FaNeL - Guardicore

Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

FaNeL active

First seen in Guardicore Centra 2019-06-14

Last seen in Guardicore Centra 2020-08-03

Seen in GGSN since the end of 2019, FaNeL cryptomining campaign seems to be operated by an individual hacker based in Romania. FaNeL compromises machines by breaching their SSH service, downloads various scripts to analyze the available resources (CPU, memory and disk space) and runs an XMRig cryptominer. FaNeL’s attack tools are made available to other attack groups and hacking amateurs – ASN prefixes, passwords lists and speed-testing scripts to name a few. Some of the attacks captured by Guardicore are tagged as ‘Human’, implying that the hacker is still testing and evaluating the attack flow and its efficiency.

IOC Repository

Customized Firewall Rules for Your Attack Surface

Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.

Indicators of Compromise

Source IPs

Connect-Back Servers

Associated Files

Path	Hash	Size
/cybernetik.3x.ro/screen, /h4e/screen, /h4ex/screen.filepart…	2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80	244.12 KB
/home/mysql/a, /home/mysql/v.py, /home/mysql/v.py.1…	00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc	24.87 KB
/home/mysql/groot/1, /root/1, /root/.bad-gosh/1…	246fcc88606c73771e9ccfed22be1ee97636f65156b1076db2e506e16e732db3	189 bytes
/home/mysql/groot/2, /root/2, /root/.bad-gosh/2…	42237dd0eeacbddd1e07df21cd437cdf9c1b0282ac7b565d51589e57b39bffd1	119 bytes
/home/mysql/groot/random, /root/.bad-gosh/random, /root/bad-gosh/random…	6d8ffb2449a2e56d63c23e66aa367bd3a610adf96b288dfc8e52bffda15751af	184 bytes
/home/mysql/groot/3, /root/claiugosh/3, /root/cleangosh/3…	c2c5e4a271f8af56df3c091397e9db498f48434001e3d8b7e63cadd902e5adc9	187 bytes
/home/mysql/ninfo, /root/Nasa/ninfo, /root/ninfo…	19778a62055770a9e5f890e52227ccd39251bf23045c15383411638540ceabf7	2.87 KB
/home/mysql/groot/go, /root/gosh/go, /.sal/groot/go…	41c3ee93f8d79479d09ab1771be47ef4eac2a0829fc2d4f2d97320de509b9b84	815 bytes
/home/mysql/groot/anti-blackdor.anti, /root/gosh/anti-blackdor.anti, /var/tmp/gosh/anti-blackdor.anti	ff2d1dfec0d7f40d0045942cceda733184cbaf57fcf3e251c2e52b231ec4cefe	12.48 KB
/root/info	47f50a575dd6d3d835c52e324cacaef0d5f59f720c74fb2309698aed65d0e155	5.34 KB
/root/info	41bf5114307e1587974d3b36f4c5e71e46192027c67ccf51e0d5ddfcd3239251	5.36 KB
/root/gosh.zip.filepart	7e93262fc0b605814727a9b8a9d3b3b591e6ddf5cbb61189ee8831478edd436a	142.02 KB
/root/ozn.zip	a7814dc8c8533fe436ea0b9840212ae3878840c5ceff16c5762a4a599adaf83c	1011.85 KB
/root/v.py	27d6db7b554a79bf65373090fb91d2255b259374b520b239040a19f65a6fdbd0	48.52 KB
/root/v.py	c3c7ddd7069aeaf4213a593e8f142410cc39ac7c337171fb1f3c5eafccea6043	48.52 KB

Attack Flow

Breached Services

SSH

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List (Part of a Brute Force Attempt)

Successful SSH Login SSH Brute Force

A possibly malicious Download Operation was detected 2 times

Download Operation

History File Tampering detected from /bin/bash

Log Tampering

Process /bin/bash generated outgoing network traffic to: 93.114.82.21:80

Outgoing Connection

Process /bin/bash attempted to access suspicious domains: tehnichost.biz

Outgoing Connection

Process /bin/bash attempted to access suspicious domains: tehnichost.biz

Outgoing Connection
Access Suspicious Domain

The file /tmp/nitebins.sh was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz

Outgoing Connection
Access Suspicious Domain

/tmp/mipsel was downloaded

Download File

The file /tmp/mipsel was downloaded and granted execution privileges

Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz

Outgoing Connection
Access Suspicious Domain

The file /tmp/sh4 was downloaded and granted execution privileges

The file /tmp/x86 was downloaded and executed

Download and Execute

/tmp/armv6l was downloaded

Download File

The file /tmp/armv6l was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 4 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz 4 times

Outgoing Connection
Access Suspicious Domain

The file /tmp/i686 was downloaded and executed 2 times

Download and Execute

/tmp/powerpc was downloaded

Download File

The file /tmp/powerpc was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz

Outgoing Connection
Access Suspicious Domain

The file /tmp/i586 was downloaded and executed

Download and Execute

Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80 2 times

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz 2 times

Outgoing Connection
Access Suspicious Domain

The file /tmp/m68k was downloaded and granted execution privileges

The file /tmp/sparc was downloaded and granted execution privileges

/tmp/armv4l was downloaded

Download File

The file /tmp/armv4l was downloaded and granted execution privileges

/tmp/armv5l was downloaded

Download File

The file /tmp/armv5l was downloaded and granted execution privileges

Process /bin/bash generated outgoing network traffic to: 107.187.122.10:80

Outgoing Connection

Process /bin/bash attempted to access suspicious domains: 107.in-addr.arpa

Outgoing Connection
Access Suspicious Domain

/tmp/bot.pl was downloaded

Download File

Process /usr/bin/perl generated outgoing network traffic to: 45.55.150.239:6667

Outgoing Connection

Stop Ransomware Attacks

Rethink Your Firewall

Zero Trust

Cloud Security

Segmentation Initiatives

Compliance

Industries

Campaign Information

Name

Customized Firewall Rules for Your Attack Surface

Indicators of Compromise

Source IPs

Connect-Back Servers

Associated Files

Attack Flow

Breached Services

Tags

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List (Part of a Brute Force Attempt)

A possibly malicious Download Operation was detected 2 times

History File Tampering detected from /bin/bash

Process /bin/bash generated outgoing network traffic to: 93.114.82.21:80

Process /bin/bash attempted to access suspicious domains: tehnichost.biz

Process /bin/bash attempted to access suspicious domains: tehnichost.biz

The file /tmp/nitebins.sh was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz

/tmp/mipsel was downloaded

The file /tmp/mipsel was downloaded and granted execution privileges

Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80

Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz

The file /tmp/sh4 was downloaded and granted execution privileges

The file /tmp/x86 was downloaded and executed

/tmp/armv6l was downloaded

The file /tmp/armv6l was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 4 times

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz 4 times

The file /tmp/i686 was downloaded and executed 2 times

/tmp/powerpc was downloaded

The file /tmp/powerpc was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz

The file /tmp/i586 was downloaded and executed

Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80 2 times

Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz 2 times

The file /tmp/m68k was downloaded and granted execution privileges

The file /tmp/sparc was downloaded and granted execution privileges

/tmp/armv4l was downloaded

The file /tmp/armv4l was downloaded and granted execution privileges

/tmp/armv5l was downloaded

The file /tmp/armv5l was downloaded and granted execution privileges

Process /bin/bash generated outgoing network traffic to: 107.187.122.10:80

Process /bin/bash attempted to access suspicious domains: 107.in-addr.arpa

/tmp/bot.pl was downloaded

Process /usr/bin/perl generated outgoing network traffic to: 45.55.150.239:6667

???? Return to Botnet Encyclopedia

© 2021 Guardicore

Coming to Black Hat? Make sure you come say hi 👋