Full Report
In one attack chain, a Bash script retrieved from 0x0[.]st was used to install TinyProxy via common package managers like apt, yum, or dnf. The script then modified configuration files to allow unrestricted external access (Allow 0.0.0.0/0), exposing the proxy service on port ...
Analysis Summary
# Tool/Technique: TinyProxy Deployment via Compromised SSH
## Overview
This describes the stage of an attack where compromised Linux SSH servers are leveraged to install and configure the TinyProxy software. The primary goal appears to be establishing unauthorized proxy services, likely for command and control, data exfiltration, or anonymizing subsequent malicious activity.
## Technical Details
- Type: Tool (Software Installation/Configuration)
- Platform: Linux (Servers running package managers like apt, yum, dnf)
- Capabilities: Installing proxy software, modifying configuration files to create unrestricted external access.
- First Seen: Based on publication date, June 2025 (contextual timeframe).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access (Contextual, as this follows SSH compromise)
- T1110 - Brute Force (Implied prerequisite via SSH credential compromise)
- TA0002 - Execution
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- TA0008 - Lateral Movement (If used to pivot)
- TA0011 - Command and Control
- T1090 - Proxy
## Functionality
### Core Capabilities
- **Automated Installation:** Utilization of a Bash script to initiate the installation of TinyProxy using native Linux package management tools (`apt`, `yum`, `dnf`).
- **Configuration Modification:** Altering TinyProxy configuration files to explicitly allow connections from any external IP address (`Allow 0.0.0.0/0`).
- **Service Exposure:** Exposing the resulting proxy service, typically on port 8888.
### Advanced Features
- The use of `0x0[.]st` as the initial retrieval source, a public file-hosting service, indicates that the installation script is staged on third-party infrastructure rather than on attacker-controlled servers.
## Indicators of Compromise
- File Hashes: N/A (Script hash not provided)
- File Names: Bash script retrieved from `0x0[.]st`
- Registry Keys: N/A (Linux target)
- Network Indicators: N/A (Proxies are egress points, not necessarily specific C2 domains)
- Behavioral Indicators: Execution of package manager commands (`apt install tinyproxy`, `yum install tinyproxy`, etc.) following script execution; modifications to TinyProxy configuration files to include `Allow 0.0.0.0/0`.
## Associated Threat Actors
- Unknown (Reported as part of a general campaign exploiting compromised SSH servers).
## Detection Methods
- Signature-based detection: Signatures for the initial retrieval script from `0x0[.]st`.
- Behavioral detection: Monitoring for the modification of standard configuration files related to proxy services (e.g., TinyProxy config files) to include overly permissive access rules like `Allow 0.0.0.0/0`. Monitoring execution of package managers initiated by non-standard or unauthorized scripts.
- YARA rules if available: N/A
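The behavioral check above can be run as a configuration audit. The following is an added example, not code from the report or from the TinyProxy project: it parses a `tinyproxy.conf`, records the `Port` and every `Allow` network, and flags rules broad enough to expose the proxy to the internet. The prefix-length thresholds and the two sample configurations are constructed for this example.

```python
"""Audit a TinyProxy configuration for overly permissive Allow rules (added example)."""
import ipaddress
import re

# Allow rules at or below these prefix lengths open the proxy to an enormous range.
# Thresholds are constructed for this example; 0.0.0.0/0 has prefix length 0.
MAX_OPEN_PREFIX = {4: 8, 6: 32}
_DIRECTIVE = re.compile(r"^(Allow|Deny|Port)\s+(\S+)", re.IGNORECASE)


def audit_tinyproxy_conf(text: str) -> dict:
    """Return {'port', 'allows', 'findings'}; a non-empty 'findings' list means exposure."""
    report = {"port": None, "allows": [], "findings": []}
    rule_count = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (commented-out rules do not count)
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "port":
            report["port"] = int(value)
            continue
        rule_count += 1
        if key == "deny":
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            # TinyProxy also accepts hostnames here; their scope cannot be judged statically.
            report["findings"].append(f"line {lineno}: Allow {value} is not an IP/CIDR, review manually")
            continue
        report["allows"].append(str(net))
        if net.prefixlen <= MAX_OPEN_PREFIX[net.version]:
            report["findings"].append(f"line {lineno}: Allow {net} exposes the proxy to a very large range")
    if rule_count == 0:
        # Per TinyProxy's documented default, with no Allow/Deny rules every client is accepted.
        report["findings"].append("no Allow/Deny rules: TinyProxy defaults to allowing all clients")
    return report


# Constructed sample configs: loopback-only defaults, and the tampered variant described
# in the report (Allow 0.0.0.0/0 with the service on port 8888).
SAFE_CONF = "Port 8888\nAllow 127.0.0.1\nAllow ::1\n"
TAMPERED_CONF = "Port 8888\n# Allow 127.0.0.1\nAllow 0.0.0.0/0\n"

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("tampered", TAMPERED_CONF)):
        print(name, audit_tinyproxy_conf(conf)["findings"])
```

Run against `/etc/tinyproxy/tinyproxy.conf` on a schedule or from a file-integrity alert, and treat any finding on a host that is not meant to serve as a proxy as an indicator worth triage.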
## Mitigation Strategies
- Prevention measures: Implement geo-blocking and strong firewall rules to restrict inbound and outbound connections unless strictly necessary.
- Hardening recommendations: Disable password-based SSH authentication in favor of SSH keys; enforce Multi-Factor Authentication (MFA); regularly audit configuration files (e.g., for proxy services) for unauthorized permissive access settings.
## Related Tools/Techniques
- Sing-box Deployment: Mentioned as an alternative tool used in related variants, indicating the threat actor focuses on deploying flexible, often legitimate, proxy frameworks.
***
# Tool/Technique: Sing-box
## Overview
Sing-box is a legitimate and modern open-source proxy framework. In this attack context, it is being deployed on compromised servers to provide advanced proxying capabilities, likely to bypass network restrictions or obscure follow-on malicious traffic.
## Technical Details
- Type: Tool (Proxy Framework/Software)
- Platform: Linux (Target)
- Capabilities: Supports advanced proxy protocols including vmess-argo, vless-reality, and Hysteria2, allowing for sophisticated traffic tunneling and evasion.
- First Seen: N/A (Tool developed independently, but observed in this attack context around June 2025).
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- T1090.003 - Proxy: Multi-hop Proxy (Implied capability depending on configuration)
## Functionality
### Core Capabilities
- **Advanced Protocol Support:** Enables support for modern tunneling and obfuscation protocols (vmess-argo, vless-reality, Hysteria2).
- **Legitimate Software Abuse:** Leverages a standard, often legitimate, tool for illicit proxying.
### Advanced Features
- Ability to configure protocols designed to mimic legitimate traffic patterns, aiding in network evasion.
- Deployment via scripts sourced from GitHub suggests use of automated deployment mechanisms.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Sing-box binaries/executables
- Registry Keys: N/A
- Network Indicators: Traffic utilizing VLESS or VMESS protocols originating from the compromised server.
- Behavioral Indicators: High system resource utilization immediately preceding connection establishment; execution of numerous system reconnaissance commands before Sing-box installation scripts are run.
## Associated Threat Actors
- Unknown (Associated with the group compromising Linux SSH servers and deploying proxies).
## Detection Methods
- Signature-based detection: Signatures for known Sing-box installation scripts sourced from unknown GitHub repositories.
- Behavioral detection: Detection of system reconnaissance commands following initial access, especially those preceding the installation of network utilities. Monitoring outbound connections utilizing protocols like VLESS/VMESS from servers not intended for such use.
- YARA rules if available: N/A
## Mitigation Strategies
- Prevention measures: Strict outbound network policies limiting the ports and protocols that internal hosts can initiate.
- Hardening recommendations: Strictly control which users/processes can execute scripts downloaded from external sources (e.g., GitHub) on production servers.
## Related Tools/Techniques
- TinyProxy: Another proxy tool deployed in related attack chains, suggesting the actors use whichever proxy software is easily accessible or best suited for the current objective.