Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: 8UsA (active)

First seen in Guardicore Centra: 2018-03-27

Last seen in Guardicore Centra: 2020-11-03

This campaign is identified by the Bash script it drops on infected servers, which is named 8UsA.sh. Its earliest incidents were observed in 2018; the most recent attack wave started in June 2020. Breached servers connect to the command-and-control server and download a DDoS malware sample compiled for the specific architecture of the victim. C2 communication is done over port 5555, and DDoS is done over Telnet (TCP port 23). It appears that the main C2 is hosted by Frantech Solutions, which no longer provides service.

Indicators of Compromise

Associated Files

Attack Flow

Breached Services: Hadoop YARN, SSH

Tags: Download and Allow Execution, Successful SSH Login, Download Operation, Access Suspicious Domain, Download File, Outgoing Connection, HTTP, SSH

Incident Summary

1. A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List (Successful SSH Login)

2. A possibly malicious Download Operation was detected (Download Operation)

3. Process /usr/bin/wget generated outgoing network traffic to: 198.98.62.137:80 (Outgoing Connection)

4. Process /usr/bin/wget attempted to access suspicious domains: blamefran.net (Outgoing Connection, Access Suspicious Domain)

5. The file /tmp/8UsA.sh was downloaded and granted execution privileges (Download and Allow Execution)

6. Process /usr/local/bin/dash generated outgoing network traffic to: 198.98.62.137:80 (Outgoing Connection)

7. Process /usr/local/bin/dash attempted to access suspicious domains: blamefran.net (Outgoing Connection, Access Suspicious Domain)

8. /tmp/gang123isgodloluaintgettingthesebinslikedammwtf.x86 was downloaded (Download File)

9. Connection was closed due to user inactivity