Security Advisory: BusyWinman Linux Intrusion – July 21, 2017 15:40 PT


We have received reports of malware detected on Linux systems at other institutions. If you notice anything on your systems that matches the description below, please contact security@ubc.ca.


BusyWinman is malware with two on-host components, supported by dedicated attacker infrastructure:

  • A Linux Bew Backdoor variant
  • A UPX Packed BusyBox binary
  • A dedicated malicious infrastructure (C2s)


The initial infection is believed to have occurred no later than mid-2015, and the infection vector may be a drive-by attack against Firefox. No payload beyond the components described here has been recovered from the affected hosts so far.

All known victims are Linux desktop hosts running a variety of distributions (Ubuntu, Kubuntu, Mint, Fedora, SUSE, etc.).


Attacker’s tactics, techniques, and procedures:

  • Devices are seen contacting 46.22.220.21 on port 443 using TLS 1.0. The associated domains are tw.gcache.net and storage.gcontent.org, both served with valid Comodo certificates. This is the likely drive-by download stage. Note that the hostnames imitate Google content-delivery names, so they may not stand out in proxy logs.
  • A UPX Packed BusyBox binary is dropped on the device (~/.tar)
  • A Linux Bew Backdoor variant is dropped on the device (in ~/.config)
  • Persistence is established via a cron job for the local user (see Indicators of compromise below)
  • Information on the victim’s system is collected:
    • OS distribution and version
    • Apache configuration and modules (if applicable)
    • Firefox stored passwords
    • Firefox stored certificates
    • Firefox stored intermediate certificates
    • Firefox security module database
    • Firefox browsing history
    • Presence of the /usr/bin/bzip2 binary
  • The attacker does not appear to attempt privilege escalation; everything observed runs as the logged-in user
  • Persistent clear-text connections on port 443, carrying sporadic data packets of ~50 bytes, are observed to malicious IPs associated with hfir.u230.org. Despite the port, this is NOT an SSL/TLS session, so port-based classification will label it as HTTPS while the absence of a TLS handshake distinguishes it from genuine HTTPS. This is likely the C2 channel.


Indicators of compromise:

Network:

  • Check for connections to 46.22.220.21
  • Check for persistent connections on port 443 to any of the following IPs (note: different samples embed different hard-coded IP addresses, so this list is not exhaustive):
    • 45.58.49.98 (hardcoded in backdoor binary)
    • 192.211.49.214 (hardcoded in backdoor binary)
    • 185.120.34.177 (hardcoded in backdoor binary)
    • 91.219.239.156 (hardcoded in backdoor binary)
    • 46.36.37.169 (hardcoded in backdoor binary)
    • 193.68.47.49 (in process memory)
    • 107.155.120.181 (hardcoded in backdoor binary)
    • 107.155.118.175 (hardcoded in backdoor binary)
  • Check for connections to any of the following domains:
    • tw.gcache.net
    • storage.gcontent.org
    • hfir.u230.org
    • e.update3.org (possibly related indicator)
    • images.gistatic.org (possibly related indicator)
    • pd.update3.org (possibly related indicator)
    • a.update3.org (possibly related indicator)
    • share.update3.org (possibly related indicator)
    • se.update3.org (possibly related indicator)
    • est.just-cloud-it.com (possibly related indicator)
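
The network indicators above and the clear-text-on-443 behaviour described under the TTPs can be checked together against exported connection records. The following script is an added example for this advisory, not code from CERN or UBC: it transcribes the advisory's IPs and domains, assumes per-flow records (destination IP and port, the first payload bytes the client sent, and the server name from TLS SNI or DNS) exported from a sensor such as Zeek or from a pcap, and its Flow record shape and sample flows are constructed for illustration.

```python
#!/usr/bin/env python3
"""Screen flow records for the BusyWinman network indicators.

Added example for this advisory (not CERN or UBC code). Input is a list of
Flow records exported from a sensor such as Zeek or from a pcap; the Flow
shape is this example's own assumption. The advisory's IPs and domains are
transcribed below; the sample flows at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators from the advisory. Samples carry different hard-coded IPs,
# so treat the C2 list as a starting point rather than a complete one.
DRIVEBY_IPS = {"46.22.220.21"}
DRIVEBY_DOMAINS = {"tw.gcache.net", "storage.gcontent.org"}
C2_IPS = {
    "45.58.49.98", "192.211.49.214", "185.120.34.177", "91.219.239.156",
    "46.36.37.169", "193.68.47.49", "107.155.120.181", "107.155.118.175",
}
C2_DOMAINS = {"hfir.u230.org"}
POSSIBLY_RELATED_DOMAINS = {
    "e.update3.org", "images.gistatic.org", "pd.update3.org", "a.update3.org",
    "share.update3.org", "se.update3.org", "est.just-cloud-it.com",
}

# First bytes of a TLS 1.0 ClientHello (constructed): Handshake record (0x16),
# record version 3.1, record length 0xc4, handshake type ClientHello (0x01).
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    first_client_bytes: bytes = b""     # first payload bytes the client sent
    server_name: Optional[str] = None   # TLS SNI, or DNS name resolved to dst_ip


def looks_like_tls(payload: bytes) -> bool:
    """True if the client opened with a TLS handshake record: content type
    0x16, record version 0x03 0x00..0x04 (SSLv3 through TLS 1.3 on the
    wire), carrying a ClientHello (handshake type 0x01). The backdoor's C2
    channel uses port 443 but never sends this. SSLv2-compatible hellos
    (first byte 0x80) are not recognised and would be reported as clear text."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] <= 0x04
            and payload[5] == 0x01)


def screen_flow(flow: Flow) -> List[str]:
    """Return the indicator categories a single flow matches."""
    findings: List[str] = []
    name = (flow.server_name or "").lower().rstrip(".")
    if flow.dst_ip in DRIVEBY_IPS or name in DRIVEBY_DOMAINS:
        findings.append("drive-by infrastructure")
    if flow.dst_ip in C2_IPS or name in C2_DOMAINS:
        findings.append("C2 infrastructure")
    if name in POSSIBLY_RELATED_DOMAINS:
        findings.append("possibly related domain")
    if (flow.dst_port == 443 and flow.first_client_bytes
            and not looks_like_tls(flow.first_client_bytes)):
        findings.append("clear-text traffic on 443 (not TLS)")
    return findings


def screen_flows(flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Pair every flow that matched something with its findings."""
    return [(f, screen_flow(f)) for f in flows if screen_flow(f)]


# Constructed sample flows: the drive-by download over TLS 1.0, a C2 beacon in
# clear text on 443 (payload invented; the real protocol is not documented),
# a benign HTTPS session, and a connection to a possibly related domain.
SAMPLE_FLOWS = [
    Flow("46.22.220.21", 443, TLS_CLIENT_HELLO_PREFIX, "tw.gcache.net"),
    Flow("45.58.49.98", 443, b"UNIQID=0123456789abcdef Linux\n", None),
    Flow("198.51.100.7", 443, TLS_CLIENT_HELLO_PREFIX, "example.org"),
    Flow("198.51.100.8", 443, TLS_CLIENT_HELLO_PREFIX, "pd.update3.org"),
]

if __name__ == "__main__":
    for flow, found in screen_flows(SAMPLE_FLOWS):
        print(f"{flow.dst_ip}:{flow.dst_port}: {', '.join(found)}")
```

The TLS test is the useful part: the backdoor talks to port 443 but never performs a handshake, so matching on the first client bytes catches it where a port-based "HTTPS" label would not, and it also catches future samples whose hard-coded IPs are not yet on the list. Export the first client payload from your sensor for every outbound 443 flow and run this over the whole table rather than only over the known IPs.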

Filesystem:

  • Check for binary files in ~/.config (a configuration directory that should not contain executables; the legitimate gnome-pty-helper and kdeinit4 live under system paths such as /usr/lib, /usr/libexec or /usr/bin, never in a user's ~/.config), such as:
    • ~/.config/gnome-pty-helper
    • ~/.config/kdeinit4
  • Check for a ~/.tar executable
  • Check for a cron job such as:
    • */10 * * * * sh -c "/home/xxxx/.config/gnome-pty-helper"


Indicators of compromise are also available in MISP format:

  • https://security.web.cern.ch/security/advisories/31434dd977f962ea0d555f20c89f207b/MISP-BusyWinman.json

Technical Details:

Linux Bew Backdoor Variant

The backdoor is dropped into the hidden directory ~/.config and named after a helper binary of the desktop environment (window manager) in use, so that it blends in with legitimate processes, for example:

  • ~/.config/gnome-pty-helper
  • ~/.config/kdeinit4

Every sample tested has a unique hash, and the hard-coded IPs vary between samples, so a single file hash is not a reliable detector; the file locations and the cron entry are more stable indicators. Persistence is a per-user crontab entry under /var/spool/cron/ (or /var/spool/cron/crontabs/ on Debian-based systems) that fires every 10 minutes and (re)starts the backdoor if it is not already running:

  • */10 * * * * sh -c "/home/xxxx/.config/gnome-pty-helper"
  • */10 * * * * sh -c "/home/xxxx/.config/kdeinit4"
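
The filesystem indicators listed earlier and the cron persistence just described can be checked on a suspect host with a short script. The following is an added example for this advisory, not code from CERN or UBC; the infected-looking home directory it builds and the crontab text it parses are constructed fixtures, with "alice" as a placeholder username, and the only assumption beyond the advisory is that user crontabs are read from /var/spool/cron/ or /var/spool/cron/crontabs/.

```python
#!/usr/bin/env python3
"""Host-side triage for the BusyWinman filesystem and cron indicators.

Added example for this advisory (not CERN or UBC code). scan_home() looks
for the dropped ~/.tar and for ELF binaries inside ~/.config; scan_crontab()
looks for the persistence entry in one user's crontab text. Run as root over
/home/* and the per-user crontabs in /var/spool/cron/ (Red Hat family) or
/var/spool/cron/crontabs/ (Debian family). make_sample_home() and
SAMPLE_CRONTAB are constructed fixtures, not real samples.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Union

# Names seen so far. The backdoor is named after the window manager, so other
# desktop-sounding names are possible; any ELF under ~/.config is suspicious
# on its own, since that directory holds configuration files, not programs.
KNOWN_BACKDOOR_NAMES = {"gnome-pty-helper", "kdeinit4"}
ELF_MAGIC = b"\x7fELF"

# Exact shape from the advisory: */10 * * * * sh -c "/home/<user>/.config/<name>"
CRON_PERSISTENCE = re.compile(
    r'^\s*\*/10(?:\s+\*){4}\s+sh\s+-c\s+"?\s*'
    r'(?P<path>/home/[^/\s"]+/\.config/[^\s"/]+)\s*"?\s*$')
# Looser: any cron command that runs something out of a ~/.config directory
CRON_HIDDEN_CONFIG = re.compile(r'(?:/home/[^/\s"]+|~)/\.config/[^\s"]+')


def is_elf(path: Path) -> bool:
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_home(home: Union[str, os.PathLike]) -> List[str]:
    """Findings for one home directory (empty list means nothing matched)."""
    home = Path(home)
    findings: List[str] = []
    tar = home / ".tar"
    if tar.is_file() and not tar.is_symlink():
        kind = "ELF" if is_elf(tar) else "non-ELF"
        exe = "executable" if tar.stat().st_mode & stat.S_IXUSR else "not executable"
        findings.append(f"{tar}: hidden {kind} file, {exe}; matches dropped BusyBox indicator")
    config = home / ".config"
    if config.is_dir():
        for root, _dirs, files in os.walk(config):
            for name in files:
                p = Path(root) / name
                if p.is_symlink() or not p.is_file() or not is_elf(p):
                    continue
                tag = ("known BusyWinman name" if name in KNOWN_BACKDOOR_NAMES
                       else "unexpected ELF binary")
                findings.append(f"{p}: {tag}")
    return findings


def scan_crontab(text: str) -> List[str]:
    """Findings for the text of one user's crontab."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_PERSISTENCE.match(line)
        if m:
            findings.append(f"line {lineno}: BusyWinman persistence entry for {m.group('path')}")
        elif CRON_HIDDEN_CONFIG.search(line):
            findings.append(f"line {lineno}: cron runs a program from ~/.config: {line.strip()}")
    return findings


def make_sample_home() -> Path:
    """Constructed home directory shaped like an infected user's (fixture)."""
    home = Path(tempfile.mkdtemp(prefix="bw-home-"))
    (home / ".config").mkdir()
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61  # header bytes only, not runnable
    (home / ".config" / "gnome-pty-helper").write_bytes(fake_elf)
    (home / ".config" / "user-dirs.dirs").write_text('XDG_DESKTOP_DIR="$HOME/Desktop"\n')
    tar = home / ".tar"
    tar.write_bytes(fake_elf)
    tar.chmod(0o755)
    return home


SAMPLE_CRONTAB = """\
# constructed crontab modelled on the advisory entry; 'alice' is a placeholder
MAILTO=""
*/10 * * * * sh -c "/home/alice/.config/gnome-pty-helper"
0 3 * * * /usr/bin/certbot renew --quiet
"""

if __name__ == "__main__":
    for f in scan_home(make_sample_home()) + scan_crontab(SAMPLE_CRONTAB):
        print(f)
```

The ELF check matters more than the filenames: because the backdoor is named after the window manager, a host running something other than GNOME or KDE may carry a differently named binary, and the reliable anomaly is an executable where only configuration files belong. Read the crontabs from the spool directory rather than through crontab -l so that a modified user environment cannot hide the entry.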


Strings in the Linux Bew Backdoor variant vary between samples, largely in the embedded IPs. One example is included here; note the references to /bin/busybox and a %s.tar path, consistent with the dropped ~/.tar BusyBox binary, and to hfir.u230.org, the suspected C2 domain:

  • /bin/sh
  • /bin/busybox
  • /proc/self/exe
  • tempfile-x11session
  • 46.36.37.169
  • 91.219.239.156
  • 185.120.34.177
  • hfir.u230.org
  • %s:%d
  • [%s]:%d
  • %s: -%s
  • User-Agent
  • www.google.com
  • Linux
  • UNIQID
  • %s%sid
  • %s.tar
  • %star


UPX Packed BusyBox binary

A UPX-packed BusyBox binary is dropped into the user's home directory as ~/.tar. It is believed to be included to give the attacker a uniform toolkit across infected devices regardless of distribution. Because the file is UPX-packed, tools such as strings show little until a copy has been unpacked with upx -d; the hash below is of the packed file as dropped.

  • ~/.tar
  • MD5 31434dd977f962ea0d555f20c89f207b


Remediation:

Identify infected machines using the Indicators of Compromise provided. Since the malware is not fully understood, we recommend installing a clean copy of the required OS on a new drive and selectively copying only necessary data files from the infected drive; do not carry over executables, crontabs or hidden configuration directories such as ~/.config. Because the backdoor collects Firefox stored passwords and certificate databases, treat every credential saved in Firefox on an affected host as compromised and reset it, and revoke and reissue any client certificates or keys stored there. Block or alert on the network indicators above at the perimeter so that hosts not yet identified are caught.


Related links:

  • https://www.securityartwork.es/2017/07/21/linux-bew-backdoor-minado-bitcoin