by Seth Elo
We are no strangers to online code repositories and social media being abused for malicious purposes. Attackers use services like these in the hope of making their malware harder to detect and easier to manage, and of giving their bots' C2 communications a lower chance of being blocked.
Recently, RA Labs found a novel implementation of these practices. We discovered a script kiddie abusing SourceForge to host a full-fledged panel for the Andromeda botnet.
The panel's gateway was discovered at http://antonio24[.]sourceforge[.]net/andr/image.php via this sample. The command and control is a default install of the Andromeda panel. A key indicator of this was the sample using Andromeda's default RC4 key for communicating with its servers. Another indicator was the download of 'pack' files from the domain. These pack files are modules that extend the capabilities of the Andromeda botnet, allowing the malware to grab form posts, apply a rootkit to the machine, and open a SOCKS4 proxy.
Andromeda is a botnet designed to use different modules to accomplish various tasks for the bot herder. Andromeda has been used in the past to steal credentials from users, download other malware, and log keystrokes. Its capabilities depend on which modules are available to it. For further reading on Andromeda, Avast has written a detailed report that can be read here: https://blog.avast.com/andromeda-under-the-microscope
The user, Antonio24, was also hosting other scripts under different projects. One in particular was a bash script that attempts to download files from browsersecurity[.]gq and execute them on a host. This script is most likely used as an additional payload for an IRC botnet (see: https://pastebin.com/e62qZMqm) run by the same user. The impact of this script could not be analyzed further, as the host it attempts to download from is no longer online. However, a quick Google search showed that this domain had been used to host other malicious content, including a JavaScript botnet called Cloud-9. We were able to associate this user with accounts on GitHub, which hosts scripts similar to those on his SourceForge account, and VK.
While this may not be overly sophisticated, it was quite an interesting find and a good reminder that legitimate services are often abused for malicious intents.
Indicators of Compromise:

URLs:
http://antonio24[.]sourceforge.net/andr/image.php (Check-in/Beacon)
http://antonio24[.]sourceforge.net/andr/f.pack (Andromeda Module Pack)
http://antonio24[.]sourceforge.net/andr/r.pack (Andromeda Module Pack)
http://antonio24[.]sourceforge.net/andr/s.pack (Andromeda Module Pack)

Domains:
browsersecurity[.]gq

File Hashes (SHA-256):
Andromeda Sample: 36693f8ce896c304bf679c2c7399cb7805f896a430b15c07129eef3a68d1b2b7
Andromeda Module Packs:
bab1bd5e75f743dec562e94d644150343e42888bb3035053e7bd4ab8dfda581b
16a4db7f6de87391798a53ff0e1b06ed3f33b84860627a7e418aa90a2f8a9723
7664f5915e0fe8fe5179ea8a3824e542b734a8212c498e39aabac83c268e4f91
Malicious shell script from Antonio24's SourceForge site: 6d0b265f6f671bc7ae8e287ee33712b374d8e68327867fe18bc372a8c2f63695
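To turn the indicators above into something a defender can actually run, here is an added example (not RA Labs' code) that refangs the published URLs and domain and matches them against Squid-style proxy access log lines. The log lines, client addresses and peer addresses are constructed for the demonstration; the distinction between the check-in URL, the module packs and the payload host follows the labels in the list above.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the write-up, kept defanged exactly as published.
DEFANGED_URLS = [
    "http://antonio24[.]sourceforge.net/andr/image.php",   # check-in / beacon
    "http://antonio24[.]sourceforge.net/andr/f.pack",      # module packs
    "http://antonio24[.]sourceforge.net/andr/r.pack",
    "http://antonio24[.]sourceforge.net/andr/s.pack",
]
DEFANGED_DOMAINS = ["browsersecurity[.]gq"]               # host the bash script pulls from

def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))

IOC_URLS = {refang(u).lower() for u in DEFANGED_URLS}
IOC_HOSTS = {refang(d).lower() for d in DEFANGED_DOMAINS}

# Squid native access.log: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def classify(url: str):
    """Label a requested URL by indicator type, or None if it matches nothing."""
    u = url.lower()
    parts = urlsplit(u)
    if u in IOC_URLS:
        return "module-pack" if parts.path.endswith(".pack") else "c2-checkin"
    if parts.hostname in IOC_HOSTS:          # any path on the payload host counts
        return "payload-host"
    return None

def scan_log(lines):
    """Return (timestamp, client, label, url) for every line hitting an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m.group("url"))):
            hits.append((m.group("ts"), m.group("client"), label, m.group("url")))
    return hits

# Constructed sample log (TEST-NET peer addresses); the last line is benign SourceForge traffic.
SAMPLE_LOG = """\
1500000001.123 45 10.0.0.7 TCP_MISS/200 512 POST http://antonio24.sourceforge.net/andr/image.php - HIER_DIRECT/192.0.2.10 text/html
1500000002.456 80 10.0.0.7 TCP_MISS/200 20480 GET http://antonio24.sourceforge.net/andr/r.pack - HIER_DIRECT/192.0.2.10 application/octet-stream
1500000003.789 30 10.0.0.9 TCP_MISS/200 1024 GET http://browsersecurity.gq/update.sh - HIER_DIRECT/198.51.100.5 text/plain
1500000004.000 12 10.0.0.7 TCP_MISS/200 2048 GET http://sourceforge.net/projects/example/ - HIER_DIRECT/192.0.2.10 text/html
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Matching on the full URL rather than the hostname keeps ordinary sourceforge.net traffic out of the alert, while the payload domain is matched on host alone because the script's download path was never recovered.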