1. Fodcha DDoS botnet
Reference: https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/ / https://www.bleepingcomputer.com/news/security/new-fodcha-ddos-botnet-targets-over-100-victims-every-day/
Malware named Fodcha spread to more than 62,000 devices between March 29 and April 10. It exploits n-day vulnerabilities in devices and uses a brute-force cracking tool called Crazyfia to infect them. The region contributing the most bots was found to be China.
Fodcha spreads mainly through n-day vulnerabilities and weak telnet/ssh passwords. It has been confirmed to exploit the vulnerabilities below, and there may be more beyond these.
- Android: https://www.exploit-db.com/exploits/39328
- GitLab: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205
- Realtek Jungle SDK: https://nvd.nist.gov/vuln/detail/CVE-2021-35394
- MVPower DRV: https://www.exploit-db.com/exploits/41471/
- LILIN DVR: https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day/
- TOTOLINK Routers: https://www.exploit-db.com/exploits/37770
- ZHONE Router: https://www.exploit-db.com/exploits/38453
After gaining access through a vulnerable device, Fodcha uses the Crazyfia scan results to deploy the malware payload. The botnet samples target several CPU architectures, including MIPS, MPSL, ARM and x86.
Since January 2022, when the cloud provider took down the initial C2 domain (folded[.]in), it has been using the fridgexperts[.]cc domain instead.
IOC
C2
folded[.]in
fridgexperts[.]cc
Download Link
http[://]139.177.195[.]192/bins/arm
http[://]139.177.195[.]192/bins/arm5
http[://]139.177.195[.]192/bins/arm7
http[://]139.177.195[.]192/bins/mips
http[://]139.177.195[.]192/bins/realtek.mips
http[://]139.177.195[.]192/blah
http[://]139.177.195[.]192/linnn
http[://]139.177.195[.]192/skidrt
http[://]139.177.195[.]192/z.sh
http[://]162.33.179[.]171/bins/arm
http[://]162.33.179[.]171/bins/arm7
http[://]162.33.179[.]171/bins/mpsl
http[://]162.33.179[.]171/bins/realtek.mips
http[://]162.33.179[.]171/bins/realtek.mpsl
http[://]162.33.179[.]171/blah
http[://]162.33.179[.]171/k.sh
http[://]162.33.179[.]171/linnn
http[://]162.33.179[.]171/z.sh
http[://]206.188.197[.]104/bins/arm7
http[://]206.188.197[.]104/bins/realtek.mips
http[://]206.188.197[.]104/skidrt
http[://]31.214.245[.]253/bins/arm
http[://]31.214.245[.]253/bins/arm7
http[://]31.214.245[.]253/bins/mips
http[://]31.214.245[.]253/bins/mpsl
http[://]31.214.245[.]253/bins/x86
http[://]31.214.245[.]253/k.sh
http[://]31.214.245[.]253/kk.sh
MD5 hash
0e3ff1a19fcd087138ec85d5dba59715
1b637faa5e424966393928cd6df31849
208e72261e10672caa60070c770644ba
2251cf2ed00229c8804fc91868b3c1cb
2a02e6502db381fa4d4aeb356633af73
2ed0c36ebbeddb65015d01e6244a2846
2fe2deeb66e1a08ea18dab520988d9e4
37adb95cbe4875a9f072ff7f2ee4d4ae
3fc8ae41752c7715f7550dabda0eb3ba
40f53c47d360c1c773338ef5c42332f8
4635112e2dfe5068a4fe1ebb1c5c8771
525670acfd097fa0762262d9298c3b3b
54e4334baa01289fa4ee966a806ef7f1
5567bebd550f26f0a6df17b95507ca6d
5bdb128072c02f52153eaeea6899a5b1
6244e9da30a69997cf2e61d8391976d9
65dd4b23518cba77caab3e8170af8001
6788598e9c37d79fd02b7c570141ddcf
760b2c21c40e33599b0a10cf0958cfd4
792fdd3b9f0360b2bbee5864845c324c
7a6ebf1567de7e432f09f53ad14d7bc5
9413d6d7b875f071314e8acae2f7e390
954879959743a7c63784d1204efc7ed3
977b4f1a153e7943c4db6e5a3bf40345
9defda7768d2d806b06775c5768428c4
9dfa80650f974dffe2bda3ff8495b394
a996e86b511037713a1be09ee7af7490
b11d8e45f7888ce85a67f98ed7f2cd89
b1776a09d5490702c12d85ab6c6186cd
b774ad07f0384c61f96a7897e87f96c0
c99db0e8c3ecab4dd7f13f3946374720
c9cbf28561272c705c5a6b44897757ca
cbdb65e4765fbd7bcae93b393698724c
d9c240dbed6dfc584a20246e8a79bdae
e372e5ca89dbb7b5c1f9f58fe68a8fc7
ebf81131188e3454fe066380fa469d22
fe58b08ea78f3e6b1f59e5fe40447b11
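The indicators above are defanged, so they cannot be matched against logs as written. The script below is an added example (not code from the original post or from the cited Netlab/BleepingComputer reports): it refangs a subset of the page's IOCs and scans a few constructed log lines, flagging exact download-URL hits, hits on the download-server IPs even when the path differs, C2 domain and subdomain lookups, and known MD5 hashes. The log line format and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Subset of the defanged IOCs listed above (page values, kept defanged here).
DEFANGED_IOCS = """
folded[.]in
fridgexperts[.]cc
http[://]139.177.195[.]192/bins/arm
http[://]139.177.195[.]192/z.sh
http[://]162.33.179[.]171/k.sh
http[://]206.188.197[.]104/skidrt
http[://]31.214.245[.]253/bins/x86
"""

# Two of the MD5 hashes from the list above.
MD5_IOCS = {
    "0e3ff1a19fcd087138ec85d5dba59715",
    "fe58b08ea78f3e6b1f59e5fe40447b11",
}


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the IOC list ([.] and [://])."""
    return ioc.strip().replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


@dataclass(frozen=True)
class IocSet:
    domains: frozenset   # C2 domains
    hosts: frozenset     # download-server IPs extracted from the URLs
    urls: frozenset      # full download URLs
    md5s: frozenset      # lowercase MD5 hashes


def load_iocs(defanged_block: str, md5s) -> IocSet:
    domains, hosts, urls = set(), set(), set()
    for raw in defanged_block.split():
        ioc = refang(raw)
        if "://" in ioc:
            urls.add(ioc)
            hosts.add(ioc.split("://", 1)[1].split("/", 1)[0])
        else:
            domains.add(ioc)
    return IocSet(frozenset(domains), frozenset(hosts), frozenset(urls),
                  frozenset(h.lower() for h in md5s))


URL_RE = re.compile(r"https?://[^\s\"']+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def scan_line(line: str, iocs: IocSet):
    """Return (kind, value) hits found in one log line, without duplicates."""
    hits, seen = [], set()

    def add(kind, value):
        if (kind, value) not in seen:
            seen.add((kind, value))
            hits.append((kind, value))

    for url in URL_RE.findall(line):
        if url in iocs.urls:
            add("url", url)
        else:
            host = url.split("://", 1)[1].split("/", 1)[0]
            if host in iocs.hosts:   # same server, different payload path
                add("host", host)
    for dom in DOMAIN_RE.findall(line):
        d = dom.lower()
        if d in iocs.domains or any(d.endswith("." + known) for known in iocs.domains):
            add("domain", d)
    for h in MD5_RE.findall(line):
        if h.lower() in iocs.md5s:
            add("md5", h.lower())
    return hits


def scan_logs(lines, iocs: IocSet):
    """Scan many lines; returns (line_index, kind, value) tuples."""
    return [(i, kind, value) for i, line in enumerate(lines)
            for kind, value in scan_line(line, iocs)]


# Constructed sample log lines (DNS, HTTP proxy and an endpoint execution event).
SAMPLE_LOGS = [
    "2022-04-12T09:58:41Z dns client=10.0.0.5 query=fridgexperts.cc type=A",
    "2022-04-12T09:58:43Z dns client=10.0.0.5 query=cdn.example.com type=A",
    "2022-04-12T09:59:02Z http client=10.0.0.5 method=GET url=http://139.177.195.192/bins/arm status=200",
    "2022-04-12T09:59:10Z http client=10.0.0.7 method=GET url=http://31.214.245.253/bins/mpsl status=200",
    "2022-04-12T10:01:15Z edr host=cam-07 event=exec path=/tmp/arm md5=FE58B08EA78F3E6B1F59E5FE40447B11",
    "2022-04-12T10:02:00Z http client=10.0.0.9 method=GET url=http://updates.example.com/fw.bin status=200",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS, MD5_IOCS)):
        print(finding)
```

Matching on the download-server IP as well as the full URL matters here because the same hosts serve per-architecture binaries (arm, arm7, mips, mpsl, x86) and several shell scripts; a feed that only carries the exact paths seen so far would miss a new path on a known host. The subdomain check covers lookups such as a prefix under fridgexperts[.]cc.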