Research Saturday 11.19.22
Ep 259 | 11.19.22

Another infection with new malware.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Larry Cashdollar: I recently had downloaded a honeypot that was written in Golang, and it was immediately getting hits after, I'd say, oh, 15 or 20 minutes of being up. But I noticed an automated scan came in, and it tried to download some malware to my system. 

Dave Bittner: That's Larry Cashdollar, principal security intelligence response engineer at Akamai. The research we're discussing today is titled "KmsdBot: The Attack and Mine Malware." 

Larry Cashdollar: And, normally, the hits are just, you know, SSH scanners and folks just looking to drop a XMRig on there and do some mining. But I noticed an automated scan came in, and it tried to download some malware to my system. I'm like, oh, that's interesting. You know, the honeypot didn't download the malware 'cause it's just not working properly yet. So I manually downloaded it and realized it was written in Go. And I'm like, oh, neat, a piece of Go malware. 

Dave Bittner: Even more for you to continue your education... 

Larry Cashdollar: Yeah. So, like... 

Dave Bittner: ...In Golang, right? 

Larry Cashdollar: ...I've been working on learning how to reverse engineer malware, or Golang malware, and I'm like, oh, so this'll be, you know, something I can sink my teeth into. So I started digging into it, and I'm like, OK, this is actually kind of interesting. And then I started a document, like, just to sort of take notes and write stuff up. And then where I live in Florida - we got hit with a hurricane. So that kind of delayed my research for about two weeks. And then I got sick. So that delayed my research another week and a half. 

Dave Bittner: Insult to injury, right? This is the real world interfering with the technical world, right? 

Larry Cashdollar: Yeah. And I - you know, I likely - I'm guessing I had COVID, but I never tested positive, even though I kept testing, and I was pretty sick for a couple of days with a fever. But I just assumed it was COVID and just stayed in my room. And my family's doing their side of the house. But after I start feeling better, I'm like, you know, I'm going to go back to that botnet that I found and start poking at it some more. And one night during a bout of insomnia, I ended up in my office and decided I was going to poke at it. And I started digging into the malware, looking at the functions and disassembling functions and looking at the code. 

Larry Cashdollar: And I realized - I'm like, this thing looks like it has a pretty simple command-and-control structure, where it sends a simple 0x02, where it starts off with a null byte it sends to the command-and-control server. The command-and-control server sends back a hexadecimal 1, and then the response is hexadecimal 2. And I'm like, OK, I'm going to sit and write a Golang program to emulate this malware to see if I can talk to C2. And then this is 3:30 in the morning. 

Larry Cashdollar: And so then I managed to get this little piece of software to talk to the command-and-control server. And it's sending a heartbeat with the - you know, the 0x01, 0x02 back and forth. Every second or so, I'm getting a response. I'm like, OK, neat. I'm talking to C2. And then I see an attack command come in. And I'm like, wait. I'm like, attack commands are just in cleartext? So I'm like, well, this is even neater. So then I started - I wrote this little tool to log the attack commands, and then I actually detonated the botnet in my lab on a network where the outbound traffic is heavily throttled. It only can get, like, I think 32 kilobits per second out. So if there's any attacks, it doesn't - its damage is limited. 

Dave Bittner: Right. 

Larry Cashdollar: So I had it running there and was watching it for a couple of days. And then I saw that they actually had revised the malware and had another version of it that had more functions in it. And it actually had a new command-and-control server. So I'm like, OK, I'm just going to monitor this malware for a while and then take notes and write it up. And I'm expecting to have two more blog posts on this malware after this. So there's a lot more to be told about it. So it's up-and-coming research. 

Dave Bittner: Yeah. Well, let's go through the things that you've discovered together here. I mean starting out with - it was just sort of some high-level stuff. What is the goal of these folks? What does it seem to you as though they're after? 

Larry Cashdollar: So in my research and in my mind, in my observations, the malware seems to be specific to the gaming - well, initially it looked specific to the gaming industry. It looked like it was specifically targeting third-party GTA hosting servers. So for folks who aren't gamers - I'm not a gamer - I had to ask my 13-year-old son, Max (ph), what - there's a company called FiveM that - they host GTA servers on their network where you can actually run a GTA, "Grand Theft Auto," server and have your friends connect to it and play on your own server. So it looked like it was specifically written to target those servers because there were actual functions in the code that said attack FiveM, and the packets that were being sent had authentication tokens specific to the FiveM protocol for their system. So what it looked like to me was it was something to send a packet to initiate either authentication or a session and then just overwhelm the server and try and take it offline by just repeatedly saying, I'm going to start a session with you and then just never respond. 

Larry Cashdollar: The malware also has the ability to mine crypto, which - it has functions to actually start and stop a crypto miner. It has functions to load different random wallets that are in a list. And then I actually haven't seen it do any crypto mining yet. In my observations of it, it's mostly been used for DDoS, but I figure that the people who wrote this initially, I think, wanted something that they could use to take down certain gaming servers and then mine crypto in the interim. But this botnet can also be used to target arbitrary folks. So, you know, you can send a command to have it attack anything, not just FiveM, which I'll - you know, we'll get to some of the other targets as this thing branches out. 

Dave Bittner: So in terms of the DDoSing (ph), you know, we hear about rivalries among different folks in the gaming world. Is - this does it seem like that's what this is - like, a nuisance kind of thing where you're going to, you know, take down the folks who you have a bit of a beef with and take down their server? 

Larry Cashdollar: That's what I initially thought. I initially... 

Dave Bittner: Yeah. 

Larry Cashdollar: ...Thought that these were fellow gamers that developed this and they were using it to specifically target gaming sites. Now, what changed my mind was that they actually started targeting universities, and they started targeting high-end automobile manufacturers of, like, the highest end. And then they started targeting churches in Germany and then government websites in Brazil. So then I realized that it wasn't just a bunch of, you know, gaming kids that were targeting gaming sites. This might be an actual botnet that either someone is renting out - for a fee, you can target a specific site for X amount of time, for X amount of money - or it was being lent out to other folks who could, you know, say, hey, I want to target this site for 60 seconds with a UDP attack. So it's - something else was going on there because of the erraticness (ph) of the targets. So we're still monitoring the targets. It's actually been relatively quiet right now, but I'm sure it'll spin back up. 

Dave Bittner: And in terms of the sophistication that you think we're dealing with here, I mean, you mentioned that this is written in Golang, which is - my sense is becoming more and more popular. Can you speak to why that is? Why are folks choosing that particular development language? 

Larry Cashdollar: I think Golang offers a lot of functionality, and it's a relatively robust language that I think malware authors are leaning towards because it's got a lot of built-in functions that you might have to implement yourself in other programming languages. And I think because of the way the Golang binaries are built, they're statically compiled. So you get a 10, 15-megabyte compiled binary versus a, you know, 40, 50-kilobyte compiled binary that's in C. I think the malware authors are realizing that it's harder to reverse engineer Golang 'cause it's more of a ball of spaghetti, really, is what the - you know, the Golang binaries are. And the way Golang binaries organize their strings, the strings aren't just kept in the binary in certain areas. It's, like, one ball, and that ball is indexed and carved up to get the string that you want out of the - out of that section of the binary and then use in the program. So it's more tedious for reverse engineers, I think, to edit or to - not edit, but to reverse-engineer a Golang binary. So I think that's why the office (ph) are leaning towards it. 

Dave Bittner: So in terms of defending yourself against this, what are your recommendations? 

Larry Cashdollar: I recommend that if folks have systems that are internet-facing, they should either disable password authentication and only allow SSH key authentication, or they should ensure that their passwords are secure because this thing has a list of passwords that it can download and update from itself, or from the command-and-control server, they have a list of passwords that can be dynamically updated, and they try those passwords over SSH at, you know, unsuspecting systems on the network, on the internet. And, you know, if you don't allow password authentication, there's no way they can get in through that method. Now, whether they make any adjustments to how they infect systems is yet to be seen, but that's their primary infection vector: weak SSH login credentials. 

Dave Bittner: And to what degree are they attempting to be stealthy here? Are they making a lot of noise or trying to sneak around in the shadows? 

Larry Cashdollar: At this time, it seems like they're not being very stealthy. The command-and-control IP address is one of the - it's in, like, the top list for malicious IP addresses that we've noticed these last two weeks, and it seems like they're - the malware itself doesn't try to keep persistence. It doesn't try to add itself to cron. It doesn't try to do anything like that. And it just, generally, will run as whatever it's logged in as. So at this time, it seems like it's an initial implementation of the botnet, and it's not really trying anything too stealthy yet. 

Dave Bittner: I'm curious. Just as a little aside here, could you give us a little bit of your insights when it comes to spinning up honeypots themselves? I mean, what sorts of things do you do as a researcher to make them most effective? 

Larry Cashdollar: I try to make them look as real as a legitimate system as possible, and in some cases I've actually used legitimate systems as a honeypot, where I've actually taken, like, an SSH docker and modified the SSH daemon on it to log the session to disk. Rather than, you know, actually use an SSH honeypot, this was actually just a docker image that was running with a backdoored SSH daemon. So that's some of the stuff that I'll do as a researcher to try and, you know, get the bad actors to think that the system is a legit system when it's actually me monitoring their actions. 

Dave Bittner: And where do we stand in that arms race in terms of the bad actors being able to detect honeypots and, you know, folks like yourselves trying to make them look as real as possible? 

Larry Cashdollar: I feel like we're always neck and neck. You know, it's cat and mouse. You know, they think of something, and then, you know, we think of something, and then, you know, one of us outdoes the other one, and then, you know, the other person catches up. And it just seems to go back and forth. You know, some of the more popular honeypots out there like Cowrie are easily fingerprinted. So, you know, they're effective in getting some traffic, but not all traffic. So it's been - it's really been a challenge to sort of just keep up with everything. 

Dave Bittner: You mentioned that this is the first step of some continuing research you're going to do with this particular bot. What does the future hold here? What sort of things are you going to take a look at next? 

Larry Cashdollar: I'm going to investigate the actual attack commands and the attack traffic in one of the blog posts. And then we're going to examine a misstep that the bot authors took when they were attacking a site. And I'll go into that when I actually write the blog post, but it's actually an interesting story. 

Dave Bittner: Our thanks to Larry Cashdollar from Akamai for joining us. The research is titled "KmsdBot: The Attack and Mine Malware." We'll have a link in the show notes. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.