
The Ever-shifting Habits of Cloud-focused Malware Campaigns

BSides Las Vegas · 2023 · 40:29 · 19 views · Published 2023-10 · Watch on YouTube

About this talk
Matt Muir analyzes recent cloud-focused malware campaigns that have evolved beyond cryptojacking to target serverless environments and containers. The talk covers two distinct campaigns: Legion, a Python-based hack tool that harvests SMTP credentials and establishes persistence in AWS, and Diicot, an emerging cryptojacking group that deploys complex multi-stage payloads with distinctive obfuscation techniques. Muir details TTPs including AWS IAM abuse, SMS hijacking and Discord-based command and control, and offers observations on emerging trends in cloud malware.

Original YouTube description

Breaking Ground, 17:00 Wednesday. Cloud-focused malware campaigns have continued to evolve as adoption of cloud technologies increases. After observing a shift away from solely targeting cloud compute resources, and on to serverless environments and containers, it's clear that cloud services are an increasingly attractive target for malware campaigns pursuing a variety of objectives. In this session, Matt will discuss analysis of recent cloud-focused malware campaigns, including those which have diversified from the common objective of cryptojacking. TTPs, including persistence mechanisms and defence evasion techniques specific to cloud environments, will be discussed. Matt will also provide an overview of recent trends in proprietary telemetry of cloud attacks, including an increase in the use of cloud services themselves to support malware attacks. Matt Muir

Transcript [en]

So welcome to Breaking Ground. We've got Matt Muir here to speak to us about the ever-shifting habits of cloud malware campaigns. But before we get started we want to thank some of our sponsors: Adobe, Prisma Cloud, SEM Group, BlueCat, Nudge, all out in the vendor area for you to check out, with some pretty cool swag with some of them, all of them. All right, cell phones: these talks are being live streamed, so we ask that you do not take pictures, or keep your phone on silent. If you want to take photos of the slides that's okay; please be careful with taking photos of other people. After we finish there's going to be some time for Q&A, so please be sure to hold those until the end. And with that, let's get started. Thank you.

Hello everyone and welcome to my talk. Before we get started on the agenda for today I'd like to first introduce myself. I'm Matt Muir and I'm the threat research lead for Cado Security. Prior to working at Cado I was a macOS malware researcher for several years, and I also have a background in DevOps engineering and digital forensics. I've published several blogs detailing research into new and emerging malware families conducted by myself and my colleagues in the R&D team at Cado. I've spoken about this research at various conferences including Black Hat EU, BSides and Geron, so this is actually my second time speaking at BSides Las Vegas, the first time being last year, and I'm very grateful to the organizers for having me back once again. For anyone interested in our research or in cloud security in general, you can follow me on Twitter, or X as it's now known, at the handle on screen. I'll also be answering any questions, as mentioned previously.

So let's move on to the agenda for today. Anyone that was at my talk last year will likely remember that I focused on two distinct malware families. These families were named CoinStomp and Abcbot, and we'd been tracking them over the course of 2022. Now, given that I was eventually invited back to BSides LV, it seems like this formula was something of a success, and therefore I've decided to do a similar talk this time, but covering two new campaigns. Both of these campaigns were discovered and analyzed over the course of the past year. The first of these campaigns is a family of cloud-focused hack tools named Legion, whose purpose is to harvest credentials for various SMTP services and hijack them for spamming purposes. We'll take a look at some of the more interesting features of Legion, including the tool's ability to persist in AWS environments and the tool's exploitation of AWS SES and other cloud-based SMTP services. I'll then move on to discuss Diicot, who are an emerging cryptojacking group whose payloads we discovered after detecting an interesting attack pattern on one of our cloud honeypots. We'll take a look at a specific Diicot campaign that leveraged multiple interlinked binary payloads, which of course resulted in lots of complaints during analysis. We'll also discuss some of the group's objectives, including their propensity for doxing and deployment of botnet agents on target hosts. Finally I'll wrap up this session with some observations and predictions for cloud and general Linux malware, before giving you the chance to ask any questions. As you've probably gathered there's quite a lot to cover here, so we'll dive straight in with our first family, Legion.

To give everyone a quick overview, Legion is written in Python and designed to exploit misconfigured web servers for the purpose of harvesting credentials. The tool automates the process of gathering these credentials, which provide access to cloud-based SMTP services. Legion will then attempt to access these services and even send test emails on behalf of the operator in preparation for spamming campaigns. Now, since it's written in Python and contains no obfuscation, Legion executables aren't particularly difficult to analyze. One slightly annoying thing about them is that they tend to be in the region of 21,000 lines long, which makes me think that the developers have yet to learn the concept of modularity. I'm being careful not to use the term malware too much with Legion as, although it is technically malicious software, it doesn't infect the user's own machine or attempt to obscure its functionality in any way. For this reason we personally would class this as a hack tool, given that it's used to facilitate cyber attacks rather than to conduct them. Acknowledging this, Legion contains some features that you might expect from traditional hack tools, including bundled exploits for conducting RCE on servers running Apache and PHP, and the ability to conduct target enumeration via Shodan, providing you supply a likely stolen API key. The tool also contains some AWS-specific features, which is what made it interesting to us in the first place. If it manages to successfully retrieve AWS credentials from targeted servers, it will then automate the process of inserting a backdoor into the AWS account, acting as a persistence mechanism. Rather interestingly, Legion also contains a very rudimentary AWS credential brute-forcing feature, the efficacy of which is dubious but entertaining to analyze nonetheless.

Before moving on to discuss the functionality of Legion, let's discuss its distribution method and some details that we uncovered about the background of this hack tool. After first encountering Legion we managed to trace its origins back to a public Telegram group, using an embedded Telegram group ID extracted from the primary payload. It soon became apparent to us that this group was being used to advertise and sell the malware to potential operators. At the time we accessed it the group had around 1,90 members and had been active since February 2021. Now, either that's a lot of people interested in exploiting cloud services to conduct malware campaigns, or it's a lot of overly enthusiastic malware researchers. Along with the embedded Telegram group ID, the original Legion sample we encountered also contained references to a Telegram user named "my Legion". From strings seen in the sample we assumed that "my Legion" was actually the developer behind the tool, so we examined messages in the Telegram group to see if we could find any discussion authored by this user. When we did access the group we expected to find the "my Legion" user listed as the group's admin; instead there were actually several messages from the real admin warning users of scams being conducted by the "my Legion" user. The admin didn't provide any context, but it appears that the copy of Legion we encountered was being illegitimately circulated by the "my Legion" user. From this Telegram group we discovered a YouTube channel with the name Forza Tools, which included several tutorials for using Legion. Forza Tools also happened to be the username of the real admin warning members about the "my Legion" scammer. From this we concluded that Legion was likely a paid hack tool distributed and sold by the user Forza Tools.

With that background out of the way, let's focus on Legion's functionality. Legion is highly opportunistic and relies on serious misconfigurations in target web servers for the majority of its functionality. However, that isn't to say it's unlikely to succeed; as I'm sure most of you know, these types of misconfigurations are common methods of initial access, particularly in cloud environments. Legion is designed to target servers running a variety of common web technologies. These include content management systems and web applications based on pure PHP or frameworks such as Laravel. Its core functionality is to identify these servers and attempt to retrieve application secrets from them. Once targets are identified, GET requests are sent to resources at a number of hard-coded paths, and this determines whether or not resources located at these paths are publicly accessible. These resources include things like PHP info scripts and environment files, which have the potential to include application secrets. If the tool successfully retrieves any of these files it will then run a series of regular expressions over the contents to extract credentials for various web services. You can see an example of the files themselves in the table on this slide.

One of the services specifically targeted by Legion is Twilio, and for those of you that don't know, Twilio are a company that develop tools for automating communications methods. This includes things like programmatically making phone calls, sending or receiving SMS messages and other means of communication. Here's a code snippet from Legion showing how the malware scrapes Twilio secrets from exfiltrated credential files. There's nothing particularly fancy going on here, just simple regular expressions for Twilio secrets embedded in the credential files that the tool targets. One of these regular expressions targets Twilio string identifiers, or SIDs. SIDs are 34-character identifiers that are used to query specific Twilio resources via their API; typically they're prefixed with two characters allowing you to identify the resource type. Legion doesn't seem particularly concerned with any specific resource type and instead just grabs any value assigned to the Twilio SID environment variable. It also does the same for the Twilio token environment variable, which is likely used to store an authorization token. If successful, any extracted credentials are saved to a file and reported to the operator via standard out.

We've already mentioned Legion's deliberate targeting of AWS, and this slide demonstrates the method taken to extract credentials for further exploitation. In this example we can see the tool utilizing a similar process to the one described previously, but this time attempting to retrieve an AWS secret access key ID and corresponding secret access key from any exfiltrated environment files. Legion assumes that these credentials will be stored under the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables respectively. This is a safe assumption, as this convention appears in many AWS tutorials and sample code. Of course it relies on another series of regular expressions to discover these secrets and save them for later use. I'll give you a quick overview of all of the services targeted by Legion before moving on to discuss the AWS-specific functionality in some more detail. On this slide is a list including the majority of services targeted by Legion. If you're at all familiar with these services you'll recognize that they're either cloud storage services, payment services or communications platforms, and this gives us some insight into the motivation behind the development of this hack tool. It also supports our theory that the primary use for Legion is to access these services for spamming purposes, which we'll come back to.

Now that we've covered the credential exfiltration aspect of Legion, let's move on to discuss some of the AWS-specific features that are relevant to those of us working in cloud security. Before we get stuck into this I want to give a big shout out to Ian Ahl from Permiso. Ian noticed an earlier variant of Legion and posted some interesting information about the persistence mechanism on LinkedIn prior to our discovery of the sample. He also wrote a really interesting blog about some of the AWS functionality that Legion exhibited and collaborated with us on a blog for the first sample that we discovered, so I'd highly recommend reading his take on it.

Now, as we've already discussed, Legion attempts to scrape AWS secret access keys from misconfigured web servers and applications. Given that this method is particularly opportunistic, the tool also includes a fallback option in the event that no AWS credentials are discovered in retrieved environment files: users are offered the option to brute force AWS credentials using a simple generator function, and we'll cover this in more detail in a coming slide. I've already mentioned the tool's ability to provide the operator with persistent access to an AWS environment, and as you might imagine, Legion achieves this by creating a malicious IAM user and inserting it into the target AWS account using the stolen credentials from the previous stage. An attacker-created IAM group is also added to the account, to which the malicious user is added. On top of that, the infamous AWS AdministratorAccess managed policy is then attached to this group, and the IAM user ultimately inherits the permissions associated with this policy. With all of this in place, Legion can perform automated actions with Amazon's Simple Email Service, or SES. Let's have a look at some code examples of this.

First of all, let's take a look at Legion's AWS credential brute forcer. Before discussing this I think it's worth stressing that brute forcing AWS credentials in this manner is incredibly unlikely to be successful. I won't attempt to calculate the probability of success with this method, but you can probably imagine that it will be very low. As you can see on the slide here, the function simply builds up a list of 16 alphanumeric characters and appends them to the AKIA prefix. For those of you that don't know, the AKIA prefix is used for long-term credentials reserved for IAM users or the account root user, so this procedure results in a string resembling a valid AWS access key ID. Once this is created, an AWS secret access key is created using a similar method, resulting in a credential pair in a valid format. Legion logs the number of AWS keys that it creates using this method and writes them to a file for later use. Lacework posted an analysis of a similar malware, or hack tool, family that they named AndroxGh0st. AndroxGh0st included a similar brute-forcing function, and Lacework concluded that its inclusion was likely a novelty more than anything else, and we would agree with this given how statistically unlikely this procedure is to succeed.

Now onto some slightly more serious functionality. I mentioned already that Legion enables persistence in AWS environments. To achieve this the tool uses credentials stolen from the environment file enumeration stage and creates an IAM user with a username containing "Legion". Ian from Permiso noticed that earlier variants neglected to tag this newly created user, providing a detection opportunity for defenders. However, in the sample that we encountered, as we can see on the slide here, this newly created user is assigned a tag with the key Owner and a hard-coded value of "Ms Boharis". It's possible that this was added in reaction to Ian's posts on detecting Legion activity by hunting for new IAM users without tags. With the malicious IAM user in place, permissions need to be defined so that the operator can access resources and services within the account. To achieve this a new IAM group named SES admin group is created and the "Ms Boharis" user is added to it. Legion then goes ahead and creates a policy based on the AdministratorAccess AWS managed policy and attaches it to this group. We can see an example of this in the create new policy function, which is visible on this slide. Of course, anyone working in cloud security knows that this essentially gives users within the group full access to all AWS services, including access to the management console itself, providing that it's been enabled. Crucially, it also allows Legion operators to access AWS Simple Email Service, or SES, which of course is AWS's cloud SMTP service. The function also includes some error handling to rename the assigned policy if it exists, and it achieves this by calling the Django get_random_string function and appending the resulting string to AdministratorAccess.

Since we know Legion is concerned primarily with SMTP abuse, it should come as no surprise that the tool's next steps are to set up and interact with the SES service. The function on the slide here demonstrates the approach taken by the tool to set up an SES client via the AWS SDK for Python, which is of course boto3. This function also performs additional configuration like setting the default AWS region and defining credentials, both of which are required to establish the boto3 client. Of course, given the malicious IAM user is operating under permissions granted by the AdministratorAccess managed policy, there should be no barriers faced by the tool when attempting to access SES, and with this configuration in place the Legion operator is now able to send emails and query account information, as we'll see on this next slide. With the SES client established, Legion proceeds to query the send quota assigned to the compromised account. This is of course valuable information if your intention is to conduct spamming operations via SES: the Legion operator now knows how many outbound emails are permitted to be sent from this account and can use this for the benefit of their campaign. Information about the send quota can also be used to avoid detection in the environment by ensuring that the operator doesn't trigger any billing or quota alerts. Legion also lists identities associated with the SES account, and typically this would be email addresses or domains used to send the emails. After these basic discovery operations, Legion then proceeds to send a test email, which includes the result of the tool's automated discovery mechanisms in the body. Successful delivery of this email confirms to the operator that the AWS account has been compromised and that the malicious user has access to the SES service.

Moving on now to discuss another notable feature of Legion. One thing that stood out to us during our analysis was the tool's ability to conduct SMS spamming via SMS over SMTP. To achieve this the tool uses credentials exfiltrated via the methods described previously to access various automated communications platforms. Some of these tools provide SMS over SMTP support, and Legion can leverage this to deliver spam SMS messages. The tool targets various US mobile carriers including AT&T, T-Mobile and so on; some of the carriers are now defunct, suggesting that the code for this has been around for some time. Legion uses an interesting method of generating alternative numbers to target, via scraping area codes and carrier keys from the website randomphonenumbers.com. We'll take a quick look at this on the next slide. To conduct the scraping, Legion uses a simple Python scraping mechanism via the BeautifulSoup HTML parsing library. This allows the tool to retrieve carrier keys and area codes to which a series of digits can be added to make a valid mobile number. Custom number generation code is used to create the rest of the mobile number, similar to how the alphanumeric strings were added to the AKIA prefix for secret access key IDs. Due to the significantly lower entropy associated with mobile numbers, this is much more likely to result in valid targets for the operator's campaign. Additional SMS hijacking functionality includes the ability to write out these numbers to a file for later use, and Legion can also ingest predetermined carrier keys and area codes. An example of the carrier selection and SMS body code can be seen on this slide.

I mentioned in the overview of the tool that Legion includes some traditional hack tool functionality, and this included things like bundling exploits for web technologies like PHP, so let's examine these features in a bit more detail. Another thing that caught our attention during analysis of the tool was the bundling of an exploit for the CVE-2017-9841 vulnerability in PHP itself. Since I'm not expecting anyone here to remember CVE numbers off the top of their heads, I'll explain this vulnerability in a bit more detail. The vulnerability enables unauthenticated remote code execution via an HTTP POST request containing a PHP open tag substring. The POST needs to be directed at publicly accessible resources within the /vendor folder, specifically the eval-stdin.php file. This allows arbitrary PHP code to be executed on the server itself and could be used for all kinds of nasty stuff like starting a reverse shell and retrieving additional payloads. As with many things in the world of malware, it's reasonable to assume that the code for this exploit was lovingly repurposed, most likely from public proofs of concept released at the time of the vulnerability's discovery. It's unclear whether the Legion developer has some information to suggest this vulnerability is still common in the wild, or if they've simply included it as they're already targeting servers running PHP. Regardless, an example of the exploit code can be seen on the slide here. Early in the function you can see a hard-coded path to the eval-stdin.php resource being assigned to a variable named path. Legion then defines a PHP info string before proceeding to build up the malicious payload. The Python requests module is then used to deliver the string via an HTTP POST request, and the tool checks the response to see if the exploit was successful. Legion then proceeds to report the status of the exploit back to the operator.

With the core functionality out of the way, let's look at some changes we noticed in recent updates to this family of hack tools. An interesting technique that's gaining popularity with the malware campaigns we analyze at Cado is the reporting of campaign statistics via Discord. This provides an easy way for attackers to programmatically report key information about their malware campaigns back to a centralized location; furthermore, traffic destined for Discord is unlikely to be blocked in many environments. In Legion's case, later variants utilize this technique to track and store campaign statistics that were traditionally reported via standard out or written to files on disk. This particular variant creates a Discord embed and populates it with values like the number of vulnerable sites discovered, the number of successful RCEs and the total number of sites processed, and this is sent back via an HTTP POST request so that it can be displayed in the operator's channel of choice. SSH exploitation was another feature that appeared in some capacity in the original Legion sample that we encountered; however, it appeared like the developers had yet to finish the code for it. In all samples seen by Cado, code to parse a list of exfiltrated database credentials to extract username and password pairs was present. The tool attempted this using the environment file parsing technique we've already examined, looking for values like DB_PASSWORD. If these are found, recent samples use these credential pairs in combination with a matching host value to attempt to log into the host over SSH. Of course this assumes that the database credentials previously retrieved by the tool are being reused for SSH, which would be very stupid, so this seems unlikely to me, but I suppose you might as well try. It also adds another feature to the tool that might make it more marketable to potential customers.

So that's us just about covered Legion now. With that in mind, let's move on to our next malware campaign, from an emerging cryptojacking group named Diicot. Diicot are a group that we became acquainted with after discovering an interesting attack pattern on one of our honeypot sensors. They are malware-as-a-service developers and are known for targeting Linux servers to conduct cryptojacking and other attacks. The group takes its name after the Romanian organized crime police unit, but they previously referred to themselves as Mexals. If you go ahead and search for Mexals you'll find some research into prior campaigns conducted by this group and get an idea of their TTPs. Initial triage of the payloads retrieved from our honeypot allowed us to quickly attribute this campaign to Diicot, thanks to a number of excellent blogs by Bitdefender and Akamai. Further investigation of their C2 server led to the discovery of a group of new payloads that hadn't yet been reported on, and this included a Mirai-based botnet agent, a self-propagating initial access tool and a custom miner. Another interesting finding was the discovery of a video which included doxing of other online individuals that the group appeared to be feuding with. There was no discussion of Diicot's doxing abilities in previous research into this group's activities, so we thought that it would be useful to mention here. Several members of the rival group appeared during the course of the video, and their personal details, including photographs, full names, home addresses and online handles, are exposed. It is suspected that the individuals in this video are members of a rival hacking group, but it wasn't clear what they'd done to anger Diicot in the first place. Text included in the video was written in the Romanian language and the addresses were all located in Romania, and this fitted with our attribution, as we believe that Diicot are a Romanian group.

Diicot's doxing capabilities are interesting, but it's malware in particular that we focus on, which leads me nicely to this graphic describing the execution flow of the campaign directed at our honeypot infrastructure. Diicot campaigns typically involve a long execution chain with multiple payloads, and their outputs forming interdependent relationships. We've attempted to illustrate these relationships in this graphic, but I'll discuss them in further detail in the coming slides. As you can see from the graphic, the group uses a combination of ELFs written in Golang, which is a Linux attacker favourite of course. They also use plain text shell scripts, regular compiled ELFs written in languages like C, and shc ELFs, which are compiled shell scripts. This can make analysis feel laborious even in situations where the payloads themselves aren't particularly complex. It also demonstrates Diicot's awareness of the malware analysis process and their attempts to slow this down as much as possible. The group's campaigns contain some relatively distinctive TTPs. The first of these is the use of the UPX packer with a modified header. Typically, when packing an executable with UPX, a header is added which includes a magic byte sequence representing the letters UPX followed by an exclamation mark. This allows the executable to be unpacked with the UPX command line utility. A typical anti-unpacking measure is to modify this header so that it's no longer recognized as being packed by UPX by the utility. This of course confuses the UPX CLI tool and prevents it from unpacking the binary. Fortunately, Akamai researcher Larry Cashdollar released an excellent tool named UPX-dec which allows you to automatically locate and restore the modified bytes to the values that the UPX tool expects. With the binary repaired you can then unpack it as normal. This technique is certainly not unique to Diicot, but it gives an interesting insight into the group's capabilities.

Moving on now to another obfuscation technique. I mentioned Diicot's use of shc executables in the execution chain graphic a couple of slides previously. For those that don't know, shc executables are essentially shell scripts compiled into an ELF. They are heavily utilized by Diicot for loaders, registering persistence and preparing the target for mining via a custom fork of XMRig. It's likely that shc is used for obfuscation purposes, as it prevents the compiled script from being read in plain text; however, the resulting binaries didn't contain additional obfuscation, so were trivial to analyze. This brings us back to a technique you'll remember was utilized by later versions of Legion: the use of Discord for campaign reporting. Diicot also make use of Discord for reporting campaign stats, and we identified four distinct channels used as part of this campaign. In this slide's example we can see some decompiler output from a function in one of the campaign's primary payloads, which we'll come back to in a later slide. The function contains a curl request with a hard-coded Discord webhook URL. Generally this function would be invoked after some system discovery procedures, with the results being sent in the POST body. Further analysis showed that the channels were generated, likely by an automated method, within an 11-minute time frame on the 26th of April 2023, which was shortly before we noticed the activity in our honeypot. Each of the webhooks found in this payload of the campaign was used to send information about compromised machines back to Discord.

Moving on now to analysis of the payloads themselves. We focused our efforts on the payload named aliases, which is a custom SSH brute-forcing tool used for initial access in this campaign. aliases is a 64-bit ELF written in Golang and is responsible for ingesting a list of target IPs and credentials to conduct a brute force attack. Shortly after execution the sample will perform a GET request to an attacker-run API using a hard-coded API key. This hard-coded key appeared to be reused across Diicot samples and wasn't specific to a particular campaign. The API request returns a Discord webhook URL, which seemed to be neglected in favour of the hard-coded hooks we mentioned earlier. Prior to the execution of aliases, an executable named Chrome is launched. Chrome isn't particularly interesting from an analysis perspective, but it plays an important role in the campaign. Dynamic analysis quickly revealed that it was an internet scanner, most likely a fork of the popular internet scanner zmap. Since zmap is open source it's very easy for attackers to customize it to add obfuscation or additional functionality. Diicot's fork seemed relatively close in functionality to the original, with the only notable change being the ability to write out scan results to a file in the working directory, which were then ingested by aliases as a target list for brute forcing.

Moving on now to look at some of the shc executables utilized by Diicot. This first executable was a payload named update, and it had a number of key responsibilities to ensure the success of the campaign. update acts as a loader, and its main purpose is to retrieve the Chrome payload we discussed in the previous slide. The sample also retrieves the aliases SSH brute forcer if it doesn't exist on the target. payload, which confusingly is the actual name of this payload, is another shc executable utilized by Diicot. payload is mainly responsible for retrieving the XMRig miner and preparing the system for mining. The sample includes logic to only conduct miner-related operations if the target has more than four processor cores. payload also determines whether it's running under root and changes the root's password if so, before sending a JSON file named send.json back, which included the password.

With the payloads out of the way, I thought I'd include this recent finding that we made before we finish up. During some unrelated darknet research we encountered an onion link for a hidden service which was tagged with the Diicot name. Naturally this caught our eye and we decided to take a closer look. We discovered this rather amusing homepage that you can see in the screenshot to the left of the slide. The homepage claimed to be the home of Diicot hackers and included some hilarious testimonies, an example of which can be seen on the right. Rather interestingly, the developers of this site had linked out to some press coverage of our research into Diicot, of which they seem to be proud. We think that this hidden service was most likely operated by an impersonator involved in scamming individuals wishing to contract the real Diicot for assistance in resolving extramarital affairs; however, it was an interesting and rather humorous finding nonetheless.

I think we perhaps are running out of time, so I'm going to skip over this just to give us a bit of a recap. We've covered two recent malware campaigns analyzed by myself and my colleagues at Cado, and I hope that you all enjoyed hearing the findings. If anyone has any questions then please feel free to request a mic and I'll answer them just now, or give me a shout on Twitter after the conference. I hope that you all enjoy the rest of your time in Vegas and I hope to see you all again soon. Thank you.

Does anyone have any questions? We can pass the mic around so everyone can hear. Everyone's ready to party. Well, I have a question then. You mentioned cloud and Linux; you can't really speak about that without mentioning Kubernetes. Have there been any findings in that area?

So there has been quite a lot of third-party reporting of cloud attacks against Kubernetes. I can't actually think of one off the top of my head, but I know that it exists. It's not something that we've seen personally, but we have seen attacks against serverless environments. We discovered Denonia last year, which was the first publicly reported malware targeting serverless environments specifically. But yeah, we're yet to stumble on something that's Kubernetes-specific. Hopefully we do though; that would be very cool.

Well, thank you Matt, and enjoy the rest of the conference. The last talk coming up. Thank you, thanks everyone. Okay.
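As an added example (not code from the talk, from Cado Security or from Legion itself), here is a CloudTrail detection for the AWS persistence chain the talk describes: a stolen key issues CreateUser, CreateGroup, AddUserToGroup and AttachGroupPolicy with the AdministratorAccess managed policy within seconds, after which the new user performs SES discovery (GetSendQuota, ListIdentities) and a test SendEmail. The record field names are the standard CloudTrail ones; every value (user names, group names, access key IDs, timestamps) is constructed sample data, and the new user's second access key is an assumption about how such a tool would reach SES.

```python
"""Detect a Legion-style AWS persistence chain in CloudTrail records.

Added example, not code from the talk, Cado Security or Legion. The chain
described in the talk is CreateUser -> CreateGroup -> AddUserToGroup ->
AttachGroupPolicy(AdministratorAccess), followed by SES discovery calls and
a test email. All record values below are constructed.
"""
import json
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM_CHAIN = ("CreateUser", "CreateGroup", "AddUserToGroup", "AttachGroupPolicy")
SES_ACTIONS = {"GetSendQuota", "ListIdentities", "SendEmail"}


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _is_subsequence(needle, haystack):
    """True if every element of needle occurs in haystack in the same order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def find_persistence_chains(records, window_minutes=10):
    """Return one finding per access key that runs the full IAM chain inside
    window_minutes, plus any SES activity by that key or by the created user."""
    by_key = {}
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key.setdefault(key, []).append(r)

    findings = []
    for key, events in by_key.items():
        events.sort(key=_ts)
        iam = [e for e in events if e["eventSource"] == "iam.amazonaws.com"
               and e["eventName"] in IAM_CHAIN]
        if not _is_subsequence(IAM_CHAIN, [e["eventName"] for e in iam]):
            continue
        create = next(e for e in iam if e["eventName"] == "CreateUser")
        # The defining step is AdministratorAccess landing on the new group.
        attach = next((e for e in iam if e["eventName"] == "AttachGroupPolicy"
                       and e["requestParameters"].get("policyArn") == ADMIN_POLICY), None)
        if attach is None or _ts(attach) - _ts(create) > timedelta(minutes=window_minutes):
            continue  # wrong policy, or too slow to be a scripted tool
        new_user = create["requestParameters"].get("userName")
        tags = create["requestParameters"].get("tags") or []
        # SES discovery may use the stolen key or a key minted for the new user.
        ses = sorted({r["eventName"] for r in records
                      if r["eventSource"] == "ses.amazonaws.com"
                      and r["eventName"] in SES_ACTIONS
                      and (r["userIdentity"].get("accessKeyId") == key
                           or r["userIdentity"].get("userName") == new_user)})
        findings.append({
            "access_key": key,
            "created_user": new_user,
            "user_tags": {t["key"]: t["value"] for t in tags},  # empty = Permiso's untagged-user hunt
            "group": attach["requestParameters"].get("groupName"),
            "ses_activity": ses,
            "chain_seconds": int((_ts(attach) - _ts(create)).total_seconds()),
        })
    return findings


def _event(time, source, name, key, params, user=None):
    """Build a minimal constructed CloudTrail record."""
    identity = {"accessKeyId": key}
    if user:
        identity["userName"] = user
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params}


IAM, SES = "iam.amazonaws.com", "ses.amazonaws.com"
STOLEN_KEY = "AKIACONSTRUCTED00001"    # constructed; AKIA prefix = long-term IAM key
NEW_USER_KEY = "AKIACONSTRUCTED00002"  # constructed; assumed key of the created user

# Constructed Legion-like sequence: four IAM calls in three seconds, then SES checks.
SAMPLE_RECORDS = [
    _event("2023-04-26T10:00:05Z", IAM, "CreateUser", STOLEN_KEY,
           {"userName": "example_legion",
            "tags": [{"key": "Owner", "value": "constructed-owner"}]}),
    _event("2023-04-26T10:00:06Z", IAM, "CreateGroup", STOLEN_KEY,
           {"groupName": "example_admin_group"}),
    _event("2023-04-26T10:00:07Z", IAM, "AddUserToGroup", STOLEN_KEY,
           {"groupName": "example_admin_group", "userName": "example_legion"}),
    _event("2023-04-26T10:00:08Z", IAM, "AttachGroupPolicy", STOLEN_KEY,
           {"groupName": "example_admin_group", "policyArn": ADMIN_POLICY}),
    _event("2023-04-26T10:00:30Z", SES, "GetSendQuota", NEW_USER_KEY, {}, "example_legion"),
    _event("2023-04-26T10:00:31Z", SES, "ListIdentities", NEW_USER_KEY, {}, "example_legion"),
    _event("2023-04-26T10:00:45Z", SES, "SendEmail", NEW_USER_KEY, {}, "example_legion"),
]

# Constructed benign onboarding: same call sequence, ReadOnlyAccess, spread over 30 minutes.
BENIGN_RECORDS = [
    _event("2023-04-26T09:00:00Z", IAM, "CreateUser", "AKIACONSTRUCTEDADMIN", {"userName": "new-hire"}),
    _event("2023-04-26T09:05:00Z", IAM, "CreateGroup", "AKIACONSTRUCTEDADMIN", {"groupName": "readers"}),
    _event("2023-04-26T09:10:00Z", IAM, "AddUserToGroup", "AKIACONSTRUCTEDADMIN",
           {"groupName": "readers", "userName": "new-hire"}),
    _event("2023-04-26T09:30:00Z", IAM, "AttachGroupPolicy", "AKIACONSTRUCTEDADMIN",
           {"groupName": "readers", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]

if __name__ == "__main__":
    for finding in find_persistence_chains(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2))
```

Feeding real CloudTrail log files means passing the list under the top-level "Records" key; the correlation by created user name is what links the SES calls back to the stolen key even when the tool switches to the new user's own credentials.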