A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
Field | Value |
---|---|
Name | 8UsA |
First seen in Guardicore Centra | 2018-03-27 |
Last seen in Guardicore Centra | 2020-11-03 |
This campaign is identified by the Bash script it drops on infected servers, which is named 8UsA.sh. Its earliest incidents were observed in 2018, but the most recent attack wave started in June 2020. Breached servers connect to the command-and-control server and download a DDoS malware sample compiled for the specific architecture. C2 communication is done over port 5555, and DDoS traffic is sent over Telnet (TCP port 23). It appears that the main C2 is hosted by Frantech Solutions, which no longer provides service.
Indicators of Compromise
Connect-Back Servers
Associated Files
Path | Hash | Size |
---|---|---|
/tmp/8UsA.sh, /tmp/8UsA.sh.1 | 3252d16c917965d9a7372cf5e32059ffd22a3a5b52bed4eacc4a8eb3ba33d59b | 2.02 KB |
/tmp/owari.x86, /tmp/owari.x86.1 | 4d70a6eaeda98ba583660dd642454b05f8aa62d6500c84c9d2e46b005b0d671b | 40.59 KB |
/tmp/8UsA.sh | d39f72fd484db049ab6e6c9c4bf6f5396ad445193fb45ec0fcd99da0de9ea1d1 | 1.96 KB |
/tmp/8UsA.sh | 7b7de7d272b0c3cae8411e25c336ffa840a2d02252d2dc4c9e19c621095fd93f | 2.16 KB |
/tmp/owari.x86 | 75146b5cf1863f004aedbe51bdad1c772df470c3082b12aa4b9082c063b84356 | 12.71 KB |
/tmp/8UsA.sh | 7751c12a32e86407f964287efc6a35aba8175bb7af21d130ac63bcc45702d29c | 1.91 KB |
/tmp/8UsA.sh | 7c034bad3f774ed35196519a11855f2db90c89b40704325578f4bc86a1c5dc27 | 1.98 KB |
/tmp/owari.mpsl | 9361c0c4b833a1143b3c76bdb79306ceb0aa6faf91e532602531892d394be2e7 | 58.22 KB |
/tmp/sector | a03217e35817289ea9f7e3877b7d0b334f8401d11ee8741c8708e1c01d1063c8 | 66.15 KB |
/tmp/owari.mips | a71ee463efbfc4842f1ea3a0193070d323f70170552f0349e531b1c5d77e92e6 | 57.91 KB |
/tmp/8UsA.sh | add0629388422274878ef3b2e584ec1ac41c457e9c2e64c867893b5593397614 | 1.86 KB |
/tmp/3AvA | be3af93113bfc5df347470a79178ef8ff8113636653d696cd7a2b1ef27d3f085 | 50.13 KB |
/tmp/sector.x86 | c69b85dd8e39a10e828d9e51f7308b1c9bb637c40371e9a80ca7754eff5ebbeb | 62.08 KB |
/tmp/owari.arm5 | c6c8b8dbf7b951860ce1232edaa33bd79e36c55ba885fe525204083a22ecaf01 | 36.23 KB |
/tmp/sora | 1d9a8cc4d03f6a2180a48ea8b1cd85d77888405142c16d9ec0e02136083cef42 | 43.78 KB |
Attack Flow
Field | Value |
---|---|
Breached Services | HadoopYARN, SSH |
Tags | Download and Allow Execution, Successful SSH Login, Download Operation, Access Suspicious Domain, Download File, Outgoing Connection, HTTP, SSH |
Incident Summary
Event | Tag |
---|---|
A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List | Successful SSH Login |
A possibly malicious Download Operation was detected | Download Operation |
Process /usr/bin/wget generated outgoing network traffic to: 198.98.62.137:80 | Outgoing Connection |
Process /usr/bin/wget attempted to access suspicious domains: blamefran.net | Outgoing Connection, Access Suspicious Domain |
The file /tmp/8UsA.sh was downloaded and granted execution privileges | Download and Allow Execution |
Process /usr/local/bin/dash generated outgoing network traffic to: 198.98.62.137:80 | Outgoing Connection |
Process /usr/local/bin/dash attempted to access suspicious domains: blamefran.net | Outgoing Connection, Access Suspicious Domain |
/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.x86 was downloaded | Download File |
Connection was closed due to user inactivity | |
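As an added illustration (not Guardicore's code or sensor output), the following Python maps event lines shaped like the Incident Summary above onto the stages named in the Campaign Information: a dropper script granted execution in /tmp, an architecture-specific payload download, a C2 check-in on port 5555, and Telnet (port 23) DDoS traffic. The sample events are constructed; the final check-in line and the /tmp/owari.x86 process path in it are hypothetical.

```python
import re

# Constructed sample host events, shaped like the Incident Summary lines above
# (illustrative strings, not real sensor output).
SAMPLE_EVENTS = [
    "Process /usr/bin/wget generated outgoing network traffic to: 198.98.62.137:80",
    "The file /tmp/8UsA.sh was downloaded and granted execution privileges",
    "Process /usr/local/bin/dash generated outgoing network traffic to: 198.98.62.137:80",
    "/tmp/gang123isgodloluaintgettingthesebinslikedammwtf.x86 was downloaded",
    # Hypothetical follow-on event: the dropped binary checking in on the campaign's C2 port.
    "Process /tmp/owari.x86 generated outgoing network traffic to: 198.98.62.137:5555",
]

C2_PORT = 5555    # C2 port named in the campaign description
DDOS_PORT = 23    # Telnet port carrying the DDoS traffic

OUTBOUND_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: ([\d.]+):(\d+)$")
DROP_EXEC_RE = re.compile(r"^The file (\S+) was downloaded and granted execution privileges$")
DOWNLOAD_RE = re.compile(r"^(\S+) was downloaded$")


def classify_8usa_stages(events):
    """Map each campaign stage to the first event line that evidences it."""
    stages = {}
    for line in events:
        m = DROP_EXEC_RE.match(line)
        if m and m.group(1).startswith("/tmp/") and m.group(1).endswith(".sh"):
            stages.setdefault("dropper_script", line)   # 8UsA.sh-style dropper made executable
            continue
        m = DOWNLOAD_RE.match(line)
        if m and m.group(1).startswith("/tmp/") and "dropper_script" in stages:
            stages.setdefault("arch_payload", line)     # binary fetched after the dropper ran
            continue
        m = OUTBOUND_RE.match(line)
        if m:
            proc, port = m.group(1), int(m.group(3))
            if port == C2_PORT and proc.startswith("/tmp/"):
                stages.setdefault("c2_checkin", line)   # dropped binary talking to C2
            elif port == DDOS_PORT:
                stages.setdefault("ddos_telnet", line)  # outbound Telnet flood traffic
            elif proc.endswith("/wget"):
                stages.setdefault("staging_download", line)
    return stages


def is_8usa_chain(events):
    """True when a /tmp dropper script is followed by a payload download or a C2 check-in."""
    stages = classify_8usa_stages(events)
    return "dropper_script" in stages and ("arch_payload" in stages or "c2_checkin" in stages)
```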