Honeypot and Malware Hunting
Overview
- Honeypot
- Docker API
- HoneyDock
- Stats
- Malware Analysis
- Malware Infrastructure
- Campaign Evolution
Honeypot
Honeypot
Low interaction
Pros:
-
Easy to deploy
-
Service or system emulation
-
Easy to monitor
Cons:
-
Attacks are limited
-
Easily detectable
-
Restricted IOC
Honeypot
High interaction
Pros:
-
Detection of advanced events and new exploits
-
Highly customizable
-
Difficult to detect by an attacker
-
Rich IOC
Cons:
-
Risky
-
Complex implementation
-
Need for an architecture
Honeypot
De l'intérêt du Honeypot - Arnaud Zobec
Docker API
Docker API
Docker API
Docker API
HoneyDock
HoneyDock
- Python using Flask
- 40 lignes
-
Implemented endpoints
- _ping
- version
- info
- containers/json
- containers/create
- images/create
HoneyDock
HoneyDock
HoneyDock
- Simple and fast to make
- Easily spoted
- Low interaction
HoneyDock
Stats
2018 Nov 8 - 2019 Jan 24
(78 days)
Stats
- 14 000 requests by 165 IP
- ~1 request/min
- Images
- strm/xmrig
- bitnn/alpine-xmrig
- kannix/monero-miner
- arayan/monero-miner
- busybox
- alpine
- centos
- ubuntu
Stats
- kannix/monero-miner : 10M
- bitnn/alpine-xmrig : 100k
- strm/xmrig : 50k
- arayan/monero-miner : 10k
Stats
Malware Analysis
Log Analysis
Log Analysis
- IP : 45.77.140.98
- DN : oceanhole.xyz
- Dropper : https://oceanhole.xyz/d
Dropper
https://www.oceanhole.xyz/d
Environement Setup
https://www.oceanhole.xyz/d3
Environment Setup
https://www.oceanhole.xyz/d3
Environment Setup
https://www.oceanhole.xyz/d3
Environment Setup
https://www.oceanhole.xyz/d3
Environment Setup
https://www.oceanhole.xyz/d3
Malware Analysis
https://www.oceanhole.xyz/xg.n.tgz
- .cf
- b
- kernelupd
- xg
Malware Analysis
https://www.oceanhole.xyz/xg.n.tgz#.cf
xmrigCC
Malware Analysis
https://www.oceanhole.xyz/xg.n.tgz#b
Malware Analysis
https://www.oceanhole.xyz/xg.n.tgz#kernelupd
Malware Infrastructure
Infrastructure
-
oceanhole.xyz
-
vpn.oceanhole.xyz
-
host.oceanhole.xyz
oceanhole.xyz
- Domain Registered On 2018 Oct 03
- IP : 185.10.68.35
- Reverse DNS : 35.68.10.185.ro.ovo.sc (https://cock.li)
- DNS CNAME:
- wback.oceanhole.xyz
- ipv4.oceanhole.xyz
- www.oceanhole.xyz
oceanhole.xyz
- 22 : SSH
- 80/443 : HTTP(S)
- 3344 : HTTPS (xmrCC Dashboard)
oceanhole.xyz:443
- Malware distribution (Virus Total)
- Config files : Docker, SSH Key...
- XMR Miner (xmrigCC)
- Web Miner (crypto-loot.com)
oceanhole.xyz:443
oceanhole.xyz
vpn.oceanhole.xyz
- IP : 45.77.140.98
- The attacking machine
- 22 : SSH
vpn.oceanhole.xyz
host.oceanhole.xyz
- IP : 104.238.190.35
- DNS CNAME : eu.proxy.oceanhole.xyz
host.oceanhole.xyz
-
80 : xmr-node-proxy
-
40929 : SSH
host.oceanhole.xyz
Infrastructure
Campaign Evolution
Campaign Evolution
Campaign Evolution
Campaign Evolution
Campaign Evolution
Other Research
- https://blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware
- https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html
- https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack
Tools
- Crt.sh
- Amass
- VirusTotal
- Urlscan.io
- Onyphe.io
- Shodan.io
Thanks
Questions?
HACK2G2 | Honeypot and Malware Hunting
By floriancharbonneau
HACK2G2 | Honeypot and Malware Hunting
Présentation 30/01/2019
- 1,309