Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

Cybersecurity threats are increasingly leveraging cloud services to store and distribute malware and to host command and control (C2) servers, for example VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift presents significant challenges for detection and prevention, because cloud services offer scalability, anonymity, and resilience that traditional hosting lacks. Over the past month, FortiGuard Labs has been monitoring botnets that have adopted this strategy, abusing cloud services to enhance their malicious capabilities. Botnets such as UNSTABLE and Condi have been observed using cloud storage and computing providers to distribute malware payloads and updates to a broad range of devices. Hosting C2 on cloud servers keeps communication with compromised devices persistent, which makes it harder for defenders to disrupt an attack. We have also observed a threat actor exploiting multiple vulnerabilities in JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21, and Ivanti Connect Secure to amplify its attacks.
Figure 1: Attack flow
In this article, we detail this threat actor's initial attack method and examine the botnets being used.

UNSTABLE Botnet

The UNSTABLE botnet gains initial access by exploiting the JAWS webserver RCE vulnerability, CVE-2016-20016, and retrieves the downloader script “jaws” from 45[.]128[.]232[.]15.
Figure 2: Attack packet
Figure 3: Downloader script "jaws"
It includes multiple binary files for 13 architectures executed using the parameter “jaws.exploit.” The UNSTABLE Botnet is a Mirai variant that uses XOR to encode its configuration. It has three main modules: exploitation, scanner, and DDoS attack. The exploitation module targets three vulnerabilities: CVE-2016-20016, CVE-2018-10561/10562, and CVE-2017-17215.
Figure 4: Exploitation module
The scanner module includes a hard-coded list of usernames and passwords that it uses for brute-force scanning of other endpoints in the network.
root Zte521 swsbzkgn taZz@23495859 grouter juantech tsgoingon telnet pass solokey oelinux123 password admin tl789 svgodie default GM8182 t0talc0ntr0l4! user hunt5759 zhongxing guest telecomadmin zlxx. telnetadmin twe8ehome zsun1188 1111 h3c xmhdipc 12345 nmgx_wapia klv123 123456 private hi3518 54321 abc123 7ujMko0vizxv 88888888 ROOT500 7ujMko0admin 20080826 ahetzip8 dreambox 666666 anko system 888888 ascend iwkb 1001chin blender realtek xc3511 cat1029 00000000 vizxv changeme 12341234 5up iDirect huigu309 jvbzd nflection win1dows hg2x0 ipcam_rt5350 antslq

Figure 5: Scanner module and hard-coded username/password

The DDoS attack module is a typical one that covers several protocols. UNSTABLE contains nine methods: attack_tcp_ack, attack_tcp_syn, attack_tcp_legit, attack_tcp_sack2, attack_udp_plain, attack_udp_vse, attack_udp_thread, attack_gre_ip, and attack_method_nudp. The bot selects the method according to commands from its C2 server.

Condi DDoS Botnet

FortiGuard Labs previously disclosed the Condi DDoS botnet, which continues to exploit CVE-2023-1389 to gain control of devices and carry out its malicious activities. The binary file is hosted on “45[.]128[.]232[.]90” for distribution.
Once a device is infected, the malware kills off the competition and specific processes. It then sets up a connection to a central Command and Control (C2) server, “trembolone[.]zapto[.]org.”
Figure 6: Checking list for terminating process
Figure 7: Get the updated version of Condi Botnet
UDP Flooder and Process Checker

FortiGuard Labs noticed this incident because of the payload “ping -c 20 209[.]141[.]35[.]56,” which is unusual in such an attack. Since that IP address is neither the attack source nor the targeted intranet, we suppose that the two IP addresses 45[.]128[.]232[.]229 and 209[.]141[.]35[.]56 are both controlled by the attacker and that one of them is a command and control (C2) server.
Figure 8: Attack traffic
The attack source IP address, “45[.]128[.]232[.]229,” hosts four files named “msgbox.exe,” “udp,” “udparm,” and “udpmips.” These are DoS tools for different Linux architectures, except “msgbox.exe,” which pops up a message box containing the string “RAT.” The following analysis examines the “udp” file. When executed without arguments, the tool prints an unmistakable usage message: “Usage: %s <IP> <SECONDS> [PORT].”
Figure 9: Execution tool without arguments
When executing with the necessary “IP” and “SECONDS” arguments, the tool triggers a UDP flooding DoS attack using system-generated random characters.
Figure 10: Execution tool with arguments
Figure 11: UDP flooding traffic
The IP address “209[.]141[.]35[.]56” that the compromised device pings is exploited by the attack source IP address “45[.]128[.]232[.]229” using the CVE-2023-1389 vulnerability. Its front page is a seizure notice: the FBI seized the site because it was used as a DDoS service (Figure 12). However, FortiGuard Labs found that the address also serves another path, “hxxp://209[.]141[.]35[.]56/getters/,” which contains 19 malware variants for different Linux architectures (see Figure 13).
Figure 12: Website seized page
aarch64 microblazebe aarch64be microblazeel arcle-750d mips arcle-hs38 mipsel armv4l nios2 armv5l openrisc armv6l powerpc armv7l riscv64 i586 sh4 m68k sparc m68k-68xxx x86_64-core-i7 m68k-coldfire x86-core2 m68k-coldfire.gdb x86-i686 xtensa-lx60

Figure 13: The malware for different Linux architectures

We focus on the file for the “x86-i686” architecture. The malware creates a socket and checks whether the C2 server is reachable; if not, it terminates. If the server is reachable, the malware connects to C2 server “45[.]128[.]232[.]229,” the source IP address of the CVE-2023-1389 exploit, executes the “ps” command, and gathers process information from its output.
Figure 14: Set C2 server IP address
The malware executes the command “ps -eo pid,comm --no-headers” through “/bin/bash” to get all process PIDs (Process IDs) and command names running without a header line.
Figure 15: Executes command
It then uses the obtained PIDs to check the command name of each running process via “/proc/<PID>/comm.”
Figure 16: Read process command
Afterward, the malware sends related information to the C2 server.
Figure 17: Sending information to the C2 server
According to our analysis, the attackers appear to operate a cloud command and control (C2) server (45[.]128[.]232[.]229) and a network-attached malware storage host (209[.]141[.]35[.]56). The attacker first checks whether the compromised device can reach the malware storage host, from which it downloads the malware for the following attack stages.

Skibidi

This malware, which we named “Skibidi,” was spread by the attacker through two different vulnerabilities simultaneously. One is CVE-2023-1389 in TP-Link Archer AX21, which botnets have exploited continuously since it was published, as detailed in an earlier FortiGuard Labs report. The other is CVE-2024-21887 in Ivanti Connect Secure, which caused a sensation in April 2024.
Figure 18: Attack traffic through Ivanti Connect Secure (CVE-2024-21887)
Figure 19: Attack traffic through TP-Link Archer AX21 (CVE-2023-1389)
The attackers first fetch the “Skibidi” malware with a downloader script, which downloads and executes each architecture's binary in turn so that the one matching the device's Linux architecture runs.
Figure 20: Downloader script
arm4 mips arm5 mipsel arm6 ppc arm7 sh4 x86_64

Figure 21: The malware targets Linux architectures

The following analysis is based on the sample “skibidi.x86_64.” When executed, the malware prints the string “youre not skibidi enough.”
Figure 22: Executes the malware
It then calls the Linux ptrace function to control its own process on the victim host: the malware forks, and one copy attaches to the other (the malware itself) as a debugger and sends it signals, which hinders detection and analysis.
Figure 23: Call "ptrace" function
The malware then XOR-decodes the strings it needs for creating its process and for printing the execution result string.
Figure 24: XOR encoded strings
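Both UNSTABLE (XOR-encoded configuration) and Skibidi (XOR-encoded strings such as “-bash” and “x86_64”) hide their strings behind XOR. The following Python is an added analyst helper, not code from this report or from the malware: it brute-forces every single-byte key over an encoded blob and ranks keys by how many printable, NUL-terminated C strings they recover, which lets a triage script recover such a string table without first locating the key in the disassembly. The sample blob and the key 0x5A are constructed for the demo; the actual keys used by these samples are not given in the report.

```python
"""Recover single-byte-XOR-encoded C strings by brute force.

Scoring relies on the decoded table being a sequence of NUL-terminated
printable strings, which is what Mirai-style config tables look like."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a 1-byte key is the common case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def nul_terminated_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of >= min_len bytes that end in a NUL byte.

    Runs broken by other control bytes, or that hit the end of the blob
    without a terminator, are discarded: that is what separates a real
    decode from a wrong key that merely happens to map letters to letters."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if b == 0 and len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def brute_force_single_byte(blob: bytes, min_len: int = 4) -> list:
    """Try keys 0x01..0xFF; return (score, key, strings) best first.

    Score is the total length of recovered strings; ties break on the
    lower key so the ranking is deterministic."""
    ranked = []
    for key in range(1, 256):
        strings = nul_terminated_strings(xor_bytes(blob, bytes([key])), min_len)
        ranked.append((sum(len(s) for s in strings), key, strings))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


# Constructed demo input: a three-entry string table encoded with a made-up key.
SAMPLE_KEY = 0x5A
SAMPLE_TABLE = b"-bash\x00x86_64\x00youre not skibidi enough\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_TABLE, bytes([SAMPLE_KEY]))


def demo() -> tuple:
    """Return the best-ranked key and the strings it recovers from SAMPLE_BLOB."""
    _score, key, strings = brute_force_single_byte(SAMPLE_BLOB)[0]
    return key, strings


if __name__ == "__main__":
    key, strings = demo()
    print(f"key=0x{key:02x}")
    for s in strings:
        print(" ", s)
```

On a real sample, feed the bytes of the suspected table (for example a data section carved out with a hex editor) into brute_force_single_byte and look at the top few candidates; a multi-byte repeating key can be handled by passing a longer key to xor_bytes once the period has been guessed.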
It calls the prctl system call to rename the calling process, using the decoded strings “-bash” and “x86_64.”
Figure 25: Process of the malware
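Two of the behaviours above leave traces in /proc that a defender can hunt for: a process renamed with prctl has a comm that no longer matches the basename of the binary it runs (a login shell exec'd as “-bash” still has comm “bash”, because comm is taken from the executable's filename, not argv[0]), and a process that forks and attaches to its child with ptrace shows up as a child whose TracerPid equals its PPid. The following Python is an added hunting script, not code from this report or from the malware; it treats a prefix match such as “python3” versus “python3.11” as benign (exe resolves symlinks, comm does not) and skips multi-call binaries like busybox, which legitimately run under many names. The PIDs, paths and names in demo() are constructed, and the /tmp path of the sample is an assumption.

```python
"""Hunt for renamed processes and fork-then-ptrace self-debugging via /proc.

scan("/proc") runs against a live Linux host; demo() builds a constructed
/proc look-alike in a temporary directory so the logic runs offline."""
import os
import tempfile
from pathlib import Path

COMM_LEN = 15  # the kernel truncates comm to TASK_COMM_LEN - 1 = 15 bytes
# Multi-call binaries legitimately run under many names (assumed allowlist).
MULTICALL_BINARIES = {"busybox"}


def parse_status(text: str) -> dict:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def inspect_process(proc_root, pid: int) -> list:
    """Return (pid, kind, detail) findings for one process; [] if clean."""
    pdir = Path(proc_root) / str(pid)
    findings = []
    try:
        comm = (pdir / "comm").read_text().strip()
    except OSError:
        return findings  # process exited between listing and inspection
    try:
        exe = os.readlink(pdir / "exe")
    except OSError:
        exe = None  # kernel thread, zombie, or no permission: nothing to compare
    if exe is not None:
        # Malware often unlinks its own binary; the link then ends in " (deleted)".
        if exe.endswith(" (deleted)"):
            exe = exe[: -len(" (deleted)")]
        expected = os.path.basename(exe)
        if (expected not in MULTICALL_BINARIES
                and comm != expected[:COMM_LEN]
                and not expected.startswith(comm)):
            findings.append((pid, "comm_mismatch", f"comm={comm!r} exe={exe!r}"))
    try:
        status = parse_status((pdir / "status").read_text())
    except OSError:
        return findings
    tracer, ppid = status.get("TracerPid", "0"), status.get("PPid", "0")
    # A child traced by its own parent is the fork-then-ptrace pattern.
    if tracer != "0" and tracer == ppid:
        findings.append((pid, "traced_by_parent", f"ppid={ppid} tracer={tracer}"))
    return findings


def scan(proc_root="/proc") -> list:
    """Inspect every numeric entry under proc_root, lowest PID first."""
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    results = []
    for pid in pids:
        results.extend(inspect_process(proc_root, pid))
    return results


def build_fake_proc(root, processes) -> None:
    """Write a minimal /proc look-alike from constructed process records."""
    for p in processes:
        pdir = Path(root) / str(p["pid"])
        pdir.mkdir()
        (pdir / "comm").write_text(p["comm"] + "\n")
        if p["exe"] is not None:
            os.symlink(p["exe"], pdir / "exe")  # dangling links are fine here
        (pdir / "status").write_text(
            f"Name:\t{p['comm']}\nPPid:\t{p['ppid']}\nTracerPid:\t{p['tracer']}\n")


def demo() -> list:
    """Scan a constructed process table; every PID, path and name is made up."""
    sample = [
        {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd", "ppid": 0, "tracer": 0},
        {"pid": 2, "comm": "kthreadd", "exe": None, "ppid": 0, "tracer": 0},
        {"pid": 812, "comm": "python3", "exe": "/usr/bin/python3.11", "ppid": 1, "tracer": 0},
        {"pid": 900, "comm": "sh", "exe": "/bin/busybox", "ppid": 1, "tracer": 0},
        # a dropper renamed "-bash" that deleted its own file, and the child it
        # forked and attached to with ptrace, renamed "x86_64"
        {"pid": 1337, "comm": "-bash", "exe": "/tmp/skibidi.x86_64 (deleted)", "ppid": 1, "tracer": 0},
        {"pid": 1338, "comm": "x86_64", "exe": "/tmp/skibidi.x86_64", "ppid": 1337, "tracer": 1337},
    ]
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, sample)
        return scan(root)


if __name__ == "__main__":
    for pid, kind, detail in demo():
        print(pid, kind, detail)
```

Run scan() as root on a live host to see every process; both checks are heuristics (a debugger session also traces its child, and some daemons rename their worker threads), so treat hits as leads to confirm against /proc/<pid>/cmdline and the file on disk rather than as verdicts.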
Afterward, the malware tries to connect to its C2 server through a socket. Meanwhile, it uses the select system call to wait for activity on the file descriptors the attacker is interested in, such as those tied to process events.
Figure 26: Call “select” function