A FortiGuard Labs Threat Analysis
Back then, we noticed a number of open directories in the C2 that revealed binaries for different architectures as well as list of targets queued for brute force attacks. What began as a simple brute forcer specifically targeting phpMyAdmin web app has updated its arsenal, turning it into a multi-service brute forcer. A tweet from another security researcher @gwillem confirms the threat that this botnet poses.
Given its impact, we decided to dig further in order to better understand the scale of this campaign and share our findings to the security community dealing with the same adversary.
This post shares our findings collected over the past several months (February 2019-September 2019) of monitoring this threat.
We have observed that the malware author has continued the development of its code. In fact, the new binaries now include the version info of the malware. Though there are a number of released versions, we will only focus on those versions where major functions and services were added. In summary, the earliest version was v1.5, and since then we have documented ten additional services added between then and its latest version, v3.11.
Below are the main_init() functions of v3.11, with comments referring to the versions where particular functions were added.
As shown above, new functions to support other services were gradually added to the malware on each release. We have already discussed some of the functions in a previous article. In summary, here is a breakdown of these functionalities.
We can categorize them into three main groups:
The table below lists the services and platforms it tries to compromise and their corresponding commands. (‘X’ means not supported.)
The C2 contains useful data, including the latest binaries, the jobs for each worker with the targeted hosts, and the credentials to be used for the brute force attack. A typical Stealthworker C2 contains the following:
Below is an example of the jobs received for worker=magentoBrt:
Every request to this URL returns around 300 fresh jobs.
It is important to note that the targets and credentials harvested from the C2 weren’t used for a brute force attack and were only used for statistics. In fact, harvesting jobs from the C2s takes away jobs meant for the malicious bots. This result in targets being spared from what should have been a brute force attack.
During our monitoring we were able to intercept more than 98 million jobs, which can be attributed to the following workers:
Half of the jobs targeted the SSH service. This doesn’t come as a surprise, since SSH is typically installed on servers for administrators to remotely login. Scanning for targets that are using WordPress and Magento platforms also comprise big chunks of the jobs being executed.
The continuous development and appearance of new Stealthworker samples and C2s demonstrate how active the campaign is, and that more attention needs to be drawn to these sustained brute force attacks, not only for e-commerce websites but also to all possible vulnerable systems that use weak credentials.
If you want to know more on Stealthworker, we will be presenting more of our findings at the upcoming AVAR 2019 Conference held in Osaka Japan, on November 6-9. Our presentation is titled “Digital Skimmers: How crooks are spying on your online shopping”, where we will be sharing the results of our continuous effort at tracking Stealthworker, as well as interesting campaigns we found on MageCart.
Fortinet detects Stealthworker binaries as ELF/Agent.FM!tr, Linux/StealthWorker.GO!tr, W32/ StealthWorker.GO!tr variants, and blocks all mentioned C2s.
= FortiGuard Lion Team =-
Stealthworker SHA-256 hashes:
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.