Hunting Open Directories and malware with Shodan
Hi! I am moly.
In this article, I will introduce how to hunt open directories with Shodan and show how it goes!
Background
We often read articles in which researchers report finding open directories full of malware.
That is 100% true. After reading this article, you will be able to actively hunt malware yourself and see that threat actors routinely use open directories ("opendirs")!
Hunting with simple query
We can use Shodan queries to reconnoiter interesting things.
We are going to use the one below.
http.title:"Directory listing for" http.html:.exe
This query matches hosts whose HTTP page title contains "Directory listing for" and whose HTML contains the string .exe. Use straight double quotes around the title; curly quotes are not parsed as a quoted phrase.
Let’s hunt with this query!
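To make the query's semantics concrete, here is an added Python example (my own code, not from the article and not Shodan's code) that approximates the two filters offline on constructed HTML: `http.title` as a case-insensitive substring match on the page title and `http.html` as a substring match on the raw HTML, followed by a triage list of executable-looking entries from a directory listing. The sample listing imitates the "Directory listing for /" page produced by Python's built-in http.server and is populated with the file names from the article; the extension list is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample, not a capture: a listing in the style of Python's
# http.server ("Directory listing for /"), populated with the article's file names.
SAMPLE_LISTING = """<!DOCTYPE HTML>
<html><head><title>Directory listing for /</title></head>
<body><h1>Directory listing for /</h1><hr><ul>
<li><a href="360.exe">360.exe</a></li>
<li><a href="360saa.txt">360saa.txt</a></li>
<li><a href="IHue87edpdf.scr">IHue87edpdf.scr</a></li>
<li><a href="we.exe">we.exe</a></li>
<li><a href="y0PuSGed.exe">y0PuSGed.exe</a></li>
<li><a href="docs/">docs/</a></li>
</ul><hr></body></html>
"""

# Constructed negative: mentions ".exe" in the body but is not a directory
# listing, so the title filter must reject it.
SAMPLE_BLOG = """<html><head><title>Release notes</title></head>
<body><p>Grab the installer .exe from the downloads page.</p></body></html>
"""

# Extensions worth a second look (assumption; extend to taste).
EXECUTABLE_EXTS = (".exe", ".scr", ".dll", ".ps1", ".vbs", ".bat", ".hta")


class _ListingParser(HTMLParser):
    """Collect the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_page(html):
    """Return (title, hrefs) for an HTML document."""
    parser = _ListingParser()
    parser.feed(html)
    parser.close()
    return parser.title.strip(), list(parser.hrefs)


def matches_query(html, title_fragment="Directory listing for", html_fragment=".exe"):
    """Offline approximation of `http.title:"..." http.html:...`: the title
    fragment must appear in the <title> and the html fragment anywhere in the
    raw HTML, both compared case-insensitively."""
    title, _ = parse_page(html)
    return title_fragment.lower() in title.lower() and html_fragment.lower() in html.lower()


def triage_candidates(html, exts=EXECUTABLE_EXTS):
    """List hrefs with executable-looking extensions. These are candidates for
    sandboxing, not verdicts: the article's 360.exe is legitimate software."""
    _, hrefs = parse_page(html)
    return [h for h in hrefs if h.lower().endswith(exts)]


if __name__ == "__main__":
    for label, page in (("listing", SAMPLE_LISTING), ("blog", SAMPLE_BLOG)):
        print(label, "matches query:", matches_query(page))
    print("candidates:", triage_candidates(SAMPLE_LISTING))
```

The title check is what keeps ordinary web pages that merely mention ".exe" out of the result set; the body check is what turns a plain directory listing into a listing that is worth a look. Everything the triage function returns still needs detonation or hash lookup before it is called malicious.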
Hunted Example
You need to spend time on hunting, and most of the results are not malicious.
I hunted down some interesting things in China!
- 360.exe is legitimate security software.
- 360saa.txt is a download URL for the AV and it contains tokens for authentication.
- IHue87edpdf.scr is a Cobalt Strike beacon (detonated at ANYRUN).
- we.exe is a Cobalt Strike beacon (detonated at ANYRUN).
- y0PuSGed.exe is a Cobalt Strike beacon (detonated at ANYRUN).
I realize that if this server is owned by a threat actor, they know the tokens for the 360 AV download and serve beacons alongside it.
This leaked token should be revoked as soon as possible!!!
Conclusion
In this article, I briefly introduced how to hunt opendirs and malware using Shodan. It is very easy and a great starting point for research!
Have a great hunting!
IOCs (SHA-256)
- y0PuSGed.exe e6237696a2afa993513c44ede3b2a3e9f2407d3184b775a9b6109bf6ef266260
- we.exe e17488b7b3c9a600dca703cf0aeb28a4cd8fa229e931edbc206f6ef3fd66b03b
- IHue87edpdf.scr b5aad6ea245195769361446a5009bd22a1560fe58a9f351965d9cdca12eb756d
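The defender-side use of hashes like these is to check whether any of them turn up on your own hosts or file shares. Here is an added Python example (my code, not from the article) that hashes every file under a directory and reports matches against the article's three SHA-256 IOCs. The demo function builds a constructed temporary directory and plants a harmless file whose hash is added to a copy of the IOC set, so the scan has a hit to show without any real malware on disk.

```python
import hashlib
import os
import tempfile

# SHA-256 IOCs from the article, keyed by digest -> file name seen on the opendir.
ARTICLE_IOCS = {
    "e6237696a2afa993513c44ede3b2a3e9f2407d3184b775a9b6109bf6ef266260": "y0PuSGed.exe",
    "e17488b7b3c9a600dca703cf0aeb28a4cd8fa229e931edbc206f6ef3fd66b03b": "we.exe",
    "b5aad6ea245195769361446a5009bd22a1560fe58a9f351965d9cdca12eb756d": "IHue87edpdf.scr",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs):
    """Hash every regular file under root; return (path, digest, label) for IOC hits.
    Matching is on content, so a renamed beacon is still caught."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable, or removed between listing and hashing
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return sorted(hits)


def demo():
    """Constructed scenario: one benign file and one planted (harmless) file whose
    hash is added to a copy of the IOC set. Returns [(file name, IOC label)]."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "readme.txt")
        planted = os.path.join(root, "nested", "payload.bin")
        os.makedirs(os.path.dirname(planted))
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")
        with open(planted, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE - NOT MALWARE\n")
        iocs = dict(ARTICLE_IOCS)
        iocs[sha256_file(planted)] = "constructed-sample"
        return [(os.path.basename(p), label) for p, _d, label in scan_directory(root, iocs)]


if __name__ == "__main__":
    print(demo())
```

Point `scan_directory` at a download cache, a web root or a quarantine folder with `ARTICLE_IOCS` to sweep for these exact beacons; because the match is on content rather than file name, the check survives the renaming that opendir operators routinely do.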