A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
NameYart7 | |
| First seen in Guardicore Centra | 2020-09-02 |
| Last seen in Guardicore Centra | 2020-09-22 |
Yart7 is a DDoS campaign targeting SSH servers. The botnet spreads by brute-forcing SSH servers. After a successful login, the attacker connects to the C&C server and downloads a malicious payload named 7rtya, one which suits the victim machines’s architecture.Once the malware is executed, the compromised machine starts sending DDoS packets to tens of thousands of IP addresses over the Telnet protocol (TCP port 23).Since the beginning of this campaign in early September 2020, only three source IPs have been seen, two of which are based in Austria.We named the campaign Yart7, which is an anagram of the malware filename. | |
Customized Firewall Rules for Your Attack Surface
Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.
Indicators of Compromise
Connect-Back Servers
Attack Flow
Breached Services | SSH |
Tags | Download and Allow Execution HTTP Successful SSH Login 1 Shell Commands Download Operation Listening Download File Outgoing Connection SSH Brute Force Download and Execute SSH |
Incident Summary
| A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List (Part of a Brute Force Attempt) | Successful SSH Login SSH Brute Force |
| A possibly malicious Download Operation was detected 2 times | Download Operation |
| Process /bin/bash generated outgoing network traffic to: 45.145.185.94:80 | Outgoing Connection |
| /tmp/uDvrLib.sh was downloaded | Download File |
| Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 | Outgoing Connection |
| The file /tmp/7rtya.x86 was downloaded and granted execution privileges | |
| The file /tmp/95bS was downloaded and granted execution privileges 2 times | |
| The file /tmp/95bS was downloaded and executed 4 times | Download and Execute |
| Process /tmp/95bS started listening on ports: 38273 | Listening |
| Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 | Outgoing Connection |
| The file /tmp/7rtya.mips was downloaded and granted execution privileges | Download and Allow Execution |
| Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 2 times | Outgoing Connection |
| The file /tmp/7rtya.mips64 was downloaded and granted execution privileges | Download and Allow Execution |
| The file /tmp/7rtya.mpsl was downloaded and granted execution privileges | Download and Allow Execution |
| Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 | Outgoing Connection |
| The file /tmp/7rtya.arm was downloaded and granted execution privileges | Download and Allow Execution |
| Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 2 times | Outgoing Connection |
| The file /tmp/7rtya.arm5 was downloaded and granted execution privileges | Download and Allow Execution |
| The file /tmp/7rtya.arm6 was downloaded and granted execution privileges | Download and Allow Execution |
| The file /tmp/95bS was downloaded and granted execution privileges | |
| Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 4 times | Outgoing Connection |
| The file /tmp/7rtya.arm7 was downloaded and granted execution privileges | |
| The file /tmp/7rtya.ppc was downloaded and granted execution privileges | |
| /tmp/7rtya.m68k was downloaded | Download File |
| The file /tmp/95bS was downloaded and granted execution privileges | Download and Allow Execution |
| Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 | Outgoing Connection |
| /tmp/7rtya.sh4 was downloaded | Download File |
| The file /tmp/7rtya.spc was downloaded and granted execution privileges | Download and Allow Execution |
| Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 | Outgoing Connection |
| The file /tmp/7rtya.arc was downloaded and granted execution privileges | |
| Connection was closed due to timeout |