Found an RDP bruteforcer in the wild.
MD5 hash: e5855ed7b278e0bcf877d89c84b909ac
Obtained the binary from this URL: http://217.12.219.181/test/w.exe
Callback URL: http://78.154.54.42/www/cmd.php
The binary sends an HTTP POST request to this URL. Each time it checks in, the server hands it a fresh set of target IP addresses to brute-force together with the usernames and passwords to try, so the target list and wordlist are controlled server-side rather than hardcoded.
Below you can see the multiple attempts to connect to the IP addresses on port 3389:
After the initial HTTP POST request to the callback server, the bot downloads a second binary:
URL of Binary: http://78.154.54.42/www/bin/1.exe?1680638915
This downloaded binary replaces the initially dropped winlogon.exe file in the %appdata% folder with win!ogon.exe. Both names mimic the legitimate Windows logon process; the real winlogon.exe only ever runs from %SystemRoot%\System32, so a winlogon.exe or win!ogon.exe under a user profile is a reliable host indicator.
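The network and host indicators above translate directly into detection logic. The following is an added example, not code from the original post: it matches proxy log lines against the dropper host, the cmd.php tasking POST and the /www/bin/ payload download, and flags a winlogon.exe running outside System32 or the win!ogon.exe lookalike. The log format (client, method, host, path, status) and process-listing format (host, pid, image path) are assumptions, and the sample lines are constructed.

```python
import re

# Network indicators from the writeup above.
DROPPER_HOST = "217.12.219.181"          # hosted w.exe
C2_HOST = "78.154.54.42"
C2_TASKING_PATH = "/www/cmd.php"         # POST here to fetch targets/credentials
C2_PAYLOAD_PREFIX = "/www/bin/"          # 1.exe?<epoch> is served from here

# Constructed proxy log lines (not real traffic): client method host path status
SAMPLE_PROXY_LOG = """\
10.0.0.7 POST 78.154.54.42 /www/cmd.php 200
10.0.0.7 GET 78.154.54.42 /www/bin/1.exe?1680638915 200
10.0.0.9 GET www.example.com /index.html 200
10.0.0.12 GET 217.12.219.181 /test/w.exe 200
10.0.0.9 GET 78.154.54.42 /www/ 200
"""

# Constructed process listing (not real telemetry): host pid image_path
SAMPLE_PROCESSES = """\
WS01 4321 C:\\Users\\pos\\AppData\\Roaming\\winlogon.exe
WS01 612 C:\\Windows\\System32\\winlogon.exe
WS02 5570 C:\\Users\\shop\\AppData\\Roaming\\win!ogon.exe
WS03 800 C:\\Windows\\explorer.exe
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
PROC_RE = re.compile(r"^(\S+) (\d+) (.+)$")


def match_proxy_hits(log_text):
    """Return (client, reason) for every request that touches the C2 or dropper."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        client, method, host, path, _status = m.groups()
        path_noquery = path.split("?", 1)[0]     # 1.exe?1680638915 -> 1.exe
        if host == C2_HOST and method == "POST" and path_noquery == C2_TASKING_PATH:
            hits.append((client, "C2 tasking POST"))
        elif host == C2_HOST and path_noquery.startswith(C2_PAYLOAD_PREFIX):
            hits.append((client, "C2 payload download"))
        elif host == C2_HOST:
            hits.append((client, "other contact with C2 host"))
        elif host == DROPPER_HOST:
            hits.append((client, "dropper host contact"))
    return hits


def match_process_hits(proc_text):
    """Flag winlogon.exe running outside System32 and the win!ogon.exe lookalike."""
    hits = []
    for line in proc_text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        host, pid, image = m.groups()
        directory, _, name = image.lower().rpartition("\\")
        if name == "win!ogon.exe":
            hits.append((host, int(pid), "win!ogon.exe lookalike"))
        elif name == "winlogon.exe" and not directory.endswith("\\windows\\system32"):
            # the real winlogon.exe lives only in %SystemRoot%\System32
            hits.append((host, int(pid), "winlogon.exe outside System32"))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_hits(SAMPLE_PROXY_LOG) + match_process_hits(SAMPLE_PROCESSES):
        print(hit)
```

The payload URL carries a changing query string (an epoch timestamp), so the match is made on the path prefix rather than the full URL; the process check keys on the image name and directory rather than on a hash, since the dropped binary is replaced by a new one on the first check-in.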
Below is the list of usernames and passwords used by it to perform the RDP bruteforcing:
logins:
pos
pos1
pos01
admin
administrator
micros
microssvc
client
client1
shop
station01
passwords:
admin
pos
pos1
pos01
password
Password
Password1
client1
administrator
micros
microssvc
shop
client
station
123456
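The wordlist is small (11 logins, 15 passwords, 165 combinations) and is clearly aimed at point-of-sale systems, which makes it a good seed for target-side detection. The following is an added example, not code from the original post: it reproduces the two lists, enumerates the combinations, and runs a sliding-window detector over constructed failed-logon records (the fields a defender would pull from Windows Security event 4625: timestamp, target host, source IP, username) to flag any source that cycles through several of the bot's usernames in a short interval. The record format, window and threshold are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import product

# Credential lists reproduced from the writeup above.
LOGINS = ["pos", "pos1", "pos01", "admin", "administrator", "micros",
          "microssvc", "client", "client1", "shop", "station01"]
PASSWORDS = ["admin", "pos", "pos1", "pos01", "password", "Password",
             "Password1", "client1", "administrator", "micros", "microssvc",
             "shop", "client", "station", "123456"]


def credential_pairs():
    """Every username/password combination the bot can try against one host."""
    return list(product(LOGINS, PASSWORDS))


# Constructed failed-logon records (not real event-log data):
#   timestamp  target_host  source_ip  username
SAMPLE_EVENTS = """\
2023-04-04T02:14:03 POS-TERM1 198.51.100.23 pos
2023-04-04T02:14:05 POS-TERM1 198.51.100.23 pos1
2023-04-04T02:14:08 POS-TERM1 198.51.100.23 pos01
2023-04-04T02:14:11 POS-TERM1 198.51.100.23 Admin
2023-04-04T02:14:14 POS-TERM1 198.51.100.23 administrator
2023-04-04T02:14:17 POS-TERM2 198.51.100.23 micros
2023-04-04T02:15:40 POS-TERM1 192.0.2.50 jsmith
2023-04-04T02:16:02 POS-TERM1 192.0.2.50 jsmith
2023-04-04T09:30:00 BACKOFFICE 10.0.0.5 admin
2023-04-04T09:30:21 BACKOFFICE 10.0.0.5 admin
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 4   # distinct wordlist usernames from one source inside WINDOW


def parse_events(text):
    """Parse records into (datetime, host, source, username) sorted by time.
    Usernames are lower-cased because Windows logon names are case-insensitive."""
    events = []
    for line in text.splitlines():
        ts, host, src, user = line.split()
        events.append((datetime.fromisoformat(ts), host, src, user.lower()))
    events.sort()
    return events


def detect_rdp_bruteforce(text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: (distinct_wordlist_users, [target hosts])} for sources
    that cycle through the bot's username list within one time window."""
    wordlist = {u.lower() for u in LOGINS}
    by_src = defaultdict(list)
    for ts, host, src, user in parse_events(text):
        if user in wordlist:               # ignore names the bot never tries
            by_src[src].append((ts, host, user))

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, _, u in in_window}
            # keep the widest hit seen for this source
            if len(users) >= threshold and len(users) > alerts.get(src, (0,))[0]:
                hosts = sorted({h for _, h, _ in in_window})
                alerts[src] = (len(users), hosts)
    return alerts


if __name__ == "__main__":
    print(len(credential_pairs()), "credential pairs")
    for src, (n, hosts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {n} wordlist usernames against {hosts}")
```

Keying on distinct wordlist usernames rather than on raw failure counts is what separates this bot from a user mistyping a password: in the sample, 10.0.0.5 fails twice as admin and is not flagged, while 198.51.100.23 walks through six of the bot's names in fourteen seconds across two terminals and is.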
Some of the subnets which this bruteforcer targets are:
71.221.6.0/24
68.223.28.0/24
68.223.29.12/24
24.223.48.0/24
24.224.49.0/24
54.223.70.0/24
54.223.71.0/24
68.31.92.0/24
68.31.93.0/24
24.223.114.0/24
24.223.115.0/24
50.223.136.0/24
68.31.156.0/24
68.31.157.0/24
50.223.177.0/24
68.223.199.0/24
68.223.200.0/24
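The target list is worth loading into a lookup so that outbound RDP from inside a network can be checked against it; an infected host shows up as a machine opening port 3389 to many addresses in these ranges. The following is an added example, not code from the original post: it parses the list above, answers membership queries, counts the covered address space, and flags internal hosts in constructed flow records (source IP, destination IP, destination port) that connect to several targeted addresses. Note that 68.223.29.12/24 as listed has host bits set, so Python's ipaddress rejects it under the default strict parsing and must be normalized. The flow format and the minimum-target threshold are assumptions; the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

# Target ranges reproduced from the writeup above (one per line).
TARGET_RANGES = """\
71.221.6.0/24
68.223.28.0/24
68.223.29.12/24
24.223.48.0/24
24.224.49.0/24
54.223.70.0/24
54.223.71.0/24
68.31.92.0/24
68.31.93.0/24
24.223.114.0/24
24.223.115.0/24
50.223.136.0/24
68.31.156.0/24
68.31.157.0/24
50.223.177.0/24
68.223.199.0/24
68.223.200.0/24
"""

# Constructed flow records (not real NetFlow): src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
10.0.0.7 68.223.28.15 3389
10.0.0.7 68.223.28.16 3389
10.0.0.7 68.223.29.200 3389
10.0.0.7 24.223.48.3 3389
10.0.0.9 93.184.216.34 443
10.0.0.11 68.31.92.5 3389
"""


def load_targets(text):
    """Parse the CIDR list. strict=False is required: 68.223.29.12/24 has host bits
    set and ip_network() raises ValueError for it under the default strict=True."""
    return [ipaddress.ip_network(line, strict=False) for line in text.split()]


def targeted_network(ip, nets):
    """Return the target range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def targeted_address_count(nets):
    """Total addresses covered, after merging adjacent ranges (.28/24 + .29/24 -> /23)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def outbound_rdp_scanners(flow_text, nets, min_targets=3):
    """Internal hosts opening RDP to >= min_targets distinct addresses in the target
    list: what an infected machine looks like from inside the network."""
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        src, dst, port = line.split()
        if port == "3389" and targeted_network(dst, nets) is not None:
            seen[src].add(dst)
    return {src: sorted(d) for src, d in seen.items() if len(d) >= min_targets}


if __name__ == "__main__":
    nets = load_targets(TARGET_RANGES)
    print(len(nets), "ranges,", targeted_address_count(nets), "addresses")
    print(outbound_rdp_scanners(SAMPLE_FLOWS, nets))
```

Since the C2 hands out a new target set on every check-in, the list on this page is only the slice observed during analysis; the flow check is therefore most useful as a low-threshold trigger for a broader "internal host fanning out on 3389" rule rather than as an exact allowlist.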
Data is exchanged between the malware and the callback server in plaintext (HTTP, no TLS), so the tasking, including the target IPs, usernames and passwords, is visible on the wire and can be matched directly by a network sensor.
Login Panel on the callback server:
http://78.154.54.42/www/
c0d3inj3cT