One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 1056827
Publication date: 2019-03-06 17:57:00 (seen: 2019-03-06 22:01:38)
Title: Internet of Termites
Text: Termite is a tool used to connect together chains of machines on a network. It runs on a surprising number of platforms, including mobile devices, routers, servers and desktops, so it can be used to bounce a connection between multiple machines and to maintain a connection that otherwise would not be possible. Termite is a useful networking and penetration-testing tool, but we are also seeing it used in attacks to gain access to machines.

There has been little reporting on Termite, beyond a brief mention in a Kaspersky report of an earlier version called "EarthWorm". Below, we outline some of the attackers we are seeing deploying Termite.

Note: As we were publishing this, Symantec released a report on attackers using Termite in the 2018 attack that stole the health data of a quarter of the Singapore population.

How Termite and EarthWorm Work

Termite and EarthWorm are publicly available tools written by an employee of 360NetLab. They can be considered an updated version of the well-known packet relay tool HTRAN. Termite came onto our radar when we were reviewing malicious binaries compiled to run on IoT architectures. It is available for a range of operating systems and architectures, including x86, ARM, PowerPC, Motorola, SPARC and Renesas. This means an attacker can use a long chain of desktop, mobile and IoT devices to connect through networks and DMZs.
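The post says Termite turned up while reviewing binaries built for IoT architectures, and that it ships for x86, ARM, PowerPC, Motorola, SPARC and Renesas. The first triage step on such a sample set is to read the ELF header and tell the builds apart without executing anything. The following is an added example, not code from the AlienVault post or from the Termite/EarthWorm project: a small ELF header reader whose machine codes are the ELF specification's e_machine values, run over constructed headers that stand in for a multi-architecture sample set (they are not Termite binaries).

```python
"""Identify the CPU architecture of ELF binaries from their headers.

Added example; not code from the AlienVault post or from Termite/EarthWorm.
Triage of multi-architecture tooling like Termite starts with telling the
x86, ARM, PowerPC, SPARC, Motorola 68k and Renesas SuperH builds apart
without running anything. E_MACHINE holds the ELF specification's values;
the SAMPLES below are constructed headers, not real malware.
"""
import struct

ELF_MAGIC = b"\x7fELF"

# ELF e_machine values (elf.h); only those relevant to the post plus a few common ones.
E_MACHINE = {
    2: "SPARC",
    3: "x86 (i386)",
    4: "Motorola 68000",
    8: "MIPS",
    20: "PowerPC",
    21: "PowerPC64",
    40: "ARM",
    42: "Renesas SuperH",
    62: "x86-64",
    183: "AArch64",
}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_arch(data):
    """Describe class, endianness, e_type and e_machine of an ELF image.

    Raises ValueError for anything that is not ELF (e.g. the Windows
    agent.exe/admin.exe builds, which are PE files and start with 'MZ')."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine sit right after the 16-byte e_ident in ELF32 and ELF64 alike,
    # so the architecture can be read before the class-dependent fields.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def make_elf_header(bits, endian, e_machine, e_type=2):
    """Construct the first 20 bytes of an ELF header (test input only)."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1])
    ident += b"\0" * 9                      # EI_OSABI, EI_ABIVERSION, padding
    return ident + struct.pack(("<" if endian == "little" else ">") + "HH", e_type, e_machine)


# Constructed stand-ins for the multi-arch builds the post describes.
SAMPLES = {
    "sample_x86": make_elf_header(32, "little", 3),
    "sample_arm": make_elf_header(32, "little", 40),
    "sample_ppc": make_elf_header(32, "big", 20),
    "sample_sparc": make_elf_header(32, "big", 2),
    "sample_m68k": make_elf_header(32, "big", 4),
    "sample_sh": make_elf_header(32, "little", 42),
    "sample_x64": make_elf_header(64, "little", 62),
}


def triage(samples=SAMPLES):
    """Map sample name -> architecture string for a batch of headers."""
    return {name: elf_arch(blob)["machine"] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        info = elf_arch(blob)
        print(f"{name:13s} ELF{info['bits']} {info['endian']:6s} {info['type']:4s} {info['machine']}")
```

Against real files, read the first 20 bytes of each sample and pass them to `elf_arch`; packers and stripped symbols do not change these header fields, which is why the check is reliable for a first sort of a mixed-architecture drop.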
Termite can act as a SOCKS proxy to bounce traffic, and as a lightweight backdoor that can upload and download files and execute shell commands.

(Figure: the Termite help function)

For example, this is a typical sequence of commands you may see when investigating a compromised machine:

Victim host. On the victim, the attacker starts the agent listening for incoming connections:

    agent.exe -l 8888

Attacker host. The attacker then connects to the compromised machine:

    admin.exe -c [target_ip] -p 8888

and selects which compromised system to interact with:

    goto 1

Then they start a SOCKS proxy on that system to route traffic through it:

    socks 1080

and a shell on the compromised system that they can connect to with netcat:

    shell 6666

Termite uses a di
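The sequence above ends with `socks 1080`, after which the compromised host forwards whatever the attacker sends through that port. What a sensor in front of the pivot actually sees is a SOCKS5 handshake followed by relayed traffic. The following is an added example, not code from the AlienVault post or from Termite/EarthWorm: a minimal RFC 1928 SOCKS5 relay standing in for the pivot's listener, a client standing in for the attacker's tooling, and a loopback "internal" host behind the pivot, all run in one process. Addresses, ports and the payload are constructed for the demonstration; the function and constant names are this example's own.

```python
"""Minimal SOCKS5 (RFC 1928) pivot and client, run entirely over loopback.

Added example; not code from the AlienVault post or from Termite/EarthWorm.
The relay stands in for the listener that `socks 1080` starts on a compromised
host, the client for the attacker's tooling behind it. Constructed loopback
setup with OS-chosen ports; there are no real targets.
"""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, NO_ACCEPTABLE_METHOD = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4, REP_SUCCEEDED = 0x01, 0x01, 0x00


def _recv_exact(sock, n):
    """Read exactly n bytes; SOCKS fields are fixed-length."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy src -> dst until EOF, then tear both sockets down."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def serve_socks5_once(listener):
    """Pivot side: accept one client, no-auth greeting, one CONNECT, then relay."""
    conn, _ = listener.accept()
    ver, nmethods = _recv_exact(conn, 2)                              # 05 NN
    if ver != SOCKS_VERSION or NO_AUTH not in _recv_exact(conn, nmethods):
        conn.sendall(bytes([SOCKS_VERSION, NO_ACCEPTABLE_METHOD]))   # 05 ff: refuse
        raise ConnectionError("client offered no acceptable auth method")
    conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))                     # 05 00
    ver, cmd, _rsv, atyp = _recv_exact(conn, 4)                       # 05 01 00 01
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or atyp != ATYP_IPV4:
        raise ConnectionError("only CONNECT to an IPv4 address is handled here")
    dst_ip = socket.inet_ntoa(_recv_exact(conn, 4))
    (dst_port,) = struct.unpack("!H", _recv_exact(conn, 2))
    upstream = socket.create_connection((dst_ip, dst_port))
    bound_ip, bound_port = upstream.getsockname()[:2]
    conn.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0, ATYP_IPV4])  # 05 00 00 01 addr port
                 + socket.inet_aton(bound_ip) + struct.pack("!H", bound_port))
    threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
    _pump(upstream, conn)                                             # relay until either side closes


def socks5_connect(proxy_addr, target_ip, target_port):
    """Client side: greeting + CONNECT. Returns (socket, bytes put on the wire)."""
    sock = socket.create_connection(proxy_addr, timeout=5)
    greeting = bytes([SOCKS_VERSION, 1, NO_AUTH])                     # 05 01 00
    sock.sendall(greeting)
    if _recv_exact(sock, 2) != bytes([SOCKS_VERSION, NO_AUTH]):
        raise ConnectionError("pivot rejected the no-auth method")
    request = (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4])      # 05 01 00 01
               + socket.inet_aton(target_ip) + struct.pack("!H", target_port))
    sock.sendall(request)
    reply = _recv_exact(sock, 10)                                     # 05 REP 00 01 addr port
    if reply[0] != SOCKS_VERSION or reply[1] != REP_SUCCEEDED:
        raise ConnectionError(f"CONNECT failed, REP=0x{reply[1]:02x}")
    return sock, greeting + request


def _serve_echo_once(listener):
    """Stand-in for an internal host behind the pivot: upper-cases one message."""
    conn, _ = listener.accept()
    conn.sendall(conn.recv(4096).upper())
    conn.close()


def _loopback_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def pivot_demo(payload=b"hello through the pivot"):
    """Send one message to the internal host via the pivot.
    Returns (client handshake bytes, reply received through the pivot)."""
    target, pivot = _loopback_listener(), _loopback_listener()
    threading.Thread(target=_serve_echo_once, args=(target,), daemon=True).start()
    threading.Thread(target=serve_socks5_once, args=(pivot,), daemon=True).start()
    sock, handshake = socks5_connect(pivot.getsockname(), "127.0.0.1", target.getsockname()[1])
    sock.sendall(payload)
    reply = _recv_exact(sock, len(payload))
    for s in (sock, target, pivot):
        s.close()
    return handshake, reply


if __name__ == "__main__":
    hs, rep = pivot_demo()
    print("client bytes on the wire:", hs.hex(" "))
    print("reply via pivot:", rep)
```

The 13 bytes the client puts on the wire before any payload (`05 01 00`, then `05 01 00 01` plus the destination address and port) are the same whether the pivot is this toy relay or a real proxy, which is what makes an unauthenticated SOCKS listener on an internal host detectable with a simple content match on the greeting, independent of whatever the pivot forwards afterwards.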
Sent: Yes
Condensate (the aggregator's keyword index of the article). The Suricata and YARA rule bodies are not recoverable from it; the indicators that are:

SHA256 hashes listed in the article:
18c3accc4f65aae7bf7897adef35abdcca3697884860a6b5360e4f2d07bc26ed
1ae62dbec330695d2eddc7cb9a65d47bad5f45af95e6c8a803f0780e0749a3ad
27cd70b47588aa0a1c8d737cde89fe8de1351af49aa8f11378a1e26a40f268eb
3141ce911e3da8b0bf9744ef0603f7fac55be157eafc54995a752759882da1b2
3537b3eaad16d59c1f0c22d6cbcfe5a1b4542cc4f6a1e3135e26873c0dd4b06f
381774ed8d6d69975694247acc80e42831ee68b43583c8734af52adff8f73373
3af0857c9fae7e41683d34af7e04c6ed29439466761512ebbf28bad7561d092b
3d9aaac0a8e5c7eadd79d8d5c16119d04f4e9db7107fc44a1e32a8746a1ec375
44370c394c70f88cd9ecfb23f9d6570e2134761d1a04deea5205cec31469cfb0
459333b4765363526b2f76353941a5e1346e9a71433bd16c1e34a03c3c13bf6b
46af7c0674c69df2af1905ea58288f24d2d10e644d5446d8d2b71b251e8e70bd
58fcbf640b58a45f2fed22fdd70c5d73ae781274927a2def5f71cb3e4ce02a15
5bcac0a74645424d26b217b7725be826b7d558ecbce7ec5d3072d802e1834181
73fc266095e6d582b79db226145d0990129ad72c584863a61f3bd0e8056a0435
7aa2f4a66d72adefd632e15dee392cbeab0a843a4890598a9610660897b398f1
825790dbcdf9b7a69b9a566f71bc167a0a8353e735390c5815b247ac58efa817
8774f27021146a863accbf34199a378a28ed28a1c616b8741a1dc8021783a4ec
8b6d83c919ad123d4b27f3404604e99eeba9196cf81f3210a65d8ae1b89465a6
980fd1e947a8dd578c45bc76254b6aaa95b35e6ec33b8f41da268623500bd0f1
9b3d82bb1aff3a17a490dd4da09cd315d8e94a52b8caa31ef7a7cf2a89c9d87a
a487628dc7647507f77cff66269d5d4588c7647e408b07ec0c4b1f16a93eefc4
a585eb434239e5c1714192482f20ec2483bf8eae4654ef77973524b3a151b455
ad560a69ad6aa327b59c123683189dec416889616b652beaa666a5919fe13935
afb55dc8b4bcff758082efde93e5ca9c2a6a725b16a4c82e7675393bf46fecfd
b1988efb8f1debd239e0c563f94d22362e43af77284796899f9987622ffb1463
d21cccc6cb3f8313098da5b7ad6a37b5349835a702b5caf8e794a7c6903f40c5
d57cbbc5b6f0d223b5a3470a6a444ea4ef49dad718cbe992c92cca935cfdac7d
da584a49609de5985f5ba64cfb215f0c30c93fac11563ea32afa3820b3327139
e05ef2747f973d6ae9e4bd5fbeede55b27afd44882b83b4aee79330e856757e8
ef1d610dd78efae3dfa2eebade2ee76882b7e2b5df140aa068e25519d800bc63
f8478ce363f824fc8dc14cebe84c29a4d12e66536c0250b9f12540e3a511935b

Reference URL from the article's Suricata rule (reference:url):
https://github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.