Shellbot victim overlap with Emotet network infrastructure
20 July 2020
In the fall of 2018, the security division of NTT Ltd. added botnet infrastructure detection capabilities to its Managed Security Services (MSS) and threat detection services. In the initial press release, there were limited details released on how our machine learning system leverages our access to NTT Ltd.’s global network infrastructure. We own and operate one of the world's largest tier-1 IP backbone having insight into a significant portion of the global internet traffic and is consistently ranked among the top five network providers in the world.
In this blog post, we’ll explain how our threat detection analysts used netflow data captured from our global internet infrastructure to uncover overlaps of the Emotet command and control (C2) infrastructure with a previously unknown IRC botnet.Once upon analysing Emotet traffic
It was observed by threat detection analysts that 16 Emotet command and C2s speak with the IP 22.214.171.124 over port
A correlation search on Open-Source Intelligence (OSINT) sources uncovered the following file hosted on the same IP:
Analysing foo.txt we came to the conclusion that it is an IRC Perl bot.
The settings are:
Simplifying the code above one step, we can see how the C2 IP is set, which port is used, the room to join and a list of admins which can send commands:
We connected to 126.96.36.199 with an IRC client in order to confirm the theory that there’s an IRC service running on port 65456:
Unexpectedly the IRC server went down, and we laid the project to rest. However, in February 2020, it was once again online and, this time, with a lot of fever victims connected. One day, the admin connected and sent commands in the channel:
As can be seen, the actor sent various commands which all involved the uninstallation of any victims still speaking with the C2. We’ll proceed with further analysis of the source code of the IRC bot.
Code similarities with Shellbot
Shellbot is an IRC bot which previously has been researched 1 2. The sample observed here stored in foo.txt has a subset of the functionalities of the Shellbot samples referenced by other researchers 3.
The bullet points over function name similarities and dissimilarities between foo.txt and the Shellbot sample 3 :
- 26 functions with the same name
- 17 function names only seen in Shellbot sample 3
- Five function names only seen foo.txt
Function name difference table, where green indicates that the function only exists in foo.txt and red shows it only exists in Shellbot sample 3 :
Throughout the code there are large code overlaps showing that the bot is built upon a similar code base but has been evolutionized by different actors over time.
Here’s an example of a code overlap where the only difference is that the function and variable names are in Portuguese and English:
The function name and code segment overlaps are confirmation that foo.txt is a Shellbot variant. The large availability of samples makes any attribution of the actor behind this activity unlikely.
In our backend, we’ve captured over 80 victims connecting over port 65456 to the C2. Based on OSINT data from Shodan on these victims, we attempted to find the common denominator for the likely original point of exploitation. We started by listing the used ports:
As can be seen, the most common ports show us no surprises, with port 22 used by 81%, indicating most victims to be *nix variants. Port 80 and 443 also occur on most of the victims, with a close to even distribution of NGINX and Apache, the ones classified as http or https are products unknown to Shodan:
We also tried to group by the number of victims affected by the same CVE, at most we only observed five victims were affected by the same CVE:
It might be that the actor is using scanners which exploits multiple known vulnerabilities and/or performs password bruteforce.
We consider the overlap of victims with Emotet C2s incidental. The massive amount of exploitation attempts which occur on the internet inevitably leads to multiple actors exploiting and operating on the same machines. Nevertheless, with this research we’ve been able to add detection for a previously unknown C2 server for the protection of our customers.
In the recently released 2020 Global Threat Intelligence Report, NTT Ltd. researchers and thought leaders share statistics and trends from the previous year. A key theme in this year’s report is ‘Attacks are focusing on web applications’. Read more about how attacks towards web applications and open-source software is changing the threat landscape here.Indicators of compromise
3 Sample from  331bafbf48e1ece5134bc42f4a9bd2be