Bulbature, beneath the waves of GobRAT
2024-10-2 16:17:1 Author: blog.sekoia.io(查看原文) 阅读量:39 收藏

Key Takeaways

  • Since mid 2023, Sekoia Threat Detection & Research team (TDR) investigated an infrastructure which controls compromised edge devices transformed into Operational Relay Boxes used to launch offensive cyber attack.

  • The infrastructure has constantly evolved with a total of 63 servers identified and analysed, and is still operating at the time of publication of this report.

  • On some servers, it is possible to find installation scripts as well as the GobRAT and Bulbature malware. Other servers provide a view of the administration interface used to manage compromised hosts and launch attacks.

  • Several traces lead us to suggest that this infrastructure might be used by several operators originating from China.

Context

On 9 October 2023, the Threat Detection & Research (TDR) team published a private report regarding an attack campaign on edge devices also documented by the JPCERT/CC on 29 May 2023. Since then, the network infrastructure has remained active and dozens of new hosts were deployed with the same characteristics as those initially identified. These hosts are monitored via the Sekoia C2 Tracker project and are capitalised within the Sekoia Intelligence Center (IC). 

In our 2023 report, we assessed that this infrastructure was very likely used to support operations of multiple intrusion sets, likely of Chinese origin, due to certain traces attributing the attacks and the victimology observed, which mainly included edge devices transformed into Operational Relay Boxes (ORB). For some years now, we observe that China uses edge devices as ORB to conduct offensive cyber campaigns, as previously reported in link with the Quad7 operator or the APT31 infrastructure. Although there was few open source information on GobRAT, TDR decided to investigate this threat in depth. 

This investigation is still in progress as of September 2024, and we will focus on highlighting the infrastructure and the different types of hosts identified. The cut-off date for indicators included in this report is 5 September 2024. 

Initial findings

The initial findings came from a self-signed certificate that was used on a staging host identified by the JPCERT/CC:

Subject DNC=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Issuer DNC=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Serial NumberDecimal: 587046745646849621397962336094648657285118811505
Validity Period2021-05-16T06:47:34 to 2031-05-14T06:47:34
SHA-2563ab014dd8cc7878c4e840be84b111e6fa71de221c42c14b0becaf3827a744ab9
SHA-1d0d3975b5b900b3af2dce973428475f022b16f60
MD5af4ad0bd9221ffc63ae5acff4034834a

In 2023, when other staging hosts were analysed, one host was using a second, distinct certificate:

Subject DNO=mkcert development certificate, OU=a@a-virtual-machine
Issuer DNO=mkcert development CA, OU=a@a-virtual-machine, CN=mkcert a@a-virtual-machine
Serial NumberDecimal: 77481536472298673143899330019234134150
Validity Period2021-12-21T01:38:57 to 2024-03-21T01:38:57
SHA-25627b6567f260dd689200bbda0794341b1edcf6039cfc1ae7adf0bc6477a16a1f9
SHA-174fe94844a337da4bdc2988609fb3c4df3f3b78d
MD5e4b7b3a2610ad706a83667a5bac7cd31

Since we started monitoring the infrastructure, it was the first time – and only occasion – that a second certificate was observed, likely an error by the operator. It led us to uncover two new host types correlating the overall infrastructure. Since 2023, these two certificates were used to identify 63 different hosts, including 20 that were still active at the time of writing.

In this report, we provide a comprehensive analysis of each type of these servers.

Down the rabbit hole: Infrastructure overall

Our analysis revealed a network architecture from staging servers to administration panels. This overall infrastructure was observed following an analysis of over 5,000 files on hosts that used these two self-signed certificates mentioned above. Based on our analysis, we illustrated the different infrastructure components as follows:

GobRAT and Bulbature infrastructure. Source: Sekoia TDR Team

This infrastructure involves compromised edge devices that, once infected, download from attackers’ staging servers two different malicious codes: GobRAT and Bulbature. These two codes seem to have different purposes. 

GobRAT, which has been already documented by the JP-CERT, is a swiss-army knife backdoor written in Go which has standard RAT functionalities and is also used to relay specific attacks from the compromised devices such as DDoS or vulnerability exploitation campaigns. It seems to be used to gather intelligence from the networks associated with the compromised edge devices.

Bulbature, an implant that was not yet documented in open source, seems to be only used to transform the compromised edge device into an ORB to relay attacks against final victims networks.

Infection chain used to compromise edge devices

ORBs

We have been able to observe edge devices compromised and transformed into ORBs by GobRAT and Bulbature (initially called “kkrn”) malware. The following infection chain can therefore be described in four main steps:

Infection chain of edge devices compromised and transformed into ORBs (Operational Relay Boxes) by GobRAT and Bulbature. Source: Sekoia TDR Team
  • Step 1: The operator deploys staging servers, which host Bash scripts as well as GobRAT and Bulbature malware.
  • Step 2: The operator compromises edge devices.
  • Step 3: The operator runs Bash scripts that download malware from the staging servers, and runs them.
  • Step 4: The edge device communicates with staging servers and Bulbature C2 & Dispenser. It is transformed into an ORB.

Staging servers

The list of staging servers at the date of writing is as follows:

Staging host IPASNAS NameHosting Country
38.54.56.5AS138915KAOPU-HK Kaopu Cloud HK LimitedJapan
38.54.85.246Hong Kong
38.60.134.236France
38.60.221.32Russia
38.60.221.63
38.60.221.174
38.60.223.51
38.60.223.81
38.60.221.145

All the currently active hosts are located under the same autonomous system AS138915, but it was not always the case historically, since other ASNs have also been observed since 2023. It is worth mentioning that this autonomous system is increasingly used by Chinese intrusion sets. Nevertheless, all these staging servers host malicious files served on port 443 (HTTPs) or 58888 (HTTP or HTTPS). On these ports, we have identified an open directory under /static/, containing the following files

FilenameTypeFile InfoCreation Date
sshdeny1.shBlock scriptBourne-Again shell script2024-07-19
hold_by_bot.shDaemon scriptBourne-Again shell script2024-07-31
zoneController.shDaemon scriptBourne-Again shell script2024-07-19
zonedelete.shDelete scriptBourne-Again shell script2024-07-19
zonesetup.shStart scriptBourne-Again shell script2024-07-19
zoneupdate.shUpdate scriptBourne-Again shell script2024-07-23
zoneRestart.shUpdate scriptBourne-Again shell script2024-07-19
bulbatureBulbature malwareELF 64-bit LSB executable (x86-64)2024-07-31
zone.x86_64GobRAT malwareELF 64-bit LSB executable (x86-64)2024-07-19
zone.i686GobRAT malwareELF 32-bit LSB executable (Intel 80386)2024-07-19
zone.armGobRAT malwareELF 32-bit LSB executable (ARM)2024-07-19
zone.mipsGobRAT malwareELF 32-bit LSB executable (MIPS)2024-07-19
frpc.x86_64FRP (Fast Reverse Proxy)ELF 64-bit LSB executable (x86-64)2024-07-19
frpc.i686FRP (Fast Reverse Proxy)ELF 32-bit LSB executable (Intel 80386)2024-07-19
frpc.armFRP (Fast Reverse Proxy)ELF 32-bit LSB executable (ARM)2024-07-19

This open directory contains installation and management scripts, tools and two backdoors, GobRAT and Bulbature. In total, more than 200 files were found on the staging servers, and the first records of these files date back to 2022. Although there are variations, mainly due to the fact that many scripts contain hard coded domains, they all behave in the same way and perform the same actions.

Bash scripts

Full details of the chain of compromise carried out by the Bash scripts are available in Appendix 1: Bash scripts. These Bash scripts include code for:

  • Installing and running malware;
  • Ensuring persistence;
  • Blocking other potential attackers;
  • Making the host publicly accessible by disabling security mechanisms.

It is also possible to notice that update scripts are included which have the effect of deleting scripts and malware and reinstalling them entirely. This indicates a desire to keep access to a compromised device and to push out new versions of the malware, probably with new functionalities.

Malware interactions

GobRAT is a RAT developed in Go language providing 22 types of commands that are runned from a staging server, as reported by the JPCERT/CC. Its capabilities are as follows:

  • Obtains a new C2 configuration
  • Starts, stops or confirms a reverse shell connection
  • Executes shell commands
  • Reads/writes a specified file
  • Fingerprints host
  • Captures system state data
  • Sets new communication channel for TCP/UDP
  • Runs a SOCKS5 proxy (compatible with specified port and password)
  • Runs a Fast Reverse Proxy (FRP) binary (well known and available on Github)
  • Attempts to login on services like SSH, Telnet, Redis, MySQL or PostgreSQL
  • Sends HTTP/HTTPS requests to a specified IP
  • Sends HTTP/HTTPS Dictionary attack to a specified IP
  • Performs DDoS attacks using SYN, TCP, UDP, HTTP, ICMP

By analysing the content of installation scripts, it was possible to group together all the names, ports and running methods of the malware. They are constantly found in the same place in the staging servers open directory, and they are also executed at the same time.

MalwareAliasRun commandLocal portRemote port
GobRATapached
icon_x
asus_x
./zone.[ARCH] -dNone80 (TCP, HTTPS)
Bulbaturebulbature
kkrn
mostise
myet
rhabdia
scindwise
out_arm
out_mipsle
asus_x
level
./bulbature -d [PORT]
./bulbature [PORT]
Random (UDP)
5500 (UDP)
8001 (TCP)
8080 (TCP)

However, it is not yet obvious how Bulbature behaves due to a very high level of obfuscation. The figure below highlights the interactions observed during the infection process of an edge device:

The interactions of GobRAT and Bulbature observed during the infection process of an edge device

On this diagram, the orange-coloured data shows the parts that could not be fully identified. Despite this fact, the following steps can be observed:

  • Step 1: zoneupdate.sh downloads Bash scripts as well as GobRAT and Bulbature malware from a staging server.
  • Step 2: GobRAT and Bulbature are dropped and executed.
  • Step 3a: GobRAT exchanges data over TCP with a staging server.
  • Step 3b-0
    • Step 3b-1: When Bulbature is launched without any arguments (./bulbature), it connects to the Bulbature Dispenser, a server which is designed to send back a list of three [IP]:[PORT] Bulbature C2.
    • Step 3b-2: Bulbature malware connects to Bulbature C2 using an IP address with port from the list received in the previous step.
    • Step 3b-3: Bulbature listens on a random UDP port, and data is exchanged with the IP and the port of Bulbature C2 selected on the previous step.
  • Step 3-c0
    • Step 3c-1: When Bulbature is launched with an argument (./bulbature 5500 or ./bulbature -d 5500), Bulbature listens on the port entered as an argument in UDP and exchanges data with Bulbature C2.
    • Step 3c-2: Bulbature listens on port 8001 (TCP), bound to localhost only.

Bulbature has been the primary source of challenges encountered during the analysis. At the time of writing, it has not been possible to identify all its features and network interactions. Based on the results obtained, it appears that its behaviour is more complex than GobRAT and connects to a different infrastructure cluster than GobRAT. 

Bulbature is developed in C, compiled for x86-64, ARM or MIPS architectures and packed with UPX. It contains anti-analysis techniques such as:

  • Strings encryption: strings are encrypted using a simple xor
  • Control Flow Flattening (CFF)

The CFF complicates reverse engineering significantly. To address this issue, we tested two techniques: 

  • The use of the d810 plugin. In some cases, this plugin removes the CFF completely or partially.
  • The development of a custom IDA Pro script to reconstruct the original control flow. Unfortunately, various special cases hindered its effectiveness.

Moreover, all samples of Bulbature are stripped and contain more than 1000 functions. Bulbature is statically compiled with the mbedtls library and makes extensive use of asynchronous programming. This further complicated our analysis, preventing us from gaining a precise understanding of its function and role. 

Nevertheless, Bulbature appears to be a malware with functionalities that are primarily network-related, along with other basic features such as executing local commands.

The analysis still allowed us to identify two encrypted Bulbature C2 Dispenser servers: nbt201.dynamic-dns[.]net:8080 and eyh.ocry[.]com:443. Then, we also were able to retrieve a list of Bulbature C2 servers.

Proxies provider interface

Among all hosts that have a self-signed certificate (MD5: af4ad0bd9221ffc63ae5acff4034834a), several of them share the same behaviour and we call them Proxies provider. It has not been possible to establish a clear correlation between them and GobRAT or Bulbature, so it could be linked to another piece of malware. At the time of writing, these two servers are active:

IPv4ASNAS NameHosting Country
47.96.119.186AS37963ALIBABA-CN-NET Hangzhou Alibaba AdvertisingChina
178.128.96.236AS14061DIGITALOCEAN-ASNSingapore

The first port 8080 (HTTPS) is hosting a web interface where a login is required. By investigating the open directories of these hosts, we were able to discover an open directory containing HTML, Javascript and CSS files: the webadmin console’s unpacked frontend  source code. As a result, it was possible to visualise the interface without the data and extract various API endpoints.

The second port is listening on port 8888 (HTTPS) and hosts an API. The following endpoints have been identified:

EndpointGoal
/v1/wire-guard/tunnelDisplay all “Security Tunnels” (proxies)
/v1/wire-guard/nodeDisplay all “Nodes” (compromised hosts)
/v1/wire-guard/nodegroup/allDisplay all “Nodes Groups” (group of compromised hosts)
/v1/wire-guard/eventlog/allDisplay all server logs
/v1/wire-guard/settingDisplay settings (timer alarm)
/v1/wire-guard/user/listDisplay all users
/v1/wire-guard/userDisplay the current user
/v1/wire-guard/passwordReset password
/v1/wire-guard/loginConnect the user (only the “root” account is authorised to connect)

Browsing the “Security Tunnel” view

When the path /dist#/ of these hosts is consulted, the following interface is displayed.

Proxies provider interface

In the home view called “Security Tunnel”, we find a table that is probably listing proxies tunnels. When a user wants to add one via the “Add” button, a window appears. When the “Generate Mode” field is checked at “Select”, a new dialog appears offering to select one of the protocols: WireGuard, OpenVPN, L2TP, PPTP, SSTP, SOCKS5, SOCKS4 or HTTPS. Based on the fields displayed, it seems possible for an operator to create an on-demand proxy tunnel.

Browsing the “Nodes” view

Next, in the “Nodes” view, a table is displayed containing the columns “Name”, “IP”, “Node Group”, “Status” and “operation”. When the “Add” button is clicked, the following window is displayed:

Proxies provider interface

Judging by the form fields in this window, it can be deduced that the “Nodes” used in the “Security Tunnel” correspond to compromised edge devices. When adding a new node, the user is asked to select whether “Auto deploy first” or “Have been deployed by script”.

Finally, in the “Setting” view of the interface, the following page can be found:

Proxies provider interface

When an operator creates a proxy tunnel, if he keeps using the same connection for too long (at least 60 minutes here), an alert will prompt on the interface.

We can conclude that this proxies provider interface allows an operator to create on-the-fly proxies tunnels compatible with several Proxy/VPN protocols. Based on the interface we can deduce that the proxies are deployed directly on the compromised edge devices. Furthermore, the alarm mechanism indicates a desire to rotate the proxy tunnel as soon as possible. This is a typical behaviour of attacker groups trying to cover their tracks, thereby reducing the traces of operations carried out.

GobRAT administration interface

Still based on the certificate (MD5: af4ad0bd9221ffc63ae5acff4034834a), it was possible to identify another cluster of servers. The discovered interface is related to the administration of the GobRAT malware with high confidence. This interface has the same functionalities as those implemented in GobRAT such as performing DDoS, executing commands, doing reconnaissance or performing attacks.

IPv4ASNAS NameHosting Country
38.54.85.70AS138915KAOPU-HK Kaopu Cloud HK LimitedHong Kong
38.54.85.164AS138915KAOPU-HK Kaopu Cloud HK LimitedHong Kong
38.54.85.178AS138915KAOPU-HK Kaopu Cloud HK LimitedHong Kong
38.60.203.167AS138915KAOPU-HK Kaopu Cloud HK LimitedHong Kong
103.57.248.40AS9009M247Hong Kong
176.97.73.171AS9009M247Japan
38.60.203.21AS138915KAOPU-HK Kaopu Cloud HK LimitedHong Kong
38.54.85.21AS138915KAOPU-HK Kaopu Cloud HK LimitedHong Kong
38.60.203.141AS138915KAOPU-HK Kaopu Cloud HK LimitedHong Kong

Several servers use different HTTP ports: 14739, 42208, 42308, 52208, 58162, and provide the same service. When a user tries to browse these ports, the body response is always the same:

{“message”: “need login”, “success”:0}

However, on any of these hosts, the path /assets leads to an open directory containing thousands of JavaScript, CSS and image files. There are several dozen versions of the interface, but all of them have the same structure and functionality. Since only the files used to display the front-end of the interface were available, it is possible to visualise what the interface looks like when a user is connected, but without the dynamic data.

Browsing home page

The home page consists of a table showing the aggregation of compromised edge devices, with different columns. These devices can be of different types as suggested by the “Category” field (routers, cameras, NAS, Linux or other). Still, they can also have different compatibilities according to the “Flags” field, which includes different processor architectures (x86_64, i686, ARM), operating systems (Linux, Windows), protocols (TCP or UDP) and the level of privilege acquired (Root). It is also possible to filter by the country in which they are located and whether or not they are running. To the left of this home page, a panel allows users to navigate to other views.

Screenshot of the home page of the GobRAT administration interface, rebuilt locally
Screenshot of the home page of the https://38.54.85[.]21:52208/interface, rebuilt locally

Browsing the “Task List” view

When the “Task List” view is consulted, it displays a table containing columns indicating actions in progress. Above, it is possible to filter, refresh or create new ones, which redirect to a new tab. A new window appears, offering three ways of creating tasks:

  • “Weak password”: seems to create a brute force attack task against specific or random hosts. The services targeted can be SSH, Telnet, MySQL, Redis or PostgreSQL. Users can also choose an existing credentials dictionary, or upload it.
Screenshot of the "Task List" view in the GobRAT administration interface.
  • “Exp” (for Exploit): creates a campaign designed to exploit a web vulnerability against pre-selected targets. It is possible to select a specific exploit (called a “Plugin” in the interface) or to select them all.
Screenshot of "Exp" task creation in the GobRAT administration interface.
Screenshot of “Exp” task creation
  • “DDoS”: creates a distributed denial-of-service (DDoS) attack campaign against a single target (IP or domain), or a block of IP addresses (called an “IP Segment” in the interface). It is possible to choose one or more specific ports, to start the campaign at a delayed time or to choose a vulnerability to be used.
Screenshot of "DDos" task creation in the GobRAT administration interface.
Screenshot of “DDos” task creation

Browsing the “Plugin” view

Moving on, the “Plugin” view lists all the web vulnerability exploits created. This page is designed to build custom network template actions that can be automatically deployed against targets. Four exploitation template types are available: “Exp”, “Web Admin”, “Camara” (note the typo) and “DDos”:

Screenshot of a "Plugin Exp" creation in the GobRAT administration interface.
Screenshot of a “Plugin Exp” creation

The interface provides precise settings of expected network behaviour. For instance, when the “Exp” plugin is selected, it is possible to enter the expected behaviour when a HTTP request is sent using the “Success Body Contains” or “Failed Body Contains” fields. It is also possible to modify its metadata, and the user can create complex sequences by adding steps as desired.

Browsing other views

Other views are available in the left-hand panel. The “Password Dictionnary” view allows the operator to create lists of username and password combinations that can be reused against targets. The “Ip Segment/Domain” view prompts the user to add one or more IP address blocks that can be reused for targeting. Also, there are views for each campaign type launched using the plugins, which monitor progress and results in real-time.

Browsing views that are not displayed

The fact that we had to rebuild the interface locally means that it is not possible to display all the pages available solely by using a web browser. However, analysing the JavaScript code makes it possible to discover new routes that can be accessed via the interface.

The route /deploybots contains a feature called “Add Script”, which displays the following window:

The $URL_HOME variable referenced in this modal corresponds exactly to the one used in all the Bash scripts found in the staging hosts.

Finally, the route /install seems to prompt the user to install a new staging server, automatically by using SSH or manually by downloading an archive.

Screenshot of the "/install" path
Screenshot of the “/install” path

References to the GobRAT and Bulbature malware can be found in the “Install Server Manually” section. If the operator enters an IP address or URL, an archive named zone.tar.gz can be downloaded containing all the installation bash scripts and malware pre-configured to be hosted and accessible from a compromised host. Files in this archive correspond to the name of the GobRAT zone.[ARCH] malware and traces have been found in other open directories.

Other open directories

Only on a single host, we found an open directory containing files corresponding to an export of compromised devices. The following file appears to be on the main page. This is a sample of the file with some columns removed:

IPFlagLocationVersionBelongOnlineMessage
[REDACTED]L,A,R,U,T,PSouth Korea2.0.7.2AdminYesRT-AC68U
[REDACTED]
.asuscomm.com
[REDACTED]L,A,R,U,T,PUnited States2.0.7.2AdminYesRT-AC68U
[REDACTED]L,A,R,T,U,PSweden2.0.7.2AdminYesRT-AC68U [REDACTED]
.asuscomm.com
[REDACTED]L,A,R,U,T,PHong Kong2.0.7.2AdminYesRT-AX56U [REDACTED]
.asuscomm.com
[REDACTED]L,A,R,U,T,PTaiwan2.0.7.2AdminYesRT-AX95Q no
[REDACTED]France1.0.AdminNoexit status 1
[REDACTED]Australia1.0.AdminNoLinux [REDACTED]
4.14.24-qnap
[REDACTED]L,A,RRussia1.0.resource_adminYesexit status 127

This file contains 74,944 lines, each one being a compromised host. We can therefore deduce that on 11 July 2023 (given the date generated in the file name), this infrastructure included a botnet of almost 75,000 ORBs. A detailed study of the data in this file will be made in the “Victimology” section.

Also, an export of data from the “Task List” view was found. Here is a sample of this file, which contains 58 lines:

IPPortUsernamePasswordCreateTimeTask NameType
[REDACTED]9022root[REDACTED]28/02/2024 02:29Nonessh
[REDACTED]6379alpine[REDACTED]28/02/2024 02:33Noneredis
[REDACTED]23admin[REDACTED]15/01/2024 12:48Nonetelnet
[REDACTED]23support[REDACTED]15/01/2024 12:50telnetroutertelnet
[REDACTED]23mg3500[REDACTED]15/01/2024 12:50telnetroutertelnet

This data indicates a credentials bruteforce campaign, where it is clearly possible to observe the credentials obtained.

Furthermore, another folder stores temporarily uploaded files. Here is a list of all the files found, the “Creation Date” column is based on file metadata:

FilenameCreation DateNumber of rows
[ok]【CVE-2019-9082】Thinkphp5.txt2024-07-05355,149
[ok]【CVE-2019-13956】discuz mlv3.txt2024-07-05118,474
[ok]【CVE-2017-5638】S2-045 远程代码执行漏洞2.txt2024-07-05325,963
1705313101_1.txt2024-01-15500,001
telnetlinux.txt2024-01-15800,000
tw_ssh.txt2024-01-15842,457
own-0209-7.txt2023-04-07131,071
own-0209-10.txt2023-04-07133,621
own-0209-11.txt2023-04-073,061
own-0209-41.txt2023-04-0768,341
own-shiz-0214-0.txt2023-04-070
own-telnet-0222-0.txt2023-04-07308,551
own-telnet-sz-02.txt2023-04-0711,133,553
ssdaf0222.txt2023-04-07308,551
test_ip_range1.txt2023-04-070
test_range_ip.txt2023-04-0765,536
wys_test_range_ip.txt2023-04-0765,536
lilin-38w-ip.txt2023-04-07396,874
ssh-ip-500k.txt2023-04-07500,000
dlink-20221208.txt2023-04-0764,399
draytek1.txt2023-04-0742,699
drapal7-30w.txt2023-04-07600,599
ssh-ip.txt2023-04-07500,000
iot-telnet-50k.txt2023-04-07499,999
tw-telnet-60w-quchong.txt2023-04-07625,333
qnap-all-fofa.txt2023-04-071 377,932
drupal-ip-60w.txt2023-04-07600,599
0321-000.txt2023-03-211 488,177
0321-etest.txt2023-03-21448,876
own-telnet-0320-5.txt2023-03-20352,085

In total, 22,657,437 hosts are included. Observing the number of lines in these files, it is very likely that this data comes from an export of network infrastructure indexing engines such as Fofa (as suggested by the “qnap-all-fofa.txt” file). Based on the filenames, there are three types of targeted hosts: 

  • Hosts with shared remote administration services such as Telnet or SSH;
  • Hosts with an associated service and country (as suggested by the tw_ssh.txt file, which would correspond to all the IPs in Taiwan hosting an SSH service);
  • Type of device, as suggested by the file qnap-all-fofa.txt or draytek1.txt, which contains the IP addresses of appliances manufactured by Qnap or Draytek.

To summarise all the features included in this interface, we can deduce that an operator can use these lists of assets to try to compromise them automatically or manually using web vulnerabilities or accounts dictionaries. Once compromised, they can be remotely controlled and used as relays to launch DDoS attacks and exploit final targets.

Victimology identified form the open directories on the GobRAT administration interface

We were unable to obtain a comprehensive victimology because real-time data access was not available in both interfaces we examined. However, we can still draw up a victimology based on an interface export carried out on 11 July 2023 found in open directories on the GobRAT administration interface.

Countries infected by GobRAT and Bulbature. Source: Sekoia.io TDR Team

Among the 74,944 retrieved hosts, a total of 139 different countries were found.

The United States had the highest number of infected hosts, with 28,452 hosts, four times more than the next country, Hong kong. These infections might indicate a strategy to get as close as possible to their targets. This is particularly relevant in the context of the ongoing US-China tensions.

In second place comes Hong Kong with a total of 7,418 hosts, and in third place Sweden with 6,017 hosts. The fact that these countries are among the top 3 infected hosts most probably shows that the operator wants to obtain exit nodes or targets three continents: North America, Europe and Asia. Finally, between 2,000 and 3,000 compromised hosts are found in the following countries: Singapore, Canada, Taiwan, United Kingdom, Germany and Italy.

Still, on the 74,944 hosts, a column filters hosts by their characteristics: network protocols, processor architecture, Operating System, whether it has open services, and if the operator has administrator access. Based on this, it is therefore possible to draw a distribution of hosts types:

Distribution of infected hosts types by Bulbature and GobRAT malware. Source: Sekoia Threat Detection and Research Team

Most of these hosts are Linux routers with ARM system architecture and a public IP address, which confirms that they are indeed edge devices. The details in other columns indicate that they are mainly manufactured by Asus or Qnap. The transport protocols are both TCP and UDP, corresponding to the running behaviour of the GobRAT and Bulbature malware. Of note, although a “W” field for Windows is mentioned, no such host was identified.

Conclusion

The investigation we conducted since 2023 provided us with a comprehensive overview of the features of this cluster of activity. Similar to the previous Sekoia.io publications, this architecture, consisting of compromised edge devices acting as ORBs, allowing an operator to carry out offensive cyber operations around the world near to the final targets and hide its location by creating on-demand proxies tunnels.

Considering the functionalities included in the Proxies provider interface and the GobRAT administration interface, operators have an automated technical toolkit, enabling them to carry out massive exploitation or DDoS attacks. Each of these interfaces has user management functionalities, suggesting that they are being used by several operators. Inside this ecosystem, GobRAT and Bulbature malware operate in a complex way: the level of obfuscation is considered to be particularly advanced. The various network interactions are difficult to identify, indicating a genuine intention by operators to conceal infrastructures. Several version numbers associated with malware have been recovered, implying a constant evolution of their functionalities since at least 2022.

Since 2023, we have seen several ties to China. Traces in the code, interfaces historically configured with a single language, the repeated use of AS138915 “KAOPU-HK Kaopu Cloud HK Limited” and the predominantly North American targeting. This type of infrastructure, which implies compromised appliances directly exposed on the internet, is also very present in the Chinese state-sponsored ecosystem. Given the evidence at hand, we assess with a high level of confidence that this threat originates from China.

Indicators of compromise

Several indicators are not shared in this report. If you are a national CERT or LEA, we can share IOCs and samples with you under TLP:AMBER classification. Please contact tdr [ at ] sekoia [ dot ] io.

The following table lists all active indicators as of 5 September 2024 (cut-off date of this report), which have certificates mentioned in the Initial Findings.

TypeIPv4ASNHosting CountrySelf signed certificate fingerprint (MD5)
Staging host38.54.56.5AS138915Japanaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.54.85.246AS138915Hong Kongaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.60.134.236AS138915Franceaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.60.221.32AS138915Russiaaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.60.221.63AS138915Russiaaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.60.221.174AS138915Russiaaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.60.223.51AS138915Russiaaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.60.223.81AS138915Russiaaf4ad0bd9221ffc63ae5acff4034834a
Staging host38.60.221.145AS138915Russiaaf4ad0bd9221ffc63ae5acff4034834a
Proxies provider interface47.96.119.186AS37963Chinae4b7b3a2610ad706a83667a5bac7cd31
Proxies provider interface178.128.96.236AS14061Singaporee4b7b3a2610ad706a83667a5bac7cd32
GobRAT administration interface38.54.85.70AS138915Hong Konge4b7b3a2610ad706a83667a5bac7cd33
GobRAT administration interface38.54.85.164AS138915Hong Konge4b7b3a2610ad706a83667a5bac7cd34
GobRAT administration interface38.54.85.178AS138915Hong Konge4b7b3a2610ad706a83667a5bac7cd35
GobRAT administration interface38.60.203.167AS138915Hong Konge4b7b3a2610ad706a83667a5bac7cd36
GobRAT administration interface103.57.248.40AS9009Hong Konge4b7b3a2610ad706a83667a5bac7cd37
GobRAT administration interface176.97.73.171AS9009Japane4b7b3a2610ad706a83667a5bac7cd38
GobRAT administration interface38.60.203.21AS138915Hong Konge4b7b3a2610ad706a83667a5bac7cd39
GobRAT administration interface38.54.85.21AS138915Hong Konge4b7b3a2610ad706a83667a5bac7cd40
GobRAT administration interface38.60.203.141AS138915Hong Konge4b7b3a2610ad706a83667a5bac7cd41

This table lists the Bulbature Dispenser and Bulbature C2s that have been collected in 2024.

TypeIPv4 or domainPort
Bulbature Dispensereyh.ocry.com443
Bulbature Dispensernbt201.dynamic-dns.net8080
Bulbature C238.180.29.2298245
Bulbature C238.180.128.527598
Bulbature C238.60.223.2084557
Bulbature C2139.84.230.1987335
Bulbature C238.180.74.1736114
Bulbature C245.32.33.923558
Bulbature C2139.84.147.2297860
Bulbature C264.176.56.2528927
Bulbature C2139.84.177.2446542
Bulbature C2139.84.163.732225
Bulbature C238.180.191.1182814
Bulbature C238.60.212.2337038
Bulbature C238.180.74.147144
Bulbature C245.77.34.1488158
Bulbature C238.54.50.1633296
Bulbature C2139.84.170.907170
Bulbature C2154.205.128.2103591
Bulbature C2139.180.139.125118
Bulbature C238.60.212.1678764
Bulbature C25.34.176.1502666
Bulbature C238.180.106.1673973
Bulbature C2154.223.21.1605972
Bulbature C25.34.178.1443652
Bulbature C238.60.203.837121
Bulbature C2176.97.73.2156894
Bulbature C238.54.50.2534805
Bulbature C238.180.29.56214
Bulbature C238.180.188.926733
Bulbature C2154.90.63.1568080
Bulbature C264.176.228.782119
Bulbature C245.76.177.403053
Bulbature C2139.59.43.673242
Bulbature C2154.90.62.2473472
Bulbature C2154.223.21.802694
Bulbature C238.180.106.1796648
Bulbature C2154.90.62.2015914
Bulbature C2188.116.22.593632
Bulbature C2154.223.21.1814873
Bulbature C238.60.206.783314
Bulbature C2154.223.20.2158640
Bulbature C264.176.47.1337216
Bulbature C238.60.196.868784
Bulbature C2139.84.174.1028835
Bulbature C264.227.130.486088
Bulbature C238.180.189.1085984
Bulbature C238.180.106.122572
Bulbature C267.219.101.1515989
Bulbature C2158.247.223.1252109
Bulbature C238.60.203.614516
Bulbature C2139.180.200.783499
Bulbature C2154.90.63.2152280
Bulbature C238.60.212.135049
Bulbature C2207.148.125.755893
Bulbature C2108.61.127.1864001
Bulbature C238.180.9.25226
Bulbature C2141.164.47.2482251
Bulbature C2154.223.21.166259
Bulbature C266.42.34.878262
Bulbature C2154.205.136.1605366
Bulbature C291.196.70.1654572
Bulbature C2207.148.69.748225
Bulbature C2139.180.212.2246771
Bulbature C2140.82.38.2253748
Bulbature C2139.84.227.522474
Bulbature C2154.205.155.37497
Bulbature C238.180.74.2364818
Bulbature C238.54.56.457507
Bulbature C238.180.74.1807462
Bulbature C2176.97.73.1997422
Bulbature C2104.238.176.1715468
Bulbature C238.54.88.2482882
Bulbature C264.176.49.894524
Bulbature C2139.84.167.486004
Bulbature C2139.59.80.774538
Bulbature C2195.80.148.1422410
Bulbature C2154.205.128.1942621
Bulbature C2154.205.137.2487192
Bulbature C268.183.89.486450
Bulbature C238.180.74.2288976
Bulbature C245.76.154.2414281
Bulbature C278.141.218.2398717
Bulbature C238.54.50.1207288
Bulbature C238.54.85.2444986

The following files were retrieved from the staging host https://38.60.221[.]145/static/, and are those described in this report. However, around 200 variations of these files were found on all the staging hosts.

FilenameTypeSHA256sumSHA1sumMD5sum
bulbatureBulbature malware41e189a5b68f305ab6251a06475b76777bda0d035ea06cd569306ed5c98bdc98b7328e89017b9c56e9a77150bcd9e01f023590b3e988b0adfc9d606dba66e839394c01a0
zone.armGobRAT malware48b243fd7ed8bc0b7ce663f0b3fc34f07fcf9fb04bf8bceaff8b7453ab4e531844f2f951fdcf2b88c1f6565fae4c806019fe397cd16a8d41950cd226240072fe1cb2b43f
zone.x86_64GobRAT malware91eaa94223c12ddc89eca5220a8c57f0254f587f73c9edc161fc161a56e2c2f0a6ad4538b145567ded3e7df723e9777944bd3b45fc0521c22cef4423e9fd440d1f788d4c
zone.i686GobRAT malwareb1c21264a60edb64895c8c61507211a829f13068541f875b615e6c1c363122bac049cdaf68906e280ce6e99ffe046caa13e4369fea9c445106d86372849b522f4aeae193
zone.mipsGobRAT malware726ac8f88c4585ccb2ce2e3325726230dc7bd2c7f6667085ac2f665c4ce3fb46b8788656c6c8bca00abb2d83672fde546ac2bf3e4a8462db712c05190b2741b36567fc4e
frpc.i686FRP (Fast Reverse Proxy)676cf55076127dab1403c3322d38bf72b62f8aaff25534e5af7b02fc1474a9c030a3b3ffaf025d93850402de323387f1ebc5ca7a9e5870fc5fadd943307eecaef74bbf69
frpc.x86_64FRP (Fast Reverse Proxy)a6d184715cbb596edac024089ae493785ba3c4519b493946c8f850b4bd08836c2a596d8db43e35951fb820588eed43872606f15431ced0d01855ce9b66a9fb786edc8d90
frpc.armFRP (Fast Reverse Proxy)141bc0c7413665970cc33ba7b31f8e2ab0d1f9fb0363478aa6d3fd444e6745a448a2a15803ca7784e61dccc9435786d4203ce48bdabdabcdd97652c9175a18b3ee8847f8
hold_by_bot.shDaemon script869a6cd8205af5ec1bf04e6abf0ff79f12e62a8eeae129b9e219e1179520bac397d79325e0ffc55ff277bc24cc1f91b5c518c82c0c417d9d857aff511cb0d9713a511126
zoneupdate.shUpdate script0858c36ed2cf29d9f7de3d7b8d595e45d888da422e76bc9c9115a8f25027d5e7181d629ed8faad17c5548e05fdcd48e24969a0bdf501977e0b01d0a9c7a737ad0e197223
zonesetup.shStart script6632fe263bf687fb8d46dd29eaf90601350681aa1930a14e2aba2a16f6c3e04088094c3907cb4a69bc25fe9feb1867dfbca33437a034dd3eac327bd318b2e5f22aa24385
zoneController.shDaemon script743e15f8cfd54077406635bea803b26c574b1b5c3862b132779a8cf52d9ef9038197abcad20e2d14bde93d5af0199c3ebdd9b77f7e5ea306574e2237dc5b3902fba2d173
sshdeny1.shBlock script1f3a0144e717e7d93fe65877b4945a25c03b0722b6761e8fc96c8b5e62be3e46a860a33f8ec6f0f4d91a413ef3fe3b0aab45f232f75d14bcc6d67dc7a03f734eff951b35
zoneRestart.shUpdate script173e2f90de78f8288e0172e900693d228ae1071cc80a4fe02a09af6cd37358e9b41466642674365e73428f9899a36986ced18c5d71b5c7a5ae58129bffadda3cc42dbcd1
zonedelete.shDelete script667dd21bc252eb7d7415fc13ab996575bbe451062d82c94b14d6ba750d95ab645e85de2e35f1fccb66cb92f7d9efc59c7cd25ac2855856f0d98cb3500acd524cde3f966f

When the operator compromises an edge device, he begins by running “zonesetup.sh”. This script downloads “zoneController.sh” from a staging server, modifies its permissions to make it executable, then runs it.

In the meantime, “zoneController.sh” checks every 6,000 seconds to ensure that the “apached” process (corresponding to “zone.[ARCH]”, GobRAT) is running, and if it is not, it downloads a script from a specified URL, modifies its permissions to make it run, then runs the script in the background. Runned in an infinite loop, this script ensures that GobRAT is run persistently.

The operator runs the “zoneupdate.sh” script, which performs the most important infection operations on the host:

  • Installs “wget”;
  • Increases the user process limit;
  • Stops and disables the firewall service;
  • Empties the firewall rules;
  • Creates a directory called “/zone”;
  • Deletes several files and directories in /zone. 

The fact that the user’s native configurations are modified indicates that the operator wishes to manipulate a large amount of data on this host, freeing himself from the default weak limits on edge devices.

It then downloads GobRAT malware depending on the host’s system architecture, as well as Bulbature and other Bash scripts, placing them in the “/zone” directory.

Following this, it checks whether processes named “hold_by_bot.sh”, “apached”, “frpc.[ARCH]” and “bulbature” are running, and terminates them if they are found.

After this, it:

  • Deletes several files and directories in “/zone”;
  • Moves temporarily downloaded files to their final locations;
  • Changes their permissions to make them run.

Finally, it:

  • Configures the “/etc/rc.local” file to run “zone/hold_by_bot.sh”
  • Empty the iptables rules at start-up
  • Adds periodic run of “/zone/sshdeny1.sh” to the crontab file
  • Increases the file and process limits in two security configuration files;
  • Runs “hold_by_bot.sh” in the background;
  • Empties the iptables rules again;
  • Stops and disables the firewalld service. 

In this way, the compromised or deployed host will be accessible without any restrictions from remote access.

In “zoneupdate.sh”, it is possible to see the use of “hold_by_bot.sh”. This will check every 6 seconds whether the GobRAT and Bulbature processes are running, and if not, it will restart them and record the date and time of each restart in a log file. Once again, this suggests the use of a persistence mechanism.

Also, “zoneupdate.sh” install and run “sshdeny1.sh”, which:

  • Identifies IP addresses with failed connection attempts;
  • Counts them and adds those with more than 5 failures to “/etc/hosts.deny” to block SSH access;
  • Records the date and time of the block. 

In this way, the operator reduces the chances of compromise by another actor, by blocking the possibility of brute force authentication attacks.

Whatsmore, “zonedelete.sh” and “zoneRestart.sh” can be found on a staging server open directory, but are not run by any of these bash scripts. It therefore seems that these scripts are launched by the operator itself.

The “zoneRestart.sh” script adds “hold_by_bot.sh” to the “/etc/rc.local” file so that it runs at start-up if it is not already there. It terminates GobRAT-related processes if they are running, then runs “hold_by_bot.sh” in the background.

Finally, the “zonedelete.sh” script deletes all files and directories in the “/tmp” folder, then abruptly terminates all processes whose command line contains “tmp”. However, this script does not seem to erase all traces of run of downloaded malware, since they are also in the “/zone” directory.

This concludes the analysis of the nesting of bash scripts hosted on staging servers.

Feel free to read other Sekoia.io TDR (Threat Detection & Research) analysis here :

Share this post:


文章来源: https://blog.sekoia.io/bulbature-beneath-the-waves-of-gobrat/
如有侵权请联系:admin#unsafe.sh