Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

[Honeypot Alert] New Bot Malware (BoSSaBoTv2) Attacking Web Servers Discovered

Our web honeypots picked up some interesting attack traffic. The initial web application attack vector (PHP-CGI vulnerability) is not new, the malware payload is. We wanted to get this information out to the community quickly due to the following combined threat elements -

  • Active exploit attempts to upload/install the malware
  • The overall low detection rates among AV vendors
  • The malware is actively being sold in underground forums

Update - Another security researcher has also seen similar activity in his ModSecurity honeypots back on August 26. Some of the tactics have changed but the core of the attack seems the same.

We have already discussed the initial PHP-CGI vuln attack/exploit vector in a previous blog post. What is interesting in these attacks are the actual tools installed if the attack is successful. Here is the initial screen shot of the attack payloads taken from the ModSecurity audit log file on the honeypot:

8653_338c1c66-5850-47b6-862f-ff3b7e400121

We cross referenced this attack with our own IDS alerts from Trustwave MSS team and have seen a definite increase in scanning activity for the inital web application attack vector (PHP-CGI) within the last month:

8759_38670e26-74e9-42f1-b144-7e5185d70ee2

Keep in mind that exploit vectors and payloads are separate ecosystems. They are often interchanged with each other. For example, we often see new PHP command injection vectors used within botnet code that execute or install the same backend malware code. The initial URL encoded data in the QUERY_STRING decodes to:

9750_6a6283da-36bf-427c-9a57-136fdae8b55b

The final "auto_prepend_file=php://input -a" data tells php to take the info from the POST payload and append it to any existing code and execute it. If we look at the complete PHP code in the request body, we see that there are actually 2 different variables that contain base64 encoded data.

8576_2fd1c886-3f68-412a-af67-7553f22de512

This data is then later decoded and places into temp files and then executed.

8338_2391a499-a51f-47a6-bde7-333346a2b987

What are these files? If we base64 decode the variable data, we can see that they are in fact ELF binaries that are packed with UPX -

8506_2cd1afae-94c0-40dd-ad83-c2f349f3a09b

Here is some quick static analysis -

8413_28256af6-f199-4dcb-9580-d01856efe7d8

The files are essentially the same, however one is 32-bit and one is 64-bit. The attacker isn't even bothering with checking the web server OS version... they are just trying to execute both to see which one might work. Checking this file over on VirusTotal shows that only 4 AV vendor currently detects this file as malicious:

8897_40537fdc-95ce-4f73-9fb4-1859be127e6f
Note - We have internally verified that Trustwave AV does detect this file as malicious.

The file contains many clear text URLs that have been associated with Botnet C&C activity:

  • srv5050.co

  • ka3ek.com

  • ircqfrum.com

  • 8rb.su

Once we see the IRC botnet code, we get a clearer idea of what we are dealing with here:

10284_819a3c9b-8940-4cbe-8111-d443072cb16e

There are many IRC commands here. IRC botnet code installs are nothing earth-shatteringly new however most of the variants we capture are written in Perl, PHP, etc... This one is binary C code. One interesting tactical note - the destination IRC port on these C&C servers is 53. This is a smart move from the attacker's perspective as DMZ network firewalls may allow web servers to initiate outbound DNS queries.

Additionally, we see the highlighted section of code which seems to identify this code as: BoSSaBoTv2. After some searching, we were able to find that this code is actively being sold on underground forums. Here are some example screenshots:

12067_d7a9bdeb-e93a-4714-8b7c-4e60161baa2d

11433_b8fb66e1-d1d9-431d-bc70-98a0440b33f1

Notice some of these features including bundling a Bitcoin Miner program. This is interesting as this shows another aspect how an attacker is looking to abuse their access to a compromised web server. They can siphon off local system resources such as CPU and RAM in attempts to create Bitcoins. Here are some of the commands for downloading and running the Bitcoin miner -

11830_cb861225-fa25-48be-b5c5-7e7f8d3a412b

 

We also see on the hacker forum that this malware is for sale at affordable prices:

8099_17bf3cdc-b485-47e7-bd6e-3d90794e0aac

Conclusion

We wanted to get this information out to the community quickly due to the following combined threat elements -

  • Active exploit attempts to upload/install the malware
  • The overall low detection rates among AV vendors
  • The malware is actively being sold in underground forums

Here are a few defensive steps:

Update Network Firewall Egress Rules

All too often, we see weak or non-existent egress firewall rules. As an example of why you need them - during our research, we saw the IRC botnet master send down commands to have the malware update itself by downloading a new version -

10538_8e6ab740-cb34-4a93-9e28-02ad822ac233

If you can block outbound connections from your web servers to 3rd party hosts, you can significantly help to reduce an attacker's ability to expand their breach.

Deploy a WAF

Our honeypots picked this up due to alerts from our ModSecurity WAF rules. The Trustwave WAF also detects these attacks. Not only will this give you some base protections, but it also provides better logging vs. standard web server log files. Speaking of web server log files....

Check Your Logs

Review your web server log files to see if you have been receiving these initial PHP-CCI attacks.

10517_8d6da014-32c3-4d98-b5a3-3b780ea612f4

Pay close attention to the HTTP Response Status Codes. Anything other than a 404 - Not Found could indicate trouble.

Latest SpiderLabs Blogs

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More