Nikhil "Kaido" Hegde

M&M: Malware and Musings

View on GitHub

NoaBot Botnet - Sandboxing with ELFEN and Analysis

Metadata

Table of Contents

Family Introduction

NoaBot is a Mirai-based botnet and possesses most of the original Mirai botnet’s capabilities. Its source code contains noticeable differences like the spreader is based in SSH and not Telnet. Akamai detected the NoaBot campaign in early 2023.

The sample analyzed in this post is an ELF executable targeted towards the MIPS 32-bit, little-endian architecture.

Sandboxing with ELFEN

Generally, a malware analyst performs sandboxing early in their workflow. The purpose of sandboxing is to quickly get a general idea of the malware sample’s capabilities - does it communicate over the network or encrypt files or establish persistence, etc. This information is useful in determining the next steps in the analysis workflow. I built the ELFEN sandbox to analyze Linux malware (file type: ELF) and provide this information. It is open-source and easy to set up.

Detonation

Unless it is known, a sample is usually submitted to a sandbox without any command-line arguments.

ELFEN submission

The analysis result summary is shown in the snap below:

ELFEN analysis summary

uClibc Compilation

The sample is compiled with uClibc, and more specifically, with a version between v0.9.21-v0.9.33.2 as evidenced by the string, npxXoudifFeEgGaACSncs[. ELFEN detects this open-source library usage.

uClibc usage

Brute-Forcing Credentials

ELFEN generates process memory dumps during detonation. Besides extracting printable strings from the dumps, ELFEN also applies Yara rules on them. Some in-memory strings in the analysis hint at credentials brute-forcing

Brute-forcing credentials

ELFEN detects the presence of well-known password patterns through a Yara rule.

ELFEN detects credentials

Persistence through Cron

The sample establishes persistence through a cron job that runs the sample every time the system reboots. The crontab file per user is located under the directory, /var/spool/cron/crontabs. ELFEN detects it as a dropped file and makes it available to the user for downloading. In this case, the sample also sets up command-line parameters when it runs through the cron job.

$ cat root
@reboot ./8zpeVaQk "$mimic|fuck" noa

ELFEN traces the crontab invocation and detects it:

Trace crontab invocation Detect crontab invocation

Accessing Secrets

The sample looks for a variety of secret information such as bash history, SSH private keys and user accounts information. Curiously, the sample does not seem to do anything (read/write) with the found files. A gap in tracing? Nevertheless, an analyst can likely make the assumption that the secret information is leveraged in some manner.

ELFEN detects this behavior:

Detect access to secrets

Accessing Bash History

The sample looks for .bash_history files at various locations. This file records a history of the commands that a user has entered in the Bash shell. ELFEN traces this behavior.

Accessing bash history

Accessing SSH Private Keys

The sample looks for user SSH private keys for multiple algorithms: RSA, DSA and Ed25519. These keys are used for authenticating the user over SSH. ELFEN traces this behavior.

Accessing SSH private keys

Accessing User Accounts Information

The sample looks for the /etc/passwd file. This contains information about user accounts on the system. Note that benign executables access this file as well during runtime. However, context is important. The sample also accesses other secrets, so access to /etc/passwd should not be ignored. ELFEN traces this behavior.

Accessing user accounts information

Process Name Change

The sample changes its process name to masquerade as a benign process. Specifically, the new process name can be one of many popular utilities such as mongod, nginx, smbd, sshd, etc. ELFEN traces and detects this behavior.

Trace process name change Detect process name change

Network Communications

Scanning through SSH

The sample scans ports 22 and 2222 (popular alternate port for SSH) for over 4000 IPv4 addresses. ELFEN traces this behavior. The original Mirai botnet spread through Telnet. Researchers at Akamai reported that NoaBot uses SSH.

Trace SSH scanner

ELFEN also captures network traffic into a PCAP and makes it available to the user for downloading. If the remote port is accepting connections, the sample sends a malformed SSH packet early in the SSH handshake. It contains the string, hi.

Malformed SSH packet

I observed that the sample does not send its SSH identification string first, as is usual in a normal SSH handshake. Instead, it waits for the server to send its identification string. It then replies with the malformed SSH packet.

My hypothesis is that the sample is trying to capture the server SSH identification string. Perhaps, to check if it’s vulnerable to a known exploit. It then sends the malformed SSH packet (the specific string, hi is irrelevant) to possibly avoid triggering any timeouts or RST packets from the server which may draw suspicion on server-side defenses. As seen in the snap above, the connection gracefully terminates with a FIN-ACK-ACK packet sequence.

C2 Domain

The sample reaches out to its C2, mimicmaster[.]online, which is currently unavailable.

C2 domain

From its Whois records, it can be seen that the domain is currently suspended.

C2 Whois

The last known IPv4 address for the domain was 185[.]193.126.118 as seen on VT.

C2 VirusTotal

ELFEN performs protocol analysis on the captured network traffic. At this point, only DNS protocol analysis is supported.

C2 DNS analysis

Summary

The NoaBot is yet another Mirai-based botnet, except it has notable differences in its capabilities like the SSH spreader. The main goal of this analysis was to demonstrate the usage of the ELFEN sandbox to quickly get insights into a given malware sample.

ELFEN supports features such as:

If you’ve not already, give ELFEN a try!

References

  1. ELFEN
  2. Malpedia
  3. You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance
  4. open, openat - open file
  5. Wiresharking Secure Shell (SSH)
  6. Whois
  7. VirusTotal
  8. ChatGPT
  9. uClibc