted can be SSH, Telnet, MySQL, Redis or PostgreSQL. Users can also choose an existing credentials dictionary, or upload it.
  • “Exp” (for Exploit): creates a campaign designed to exploit a web vulnerability against pre-selected targets. It is possible to select a specific exploit (called a “Plugin” in the interface) or to select them all.
  • “DDoS”: creates a distributed denial-of-service (DDoS) attack campaign against a single target (IP or domain), or a block of IP addresses (called an “IP Segment” in the interface). It is possible to choose one or more specific ports, to start the campaign at a delayed time or to choose a vulnerability to be used.

Browsing the “Plugin” view

Moving on, the “Plugin” view lists all the web vulnerability exploits created. This page is designed to build custom network template actions that can be automatically deployed against targets. Four exploitation template types are available: “Exp”, “Web Admin”, “Camara” (note the typo) and “DDos”:

The interface provides precise settings of expected network behaviour. For instance, when the “Exp” plugin is selected, it is possible to enter the expected behaviour when a HTTP request is sent using the “Success Body Contains” or “Failed Body Contains” fields. It is also possible to modify its metadata, and the user can create complex sequences by adding steps as desired.

Browsing other views

Other views are available in the left-hand panel. The “Password Dictionnary” view allows the operator to create lists of username and password combinations that can be reused against targets. The “Ip Segment/Domain” view prompts the user to add one or more IP address blocks that can be reused for targeting. Also, there are views for each campaign type launched using the plugins, which monitor progress and results in real-time.

Browsing views that are not displayed

The fact that we had to rebuild the interface locally means that it is not possible to display all the pages available solely by using a web browser. However, analysing the JavaScript code makes it possible to discover new routes that can be accessed via the interface.

The route /deploybots contains a feature called “Add Script”, which displays the following window:

The $URL_HOME variable referenced in this modal corresponds exactly to the one used in all the Bash scripts found in the staging hosts.

Finally, the route /install seems to prompt the user to install a new staging server, automatically by using SSH or manually by downloading an archive.

References to the GobRAT and Bulbature malware can be found in the “Install Server Manually” section. If the operator enters an IP address or URL, an archive named zone.tar.gz can be downloaded containing all the installation Bash scripts and malware, pre-configured to be hosted on and accessible from a compromised host. Files in this archive correspond to the names of the GobRAT zone.[ARCH] malware, and traces have been found in other open directories.

Other open directories

On a single host only, we found an open directory containing files corresponding to an export of compromised devices. The following file appears to be the one behind the main page. This is a sample of the file with some columns removed:

IP | Flag | Location | Version | Belong | Online | Message
[REDACTED] | L,A,R,U,T,P | South Korea | 2.0.7.2 | Admin | Yes | RT-AC68U [REDACTED].asuscomm.com
[REDACTED] | L,A,R,U,T,P | United States | 2.0.7.2 | Admin | Yes | RT-AC68U
[REDACTED] | L,A,R,T,U,P | Sweden | 2.0.7.2 | Admin | Yes | RT-AC68U [REDACTED].asuscomm.com
[REDACTED] | L,A,R,U,T,P | Hong Kong | 2.0.7.2 | Admin | Yes | RT-AX56U [REDACTED].asuscomm.com
[REDACTED] | L,A,R,U,T,P | Taiwan | 2.0.7.2 | Admin | Yes | RT-AX95Q no
[REDACTED] | | France | 1.0. | Admin | No | exit status 1
[REDACTED] | | Australia | 1.0. | Admin | No | Linux [REDACTED] 4.14.24-qnap
[REDACTED] | L,A,R | Russia | 1.0. | resource_admin | Yes | exit status 127

This file contains 74,944 lines, each one being a compromised host. We can therefore deduce that on 11 July 2023 (given the date generated in the file name), this infrastructure included a botnet of almost 75,000 ORBs. A detailed study of the data in this file will be made in the “Victimology” section.

Also, an export of data from the “Task List” view was found. Here is a sample of this file, which contains 58 lines:

IP Port Username Password CreateTime Task Name Type
[REDACTED] 9022 root [REDACTED] 28/02/2024 02:29 None ssh
[REDACTED] 6379 alpine [REDACTED] 28/02/2024 02:33 None redis
[REDACTED] 23 admin [REDACTED] 15/01/2024 12:48 None telnet
[REDACTED] 23 support [REDACTED] 15/01/2024 12:50 telnetrouter telnet
[REDACTED] 23 mg3500 [REDACTED] 15/01/2024 12:50 telnetrouter telnet

This data indicates a credential brute-force campaign, in which the credentials obtained can clearly be observed.

Furthermore, another folder stores temporarily uploaded files. Here is a list of all the files found; the “Creation Date” column is based on file metadata:

Filename Creation Date Number of rows
[ok]【CVE-2019-9082】Thinkphp5.txt 2024-07-05 355,149
[ok]【CVE-2019-13956】discuz mlv3.txt 2024-07-05 118,474
[ok]【CVE-2017-5638】S2-045 远程代码执行漏洞2.txt 2024-07-05 325,963
1705313101_1.txt 2024-01-15 500,001
telnetlinux.txt 2024-01-15 800,000
tw_ssh.txt 2024-01-15 842,457
own-0209-7.txt 2023-04-07 131,071
own-0209-10.txt 2023-04-07 133,621
own-0209-11.txt 2023-04-07 3,061
own-0209-41.txt 2023-04-07 68,341
own-shiz-0214-0.txt 2023-04-07 0
own-telnet-0222-0.txt 2023-04-07 308,551
own-telnet-sz-02.txt 2023-04-07 11,133,553
ssdaf0222.txt 2023-04-07 308,551
test_ip_range1.txt 2023-04-07 0
test_range_ip.txt 2023-04-07 65,536
wys_test_range_ip.txt 2023-04-07 65,536
lilin-38w-ip.txt 2023-04-07 396,874
ssh-ip-500k.txt 2023-04-07 500,000
dlink-20221208.txt 2023-04-07 64,399
draytek1.txt 2023-04-07 42,699
drapal7-30w.txt 2023-04-07 600,599
ssh-ip.txt 2023-04-07 500,000
iot-telnet-50k.txt 2023-04-07 499,999
tw-telnet-60w-quchong.txt 2023-04-07 625,333
qnap-all-fofa.txt 2023-04-07 1,377,932
drupal-ip-60w.txt 2023-04-07 600,599
0321-000.txt 2023-03-21 1,488,177
0321-etest.txt 2023-03-21 448,876
own-telnet-0320-5.txt 2023-03-20 352,085

In total, 22,657,437 hosts are included. Given the number of lines in these files, it is very likely that this data comes from an export of network infrastructure indexing engines such as Fofa (as suggested by the “qnap-all-fofa.txt” file). Based on the filenames, there are three types of targeted hosts:

  • Hosts with shared remote administration services such as Telnet or SSH;
  • Hosts with an associated service and country (as suggested by the tw_ssh.txt file, which would correspond to all the IPs in Taiwan hosting an SSH service);
  • Type of device, as suggested by the file qnap-all-fofa.txt or draytek1.txt, which contains the IP addresses of appliances manufactured by Qnap or Draytek.

To summarise all the features included in this interface, we can deduce that an operator can use these lists of assets to try to compromise them automatically or manually using web vulnerabilities or accounts dictionaries. Once compromised, they can be remotely controlled and used as relays to launch DDoS attacks and exploit final targets.

Victimology identified from the open directories on the GobRAT administration interface

We were unable to obtain a comprehensive victimology because real-time data access was not available in both interfaces we examined. However, we can still draw up a victimology based on an interface export carried out on 11 July 2023 found in open directories on the GobRAT administration interface.

Among the 74,944 retrieved hosts, a total of 139 different countries were found.

The United States had the highest number of infected hosts, with 28,452, four times more than the next country, Hong Kong. These infections might indicate a strategy to get as close as possible to their targets. This is particularly relevant in the context of the ongoing US-China tensions.

In second place comes Hong Kong with a total of 7,418 hosts, and in third place Sweden with 6,017 hosts. The fact that these countries make up the top 3 most probably shows that the operator wants to obtain exit nodes, or targets, on three continents: North America, Europe and Asia. Finally, between 2,000 and 3,000 compromised hosts are found in each of the following countries: Singapore, Canada, Taiwan, United Kingdom, Germany and Italy.

Still, on the 74,944 hosts, a column filters hosts by their characteristics: network protocols, processor architecture, Operating System, whether it has open services, and if the operator has administrator access. Based on this, it is therefore possible to draw a distribution of hosts types:

Most of these hosts are Linux routers with ARM system architecture and a public IP address, which confirms that they are indeed edge devices. The details in other columns indicate that they are mainly manufactured by Asus or Qnap. The transport protocols are both TCP and UDP, corresponding to the running behaviour of the GobRAT and Bulbature malware. Of note, although a “W” field for Windows is mentioned, no such host was identified.
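The victimology above is an aggregation over the same export shown in the “Other open directories” section (IP, Flag, Location, Version, Belong, Online, Message). The following Python is an added example (not Sekoia's tooling) that parses rows in that layout, decodes the Flag letters and produces the per-country, per-flag, online and privilege counts the breakdown rests on. The letter-to-meaning mapping is an assumption derived from the report's description of the field (Linux/Windows, ARM, root, TCP/UDP, public IP); only W = Windows is stated explicitly. The export rows are constructed.

```python
"""Summarise a GobRAT administration-interface host export (added example)."""
import csv
import io
from collections import Counter

# Assumed decoding of the Flag column; only "W" = Windows is explicit in the report.
FLAG_MEANING = {
    "L": "Linux", "W": "Windows", "A": "ARM", "R": "Root",
    "T": "TCP", "U": "UDP", "P": "Public IP",
}

COLUMNS = ["IP", "Flag", "Location", "Version", "Belong", "Online", "Message"]


def parse_export(text: str):
    """Parse a tab-separated export (header row optional) into row dicts."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter="\t"):
        if not rec or rec[0] == "IP":
            continue  # blank line or header
        rec = rec + [""] * (len(COLUMNS) - len(rec))  # pad short rows
        row = dict(zip(COLUMNS, rec))
        row["flags"] = [f for f in row["Flag"].split(",") if f]
        rows.append(row)
    return rows


def summarise(rows, top=3):
    """Counts per country and per decoded flag, plus online / admin totals."""
    by_country = Counter(r["Location"] for r in rows)
    by_flag = Counter(FLAG_MEANING.get(f, f) for r in rows for f in r["flags"])
    return {
        "hosts": len(rows),
        "countries": len(by_country),
        "top_countries": by_country.most_common(top),
        "flags": dict(by_flag),
        "online": sum(1 for r in rows if r["Online"] == "Yes"),
        "admin": sum(1 for r in rows if r["Belong"] == "Admin"),
    }


# Constructed export in the report's column layout (IPs are documentation ranges).
SAMPLE_EXPORT = "\t".join(COLUMNS) + "\n" + "\n".join([
    "192.0.2.1\tL,A,R,U,T,P\tUnited States\t2.0.7.2\tAdmin\tYes\tRT-AC68U",
    "192.0.2.2\tL,A,R,U,T,P\tUnited States\t2.0.7.2\tAdmin\tYes\tRT-AX56U",
    "192.0.2.3\tL,A,R,T,U,P\tHong Kong\t2.0.7.2\tAdmin\tYes\tRT-AC68U",
    "192.0.2.4\t\tFrance\t1.0.\tAdmin\tNo\texit status 1",
    "192.0.2.5\tL,A,R\tRussia\t1.0.\tresource_admin\tYes\texit status 127",
])

if __name__ == "__main__":
    report = summarise(parse_export(SAMPLE_EXPORT))
    print(f"{report['hosts']} hosts in {report['countries']} countries")
    for country, n in report["top_countries"]:
        print(f"  {country}: {n}")
    print("flags:", report["flags"])
    print(f"online: {report['online']}, admin: {report['admin']}")
```

Rows with an empty Flag column and a “No” in Online (the France and Australia lines in the report's sample) are kept rather than dropped, so the online count and the flag distribution can be read side by side; the gap between them is itself a useful figure when assessing how much of a botnet export is still live.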

Conclusion

The investigation we have conducted since 2023 provided us with a comprehensive overview of the features of this cluster of activity. As in previous Sekoia.io publications, this architecture, consisting of compromised edge devices acting as ORBs, allows an operator to carry out offensive cyber operations around the world, close to the final targets, and to hide its location by creating on-demand proxy tunnels.

Considering the functionalities included in the Proxies provider interface and the GobRAT administration interface, operators have an automated technical toolkit enabling them to carry out mass exploitation or DDoS attacks. Each of these interfaces has user management functionalities, suggesting that they are being used by several operators. Inside this ecosystem, the GobRAT and Bulbature malware operate in a complex way: the level of obfuscation is considered to be particularly advanced. The various network interactions are difficult to identify, indicating a genuine intention by the operators to conceal their infrastructure. Several version numbers associated with the malware have been recovered, implying a constant evolution of their functionalities since at least 2022.

Since 2023, we have seen several ties to China: traces in the code, interfaces historically configured with a single language, the repeated use of AS138915 “KAOPU-HK Kaopu Cloud HK Limited” and the predominantly North American targeting. This type of infrastructure, which relies on compromised appliances directly exposed on the internet, is also very present in the Chinese state-sponsored ecosystem. Given the evidence at hand, we assess with a high level of confidence that this threat originates from China.

Indicators of compromise

Several indicators are not shared in this report. If you are a national CERT or LEA, we can share IOCs and samples with you under TLP:AMBER classification. Please contact tdr [ at ] sekoia [ dot ] io.

The following table lists all indicators active as of 5 September 2024 (cut-off date of this report) whose certificates are mentioned in the Initial Findings.

| Type | IPv4 | ASN | Hosting Country | Self-signed certificate fingerprint (MD5) |
|---|---|---|---|---|
| Staging host | 38.54.56.5 | AS138915 | Japan | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.54.85.246 | AS138915 | Hong Kong | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.60.134.236 | AS138915 | France | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.60.221.32 | AS138915 | Russia | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.60.221.63 | AS138915 | Russia | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.60.221.174 | AS138915 | Russia | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.60.223.51 | AS138915 | Russia | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.60.223.81 | AS138915 | Russia | af4ad0bd9221ffc63ae5acff4034834a |
| Staging host | 38.60.221.145 | AS138915 | Russia | af4ad0bd9221ffc63ae5acff4034834a |
| Proxies provider interface | 47.96.119.186 | AS37963 | China | e4b7b3a2610ad706a83667a5bac7cd31 |
| Proxies provider interface | 178.128.96.236 | AS14061 | Singapore | e4b7b3a2610ad706a83667a5bac7cd32 |
| GobRAT administration interface | 38.54.85.70 | AS138915 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd33 |
| GobRAT administration interface | 38.54.85.164 | AS138915 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd34 |
| GobRAT administration interface | 38.54.85.178 | AS138915 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd35 |
| GobRAT administration interface | 38.60.203.167 | AS138915 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd36 |
| GobRAT administration interface | 103.57.248.40 | AS9009 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd37 |
| GobRAT administration interface | 176.97.73.171 | AS9009 | Japan | e4b7b3a2610ad706a83667a5bac7cd38 |
| GobRAT administration interface | 38.60.203.21 | AS138915 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd39 |
| GobRAT administration interface | 38.54.85.21 | AS138915 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd40 |
| GobRAT administration interface | 38.60.203.141 | AS138915 | Hong Kong | e4b7b3a2610ad706a83667a5bac7cd41 |

This table lists the Bulbature Dispenser and Bulbature C2s that have been collected in 2024.

| Type | IPv4 or domain | Port |
|---|---|---|
| Bulbature Dispenser | eyh.ocry.com | 443 |
| Bulbature Dispenser | nbt201.dynamic-dns.net | 8080 |
| Bulbature C2 | 38.180.29.229 | 8245 |
| Bulbature C2 | 38.180.128.52 | 7598 |
| Bulbature C2 | 38.60.223.208 | 4557 |
| Bulbature C2 | 139.84.230.198 | 7335 |
| Bulbature C2 | 38.180.74.173 | 6114 |
| Bulbature C2 | 45.32.33.92 | 3558 |
| Bulbature C2 | 139.84.147.229 | 7860 |
| Bulbature C2 | 64.176.56.252 | 8927 |
| Bulbature C2 | 139.84.177.244 | 6542 |
| Bulbature C2 | 139.84.163.73 | 2225 |
| Bulbature C2 | 38.180.191.118 | 2814 |
| Bulbature C2 | 38.60.212.233 | 7038 |
| Bulbature C2 | 38.180.74.14 | 7144 |
| Bulbature C2 | 45.77.34.148 | 8158 |
| Bulbature C2 | 38.54.50.163 | 3296 |
| Bulbature C2 | 139.84.170.90 | 7170 |
| Bulbature C2 | 154.205.128.210 | 3591 |
| Bulbature C2 | 139.180.139.12 | 5118 |
| Bulbature C2 | 38.60.212.167 | 8764 |
| Bulbature C2 | 5.34.176.150 | 2666 |
| Bulbature C2 | 38.180.106.167 | 3973 |
| Bulbature C2 | 154.223.21.160 | 5972 |
| Bulbature C2 | 5.34.178.144 | 3652 |
| Bulbature C2 | 38.60.203.83 | 7121 |
| Bulbature C2 | 176.97.73.215 | 6894 |
| Bulbature C2 | 38.54.50.253 | 4805 |
| Bulbature C2 | 38.180.29.5 | 6214 |
| Bulbature C2 | 38.180.188.92 | 6733 |
| Bulbature C2 | 154.90.63.156 | 8080 |
| Bulbature C2 | 64.176.228.78 | 2119 |
| Bulbature C2 | 45.76.177.40 | 3053 |
| Bulbature C2 | 139.59.43.67 | 3242 |
| Bulbature C2 | 154.90.62.247 | 3472 |
| Bulbature C2 | 154.223.21.80 | 2694 |
| Bulbature C2 | 38.180.106.179 | 6648 |
| Bulbature C2 | 154.90.62.201 | 5914 |
| Bulbature C2 | 188.116.22.59 | 3632 |
| Bulbature C2 | 154.223.21.181 | 4873 |
| Bulbature C2 | 38.60.206.78 | 3314 |
| Bulbature C2 | 154.223.20.215 | 8640 |
| Bulbature C2 | 64.176.47.133 | 7216 |
| Bulbature C2 | 38.60.196.86 | 8784 |
| Bulbature C2 | 139.84.174.102 | 8835 |
| Bulbature C2 | 64.227.130.48 | 6088 |
| Bulbature C2 | 38.180.189.108 | 5984 |
| Bulbature C2 | 38.180.106.12 | 2572 |
| Bulbature C2 | 67.219.101.151 | 5989 |
| Bulbature C2 | 158.247.223.125 | 2109 |
| Bulbature C2 | 38.60.203.61 | 4516 |
| Bulbature C2 | 139.180.200.78 | 3499 |
| Bulbature C2 | 154.90.63.215 | 2280 |
| Bulbature C2 | 38.60.212.13 | 5049 |
| Bulbature C2 | 207.148.125.75 | 5893 |
| Bulbature C2 | 108.61.127.186 | 4001 |
| Bulbature C2 | 38.180.9.2 | 5226 |
| Bulbature C2 | 141.164.47.248 | 2251 |
| Bulbature C2 | 154.223.21.16 | 6259 |
| Bulbature C2 | 66.42.34.87 | 8262 |
| Bulbature C2 | 154.205.136.160 | 5366 |
| Bulbature C2 | 91.196.70.165 | 4572 |
| Bulbature C2 | 207.148.69.74 | 8225 |
| Bulbature C2 | 139.180.212.224 | 6771 |
| Bulbature C2 | 140.82.38.225 | 3748 |
| Bulbature C2 | 139.84.227.52 | 2474 |
| Bulbature C2 | 154.205.155.3 | 7497 |
| Bulbature C2 | 38.180.74.236 | 4818 |
| Bulbature C2 | 38.54.56.45 | 7507 |
| Bulbature C2 | 38.180.74.180 | 7462 |
| Bulbature C2 | 176.97.73.199 | 7422 |
| Bulbature C2 | 104.238.176.171 | 5468 |
| Bulbature C2 | 38.54.88.248 | 2882 |
| Bulbature C2 | 64.176.49.89 | 4524 |
| Bulbature C2 | 139.84.167.48 | 6004 |
| Bulbature C2 | 139.59.80.77 | 4538 |
| Bulbature C2 | 195.80.148.142 | 2410 |
| Bulbature C2 | 154.205.128.194 | 2621 |
| Bulbature C2 | 154.205.137.248 | 7192 |
| Bulbature C2 | 68.183.89.48 | 6450 |
| Bulbature C2 | 38.180.74.228 | 8976 |
| Bulbature C2 | 45.76.154.241 | 4281 |
| Bulbature C2 | 78.141.218.239 | 8717 |
| Bulbature C2 | 38.54.50.120 | 7288 |
| Bulbature C2 | 38.54.85.244 | 4986 |
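To make the two tables above directly usable, here is an added example (not Sekoia code) of a small matcher that checks network telemetry against them. The indicator values are copied from the tables (a subset of C2 endpoints, the two Dispenser domains, three staging hosts and their shared self-signed certificate fingerprint); the flow, TLS and DNS records are constructed for the demonstration, and their whitespace-separated layout is an assumption rather than any real sensor's format. The C2 table pairs each address with a port, so an exact ip:port hit is reported at full confidence while a hit on the address alone is reported separately at lower confidence.

```python
"""Match constructed network log lines against IoCs from the tables above.

Added example for this report (not Sekoia code). Indicator values are copied
from the IoC tables; every log line below is constructed for the demo.
"""
from dataclasses import dataclass

# Subset of the report's indicators (copied from the tables above).
BULBATURE_C2 = {
    ("38.180.29.229", 8245),
    ("139.84.230.198", 7335),
    ("38.54.85.244", 4986),
}
BULBATURE_C2_IPS = {ip for ip, _ in BULBATURE_C2}
DISPENSER_DOMAINS = {"eyh.ocry.com", "nbt201.dynamic-dns.net"}
STAGING_HOSTS = {"38.60.221.145", "38.54.56.5", "38.60.223.51"}
# Every staging host in the table presents the same self-signed certificate.
STAGING_CERT_MD5 = "af4ad0bd9221ffc63ae5acff4034834a"


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    reason: str


# Constructed flow records (assumed layout): ts src_ip src_port dst_ip dst_port proto
CONN_LOG = """\
1725500001 10.0.0.12 51000 93.184.216.34 443 tcp
1725500002 10.0.0.12 51001 38.180.29.229 8245 tcp
1725500003 10.0.0.40 40211 139.84.230.198 7335 udp
1725500004 10.0.0.40 40212 38.54.85.244 22 tcp
1725500005 10.0.0.40 40213 38.60.221.145 443 tcp
"""

# Constructed TLS records (assumed layout): ts src_ip dst_ip dst_port server_cert_md5
TLS_LOG = """\
1725500010 10.0.0.12 38.60.221.145 443 af4ad0bd9221ffc63ae5acff4034834a
1725500011 10.0.0.13 203.0.113.7 443 0123456789abcdef0123456789abcdef
"""

# Constructed DNS records (assumed layout): ts src_ip query_name
DNS_LOG = """\
1725500020 10.0.0.12 eyh.ocry.com
1725500021 10.0.0.12 example.org
"""


def match_conn(log: str) -> list[Finding]:
    """Flag flows to a C2 ip:port, to a C2 address on another port, or to a staging host."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of crashing on them
        dst_ip, dst_port = parts[3], int(parts[4])
        if (dst_ip, dst_port) in BULBATURE_C2:
            findings.append(Finding(n, f"{dst_ip}:{dst_port}", "Bulbature C2 (ip:port match)"))
        elif dst_ip in BULBATURE_C2_IPS:
            findings.append(Finding(n, dst_ip, "Bulbature C2 address, port differs (lower confidence)"))
        elif dst_ip in STAGING_HOSTS:
            findings.append(Finding(n, dst_ip, "staging host"))
    return findings


def match_tls(log: str) -> list[Finding]:
    """Flag TLS sessions whose server certificate is the shared staging certificate."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue
        if parts[4].lower() == STAGING_CERT_MD5:
            findings.append(Finding(n, parts[4], "self-signed staging certificate fingerprint"))
    return findings


def match_dns(log: str) -> list[Finding]:
    """Flag lookups of the Bulbature Dispenser domains."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue
        name = parts[2].rstrip(".").lower()
        if name in DISPENSER_DOMAINS:
            findings.append(Finding(n, name, "Bulbature Dispenser domain"))
    return findings


def triage() -> dict[str, list[Finding]]:
    return {"conn": match_conn(CONN_LOG), "tls": match_tls(TLS_LOG), "dns": match_dns(DNS_LOG)}


if __name__ == "__main__":
    for source, found in triage().items():
        for f in found:
            print(f"{source} line {f.line_no}: {f.indicator} -> {f.reason}")
```

Because the nine staging hosts all present one certificate, the fingerprint is a more durable indicator than any single address: it keeps matching when the operators rotate servers inside AS138915. A C2 address seen on a port the table does not list is still worth a look, since the port column only reflects what was collected in 2024.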

The following files were retrieved from the staging host https://38.60.221[.]145/static/, and are those described in this report. However, around 200 variations of these files were found on all the staging hosts.

| Filename | Type | SHA256sum | SHA1sum | MD5sum |
|---|---|---|---|---|
| bulbature | Bulbature malware | 41e189a5b68f305ab6251a06475b76777bda0d035ea06cd569306ed5c98bdc98 | b7328e89017b9c56e9a77150bcd9e01f023590b3 | e988b0adfc9d606dba66e839394c01a0 |
| zone.arm | GobRAT malware | 48b243fd7ed8bc0b7ce663f0b3fc34f07fcf9fb04bf8bceaff8b7453ab4e5318 | 44f2f951fdcf2b88c1f6565fae4c806019fe397c | d16a8d41950cd226240072fe1cb2b43f |
| zone.x86_64 | GobRAT malware | 91eaa94223c12ddc89eca5220a8c57f0254f587f73c9edc161fc161a56e2c2f0 | a6ad4538b145567ded3e7df723e9777944bd3b45 | fc0521c22cef4423e9fd440d1f788d4c |
| zone.i686 | GobRAT malware | b1c21264a60edb64895c8c61507211a829f13068541f875b615e6c1c363122ba | c049cdaf68906e280ce6e99ffe046caa13e4369f | ea9c445106d86372849b522f4aeae193 |
| zone.mips | GobRAT malware | 726ac8f88c4585ccb2ce2e3325726230dc7bd2c7f6667085ac2f665c4ce3fb46 | b8788656c6c8bca00abb2d83672fde546ac2bf3e | 4a8462db712c05190b2741b36567fc4e |
| frpc.i686 | FRP (Fast Reverse Proxy) | 676cf55076127dab1403c3322d38bf72b62f8aaff25534e5af7b02fc1474a9c0 | 30a3b3ffaf025d93850402de323387f1ebc5ca7a | 9e5870fc5fadd943307eecaef74bbf69 |
| frpc.x86_64 | FRP (Fast Reverse Proxy) | a6d184715cbb596edac024089ae493785ba3c4519b493946c8f850b4bd08836c | 2a596d8db43e35951fb820588eed43872606f154 | 31ced0d01855ce9b66a9fb786edc8d90 |
| frpc.arm | FRP (Fast Reverse Proxy) | 141bc0c7413665970cc33ba7b31f8e2ab0d1f9fb0363478aa6d3fd444e6745a4 | 48a2a15803ca7784e61dccc9435786d4203ce48b | dabdabcdd97652c9175a18b3ee8847f8 |
| hold_by_bot.sh | Daemon script | 869a6cd8205af5ec1bf04e6abf0ff79f12e62a8eeae129b9e219e1179520bac3 | 97d79325e0ffc55ff277bc24cc1f91b5c518c82c | 0c417d9d857aff511cb0d9713a511126 |
| zoneupdate.sh | Update script | 0858c36ed2cf29d9f7de3d7b8d595e45d888da422e76bc9c9115a8f25027d5e7 | 181d629ed8faad17c5548e05fdcd48e24969a0bd | f501977e0b01d0a9c7a737ad0e197223 |
| zonesetup.sh | Start script | 6632fe263bf687fb8d46dd29eaf90601350681aa1930a14e2aba2a16f6c3e040 | 88094c3907cb4a69bc25fe9feb1867dfbca33437 | a034dd3eac327bd318b2e5f22aa24385 |
| zoneController.sh | Daemon script | 743e15f8cfd54077406635bea803b26c574b1b5c3862b132779a8cf52d9ef903 | 8197abcad20e2d14bde93d5af0199c3ebdd9b77f | 7e5ea306574e2237dc5b3902fba2d173 |
| sshdeny1.sh | Block script | 1f3a0144e717e7d93fe65877b4945a25c03b0722b6761e8fc96c8b5e62be3e46 | a860a33f8ec6f0f4d91a413ef3fe3b0aab45f232 | f75d14bcc6d67dc7a03f734eff951b35 |
| zoneRestart.sh | Update script | 173e2f90de78f8288e0172e900693d228ae1071cc80a4fe02a09af6cd37358e9 | b41466642674365e73428f9899a36986ced18c5d | 71b5c7a5ae58129bffadda3cc42dbcd1 |
| zonedelete.sh | Delete script | 667dd21bc252eb7d7415fc13ab996575bbe451062d82c94b14d6ba750d95ab64 | 5e85de2e35f1fccb66cb92f7d9efc59c7cd25ac2 | 855856f0d98cb3500acd524cde3f966f |

When the operator compromises an edge device, they begin by running “zonesetup.sh”. This script downloads “zoneController.sh” from a staging server, makes it executable, then runs it.

Meanwhile, “zoneController.sh” checks every 6,000 seconds whether the “apached” process (corresponding to “zone.[ARCH]”, i.e. GobRAT) is running; if it is not, it downloads a script from a specified URL, makes it executable, then runs it in the background. Run in an infinite loop, this script ensures that GobRAT keeps running persistently.

The operator runs the “zoneupdate.sh” script, which performs the most important infection operations on the host:

  • Installs “wget”;
  • Increases the user process limit;
  • Stops and disables the firewall service;
  • Empties the firewall rules;
  • Creates a directory called “/zone”;
  • Deletes several files and directories in /zone. 

The fact that the device’s native configuration is modified indicates that the operator wishes to handle a large amount of data on this host, freeing themselves from the restrictive default limits of edge devices.

It then downloads GobRAT malware depending on the host’s system architecture, as well as Bulbature and other Bash scripts, placing them in the “/zone” directory.

Following this, it checks whether processes named “hold_by_bot.sh”, “apached”, “frpc.[ARCH]” and “bulbature” are running, and terminates them if they are found.

After this, it:

  • Deletes several files and directories in “/zone”;
  • Moves temporarily downloaded files to their final locations;
  • Changes their permissions to make them run.

Finally, it:

  • Configures the “/etc/rc.local” file to run “/zone/hold_by_bot.sh”;
  • Empties the iptables rules at start-up;
  • Adds a periodic run of “/zone/sshdeny1.sh” to the crontab file;
  • Increases the file and process limits in two security configuration files;
  • Runs “hold_by_bot.sh” in the background;
  • Empties the iptables rules again;
  • Stops and disables the firewalld service.

In this way, the compromised host becomes reachable remotely without any restriction.

In “zoneupdate.sh”, the use of “hold_by_bot.sh” can be seen. This script checks every 6 seconds whether the GobRAT and Bulbature processes are running; if not, it restarts them and records the date and time of each restart in a log file. Once again, this points to a persistence mechanism.

“zoneupdate.sh” also installs and runs “sshdeny1.sh”, which:

  • Identifies IP addresses with failed connection attempts;
  • Counts them and adds those with more than 5 failures to “/etc/hosts.deny” to block SSH access;
  • Records the date and time of the block. 

In this way, the operator reduces the chances of the device being compromised by another actor, by blocking SSH brute-force authentication attempts.

What is more, “zonedelete.sh” and “zoneRestart.sh” can be found in a staging server open directory, but are not run by any of these bash scripts. It therefore seems that these scripts are launched by the operator directly.

The “zoneRestart.sh” script adds “hold_by_bot.sh” to the “/etc/rc.local” file so that it runs at start-up if it is not already there. It terminates GobRAT-related processes if they are running, then runs “hold_by_bot.sh” in the background.

Finally, the “zonedelete.sh” script deletes all files and directories in the “/tmp” folder, then abruptly terminates all processes whose command line contains “tmp”. However, this script does not appear to erase all traces of the downloaded malware’s execution, since copies also remain in the “/zone” directory.

This concludes the analysis of the nesting of bash scripts hosted on staging servers.
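The script chain above leaves a fixed set of host artefacts: the “/zone” directory, a “/etc/rc.local” entry and a crontab entry pointing into it, processes named “apached”, “bulbature”, “hold_by_bot.sh” or “frpc.[ARCH]”, and files whose hashes appear in the file table. The following is an added example (not Sekoia code) of a host triage routine that checks each of these. The script names, paths and SHA256 values are taken from the report; the sample rc.local, crontab, process list and hash inventory are constructed, and the exact firewall-flushing command and the crontab schedule in the samples are assumptions, since the report names the behaviour but not the command lines.

```python
"""Host triage for the persistence artefacts described in the report.

Added example (not Sekoia code). Script names, paths and SHA256 values come
from the report; every sample input below is constructed for the demo.
"""
import re
from dataclasses import dataclass

ZONE_DIR = "/zone"
ZONE_SCRIPTS = {"zonesetup.sh", "zoneController.sh", "zoneupdate.sh", "hold_by_bot.sh",
                "sshdeny1.sh", "zoneRestart.sh", "zonedelete.sh"}
# "apached" is the process name GobRAT runs under; frpc.* is the FRP client.
SUSPICIOUS_PROC = re.compile(
    r"^(apached|bulbature|hold_by_bot\.sh|zoneController\.sh|frpc\.(i686|x86_64|arm))$")
# SHA256 values copied from the file table above (subset).
KNOWN_SHA256 = {
    "41e189a5b68f305ab6251a06475b76777bda0d035ea06cd569306ed5c98bdc98": "Bulbature malware",
    "48b243fd7ed8bc0b7ce663f0b3fc34f07fcf9fb04bf8bceaff8b7453ab4e5318": "GobRAT (zone.arm)",
    "869a6cd8205af5ec1bf04e6abf0ff79f12e62a8eeae129b9e219e1179520bac3": "hold_by_bot.sh",
}


@dataclass(frozen=True)
class Finding:
    source: str
    detail: str
    confidence: str


def _references_zone(line: str) -> bool:
    return ZONE_DIR + "/" in line or any(name in line for name in ZONE_SCRIPTS)


def check_startup(rc_local: str) -> list[Finding]:
    """rc.local lines that launch anything under /zone, plus any firewall manipulation."""
    out = []
    for line in rc_local.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if _references_zone(s):
            out.append(Finding("rc.local", s, "high"))
        elif "iptables" in s:
            # The report says the rules are emptied at boot; the exact command is
            # not given, so any iptables call in rc.local is flagged as a weaker signal.
            out.append(Finding("rc.local", s, "medium"))
    return out


def check_crontab(crontab: str) -> list[Finding]:
    """Crontab entries that periodically run something from /zone (e.g. sshdeny1.sh)."""
    return [Finding("crontab", line.strip(), "high")
            for line in crontab.splitlines()
            if line.strip() and not line.strip().startswith("#") and _references_zone(line)]


def check_processes(procs: list[tuple[int, str]]) -> list[Finding]:
    """Running processes whose name matches the malware or its daemon scripts."""
    return [Finding("process", f"{pid} {comm}", "high")
            for pid, comm in procs if SUSPICIOUS_PROC.match(comm)]


def check_hashes(files: dict[str, str]) -> list[Finding]:
    """Files whose SHA256 matches a sample from the report's file table."""
    return [Finding("file", f"{path} = {KNOWN_SHA256[h.lower()]}", "high")
            for path, h in files.items() if h.lower() in KNOWN_SHA256]


def triage_host(rc_local: str, crontab: str, procs: list[tuple[int, str]],
                files: dict[str, str]) -> list[Finding]:
    return (check_startup(rc_local) + check_crontab(crontab)
            + check_processes(procs) + check_hashes(files))


# --- constructed sample host state (not taken from a real device) ---
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# constructed sample; "iptables -F" is an assumed form of the flush
iptables -F
/zone/hold_by_bot.sh &
exit 0
"""
SAMPLE_CRONTAB = """\
# constructed sample; the schedule is assumed, the report only says "periodic"
*/10 * * * * /zone/sshdeny1.sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""
SAMPLE_PROCS = [(1, "init"), (812, "apached"), (813, "bulbature"), (820, "frpc.arm"), (900, "sshd")]
SAMPLE_HASHES = {
    "/zone/bulbature": "41e189a5b68f305ab6251a06475b76777bda0d035ea06cd569306ed5c98bdc98",
    "/zone/hold_by_bot.sh": "869a6cd8205af5ec1bf04e6abf0ff79f12e62a8eeae129b9e219e1179520bac3",
    "/usr/bin/wget": "0000000000000000000000000000000000000000000000000000000000000000",
}

if __name__ == "__main__":
    for f in triage_host(SAMPLE_RC_LOCAL, SAMPLE_CRONTAB, SAMPLE_PROCS, SAMPLE_HASHES):
        print(f"[{f.confidence}] {f.source}: {f.detail}")
```

On a live device the four inputs would come from reading /etc/rc.local and the crontab, listing /proc, and hashing the contents of /zone; the hash check is the least likely to fire because around 200 variants of these files were seen across staging hosts, so the process names and the /zone references in rc.local and crontab are the more robust signals.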
