A Single IP is Scanning Intensely, and Yields a List of Malware Loaders | F5 Labs
- by nlqip
Introduction
Welcome to the August 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data.
Last month, we observed the scanning for CVE-2017-9841 fell sharply, and this month is no different, with scanning for that vulnerability falling another 79% from July’s rate. Overall, it’s down 97.4% from its high-water mark in June of 2024.
CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 consumer routers, which has been consistently towards the top of our ranking, is now the most scanned for CVEs that we track, but it too is down from last month, falling off by 18.8% compared to July.
Researching an Aberration
We frequently look for anomalies not related to specific CVE scanning activity in our logs, and this month, we found one that’s worth mentioning.
We first noted that the overall level of scanning was up significantly from the month prior, having risen 90.9% in terms of total events observed.
Digging into this a bit, we were surprised to find that the top source and destination country combination was scanners located in Lithuania scanning US sensors. This is unusual, and became even more unusual when we found that the vast majority (99.9%) of that traffic was from just one IP address.
That IP address is 141.98.11.114, with a reverse DNS lookup of “srv-141-98-11-114.serveroffer.net”. Serveroffer.net appears to be a hosting infrastructure provider based out of the city of Kaunas, in Lithuania.
We looked back a bit further, across the whole of 2024 in fact, and we found that this IP has been scanning quite a lot but not very consistently.
Day | n |
07-21 | 7148 |
07-22 | 16083 |
07-25 | 16064 |
07-26 | 4016 |
07-31 | 12048 |
08-10 | 165916 |
08-11 | 82957 |
08-12 | 82956 |
08-16 | 68279 |
08-17 | 14679 |
08-18 | 165916 |
Table 1: Scanning activity of 141.98.11.114, broken out by month and day. Note that the scanning behavior is not constant and seems to happen a few days at a time.
We were initially expecting to find this IP scanning for a specific set of vulnerabilities, or at least a class of vulnerability, but this scanner seems to be trying to pull a lot of odd URLs.
There are 83,193 distinct URLs being scanned for by this IP, the majority of which appear to have a file extension present, for example “GET /kolomz.exe”. We’ve published this list to our github as “141.98.11.114_unique_urls.txt”. This immediately made us wonder if this scanner was attempting to find malware hosting sites, as many malware loaders we observe in our data follow a similar naming scheme. Its User-Agent header of “BotPoke” also was an interesting breadcrumb to follow.
File Extension | n |
.exe | 525305 |
(no extention present) | 20673 |
.sh | 14768 |
.bat | 13496 |
.apk | 10710 |
.hta | 6706 |
.vbs | 4613 |
.mips | 2912 |
.arm7 | 2784 |
.arm5 | 2752 |
all_others | 31343 |
Table 2: Analysis of file extensions present in scanned urls by 141.98.11.114
We found a few references online, some dating as far back as 2010, to a scanner exhibiting similar behavior, with the same User-Agent string, so this doesn’t seem to be anything out of the ordinary, except for the intensity of the scanning activity and the use of a single IP address.
We expanded our search for unique URLs by looking for any URL associated with the User-Agent “BotPoke”, and we’ve published a full list of the unique URLs found, all 105,797 of them, to our github repo as “full_list_PokeBot_URLs.txt”.
Both the published lists may be useful for threat hunting in web environments, as they contain names of common malware loaders, but please be aware that these files likely contain all sorts of filetypes, ranging from malware loaders, to cracked games, and much else besides. Please use these lists with caution, and we make no guarantees of correctness.
August Vulnerabilities by the Numbers
Figure 1 shows July attack traffic for the top ten CVEs that we track. CVE-2017-9841 has fallen off to 4th place, and CVE-2023-1389 has retaken the top spot. Also notable is the disappearance of CVE-2021-28481 from the top 10, and the appearance of CVE-2020-0618.
The regular movement on this graph is not surprising – scanning for different vulnerabilities varies significantly month to month.
Source link
lol
Introduction Welcome to the August 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data. Last month, we observed the scanning for CVE-2017-9841 fell sharply, and this month is no different, with scanning for that vulnerability falling another 79% from July’s rate. Overall, it’s down 97.4%…
Recent Posts
- Month in security with Tony Anscombe – October 2024 edition
- Google ‘Hiring Less’ As Operating Income Surges At Google Cloud
- LastPass warns of fake support centers trying to steal customer data
- Dell PowerMax And Dell PowerScale Get Big AI Upgrades
- Synology hurries out patches for zero-days exploited at Pwn2Own