Background

On May 27, 2019, Our Unknown Threat Detect System highlighted a suspicious ELF file, and till this day, the detection rate on VT is still only one with a very generic name. We determined that this is a Proxy Botnet, and it is a Linux version variant of the Win32.Ngioweb[1] malware. We named it Linux.Ngioweb. It shares a lot of code with Win32.Ngioweb, except that it has DGA features. We registered one of the DGA C2 domain names (enutofish-pronadimoful-multihitision.org) and was able to observe the Bot connections.

In addition, we have observed that Linux.Ngioweb malware has been implanted into a large number of WordPress Web servers.

Although the Bot program is loaded with the privilege of the user group corresponding to the Web container, it still works and runs as Rotating Proxy node[2].

We don’t know why the attacker runs this proxy botnet, but it is possible that everything goes through the proxy is being recorded by the attacker.

Overview of Linux.Ngioweb

The main functionality of the Linux.Ngioweb Bot sample is to implement Back-Connect Proxy[3].on the victim’s machine. The attacker builds multiple Bots into a Proxies Pool and controls it through a two-tier C2 protocol, then provides a Rotating Proxy Service.

Reverse engineering on Linux.Ngioweb

Basic information

• MD5: 827ecf99001fa66de513fe5281ce064d

ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped

Anti-reverse engineering technique

• Uses a niche library named musl libc
  

• Stores its functions in the function table in advance
  

• Uses Stack Strings Obfuscation
  

• Generates constant table used by CRC and AES
  

• Uses a two-tier C2 protocol, where Stage-2 C2 is determined by the CONNECT instruction of Stage-1 C2

• Stage-2 C2 uses a two-layer encrypted communication protocol

Stage-1 C2 protocol analysis

At this stage, the main behavior of the sample is to establish communication with Stage-1 C2, and proceed to the next step according to the instructions returned by C2.

Communication attempt

• Try to establish communication with the following hardcoded C2 IP every 60 seconds
  169.239.128.166:443
  185.244.149.73:443

• Try to establish communication with the domain name generated by DGA (Domain Generation Algorithm) every 73 seconds. When the number of DGA domain names reaches 300, the Seed will be reset. So the total number of DGA domain names is 300.
  

DGA implementation

uint64_t GenSeed(uint32_t& seed, uint32_t mod) {       uint32_t tmp = 0x41C64E6D * seed + 0x3039;       seed = tmp;       return tmp % mod; } string dga(uint32_t& seed) {       char* HeadBuf[] = { "un", "under", "re", "in", "im", "il", "ir", "en", "em",                           "over", "mis", "dis", "pre", "post", "anti","inter",                           "sub", "ultra", "non", "de","pro", "trans", "ex",                           "macro", "micro", "mini","mono", "multi", "semi", "co" };        char* BodyBufA[] = {"able","ant","ate","age","ance","ancy","an","ary",                           "al","en","ency","er","etn", "ed", "ese","ern","ize",                           "ify","ing","ish","ity","ion","ian","ism","ist","ic","ical",                           "ible","ive","ite","ish","ian","or","ous","ure" };        char* BodyBufB[] = {"dom","hood","less","like","ly","fy","ful","ness",                           "ment","sion","ssion","ship","ty","th","tion","ward" };        char* TailBuf[] = { ".net",".info",".com",".biz",".org",".name" };        string BlockBufA = "aeiou";       string BlockBufB = "bcdfghklmnprstvxz";       string domain;       uint32_t dashloop = GenSeed(seed, 3) + 1;       while (dashloop--)       {               domain += HeadBuf[GenSeed(seed, 0x1e)];               int flag = 0;               int i = 0;               if (BlockBufA.find(domain.back()) == string::npos)                       flag = 1;               int fillcnt = GenSeed(seed, 0x3) + 4;               while (fillcnt > i)               {                        if (flag + i & 1)                               domain += BlockBufA[GenSeed(seed, 0x5)];                       else                               domain += BlockBufB[GenSeed(seed, 0x11)];                       i++;               }               if (BlockBufA.find(domain.back()) == string::npos)                       domain += BodyBufA[GenSeed(seed, 0x23)];               else                       domain += BodyBufB[GenSeed(seed, 0x10)];               if (dashloop != 0)                       domain += "-";       }       return domain += TailBuf[GenSeed(seed, 0x6)]; }  

Communication Protocol

This phase of communication is based on the HTTP protocol and the parameters are Base64 encoded.

Packets overview

Sent Packets decode

After decoded the parameter content by Base64, we get the following information.

• id=machine-id[0:15]

  

• v=x86_64, hardcoded, architecture

• sv=5003, hardcoded, version number

• &qlohmzalwdepupwf, random 16-byte data, the algorithm is as follows

  

• User-Agent, hardcoded

  Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 

Received Packets decode

Command Supported

• WAIT
• CONNECT
• DISCONNECT
• CERT

Stage-2 C2 protocol analysis

At this stage, the main action of the sample is to establish communication with the C2 of Stage-2 and enable the Back-Connect Proxy function. C2 of stage-2 is specified by the CONNECT command.

Communication Protocol

At this stage, the communication is combined by double-layer encryption. The inner layer is XOR and the outer layer is AES.

Packets overview

Encryption Algorithm

The XOR key is generated by a random algorithm:

The algorithm is:

AES uses ECB mode, no padding. The key is:qwerasdfzxcqwerasdftyuirfdsdsdss

Packet Structure

The packet consists of two parts: “header” and “msg”.

“header” structure:

#le->little endian #be->big endian struct header {  uint32_le xorkey;  uint32_be msgcrc32;  uint32_be len;  uint16_be msgcode  uint16_be magic }; 

“msg” consists of chunks, and the chunks supported by the sample are as follows:

A “msg” can have one or more chunks, and different “msg”s are made up by different chunks .

The “msg” types uses by this sample are “recv” and “send”.

• recv
  

• send
  

See the table below for a summary of different “msg”s:

Sent packets sample analysis

• Raw data

   packet[0:31]:  6c 52 8c 08 3e 80 a9 3c 00 00 00 10 00 10 fa 51   04 dd b0 b4 9d 10 ec 42 c3 00 00 00 00 00 00 00  header  --->packet[0:15]   xorkey  --->0x088c526c   msgcrc32 --->0x3e80a93c   msglen  --->0x00000010   msgcode  --->0x0010,check-in    magic  --->0xfa51  msg  --->packet[16:31]   1st chunk    chunktype --->0x4    content  --->0xddb0b49d10ec42c3   

• After XOR encryption

  6c 52 8c 08 36 0c fb 50 08 8c 52 7c 08 9c a8 3d  0c 51 e2 d8 95 9c be 2e cb 8c 52 6c 08 8c 52 6c 

• After AES encryption

  c1 d3 78 71 2d f6 5b bb  16 ca ff 8b ef 69 bb 26 3b 01 f0 22 70 09 38 dc  e7 06 89 de 2b 55 eb 8e 

Received packets sample analysis

• Raw data

  c5 ad 4a bf 30 C2 3a 43 9b 6e 22 08 73 e0 b9 5d  3c e6 b7 f0 74 76 53 43 3a 79 0e 82 80 1a c3 84  ba a4 85 05 4a 63 b1 d6 d1 94 ad 53 be 7a 9a 88 

• After AES decryption

  59 8b e5 6d 4a ee bf ef 6d e5 8b 79 7d f5 71 08 69 b8 81 aa 92 ed 65 fb 29 e0 8b 59 6d e1 51 47 19 e1 89 d8 29 e5 8b 59 6d e5 8b 59 6d e5 8b 59 

• After XOR decryption

    packet[0:47]     59 8b e5 6d 27 0b 34 b6 00 00 00 20 10 10 fa 51     04 5d 0a f3 ff 08 ee a2 44 05 00 00 00 04 da 1e     74 04 02 81 44 00 00 00 00 00 00 00 00 00 00 00    header  --->packet[0:15]     xorkey  --->0x6de58b59     msgcrc32 --->0x270b34b6     msglen  --->0x00000020     msgcode  --->0x1010,set channel id     magic  --->0xfa51    msg   --->packet[16:47]     1st chunk         chunktype --->0x04         content  --->0x5d0af3ff08eea244     2nt chunk         chunktype --->0x05         content  --->len:0x00000004 buf:0xda1e7404     3rd chunk         chunktype --->0x02         content  --->0x8144 

Stage-2 C2 association analysis

We obtained the following 6 Stage-2 C2 addresses by visiting the Stage-1 C2 URL (http://185.244.149.73:443/min.js).

5.135.58.119 5.135.58.121 5.135.58.123 5.135.58.124 91.134.157.11 193.70.73.115 

We looked up this md5 (9017804333c820e3b4249130fc989e00) in our GraphicQuery platform and was able to find more IPs which host the same file, we then sent specific crafted packets to these IPs and was able to ID another 18 Stage-2 C2s.

5.135.35.160 5.196.194.209 51.254.57.83 54.36.244.84 54.36.244.85 54.36.244.91 91.121.36.212 91.121.236.219 92.222.151.63 145.239.108.241 163.172.201.184 163.172.202.116 178.33.101.176 178.33.101.177 178.33.101.178 178.33.101.182 188.165.5.123 188.165.163.20 

We found that these Stage-2 C2 IP address are providing Socks5 proxy service by looking them up on free-socks.in

As we tested, all these Socks5 proxy IPs are properly functioning. Also, they accessed the C2 domain we own(enutofish-pronadimoful-multihitision.org) via the Stage-1 C2 protocol, so it can be said that they are all Linux.Ngioweb Bots.

root@localhost:~# curl --socks5 91.134.157.11:50880 ifconfig.me 31.170.123.49  root@localhost:~# curl --socks5 91.134.157.11:62012 ifconfig.me 208.113.197.88  root@localhost:~# curl --socks5 91.134.157.11:18278 ifconfig.me 45.58.190.100  root@localhost:~# curl --socks5 91.134.157.11:64380 ifconfig.me 72.29.64.29  root@localhost:~# curl --socks5 91.134.157.11:47067 ifconfig.me 54.38.101.17  root@localhost:~# curl --socks5 91.134.157.11:63862 ifconfig.me 88.99.212.97  root@localhost:~# curl --socks5 91.134.157.11:49475 ifconfig.me 23.91.65.240 

Infected IPs information

By listening on C2 domain (enutofish-pronadimoful-multihitision.org), we have observed a total of 2692 Bot IPs.

The following is a detailed list of countries/regions with number of infected IPs:

US 1306 BR 156 RU 152 DE 133 FR 102 SG 98 NL 80 GB 66 CA 66 IT 64 VN 42 AU 36 PL 31 TR 28 JP 26 IN 26 ZA 21 ID 19 ES 18 UA 15 

By probing the infected IPs, we found out that almost all Bot IPs are web servers and have WordPress programs deployed. We did not look into how the attacker took control of these WordPress sites though.

We contacted some infected users and found multiple WebShells on their Web servers.
These WebShells are highly obscured, but the techniques, encryption, and code share similar characters.
Combined with the accessing characteristics (such as time, order) the infected IPs made to the our sinkhole DGA domain, we speculate that the attacker will periodically issue commands to the WebShells on the victim websites, as well as running the Linux.Ngioweb program.

Solutions and Suggestions

We recommend that readers do not use the Socks5 proxy service provided by these Stage-2 C2 IP.

We recommend that WordPress users back up the website article database (delete backdoor users such as wp.service.controller.*), reinstall the latest version of WordPress program, enhance user password complexity, enhance WebShell detection capabilities, and disable PHP commands to execute related functions;

Contact us

Relevant security and law enforcement agencies are welcomed to contact netlab[at]360.cn for a list of infected IP addresses.

Readers are always welcomed to reach us on twitter, WeChat 360Netlab or email to netlab at 360 dot cn.

IoC list

Sample MD5

827ecf99001fa66de513fe5281ce064d 

Stage-1 C2 (Hardcoded IP)

169.239.128.166      South Africa         ASN 61138            Zappie Host LLC 185.244.149.73       Romania              ASN 60117            Host Sailor Ltd. 

Stage-2 C2

163.172.201.184      France               ASN 12876            Online S.a.s. 163.172.202.116      France               ASN 12876            Online S.a.s. 5.135.35.160         France               ASN 16276            OVH SAS 5.135.58.119         France               ASN 16276            OVH SAS 5.135.58.121         France               ASN 16276            OVH SAS 5.135.58.123         France               ASN 16276            OVH SAS 5.135.58.124         France               ASN 16276            OVH SAS 5.196.194.209        France               ASN 16276            OVH SAS 51.254.57.83         France               ASN 16276            OVH SAS 54.36.244.84         France               ASN 16276            OVH SAS 54.36.244.85         France               ASN 16276            OVH SAS 54.36.244.91         France               ASN 16276            OVH SAS 91.121.36.212        France               ASN 16276            OVH SAS 91.121.236.219       France               ASN 16276            OVH SAS 91.134.157.11        France               ASN 16276            OVH SAS 92.222.151.63        France               ASN 16276            OVH SAS 145.239.108.241      Germany              ASN 16276            OVH SAS 178.33.101.176       Ireland              ASN 16276            OVH SAS 178.33.101.177       Ireland              ASN 16276            OVH SAS 178.33.101.178       Ireland              ASN 16276            OVH SAS 178.33.101.182       Ireland              ASN 16276            OVH SAS 188.165.5.123        Ireland              ASN 16276            OVH SAS 188.165.163.20       France               ASN 16276            OVH SAS 193.70.73.115        France               ASN 16276            OVH SAS 

Stage-1 C2 (DGA)

enutofish-pronadimoful-multihitision.org exaraxexese-macrobacaward-exafosuness.net nonafudazage.name demigelike.net emuvufehood.net subolukobese.biz inogepicor-prorarurument.biz overahudulize-unazibezize-overuzozerish.org imunolance-postodinenetn-antifipuketn.net antizerolant-monogevudom.info transavecaful-transinenation-transikaduhern.com subogonance.info inoxodusor-misehupukism.info devikoviward-semibazegily-copaxugage.name eniguzeless-inecimanable.net subilebesion-irogipate.biz colozosion-antigobunaful.name inudiduty-dezaviness.org irelizaring-enipulical-monovuxehossion.info ilenudavous-monoxoxapal-semimihupution.info ultrapadupize.biz covategal-dezakedify-enebugassion.name transivesudom-macropimuship.org rezolezation-transapupirify-seminecation.name macrolutoxous-overefimety.name coxumumage-dexolalite.name cotexafical-postirutuvian-emimimous.biz copubuloness-misumusal-disokozian.com nonecuzuking-enekopofen-imakozity.info dezohipal-ultrazebebive.name cosazalike-antifoxirer-subudikic.biz underotutilism-monoceraretion-underosociful.name overugiror.net emuzixucize.biz disicevament-desizigasion-recadihuful.biz decehoward-microhikodely-overokerezant.com microlasokadom-ultralarumous.info minixecision-iruzaxuhood.net profusonuty.info multifipakency-conovofy-prorakikate.com antiseramoment.info postavutetn-emedarevous.biz inolugoty-inidiverible.com prodipamament.biz overogobity-imivocurify-disovizution.biz decozaness-antihazation-overetalovical.net nonesolafy.com unihatosancy.name interiragocern-micropuxotion-transogorion.org seminamatity-enogibely.name inosebovion.net exofifure-postirexument.info transirirenern-semizafunic-nonivubed.biz enegizize-microtizobity.name macrohuseded-multipazaseship.com imefihured-macrohixuhood.org microlulition-macrokiguxable.biz multizesumefy-emebefion.biz underebelassion-postizoziless.info dezuvazen.name decotusion-exexavihood-exevozebant.name disuzepuly.info inuviging-antizoluly.biz multisotiren-ilazufist.org predepussion.info inidozadom.name interikuhaful.info cozuheming.biz multiruxuth.org monozogeced.org mononoredom.info postarubixage-monocinamety-overogefesal.com prebekokian-misadepepive-transilogify.com monohatodom-cohotiship.com exebasusion.org unahodoness-emevuzeward-emuzeduness.com exemidexous-underiposapite-unegatature.name interocugopist-misugexadic-ilobipegency.org monokifomancy-misagefism-macrobepoth.com antizekussion-minipusaral-copofuxoship.com relutodom-comakitize.name multikezusion.org emopumical-enohecical.org semitegopish.net recepatission.info inoluvary.com seminitotuful.info interanubing-emelulotal-transugotuzern.com subefehity-iledutession.name ultrapapiten.biz transuvarusish-prozumoxety.info transisigern.org imirotiship-microhopulive-emotomeship.com presefavution.info enevifaking.org misidogive-coxecovor-dexefoxan.name overazadudom-deliromohood.com emakanuward.com emitohage-overasuhorure-antitipenoless.info ultrasesebible.biz multihadekite.name iluvused-iravoxish.info postobagoly-detovaward-unixohible.biz underasusogen.com imovaman-multimihivoship-imeduxian.biz dedunuguhood.com prevukition.info underehugavish.org misoxomelical-iluxubism.net microcolacoful-postabitition.name overurohely-overadolure-iruraluness.org unurodable-dekipuhic-postuxufous.org unitucihern-postadagen-imupuduth.org imukokuship.org prenubocetion-ultrahahohood.com monofugition-underefogukic.org irofetufy.com irobigelike.org presifament.biz overetigution.info enuvopan-imixesoward-irarupipary.biz inorofizian.com monopadecotion-multicecihood-imuzicasion.com exofosehance-minimezazofy.org monokacofudom-inuvinable.com emisucosion-prohosexite-imorekusion.net semiledoduly.info multivapufy-promumuly-enonuben.net subebodency.info cofexasish-inodehed.net unutexupify-conofubusion.com misebonure-iluborize-rezericify.com exunaxian.info colanizity-postosecive-nonuresible.info dedaliward-imipusen-inacaliver.com refusovize.org monokuvission-transodigical-semihehamussion.biz transalavudom-multilavezuhood.net exusizeward.net unisimor.name minipihagaship.com recusigetion-transubeviful.info multixizitufy-microtomuly-multixoleward.com microxulodish-semibahoty.biz macrokunith-proxobivive.net preginaxodom.name transimapeful-cotalision.com prefinazuly.name inucasazing-microhesunian-semidikokement.biz disitirotion-transekarenate.org unehihify-antimepavable-nonubovafy.net misunotelike-nonugidant.info enogosudom-macrogekabive.biz postozokipetn-microdomobaly.biz interunavission-ininibecist.org microhinoler.org prosihamish-noneguhaness.com preberekous-microkagibant-imemahal.name iletegifage.org emikuraran.biz overokigoty-ilecavish.net nonikofucable-postelihuzism-rexecigism.net imixifure.info minirabupeness-nonitefuward.org misasugegify-underazosuzish-exuvexezical.info multipocihood-monomuhunible.org nonohacutancy-postuxikitan-microseditoless.info overasobament.info overulurotion.biz disepadely-disuzirovor.net repetepian-irelucify.biz enikobadom-postolixement.name inunatogite-imoboraness.net irimarefy.net monohiloless-demodefy.com previbetian-misunohigate.info multivunuhance-inabiber.com semicasinaty-ilibaholy.biz transupovetn-monozeruduless.biz debapesetn-underisaxufical-imukugamism.info multibibetefy.com exanonish.name interanulish-imazekalike-unisukugate.info inokevidage.org monofipuly-underubihal.net profobekify-subebobefy-exozufous.name macrovetecuship-emebudemical-underaxakament.biz demeficiward-retitisily-macromuvaward.org monosumuly-ilenusuty-dedabaness.net exapofaran-postulusadify.com microhobament-postevofafity.com rebezusaly-overidirity-ultrahiseness.org unafacigage-transihicical-prebokity.info interazution-irudegufy-antinefoly.biz minizecidish-macrolafukish-depovased.biz derirepous-cosideship-semibiseless.biz overupazadity-irativorical.name coseviness-nonikunant-macrorasihood.net nonesocern-macrotocipity.info interuzoputy.info inicinic-misuluzan-ultrakuxuness.com sububesebism-ultrabutath.com misacireship.org exuxuburan-miniravuhood-exosoxen.info macrozigahood-monosulopancy.com unegoping-detunusion-antimuruseful.biz macrozixaward-semivanimoly-underekutoty.biz ultratipuxian-inosilission-multiridith.net microtonagament.info cobemesion-redacocoful.name disicogure-seminedasoly.biz dekacify.net emegamilike-imupogazance-ultrapanacesion.org unocelibable-underelatucance.com irodetolike-imisocatite-inecolafian.com antikuzucen-irokarance-transitupikible.org semiralety-macrorobinant-ultrapixutency.biz transisomuless.name ilebigument-macroripakesion.org profebarable.org nonixigefy-protisumiless.biz corahicohood.com pretuvution-disafatutical-irehopuvese.name miniregath-anticesuty-postudagily.biz coguvilaship-recakubodom.name overipugoful-interizihing.org imipadaness-iralikoward-semitolicoly.info interupefity-semigiduly.info macromosoriship.net antigizepist.net subuluhic-disomokate.net irunucudor-macrogocudern-comoxizish.name underedofobate.net prolapuzern-progobutiful-dehifasion.org irucasian-macrofevasion.net unogoxeness-semixocapency.org rehofocese.org exebutian-interomifenism.org subihefahood-subenopure-ultramoherihood.net nonezogeward.com exasavate-minidevilefy-subanevous.biz enodenission-overucelancy-microvitasission.info ultrafakitesion-misesuzahical-transanafetion.biz interinipoly-minimorovor-debininess.com prenedelission-interugefable-repekosossion.name postifozible-irololuship.com unozolasion.org unobelaness-prepifavety.info cofukosable.info iloletible-imakeben.info ultraronupity.name minikisision-monobavunism-micronepavage.org unufepaness-misedepugance.biz inafolage.com semifolofic-unaraxal.biz enerivosism-imenufanist-macrovonahood.org monobocution.info cosuzuness-prepurizor-unasulal.name inopivic-antimaporary-subavocobive.biz covogidish-iletinassion.biz defizalike-unodatage-inarabevous.com unuvirisern-interusalosize-misucakiness.org ireninenish-multicemath-prezucetussion.biz interodekive.com iramilahood-antirotuxary-misobegesion.name multidafadite-postagoker.org monobagehance.net emixuvidite-ilofikency-subolubify.biz postugihucency-emademify.name cotefehood-imocakitency.biz enikavely-inosifuty-postaviraly.info transabusossion.biz interitebure.net unehumugage-ultraburosion.com subutavahen-inuhabish.org subifefer-devufoward-probelalance.org emefimafible.biz ilibefudom.biz postemivaxage.net monofudumossion.info inuxazodom-macrodexaxahood.org semibugegetn-monohifutuly.biz macromohazaship-subonohion-disonixucing.com emosacekant-cokebohood-nonetakive.biz interozecifist-antipinukity-multifekemath.net refedomous-antifaliless.name ultraxekevohood-nonizerosion-exovigant.name interarogous-unuculuhood.org semipulimian.com monocalacaless.biz disevolikency-retipegation.biz cosituxath-misuxunor.info ultraporader-conapefy-prolobeziless.info ilucasure.com reletohite-misosulahood-antitedudom.info minivucilous-inafafomism.net monorifutaless-ilocamussion.name inohufohese-imufilahood-antifidupite.com emegemaxed-transigifuty-multitumolith.net exotacible-denitokolike.com