{"id":16790,"date":"2019-11-05T18:41:23","date_gmt":"2019-11-06T02:41:23","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10529\/"},"modified":"2019-11-05T18:41:23","modified_gmt":"2019-11-06T02:41:23","slug":"news-10529","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10529\/","title":{"rendered":"Unveiling the Stealthworker Campaign"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>A <b>FortiGuard Labs Threat Analysis<\/b><\/i><\/p>\n<p>Earlier this year, FortiGuard Labs <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/new-stealth-worker-campaign-creates-a-multi-platform-army-of-bru.html\">shared<\/a> their findings about a malware that was <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/02\/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks\/\">linked<\/a> to a compromised e-commerce website serving a malicious JavaScript skimmer. The malware forms a botnet called Stealthworker or GoBrut. It can infect both Windows and Linux machines and perform brute force attacks on targets sent by the botmaster.<\/p>\n<p>Back then, we noticed a number of open directories in the C2 that revealed binaries for different architectures as well as list of targets queued for brute force attacks. What began as a simple brute forcer specifically targeting phpMyAdmin web app has updated its arsenal, turning it into a multi-service brute forcer. 
A tweet from another security researcher <a href=\"https:\/\/twitter.com\/gwillem\/status\/1125363285883346945\">@gwillem<\/a> confirms the threat that this botnet poses.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_1961887269.img.png\/1571678569713\/stealthworker-one.png\" alt=\"Figure 1. Tweet from Gwillem\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Tweet from Gwillem<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Given its impact, we decided to dig further in order to better understand the scale of this campaign and share our findings to the security community dealing with the same adversary.<\/p>\n<p>This post shares our findings collected over the past several months (February 2019-September 2019) of monitoring this threat.<\/p>\n<h2>Overview<\/h2>\n<p>We have observed that the malware author has continued the development of its code. In fact, the new binaries now include the version info of the malware. Though there are a number of released versions, we will only focus on those versions where major functions and services were added. 
In summary, the earliest version was v1.5, and since then we have documented ten additional services added between then and its latest version, v3.11.\u00a0<\/p>\n<p>Below are the <i>main_init()<\/i> functions of v3.11, with comments referring to the versions where particular functions were added.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_924072226.img.png\/1571679271682\/stealthworker-two.png\" alt=\"Figure 2. main_init() function of v3.11\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. main_init() function of v3.11<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown above, new functions to support other services were gradually added to the malware on each release. We have already discussed some of the functions in a <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/new-stealth-worker-campaign-creates-a-multi-platform-army-of-bru.html\">previous<\/a> article. In summary, here is a breakdown of these functionalities.<\/p>\n<p>We can categorize them into three main groups:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_498564204.img.png\/1571679335863\/stealthworker-three.png\" alt=\"Table 1. 
Main functionalities\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Table 1. Main functionalities<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The table below lists the services and platforms it tries to compromise and their corresponding commands. (\u2018X\u2019 means not supported.)<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_1111912253.img.png\/1571679436566\/stealthworker-four.png\" alt=\"Table 2. List of brute force and check services\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Table 2. List of brute force and check services<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_193818515.img.png\/1571679468876\/stealthworker-five.png\" alt=\"Table 3. List of other services\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Table 3. 
List of other services<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_238352841.img.png\/1571679536570\/stealthworker-six.png\" alt=\"Table 4. Other functions \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Table 4. Other functions <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Command and Control<\/h2>\n<p>The C2 contains useful data, including the latest binaries, the jobs for each worker with the targeted hosts, and the credentials to be used for the brute force attack. A typical Stealthworker C2 contains the following:<\/p>\n<ul>\n<li><i>\/storage\/<\/i> \u2013 open directory for latest samples<\/li>\n<li><i>\/project\/active<\/i> \u2013 C2 server assigns the bot as a specific <i>worker<\/i><\/li>\n<li><i>\/gw?worker={worker}<\/i> \u2013 C2 server sends the targets for that <i>worker<\/i><\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_463307616.img.png\/1571679681016\/stealthworker-seven.png\" alt=\"Figure 3. 
Bot communication\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Bot communication<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Below is an example of the jobs received for <i>worker=magentoBrt<\/i>:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_1543595330.img.png\/1571679716162\/stealthworker-eight.png\" alt=\"Figure 4. Worker as magentoBrt\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Worker as magentoBrt<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Every request to this URL returns around 300 fresh jobs.<\/p>\n<p>It is important to note that the targets and credentials harvested from the C2 weren\u2019t used for a brute force attack and were only used for statistics. In fact, harvesting jobs from the C2s takes away jobs meant for the malicious bots. 
This results in targets being spared from what would otherwise have been a brute force attack.<\/p>\n<h2>Top Workers<\/h2>\n<p>During our monitoring we were able to intercept more than 98 million jobs, which can be attributed to the following workers:\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image.img.png\/1571679806004\/stealthworker-nine.png\" alt=\"Figure 5. Top workers\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Top workers<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Half of the jobs targeted the SSH service. This doesn\u2019t come as a surprise, since SSH is typically installed on servers so that administrators can log in remotely. Scanning for targets running the WordPress and Magento platforms also accounts for a large share of the jobs being executed.<\/p>\n<h2>Summary<\/h2>\n<ul>\n<li>200 samples<\/li>\n<li>45 C2s<\/li>\n<li>98M+ jobs<\/li>\n<li>38M+ unique targeted hosts<\/li>\n<li>23 different versions<\/li>\n<li>Earliest observed version is v1.50 and the latest is v3.11<\/li>\n<\/ul>\n<p>The continuous development and appearance of new Stealthworker samples and C2s demonstrate how active the campaign is, and that more attention needs to be drawn to these sustained brute force attacks, not only against e-commerce websites but against every exposed system that uses weak credentials.<\/p>\n<p>If you want to know more about Stealthworker, we will be presenting more of our findings at the upcoming AVAR 2019 Conference, held in Osaka, Japan, on November 6-9. 
Our presentation is titled \u201c<a href=\"https:\/\/www.avar2019.org\/agenda\/day-2\/digital-skimmers-how-crooks-are-spying-your-online-shopping\">Digital Skimmers: How crooks are spying on your online shopping<\/a>\u201d, where we will share the results of our continuing effort to track Stealthworker, as well as interesting MageCart campaigns we found.<\/p>\n<h2>Solution<\/h2>\n<p>Fortinet detects Stealthworker binaries as ELF\/Agent.FM!tr, Linux\/StealthWorker.GO!tr and W32\/StealthWorker.GO!tr variants, and blocks all mentioned C2s.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2>IOCs<\/h2>\n<p><b>Stealthworker C2s:<\/b><\/p>\n<p>https:\/\/github.com\/fortiguard-lion\/StealthworkerIOC\/blob\/master\/Stealthworker_C2s.txt<\/p>\n<p><b>Stealthworker SHA-256 hashes:<\/b><\/p>\n<p>https:\/\/github.com\/fortiguard-lion\/StealthworkerIOC\/blob\/master\/Stealthworker_SHA256.txt<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn 
aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/unveiling-stealthworker-campaign\/_jcr_content\/root\/responsivegrid\/image_1961887269.img.png\/1571678569713\/stealthworker-one.png\"\/><br \/>Given the impact of the Stealthworker Campaign, FortiGuard Labs has continued to monitor this threat to better understand its scale. Learn more about their findings.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16790","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16790"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/in
dex.php\/wp-json\/wp\/v2\/posts\/16790\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16790"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}