Hello and welcome to the Wednesday, August 31st, 2022 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Brock Perry, one of our undergraduate interns, came across some neat malware in his honeypot. The attack first looks like

any other attack against OpenTelnet and SH ports. So if you're standard brute forcing, in this case,

the Raspberry Pi default credentials did gain access to the Honeypot.

They then kill competing malware, set up backdoors, for example, a new authorized

the keys file and the like.

So pretty much standard fare.

Where it gets a little bit more interesting is the kind of command and control channel

they're using.

The entire command control channel is implemented as a simple BAS script,

and within BASH they're actually implementing a not complete,

but sufficiently complete IRC client that even waits

and then verifies digitally signed commands.

And then of course, executes.

The script does not just launch a command line IRC client.

Instead, it uses the DEF TCP trick in order to get access to the IRC server.

So not even Netcat is required here.

The bot will then join a channel and wait for commands and then verify digital signature using

OpenSSL, which I guess is sort of the one external dependency in some ways that this script

still requires. Only uses MD5, not sure why they didn't go for a better hash, given

that the code really wouldn't be all that different, but well, it's still kind of interesting,

...