A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
| | |
|---|---|
| Name | FaNeL |
| First seen in Guardicore Centra | 2019-06-14 |
| Last seen in Guardicore Centra | 2020-08-03 |
Seen in GGSN since the end of 2019, the FaNeL cryptomining campaign appears to be operated by an individual hacker based in Romania. FaNeL compromises machines by breaching their SSH service, downloads various scripts to analyze the available resources (CPU, memory and disk space) and runs an XMRig cryptominer. FaNeL's attack tools are made available to other attack groups and hacking amateurs: ASN prefixes, password lists and speed-testing scripts, to name a few. Some of the attacks captured by Guardicore are tagged as 'Human', implying that the hacker is still testing and evaluating the attack flow and its efficiency.
Indicators of Compromise
Source IPs
Connect-Back Servers
- 93.114.82.179
- 93.114.82.154
- 93.114.82.176
- 93.114.82.21
- 151.101.2.219
- 89.42.133.67
- 188.212.100.2
- 198.241.62.98
- 184.182.243.153
- 74.115.39.234
- 114.82.21.123
- 64.71.219.236
- 164.113.60.33
- 185.11.146.136
- 89.42.133.65
- 86.127.31.73
- tehnichost.biz
- fanelishere.ro
- www.speedtest.net
- nasapaul.com
- www.fanelishere.ro
- speedtest-wichita.kanren.net
- speedtest.ideatek.com
- speedtest.rd.ks.cox.net
- myspeed.giantcomm.net
- kanren.net
- 107.in-addr.arpa
- hb.from-ks.com
- havilandtelco.com
- hbcomm.net
- _http._tcp.archive.ubuntu.com
Associated Files
Path | Hash | Size |
---|---|---|
/cybernetik.3x.ro/screen, /h4e/screen, /h4ex/screen.filepart… | 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80 | 244.12 KB |
/home/mysql/a, /home/mysql/v.py, /home/mysql/v.py.1… | 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc | 24.87 KB |
/home/mysql/groot/1, /root/1, /root/.bad-gosh/1… | 246fcc88606c73771e9ccfed22be1ee97636f65156b1076db2e506e16e732db3 | 189 bytes |
/home/mysql/groot/2, /root/2, /root/.bad-gosh/2… | 42237dd0eeacbddd1e07df21cd437cdf9c1b0282ac7b565d51589e57b39bffd1 | 119 bytes |
/home/mysql/groot/random, /root/.bad-gosh/random, /root/bad-gosh/random… | 6d8ffb2449a2e56d63c23e66aa367bd3a610adf96b288dfc8e52bffda15751af | 184 bytes |
/home/mysql/groot/3, /root/claiugosh/3, /root/cleangosh/3… | c2c5e4a271f8af56df3c091397e9db498f48434001e3d8b7e63cadd902e5adc9 | 187 bytes |
/home/mysql/ninfo, /root/Nasa/ninfo, /root/ninfo… | 19778a62055770a9e5f890e52227ccd39251bf23045c15383411638540ceabf7 | 2.87 KB |
/home/mysql/groot/go, /root/gosh/go, /.sal/groot/go… | 41c3ee93f8d79479d09ab1771be47ef4eac2a0829fc2d4f2d97320de509b9b84 | 815 bytes |
/home/mysql/groot/anti-blackdor.anti, /root/gosh/anti-blackdor.anti, /var/tmp/gosh/anti-blackdor.anti | ff2d1dfec0d7f40d0045942cceda733184cbaf57fcf3e251c2e52b231ec4cefe | 12.48 KB |
/root/info | 47f50a575dd6d3d835c52e324cacaef0d5f59f720c74fb2309698aed65d0e155 | 5.34 KB |
/root/info | 41bf5114307e1587974d3b36f4c5e71e46192027c67ccf51e0d5ddfcd3239251 | 5.36 KB |
/root/gosh.zip.filepart | 7e93262fc0b605814727a9b8a9d3b3b591e6ddf5cbb61189ee8831478edd436a | 142.02 KB |
/root/ozn.zip | a7814dc8c8533fe436ea0b9840212ae3878840c5ceff16c5762a4a599adaf83c | 1011.85 KB |
/root/v.py | 27d6db7b554a79bf65373090fb91d2255b259374b520b239040a19f65a6fdbd0 | 48.52 KB |
/root/v.py | c3c7ddd7069aeaf4213a593e8f142410cc39ac7c337171fb1f3c5eafccea6043 | 48.52 KB |
Attack Flow
| | |
|---|---|
| Breached Services | SSH |
| Tags | Shell Commands, Log Tampering, HTTP, SSH, Download and Execute, SSH Brute Force, Outgoing Connection, Access Suspicious Domain, Successful SSH Login, Download Operation, Download and Allow Execution, Download File |
Incident Summary
Event | Tags |
---|---|
A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List (Part of a Brute Force Attempt) | Successful SSH Login, SSH Brute Force |
A possibly malicious Download Operation was detected 2 times | Download Operation |
History File Tampering detected from /bin/bash | Log Tampering |
Process /bin/bash generated outgoing network traffic to: 93.114.82.21:80 | Outgoing Connection |
Process /bin/bash attempted to access suspicious domains: tehnichost.biz | Outgoing Connection, Access Suspicious Domain |
The file /tmp/nitebins.sh was downloaded and granted execution privileges | |
Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 | Outgoing Connection |
Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz | Outgoing Connection, Access Suspicious Domain |
/tmp/mips was downloaded | Download File |
The file /tmp/mips was downloaded and granted execution privileges | |
Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 3 times | Outgoing Connection |
Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz 3 times | Outgoing Connection, Access Suspicious Domain |
/tmp/mipsel was downloaded | Download File |
The file /tmp/mipsel was downloaded and granted execution privileges | |
Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80 | Outgoing Connection |
Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz | Outgoing Connection, Access Suspicious Domain |
The file /tmp/sh4 was downloaded and granted execution privileges | |
The file /tmp/x86 was downloaded and executed | Download and Execute |
/tmp/armv6l was downloaded | Download File |
The file /tmp/armv6l was downloaded and granted execution privileges | |
Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 4 times | Outgoing Connection |
Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz 4 times | Outgoing Connection, Access Suspicious Domain |
The file /tmp/i686 was downloaded and executed 2 times | Download and Execute |
/tmp/powerpc was downloaded | Download File |
The file /tmp/powerpc was downloaded and granted execution privileges | |
Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 | Outgoing Connection |
Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz | Outgoing Connection, Access Suspicious Domain |
The file /tmp/i586 was downloaded and executed | Download and Execute |
Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80 2 times | Outgoing Connection |
Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz 2 times | Outgoing Connection, Access Suspicious Domain |
The file /tmp/m68k was downloaded and granted execution privileges | |
The file /tmp/sparc was downloaded and granted execution privileges | |
/tmp/armv4l was downloaded | Download File |
The file /tmp/armv4l was downloaded and granted execution privileges | |
/tmp/armv5l was downloaded | Download File |
The file /tmp/armv5l was downloaded and granted execution privileges | |
Process /bin/bash generated outgoing network traffic to: 107.187.122.10:80 | Outgoing Connection |
Process /bin/bash attempted to access suspicious domains: 107.in-addr.arpa | Outgoing Connection, Access Suspicious Domain |
/tmp/bot.pl was downloaded | Download File |
Process /usr/bin/perl generated outgoing network traffic to: 45.55.150.239:6667 | Outgoing Connection |
Connection was closed due to timeout | |