June 17, 2019

AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability

Original release date: June 17, 2019 Summary The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known […]
June 21, 2019

An Analysis of Linux.Ngioweb Botnet

Background On May 27, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file, and to this day the detection rate on VT is still […]
June 21, 2019

Linux.Ngioweb Analysis Report

Background On May 27, 2019, the 360Netlab Unknown Threat Detection System flagged a suspicious ELF file that, at present, only one antivirus engine detects. Through detailed analysis we determined that it is a proxy botnet and a Linux variant of the Win32.Ngioweb[1] malware; we named it Linux.Ngioweb. It shares a large amount of code with Win32.Ngioweb, the difference being that it adds a DGA feature. We registered one of the DGA C2 domains (enutofish-pronadimoful-multihitision.org) and sinkholed it to observe bot connections. In addition, we observed a large number of web servers running WordPress that had been implanted with the Linux.Ngioweb malware. Although the bot runs under the web container's user group with very limited privileges, it still works normally and is used as a Rotating Reverse Proxy[2] node. At present we have not yet clearly seen what the Linux.Ngioweb attackers' goal is, but we suspect they may eavesdrop on the proxied network traffic. Linux.Ngioweb Overview The main function of the Linux.Ngioweb bot sample is to implement a Back-Connect Proxy[3] on the victim's machine. The attackers build multiple bots into a proxy pool, control it through a two-layer C2 protocol, and then provide a Rotating Reverse Proxy service. Linux.Ngioweb Reverse Analysis Sample information MD5: 827ecf99001fa66de513fe5281ce064d ELF 64-bit LSB executable, […]
July 1, 2019

An Analysis of Godlua Backdoor

Background On April 24, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file which was marked by a few vendors as mining related trojan […]