Arquivo_Complementar.txt
Updated on 20/07/2022 15:26
arquivo_complementar.txt
— 11 KB
File contents
------------------------------------
SUPPLEMENTARY TECHNICAL INFORMATION:
------------------------------------
1. Monitor DNS queries, including TXT-type queries:
1.1. The following regular expression can help find suspicious queries. It can be used on logs with the grep command or in indexing tools that accept regular expressions (e.g., Kibana):
/([^.]+\.)+[0-9a-f]{8,63}\.[0-9a-f]{8,63}\.([^\s])+/
It matches a name that has at least one label in front of two consecutive labels of 8 to 63 lowercase hexadecimal characters (the shape of hex-encoded data carried in DNS labels), followed by a parent domain. Query names are case-insensitive and some resolvers log them with mixed case, so match case-insensitively (grep -i) if your logs preserve case.
1.2. Example of use with the grep command. Note that in a POSIX extended regular expression a backslash inside a bracket expression is literal, so [^\s] would exclude only "\" and "s" rather than whitespace; the POSIX class [^[:space:]] is used instead:
grep -E '([^.]+\.)+[0-9a-f]{8,63}\.[0-9a-f]{8,63}\.([^[:space:]])+' <file>
1.3. The expression was written to keep the false-positive rate low, so some malicious queries may be missed.
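The detection in item 1 run over log lines, as an added example that is not part of the advisory: it applies the regular expression from item 1.1 to the query name extracted from each line and additionally flags queries for the domains listed in item 3.3 below, since a tunnel that encodes little data may not reach the two-hex-label shape. The BIND-style "query: <qname> IN <qtype>" log format and the sample lines are constructed for this example; the regex is the advisory's, with the [0-9af] typo corrected and the trailing non-whitespace class spelled out explicitly.

```python
import re

# Regex from item 1.1 of the advisory, with [0-9af] corrected to [0-9a-f] and the
# trailing [^\s] spelled as an explicit class so it means "non-whitespace" in
# Python's re and in POSIX ERE alike (inside an ERE bracket expression, \ is literal).
# IGNORECASE is an addition: query names are case-insensitive and some resolvers
# log them with randomised case.
SUSPICIOUS_QNAME = re.compile(
    r"([^.]+\.)+[0-9a-f]{8,63}\.[0-9a-f]{8,63}\.[^ \t\r\n]+", re.IGNORECASE
)

# Domains from item 3.3 of the advisory.
IOC_DOMAINS = {
    "cintepol.link", "cintepol.net", "cintepol.org", "dpf.pm", "prodesp.link",
    "suport.link", "assets.fans", "bancodobrasil.dev", "caixa.cx", "prodesp.org",
    "localdns.link", "unibb.link", "caixa.link", "caixa.wf", "brisanet.in",
}

# Assumed log format (BIND query log): "... query: <qname> IN <qtype> ..."
QUERY_LOG = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)")

# Constructed sample lines; the hex labels are made up and the "example" names are not IoCs.
SAMPLE_LOG = """\
20-Jul-2022 15:26:01.001 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
20-Jul-2022 15:26:01.002 client 10.0.0.5#51235: query: c0ffee.cdn.example.com IN A + (10.0.0.1)
20-Jul-2022 15:26:01.003 client 10.0.0.7#40001: query: 21ab.0a1b2c3d4e5f6a7b.9f8e7d6c5b4a3f2e.cintepol.link IN TXT + (10.0.0.1)
20-Jul-2022 15:26:01.004 client 10.0.0.7#40002: query: f1e2d3c4.0011223344556677.8899aabbccddeeff.tunnel.example.org IN TXT + (10.0.0.1)
20-Jul-2022 15:26:01.005 client 10.0.0.8#40003: query: www.caixa.cx IN A + (10.0.0.1)
20-Jul-2022 15:26:01.006 client 10.0.0.9#40004: query: ab.deadbeef01.cafebabe02.suport.link IN TXT + (10.0.0.1)
"""


def in_ioc_domains(qname, domains=IOC_DOMAINS):
    """True if qname is one of the IoC domains or a subdomain of one (trailing dot tolerated)."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def find_suspicious_queries(log_lines, txt_only=False):
    """Return (qname, qtype, reasons) for every query that matches the pattern and/or an IoC domain.

    txt_only restricts the check to TXT queries, the record type the advisory singles out.
    """
    hits = []
    for line in log_lines:
        m = QUERY_LOG.search(line)
        if not m:
            continue
        qname, qtype = m.group("qname"), m.group("qtype")
        if txt_only and qtype != "TXT":
            continue
        reasons = []
        if SUSPICIOUS_QNAME.search(qname):
            reasons.append("pattern")
        if in_ioc_domains(qname):
            reasons.append("domain")
        if reasons:
            hits.append((qname, qtype, tuple(reasons)))
    return hits


if __name__ == "__main__":
    for qname, qtype, reasons in find_suspicious_queries(SAMPLE_LOG.splitlines()):
        print(f"{qtype:6} {qname}  [{', '.join(reasons)}]")
```

Run it against a real query log with find_suspicious_queries(open(path)); matching on the extracted name rather than on the whole line keeps the trailing non-whitespace class from swallowing the rest of the log record.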
2. On network devices, monitor traffic to high ports such as: 45345, 34535, 64543, 24645, 47623, 62537, 43253, 43753, 63424, 26424, 55667, 42859, 59637, 7938 and 54356.
2.1. The ports may change between versions of the artifact.
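A host-side complement to the network monitoring in item 2, as an added example that is not part of the advisory: a parser for the /proc/net/tcp and /proc/net/tcp6 format that flags sockets whose local or remote port is on the list above. The YARA strings later on this page (gen_proc_net_port, hide_proc_net_connection) are consistent with a userland library that filters what a hooked process sees in /proc/net, so on a live suspect host read these files with a statically linked tool or from a rescue boot, and treat the network-device view as authoritative. The sample tables below are constructed; the port list is the advisory's.

```python
import socket
import struct
from collections import namedtuple

# Ports listed in item 2 of the advisory (they may change between artifact versions).
SUSPICIOUS_PORTS = {45345, 34535, 64543, 24645, 47623, 62537, 43253, 43753,
                    63424, 26424, 55667, 42859, 59637, 7938, 54356}

# Socket states as encoded in the "st" column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

Sock = namedtuple("Sock", "local_ip local_port remote_ip remote_port state")

# Constructed samples: a listener on 22 (benign), a listener on 45345, an outbound
# connection from 10.0.0.5 to 10.0.0.12:54356, and an IPv6 listener on 7938.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:B121 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0500000A:A3D8 0C00000A:D454 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1F02 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def hex_ip(h):
    """Decode an address column: 8 hex chars (IPv4) or 32 (IPv6), as little-endian 32-bit words."""
    words = [struct.pack("<I", int(h[i:i + 8], 16)) for i in range(0, len(h), 8)]
    family = socket.AF_INET if len(h) == 8 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words))


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into Sock tuples; ports are hex."""
    socks = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":  # header or blank line
            continue
        lip, lport = fields[1].split(":")
        rip, rport = fields[2].split(":")
        socks.append(Sock(hex_ip(lip), int(lport, 16), hex_ip(rip), int(rport, 16),
                          TCP_STATES.get(fields[3], fields[3])))
    return socks


def suspicious_sockets(socks, ports=SUSPICIOUS_PORTS):
    """Sockets listening on, or connected to, one of the advisory's ports."""
    return [s for s in socks if s.local_port in ports or s.remote_port in ports]


if __name__ == "__main__":
    tables = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                tables.append(f.read())
        except OSError:
            pass
    if not tables:  # not on Linux: show the constructed samples instead
        tables = [SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_TCP6]
    for table in tables:
        for s in suspicious_sockets(parse_proc_net_tcp(table)):
            print(f"{s.state:12} {s.local_ip}:{s.local_port} -> {s.remote_ip}:{s.remote_port}")
```

The same parser applies to /proc/net/udp (no state column semantics, but identical address encoding), which matters because item 1 describes a DNS-based channel.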
3. Indicators of Compromise (IoCs):
3.1. HASHES (SHA256):
a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6
ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180
45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01
f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c
81cc9e04d1db05bcfc0538e5b6bb2d65e78e2fd0f0dd66b672e5d18e6c63d44c
121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924
3.2. FILES:
/etc/usb.h
/etc/usb.so
/etc/certbot.h
/etc/cert.h
/etc/kernelaudit
/etc/kerneldev
/etc/kerneldbus
/etc/mpt64.h
/etc/etc.so
/etc/dev.h
/etc/etc.h
/usr/include/linux/javautils
/usr/include/linux/java64x
/usr/include/certbot.h
/lib/certbot.h
/lib/cert.h
/lib/search.so
/lib/mt64.so
/lib/kernelaudit.so
/lib/kerneldev.so
/lib/kerneldbus.so
/lib/etc.so
/lib/etc.h
/lib64/mt64.so
/lib64/subsys.so
/lib64/liblinux.so
/lib64/kerneldev
/lib64/kerneldev.so
/lib64/kerneldbus.so
/lib64/etc.so
/lib64/etc.h
/lib64/devutils.so
/lib64/kernelaudit.so
3.3. DOMAINS:
cintepol.link
cintepol.net
cintepol.org
dpf.pm
prodesp.link
suport.link
assets.fans
bancodobrasil.dev
caixa.cx
prodesp.org
localdns.link
unibb.link
caixa.link
caixa.wf
brisanet.in
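A triage script for the file indicators in 3.1 and 3.2, as an added example that is not part of the advisory: it checks each listed path under a root directory, hashes regular files with SHA-256 and reports whether the digest is one of the known hashes. Point root at a mounted disk image or run it from a rescue boot; the YARA strings on this page (orig_readdir, hidden_file, fake_trace_objects) are consistent with a library that hides its own files from hooked processes, so a check run on the live host can be lied to. The look at /etc/ld.so.preload is an extra check of my own, not something the advisory states about this artifact; it is the usual place a library is injected into every dynamically linked process, so an entry there pointing at one of the IoC paths is worth reporting.

```python
import hashlib
import os
from collections import namedtuple

# Indicators from items 3.1 and 3.2 of the advisory.
IOC_SHA256 = {
    "a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6",
    "ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180",
    "45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01",
    "f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c",
    "81cc9e04d1db05bcfc0538e5b6bb2d65e78e2fd0f0dd66b672e5d18e6c63d44c",
    "121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924",
}
IOC_PATHS = """
/etc/usb.h /etc/usb.so /etc/certbot.h /etc/cert.h /etc/kernelaudit /etc/kerneldev
/etc/kerneldbus /etc/mpt64.h /etc/etc.so /etc/dev.h /etc/etc.h
/usr/include/linux/javautils /usr/include/linux/java64x /usr/include/certbot.h
/lib/certbot.h /lib/cert.h /lib/search.so /lib/mt64.so /lib/kernelaudit.so
/lib/kerneldev.so /lib/kerneldbus.so /lib/etc.so /lib/etc.h
/lib64/mt64.so /lib64/subsys.so /lib64/liblinux.so /lib64/kerneldev /lib64/kerneldev.so
/lib64/kerneldbus.so /lib64/etc.so /lib64/etc.h /lib64/devutils.so /lib64/kernelaudit.so
""".split()

Finding = namedtuple("Finding", "path sha256 hash_match note")


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_root(root="/", paths=IOC_PATHS, hashes=IOC_SHA256):
    """Check every IoC path under `root` (a mounted image for an offline check) and
    report presence, digest and whether the digest is a known malicious hash."""
    findings = []
    for rel in paths:
        p = os.path.join(root, rel.lstrip("/"))
        if not os.path.lexists(p):
            continue
        if os.path.isfile(p) and not os.path.islink(p):
            digest = sha256_file(p)
            known = digest in hashes
            findings.append(Finding(rel, digest, known,
                                    "known malicious hash" if known else "IoC path present, hash not in list"))
        else:
            findings.append(Finding(rel, None, False, "IoC path present (not a regular file)"))
    # Extra check, not from the advisory: libraries listed in /etc/ld.so.preload are
    # loaded into every dynamically linked process; flag entries, marking IoC paths.
    preload = os.path.join(root, "etc/ld.so.preload")
    if os.path.isfile(preload):
        with open(preload, errors="replace") as f:
            for entry in f.read().split():
                note = "listed in /etc/ld.so.preload" + (" (IoC path)" if entry in paths else "")
                findings.append(Finding(entry, None, False, note))
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan_root(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{finding.path}: {finding.note}" + (f" {finding.sha256}" if finding.sha256 else ""))
```

A present IoC path whose hash is not in the list is still a finding: item 2.1 notes the artifact changes between versions, so the hash list should be treated as confirmation, not as the only test.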
4. YARA rules that can be used to detect the artifacts (the known malicious files whose hashes are listed above). We recommend running the rules recursively over the operating system's filesystem. Several of the rules match on strings such as orig_execve, orig_readdir, hidden_file and PROCS_TO_HIDE, which are consistent with a userland library that hooks file, process and network listing, so prefer scanning from a clean environment (a rescue boot or a mounted disk image) rather than trusting the possibly hooked live system:
import "elf"
rule liblinux_rule {
meta:
description = "Liblinux"
date = "2022-06-10"
strings:
$s1 = "keylogger" fullword ascii
$s2 = "pampassword" fullword ascii
$s3 = "download_script" fullword ascii
$s4 = "execute_dns_code" fullword ascii
$s5 = "xgetline" fullword ascii
$s6 = "getaddrlist" fullword ascii
$s7 = "getfilename" fullword ascii
$s8 = "execlp@@GLIBC_2.2.5" fullword ascii
$s9 = "orig_execve" fullword ascii
$s10 = "cmdline.6841" fullword ascii
$s11 = "decoded_table.10589" fullword ascii
$s12 = "savepasswd" fullword ascii
$s13 = "dns_txt_download" fullword ascii
$s14 = "pipe@@GLIBC_2.2.5" fullword ascii
$s15 = "prepare_pipe" fullword ascii
$s16 = "fake_trace_objects" fullword ascii
$s17 = "ChangetoDnsNameFormat" fullword ascii
$s18 = "getline@@GLIBC_2.2.5" fullword ascii
$s19 = "getnameinfo@@GLIBC_2.2.5" fullword ascii
$s20 = "getpid@@GLIBC_2.2.5" fullword ascii
condition:
elf.number_of_sections >= 10 and
uint16(0) == 0x457f and filesize < 200KB and
15 of them
}
rule mt64_ {
meta:
description = "mt64"
date = "2022-06-10"
strings:
$s1 = "keylogger" fullword ascii
$s2 = "pampassword" fullword ascii
$s3 = "xgetline" fullword ascii
$s4 = "getfilename" fullword ascii
$s5 = "orig_execve" fullword ascii
$s6 = "cmdline.5912" fullword ascii
$s7 = "savepasswd" fullword ascii
$s8 = "pipe@@GLIBC_2.2.5" fullword ascii
$s9 = "getenv@@GLIBC_2.2.5" fullword ascii
$s10 = "log_cmd_line" fullword ascii
$s11 = "getline@@GLIBC_2.2.5" fullword ascii
$s12 = "fake_trace_objects" fullword ascii
$s13 = "readdir64" fullword ascii
$s14 = "erasefree" fullword ascii
$s15 = "strstrmem" fullword ascii
$s16 = ".eh_frame_hdr" fullword ascii
$s17 = "orig_read" fullword ascii
$s18 = "completed.6341" fullword ascii
$s19 = "readlink@@GLIBC_2.2.5" fullword ascii
$s20 = "orig_readdir.6135" fullword ascii
condition:
elf.number_of_sections >= 10 and
uint16(0) == 0x457f and filesize < 100KB and
17 of them
}
rule search_rule {
meta:
description = "search"
date = "2022-06-10"
strings:
$s1 = "keylogger" fullword ascii
$s2 = "download_script" fullword ascii
$s3 = "pampassword" fullword ascii
$s4 = "execute_dns_code" fullword ascii
$s5 = "getaddrlist" fullword ascii
$s6 = "getfilename" fullword ascii
$s7 = "xgetline" fullword ascii
$s8 = "execlp@@GLIBC_2.2.5" fullword ascii
$s9 = "cmdline.6812" fullword ascii
$s10 = "orig_execve" fullword ascii
$s11 = "savepasswd" fullword ascii
$s12 = "decoded_table.10560" fullword ascii
$s13 = "prepare_pipe" fullword ascii
$s14 = "pipe@@GLIBC_2.2.5" fullword ascii
$s15 = "dns_txt_download" fullword ascii
$s16 = "get_machine_id" fullword ascii
$s17 = "getpid@@GLIBC_2.2.5" fullword ascii
$s18 = "getifaddrs@@GLIBC_2.3" fullword ascii
$s19 = "getenv@@GLIBC_2.2.5" fullword ascii
$s20 = "getline@@GLIBC_2.2.5" fullword ascii
condition:
elf.number_of_sections >= 10 and
uint16(0) == 0x457f and filesize < 200KB and
15 of them
}
rule certbotx64 {
meta:
description = "certbotx64"
date = "2022-06-10"
strings:
$s1 = " --exec -e <process> Execute the given process and link it to the stream." fullword ascii
$s2 = "COMMAND_EXEC [response] :: request_id: 0x%04x :: session_id: 0x%04x" fullword ascii
$s3 = "exec driver shut down; killing process %d" fullword ascii
$s4 = "COMMAND_EXEC [request] :: request_id: 0x%04x :: name: %s :: command: %s" fullword ascii
$s5 = "exec: couldn't create process (%d)" fullword ascii
$s6 = "Starting: /bin/sh -c '%s'" fullword ascii
$s7 = "exec: couldn't create pipe (%d)" fullword ascii
$s8 = "COMMAND_SHELL [response] :: request_id: 0x%04x :: session_id: 0x%04x" fullword ascii
$s9 = "[Tunnel %d] connection to %s:%d closed by the client: %s" fullword ascii
$s10 = "[Tunnel %d] connection to %s:%d closed by the server!" fullword ascii
$s11 = "By default, a --dns driver on port 53 is enabled if a hostname is" fullword ascii
$s12 = "Error: dropped user account has root privileges; please specify a better" fullword ascii
$s13 = "It looks like you used --dns and also passed a domain on the commandline." fullword ascii
$s14 = "Creating a exec('%s') session!" fullword ascii
$s15 = " --command Start an interactive 'command' session (default)." fullword ascii
$s16 = "Received FIN: (reason: '%s') - closing session" fullword ascii
$s17 = "** Peer verified with pre-shared secret!" fullword ascii
$s18 = "COMMAND_DOWNLOAD [request] :: request_id: 0x%04x :: filename: %s" fullword ascii
$s19 = "COMMAND_DOWNLOAD [response] :: request_id: 0x%04x :: data: 0x%x bytes" fullword ascii
$s20 = "exec: execlp failed (%d)" fullword ascii
condition:
elf.number_of_sections >= 10 and
uint16(0) == 0x457f and filesize < 400KB and
8 of them
}
rule kerneldev {
meta:
description = "kerneldev"
date = "2022-06-10"
strings:
$s01 = "keylogger" fullword ascii
$s02 = "px32.nss.atendimento-estilo.com" fullword ascii
$s03 = "pampassword" fullword ascii
$s04 = "kernelconfig" fullword ascii
$s05 = "getserver" fullword ascii
$s06 = "kerneldev" fullword ascii
$s07 = "getaddrlist" fullword ascii
$s08 = "/proc/self/cmdline" fullword ascii
$s09 = "suporte42atendimento53log" fullword ascii
$s10 = "threadmulti" fullword ascii
$s12 = "ChangetoDnsNameFormat" fullword ascii
$s13 = "kerneldev.so" fullword ascii
$s14 = "log_cmd_line" fullword ascii
$s15 = "sendlinedns" fullword ascii
$s16 = "erasefree" fullword ascii
condition:
elf.number_of_sections >= 10 and
uint16(0) == 0x457f and filesize < 60KB and
8 of them
}
rule source {
meta:
description = "Source"
date = "2022-06-10"
strings:
$s01 = "ChangetoDnsNameFormat" fullword ascii
$s02 = "HIDDEN_IPS" fullword ascii
$s03 = "HIDDEN_PORTS" fullword ascii
$s04 = "PROCS_TO_HIDE" fullword ascii
$s05 = "download_script" fullword ascii
$s06 = "check_backdoor" fullword ascii
$s07 = "check_proc" fullword ascii
$s08 = "check_rw_hook" fullword ascii
$s09 = "consttime_equal" fullword ascii
$s10 = "dns_broadcast_request" fullword ascii
$s11 = "dns_txt_download" fullword ascii
$s12 = "ed25519_verify" fullword ascii
$s13 = "endswith" fullword ascii
$s14 = "erasefree" fullword ascii
$s15 = "execute_dns_code" fullword ascii
$s16 = "fake_trace_objects" fullword ascii
$s17 = "gen_proc_net_ip" fullword ascii
$s18 = "gen_proc_net_port" fullword ascii
$s19 = "hidden_file" fullword ascii
$s20 = "hidden_proc" fullword ascii
$s21 = "hide_proc_net_connection" fullword ascii
$s22 = "keylogger" fullword ascii
$s23 = "log_cmd_line" fullword ascii
$s24 = "savepasswd" fullword ascii
$s25 = "sendlinedns" fullword ascii
$s26 = "strchr_reverse" fullword ascii
condition:
elf.number_of_sections >= 10 and
uint16(0) == 0x457f and filesize < 400KB and
8 of them
}
rule dnscat {
meta:
description = "dnscat"
date = "2022-06-10"
strings:
$dnscat = "dnscat" ascii
$s01 = "additional: %s => %s AAAA 0x%04x %08x" ascii
$s02 = "additional: %s => %s CNAME 0x%04x %08x" ascii
$s03 = "answer: %s => %s AAAA 0x%04x %08x" ascii
$s04 = "answer: %s => %s CNAME 0x%04x %08x" ascii
$s05 = "are directly connecting to the dnscat2 server." ascii
$s06 = "COMMAND_DELAY [request]" ascii
$s07 = "COMMAND_DELAY [response]" ascii
$s08 = "COMMAND_DOWNLOAD [response]" ascii
$s09 = "COMMAND_ERROR [request]" ascii
$s10 = "COMMAND_EXEC [request]" ascii
$s11 = "COMMAND_PING [request]" ascii
$s12 = "COMMAND_SHELL [request]" ascii
$s13 = "COMMAND_SHUTDOWN [request]" ascii
$s14 = "COMMAND_UPLOAD [request]" ascii
$s15 = "Creating DNS driver:" ascii
$s16 = "Creating UDP (DNS) socket on %s" ascii
$s17 = "dnscat" ascii
$s18 = "dnscat.c" ascii
$s19 = "dnscat2" ascii
$s20 = "DNSCAT_DOMAIN" ascii
$s21 = "DNSCAT_SECRET" ascii
$s22 = "dns_to_packet" ascii
$s23 = "Failed to calculate a shared secret" ascii
$s24 = "Failed to drop privileges to %s!" ascii
$s25 = "Failed to generate a keypair!" ascii
$s26 = "Received a CNAME response: %s" ascii
$s27 = "Received an AAAA response (%zu bytes)" ascii
$s28 = "Received an illegal packet:" ascii
$s29 = "Sending DNS query for: %s to %s:%d" ascii
$s30 = "Starting DNS driver without a domain! This will only work if you" ascii
$s31 = "That's not allowed! Either use '--dns domain=xxx' or don't use a --dns" ascii
$s32 = "The dnscat2 client couldn't connect to the remote host!" ascii
$s33 = "The only reason this can happen is if something is messing with" ascii
$s34 = "The response didn't contain the domain name: %s" ascii
$s35 = "The response was just the domain name: %s" ascii
$s36 = "The server didn't respond to our re-negotiation request! Waiting..." ascii
$s37 = "The server hasn't returned a valid response in the last %d attempts.. closing session." ascii
$s38 = "The server tried to close a tunnel that we don't know about: %d" ascii
$s39 = "TUNNEL_CLOSE [request]" ascii
$s40 = "TUNNEL_CLOSE [response]" ascii
$s41 = "Type = ENC :: [0x%04x] session" ascii
$s42 = "Type = FIN :: [0x%04x] session" ascii
$s43 = "Unknown DNS type returned: %d" ascii
$s44 = "Wow, this session is old! Time to re-negotiate encryption keys!" ascii
$s45 = "You can also fix this by creating a proper /etc/resolv.conf" ascii
$s46 = "You didn't pass any valid DNS types to use! Allowed types are TXT, CNAME, MX, A, AAAA" ascii
condition:
elf.number_of_sections >= 10 and
uint16(0) == 0x457f and filesize < 400KB and
$dnscat and
5 of ($*)
}