
Example analysis of using ZoomEye to find APT attacks

May 27, 2023 pm 07:19 PM
apt zoomeye

ZoomEye's online data is stored in overwrite-and-update mode: if a host yields no data in a later scan, the existing record is not overwritten, so ZoomEye keeps the banner data obtained in the earlier scan. This mechanism happens to fit the tracing of malicious attack sources very well: download servers used by Botnet, APT and other attacks are usually deactivated and abandoned as soon as they are discovered. Of course, some of them are themselves compromised hosts, and those also tend to be taken offline very abruptly. As a result, many attack sites are likely to remain cached in ZoomEye's online data.

Of course, the ZoomEye history API returns the banner obtained by every scan, whether or not it was later overwritten. However, the history API currently supports queries by IP only, not keyword search, so it has to be used together with the ZoomEye online cached-data search described above in order to locate the IP first.

Case 1: Darkhotel APT

A few days ago I actually mentioned this case in the "Black Technology" Knowledge Planet, but there is a "bug" that needs to be fixed: the IE 0day used by Darkhotel this time should be CVE-2019-1367 instead of CVE-2020-0674 (thanks to 勋肉丁@奇安信). Of course, this "bug" does not affect the theme of this article.

[Figure: ZoomEye online search result locating the Darkhotel watering-hole IP]

As can be seen from the picture above, we used ZoomEye online data to locate the IP address of a Darkhotel watering-hole attack site at the time. We then used the ZoomEye SDK to query the history of this IP:

╭─heige@404Team ~
╰─$ python
Python 2.7.16 (default, Mar 15 2019, 21:13:51)
[GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import zoomeye
>>> zm = zoomeye.ZoomEye(username="xxxxx", password="xxxx")
>>> zm.login()
u'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpX...'
>>> data = zm.history_ip("202.x.x.x")
22

List the timestamps at which ZoomEye's historical data holds a record for this IP, together with the corresponding ports:

>>> for i in data['data']:
...     print(i['timestamp'],i['portinfo']['port'])
...
(u'2020-01-28T10:58:02', 80)
(u'2020-01-05T18:33:17', 80)
(u'2019-11-25T05:27:58', 80)
(u'2019-11-02T16:10:40', 80)
(u'2019-10-31T11:39:02', 80)
(u'2019-10-06T05:24:44', 80)
(u'2019-08-02T09:52:27', 80)
(u'2019-07-27T19:22:11', 80)
(u'2019-05-18T10:38:59', 8181)
(u'2019-05-02T19:37:20', 8181)
(u'2019-05-01T00:48:05', 8009)
(u'2019-04-09T16:29:58', 8181)
(u'2019-03-24T20:46:31', 8181)
(u'2018-05-18T18:22:21', 137)
(u'2018-02-22T20:50:01', 8181)
(u'2017-03-13T03:11:39', 8181)
(u'2017-03-12T16:43:54', 8181)
(u'2017-02-25T09:56:28', 137)
(u'2016-11-01T00:22:30', 137)
(u'2015-12-30T22:53:17', 8181)
(u'2015-03-13T20:17:45', 8080)
(u'2015-03-13T19:33:15', 21)

Now let's look at the timestamps and ports at which the IE 0day used for the watering-hole attack was present, by filtering the banners for the "164.js" string:

>>> for i in data['data']:
...     if "164.js" in i['raw_data']:
...             print(i['timestamp'],i['portinfo']['port'])
...
(u'2020-01-28T10:58:02', 80)
(u'2020-01-05T18:33:17', 80)
(u'2019-11-25T05:27:58', 80)
(u'2019-11-02T16:10:40', 80)
(u'2019-10-31T11:39:02', 80)
(u'2019-10-06T05:24:44', 80)

Obviously the approximate time range of this watering-hole attack is from 2019-10-06 05:24:44 to 2020-01-28 10:58:02. In addition, this IP is clearly not a VPS or similar host purchased by the attacker, but a specific website that was compromised directly and used as the "watering hole". It is certain that this website had already been compromised by 2019-10-06. From the nature of the watering-hole website, we can basically infer that the main targets of Darkhotel's attack are the users who visit it.

Let's continue by listing which port services this IP had open in 2019, to help us analyze the likely intrusion points:

>>> for i in data['data']:
...     if "2019" in i['timestamp']:
...             print(i['timestamp'],i['portinfo']['port'],i['portinfo']['service'],i['portinfo']['product'])
...
(u'2019-11-25T05:27:58', 80, u'http', u'nginx')
(u'2019-11-02T16:10:40', 80, u'http', u'nginx')
(u'2019-10-31T11:39:02', 80, u'http', u'nginx')
(u'2019-10-06T05:24:44', 80, u'http', u'nginx')
(u'2019-08-02T09:52:27', 80, u'http', u'nginx')
(u'2019-07-27T19:22:11', 80, u'http', u'nginx')
(u'2019-05-18T10:38:59', 8181, u'http', u'Apache Tomcat/Coyote JSP engine')
(u'2019-05-02T19:37:20', 8181, u'http', u'Apache Tomcat/Coyote JSP engine')
(u'2019-05-01T00:48:05', 8009, u'ajp13', u'Apache Jserv')
(u'2019-04-09T16:29:58', 8181, u'http', u'Apache httpd')
(u'2019-03-24T20:46:31', 8181, u'http', u'Apache Tomcat/Coyote JSP engine')

A very typical JSP environment; in May 2019 the AJP port 8009 was open as well. Problems such as weak passwords on the Tomcat management backend have always been common means of penetration.

By the way, this attack actually involves another IP as well. Because that IP's port banner has since been overwritten by an update, it cannot be found directly through the ZoomEye online search. However, if you know the IP, you can still query its historical data through the ZoomEye history API. I will not go into details here.
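To turn the three REPL loops above into reusable checks, here is an added example (my code, not the page's or the ZoomEye SDK's) that works offline on records shaped like data['data']: it finds the first and last scan whose banner contains an indicator string, lists a year's port/service timeline, and returns the last banner seen before the implant appeared. SAMPLE is a constructed subset of the Darkhotel timeline and its banner contents are synthetic.

```python
"""Offline timeline checks over records shaped like ZoomEye's history_ip()
result (data['data']). Added example, not the ZoomEye SDK's own code."""
from datetime import datetime

# Constructed sample modelled on the Darkhotel timeline above; the banners
# are synthetic and only the "164.js" marker matters for matching.
SAMPLE = [
    {"timestamp": "2020-01-28T10:58:02", "raw_data": '<script src="/164.js">',
     "portinfo": {"port": 80, "service": "http", "product": "nginx"}},
    {"timestamp": "2019-10-06T05:24:44", "raw_data": '<script src="/164.js">',
     "portinfo": {"port": 80, "service": "http", "product": "nginx"}},
    {"timestamp": "2019-08-02T09:52:27", "raw_data": "<html>clean page</html>",
     "portinfo": {"port": 80, "service": "http", "product": "nginx"}},
    {"timestamp": "2019-05-01T00:48:05", "raw_data": "",
     "portinfo": {"port": 8009, "service": "ajp13", "product": "Apache Jserv"}},
]

def _ts(rec):
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S")

def indicator_window(records, needle):
    """(first_seen, last_seen, hits) for scans whose banner contains `needle`,
    or None when no banner matched."""
    hits = sorted((r for r in records if needle in r.get("raw_data", "")), key=_ts)
    if not hits:
        return None
    return hits[0]["timestamp"], hits[-1]["timestamp"], len(hits)

def service_timeline(records, year):
    """(timestamp, port, service, product) for every scan in `year`, newest first."""
    rows = [(r["timestamp"], r["portinfo"]["port"], r["portinfo"]["service"],
             r["portinfo"]["product"]) for r in records
            if r["timestamp"].startswith("%d-" % year)]
    return sorted(rows, reverse=True)

def last_record_before(records, timestamp):
    """Newest scan strictly before `timestamp`: the last banner seen before
    the implant appeared, i.e. the pre-compromise baseline to inspect."""
    cutoff = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S")
    earlier = [r for r in records if _ts(r) < cutoff]
    return max(earlier, key=_ts) if earlier else None

if __name__ == "__main__":
    first, last, n = indicator_window(SAMPLE, "164.js")
    print("implant window: %s .. %s (%d scans)" % (first, last, n))
    print(service_timeline(SAMPLE, 2019))
    print("baseline:", last_record_before(SAMPLE, first)["timestamp"])
```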

Case 2: Poison Ivy (APT-C-01)

For a detailed report on Poison Ivy (APT-C-01), please refer to https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf. We focus directly on these two passages from it:

"A control domain name used by the Poison Ivy organization to control and distribute attack payloads: http://updateinfo.servegame.org"

"Then download the payload from hxxp://updateinfo.servegame.org/tiny1detvghrt.tmp"

Starting from this URL, we first try to find the IP corresponding to the domain name. Obviously not much is gained at this point:

╭─heige@404Team ~
╰─$ ping updateinfo.servegame.org
ping: cannot resolve updateinfo.servegame.org: Unknown host

In Qi Anxin's report we can see that the web service directory of the download server could be listed (directory indexing was enabled):

[Figure: directory listing of the download server, from the Qi Anxin report]

So we can try searching ZoomEye directly for the file name "tiny1detvghrt.tmp", and sure enough it is found:

[Figure: ZoomEye search result for "tiny1detvghrt.tmp"]

Here we can basically confirm that the IP corresponding to updateinfo.servegame.org is 165.227.220.223. Then we query the historical data in the same way as before:

>>> data = zm.history_ip("165.227.220.223")
9
>>> for i in data['data']:
...     print(i['timestamp'],i['portinfo']['port'])
...
(u'2019-06-18T19:02:22', 22)
(u'2018-09-02T08:13:58', 22)
(u'2018-07-31T05:58:44', 22)
(u'2018-05-20T00:55:48', 80)
(u'2018-05-16T20:42:35', 22)
(u'2018-04-08T07:53:00', 80)
(u'2018-02-22T19:04:29', 22)
(u'2017-11-21T19:09:14', 80)
(u'2017-10-04T05:17:38', 80)

Next, look at the time interval during which tiny1detvghrt.tmp was deployed:

>>> for i in data['data']:
...     if "tiny1detvghrt.tmp" in i['raw_data']:
...             print(i['timestamp'],i['portinfo']['port'])
...
(u'2018-05-20T00:55:48', 80)
(u'2018-04-08T07:53:00', 80)
(u'2017-11-21T19:09:14', 80)

From this we can at least determine that the attack had already been deployed by the end of November 2017. There is one earlier record before that: 2017-10-04 05:17:38. Let's take a look at its banner data:

>>> for i in data['data']:
...     if "2017-10-04" in i['timestamp']:
...             print(i['raw_data'])
...
HTTP/1.1 200 OK
Date: Tue, 03 Oct 2017 21:17:37 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 1757
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Index of /</title>
<h1>Index of /</h1>

Name                 Last modified      Size  Description

doajksdlfsadk.tmp    2017-09-15 08:21   4.9K
doajksdlfsadk.tmp.1  2017-09-15 08:21   4.9K
doajksdlrfadk.tmp    2017-09-27 06:36   4.9K
dvhrksdlfsadk.tmp    2017-09-27 06:38   4.9K
vfajksdlfsadk.tmp    2017-09-27 06:37   4.9K
wget-log             2017-09-20 07:24   572

From this banner data we can conclude that, unlike the well-targeted watering hole implanted after an intrusion in the first case, this is a server under the attacker's own independent control. From the naming pattern of files such as doajksdlfsadk.tmp and their sizes (all 4.9K), we can basically infer that this time node was the attacker's live rehearsal before launching the attack. So this server was prepared for APT attacks from the very beginning, and was abandoned directly after being discovered.
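As an added example (not from the page or from Qi Anxin's report), the following parses an Apache "Index of /" banner of the kind shown above and groups the listed files by size, so that a same-size cluster of randomly named .tmp files stands out; BANNER is a constructed reproduction of that listing, not captured data.

```python
"""Parse an Apache "Index of /" banner as returned in ZoomEye raw_data and
group the listed files by size. Added example, not the page's code; BANNER
is a constructed reproduction of the listing printed above, not captured data."""
import re
from collections import defaultdict

BANNER = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n"
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n'
    "<html><head><title>Index of /</title></head><body><h1>Index of /</h1><pre>\n"
    '<a href="doajksdlfsadk.tmp">doajksdlfsadk.tmp</a>    2017-09-15 08:21  4.9K  \n'
    '<a href="doajksdlfsadk.tmp.1">doajksdlfsadk.tmp.1</a>  2017-09-15 08:21  4.9K  \n'
    '<a href="doajksdlrfadk.tmp">doajksdlrfadk.tmp</a>    2017-09-27 06:36  4.9K  \n'
    '<a href="dvhrksdlfsadk.tmp">dvhrksdlfsadk.tmp</a>    2017-09-27 06:38  4.9K  \n'
    '<a href="vfajksdlfsadk.tmp">vfajksdlfsadk.tmp</a>    2017-09-27 06:37  4.9K  \n'
    '<a href="wget-log">wget-log</a>                      2017-09-20 07:24   572  \n'
    "</pre></body></html>"
)
# One autoindex row: link, modification time, size column (e.g. 4.9K or 572).
ENTRY = re.compile(r'<a href="([^"]+)">[^<]*</a>\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)')

def is_autoindex(banner):
    """True when the HTTP body is an Apache directory listing."""
    return "<title>Index of " in banner

def parse_autoindex(banner):
    """[(name, mtime, size_text)] for each file entry; [] if not a listing."""
    if not is_autoindex(banner):
        return []
    return [m.groups() for m in ENTRY.finditer(banner)]

def group_by_size(entries):
    """Map size_text -> sorted names; same-size clusters are what to look for."""
    groups = defaultdict(list)
    for name, _mtime, size in entries:
        groups[size].append(name)
    return {size: sorted(names) for size, names in groups.items()}

def largest_cluster(entries):
    """(size_text, names) of the biggest same-size group, or None if empty."""
    groups = group_by_size(entries)
    if not groups:
        return None
    size = max(groups, key=lambda s: len(groups[s]))
    return size, groups[size]

if __name__ == "__main__":
    entries = parse_autoindex(BANNER)
    print(len(entries), "entries; largest same-size cluster:", largest_cluster(entries))
```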
