To obtain a better perspective of attacks worldwide, Trustwave has implemented a network of honeypots located in multiple countries across the globe. By distributing honeypots in such a manner, we can gather a reliable set of information on the methods and techniques used by attackers and their botnets.

In our pursuit to explore the current threat landscape, we established a honeypot sensors network across six countries: Russia, Ukraine, Poland, UK, China, and the United States. In this blog, we present the most intriguing findings from our research into exposing vulnerable enterprise applications, such as Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian BitBucket, and F5 Big-IP.

BSL_20212_1

Figure 1. Honeypot Sensors Locations

 

Cyber Threats in the Wild: Key Observations

During a six-month period that ended in May 2023, we collected and analyzed vast amounts of data from over 38,000 unique IPs and downloaded more than 1,100 unique payloads served during exploitation attempts. Almost 19% of the total recorded web traffic was malicious, and botnets were responsible for over 95% of the malicious web traffic detected.

We encountered multiple targeted attacks directed at specific honeypots, where threat actors sought to exploit the enterprise applications under examination. The primary objective of these attacks was to upload a web shell, enabling attackers to carry out further actions against the potential victims that our sensors were mimicking. A web shell is a malicious script or program that provides unauthorized access and control over a compromised website or web server. It is typically uploaded by an attacker to gain administrative-level privileges and execute arbitrary commands on the target system.

One of such attacks hit our US and UK-based honeypots where the attackers used Fortra GoAnywhere MFT vulnerability – CVE-2023-0669 aiming to upload a web shell that had not been reported previously. In the case of Fortinet FortiNAC CVE-2022-39952, we witnessed active exploitation only six days after the release of the proof-of-concept (PoC) code. It shows how quickly threat actors leverage new exploits after PoCs are posted.

Through analysis of the payloads served in the exploits, we were able to identify the particular botnets targeting our sensors. Our investigation revealed that the Mirai, Mozi, and Kinsing botnets accounted for 95% of the recorded exploit   attempts conducted over the HTTP/HTTPS protocol. These malware families are the most widespread and their main objective is to exploit vulnerabilities in Internet-connected devices and assemble them into botnets used to either carry out Distributed Denial of Service (DDoS) attacks, or mine cryptocurrencies.

BSL_20213_2

Figure 2. HTTP/HTTPS Traffic Classification Recorded by Honeypot Sensors

 

Mirai Botnet – Exploited Vulnerabilities

Mirai gained significant attention when its source code was leaked and made publicly available in 2016, leading to the emergence of new threat actors who have modified and enhanced its capabilities.  The original Mirai creators were prosecuted in 2017.

Mirai is self-propagating malware that specifically targets vulnerable IoT devices running Linux. Once a device is successfully compromised, it is transformed into a bot, which can then be utilized to launch Distributed Denial-of-Service (DDoS) attacks. The malware spreads by scanning the Internet for other susceptible devices to infect.

BSL_20214_3

Figure 3. Mirai – Exploited Vulnerabilities Captured by Sensors and Exploit Traffic Volume Distribution

Our sensors in the US and Poland recorded increased Mirai botnet traffic compared to sensors in other countries, such as Ukraine, China, United Kingdom, and Russia. The observed trend was not particularly significant. It is possible that there were more infected devices on the network, but it is also likely that with a larger number of sensors deployed across Poland and the US, the results would have been more uniform.

All Exploited Vulnerabilities Uncovered During Reverse Engineering of Collected Mirai Botnet Samples 

BSL_20215_4

Figure 4. Look at the functions and Exploit templates in one of the acquired Mirai samples

We captured the exploit attempts and downloaded the binaries. We can see there are exploit templates embedded in the code. Once installed, the binary automatically starts scanning the network using the templates in order to exploit and infect new devices to turn them into bots.

Method Endpoint  Vendor/Product CVE/EDB
GET /shell MVPower DVR EDB-41471
GET /adv,/cgi-bin/weblogin.cgi ZyXEL NAS CVE-2020-9054
GET /setup.cgi Netgear EDB-25978
GET /backupmgt/localJob.php Seagate BlackArmor NAS CVE-2014-3206
GET /language/Swedish TVT DVR/CCTV
GET /index.php NoneCms V1.3 CVE-2018-20062
GET /cgi-bin/masterCGI Alcatel OmniPCX CVE-2007-3010
GET /cgi-bin/rtpd.cgi D-Link IP Cameras CVE-2013-1599
GET /cgi-bin/ Netgear R7000 / R6400 CVE-2016-6277
GET /qsr_server/device/getThumbnail LG SuperSign EZ CMS 2.5 CVE-2018-17173
GET /board.cgi Vacron NVRs
GET /card_scan.php Linear eMerge E3 1.00-06 CVE-2019-7256
GET /stainfo.cgi? Ubiquiti AirOS CVE-2010-5330
GET /cgi-bin/kerbynet ZeroShell 3.9.0 CVE-2019-12725
GET /status.cgi FASTGate Fastweb CVE-2018-20122
POST /UD/act Eir D1000 Router CVE-2016-10372
POST /HNAP1/ D-Link HNAP CVE-2015-2051
POST /picdesc.xml Realtek SDK CVE-2014-8361
  /login.gch    
POST /manager_dev_ping_t.gch ZTE ZXV10 H108L
  /getpage.gch    
POST /cgi-bin/mainfunction.cgi DrayTek CVE-2020-8515
POST /ctrlt/DeviceUpgrade_1 Huawei HG532 CVE-2017-17215
POST ztp/cgi-bin/handler Zyxel USG FLEX CVE-2022-30525
POST /GponForm/diag_Form Dasan GPON Routers CVE-2018-10561
POST /tmUnblock.cgi Cisco Linksys E Series CNVD-2014-01260
POST /apps/a3/cfg_ethping.cgi CTEK SkyRouter CVE-2011-5010
POST /debug.cgi Linksys WAP54G CVE-2010-1573
POST / SonicWall GMS CVE-2018-9866

Figure 5. Mirai Botnet – All exploited Vulnerabilities found in the collected samples

 

Mozi Botnet – Exploited Vulnerabilities

Mozi is a peer-to-peer (P2P) botnet that operates using a BitTorrent-like network and infects IoT devices such as network gateways, routers, and digital video recorders (DVRs). It operates by exploiting weak telnet passwords and taking advantage of numerous unpatched vulnerabilities in IoT devices.

BSL_20216_6

Figure 6. Mozi Botnet – Exploited Vulnerabilities Captured by Sensors and Exploit Traffic Volume Distribution

Our honeypot framework design allowed us to capture the majority of payloads served by 1-step exploits utilized by the botnets. These exploits commonly involved operations such as ‘wget’ or ‘curl’. Furthermore, through the process of reverse engineering the botnet binaries provided us further insights into their behavior and the specific vulnerabilities exploited.

BSL_20217_7

Figure 7. Look at the default passwords leveraged by Mozi to infect devices

BSL_20218_8

Figure 8. Look at the Mozi sample Exploit templates

 

All Exploited Vulnerabilities Uncovered During Reverse Engineering of Collected Mozi Botnet Samples

Method Endpoint  Vendor/Product CVE/EDB
GET /shell MVPower DVR EDB-41471
GET /setup.cgi Netgear DGN1000 / DGN2200 EDB-25978
GET /cgi-bin/ Netgear R7000 / R6400 CVE-2016-6277
POST /soap.cgi D-Link DIR Routers     CVE-2013-7471
GET /language/Swedish TVT DVR/CCTV
GET /board.cgi Vacron NVRs
POST /UD/act Eir D1000 Router CVE-2016-10372
POST /HNAP1/ D-Link HNAP CVE-2015-2051
POST /picdesc.xml Realtek SDK CVE-2014-8361
POST /ctrlt/DeviceUpgrade_1 Huawei HG532 CVE-2017-17215
POST /GponForm/diag_Form Dasan GPON Routers CVE-2018-10561

Figure 9. Mozi Botnet – All exploited Vulnerabilities found in the collected samples

 

Kinsing Botnet – Exploited Vulnerabilities

Kinsing is a Golang-based malware with the objective of installing XMRig cryptocurrency miner.

Kinsing leverages multiple CVEs to achieve RCE in order to infect Linux systems. After successful exploitation, an installer script is downloaded and executed. It specifically targets and terminates competing processes, such as Docker images and instances involved in cryptocurrency mining. To avoid detection, it tries to disable and uninstall security solutions like Alibaba Cloud Security Center (Aegis), Tencent Cloud service, or AppArmor. In some cases, it also downloads and installs the Kinsing Rootkit module before proceeding to installation of the Kinsing Bot binary. To ensure persistence, the installer script is added to the cron schedule.

Once executed, Kinsing establishes communication with the C2 server and retrieves the spre.sh spreader script. This script enables lateral movement to other machines using SSH keys found on the victim’s file system. Finally, the XMRig crypto miner is downloaded and installed.

BSL_20219_10

Figure 10. Kinsing Infection Chain on Linux

On Windows machines, the infection mechanism is simplified, with only one reported attack vector: CVE-2020-14883, a Remote Code Execution (RCE) vulnerability in Oracle WebLogic Server. Once the victim machine is successfully exploited, an XML file named wbw.xml is downloaded and executed. It then attempts to download a PowerShell script named ‘1.ps1’ onto the victim’s machine. Subsequently, the ‘1.ps1’ script downloads an executable file for the XMRig cryptocurrency miner, along with a json configuration file. We have confirmed the presence of this attack vector by downloading the wbw.xml and ‘1.ps1’ files from the payload servers used in the Linux infection chain.

BSL_20220_11

Figure 11. XML file used by Kinsing’s Oracle WebLogic exploit for Windows

Unlike Mozi and Mirai botnets, Kinsing does not contain hard-coded exploit templates within its code.

BSL_20221_12

Figure 12. Kinsing Botnet – Exploited Vulnerabilities Captured by Sensors and Exploit Traffic Volume Distribution

BSL_20222_13

Figure 13. Look at the Kinsing sample functions and command dispatcher code

The dispatcher code is part of the code that processes the commands received from the attacker-controlled Command & Control (C2) server.

Kinsing stores RC4-encrypted C2 URL addresses in the binary, allowing for easy decryption using the hex encoded key referenced in the ‘getActiveC2Curl’ function. Communication with the C2 server utilizes the RC4 cipher as well but the encryption key is different.

BSL_20223_14

Figure 14. Kinsing C2 URLs decrypted using CyberChef

BSL_20224_15

Figure 15. Response from Kinsing C2 decrypted using CyberChef

BSL_20225_16

Figure 16. Kinsing Infrastructure Pivot using data from collected samples

 

Enterprise Application Exploits and Persistence via Web Shells

During our observation, we encountered multiple targeted attacks directed at specific honeypot sensors, where threat actors sought to exploit the enterprise applications under examination.

The primary objective of these attacks was to upload a web shell, enabling attackers to carry out further actions against our sensors. However, due to the manner in which our honeypots were implemented, we were unable to scrutinize the subsequent actions that the attackers might have taken. Consequently, we can only speculate on what the attackers hoped to accomplish with their activities.

While we did not spot the exploitation of new vulnerabilities in the wild, we observed rapid adaptation of publicly disclosed proof-of-concept (PoC) code by attackers who targeted our honeypots.

In the case of FortiNAC CVE-2022-39952, we witnessed active exploitation only six days after the release of the proof-of-concept (PoC) code.

CVE-2023-0669 – Fortra GoAnywhere MFT RCE

Between March 5, 2023 and March 18, 2023, our honeypot sensors for Fortra GoAnywhere MFT were hit by scan traffic targeting vulnerable license endpoint ‘/goanywhere/lic/accept’. Attackers usedtwo IPs: 14.190.186.61 and 14.244.239.227, belonging to a Vietnamese ISP. The payload was meant to confirm presence of CVE-2023-0669 vulnerability by triggering a DNS lookup to specific domains.

BSL_20228_microsoftteams-image-1

Figure 17. Fortra GoAnywhere MFT – CVE-2023-0669 Attacks

Despite the not using the URL-safe variant of Base64 encoding, the documentation of the Apache Base64 method utilized in the vulnerable Servlet indicates that the decoding process seamlessly handles both variants. Therefore, the decryption of data would still succeed.

On March 29, 2023, our US-based honeypot sensors were targeted against CVE-2023-0669, from an IP address 89.45.6.52 belonging to Chinese data center provider. The payload carried by malicious request was aimed to ‘echo’ a simple Java web shell into the adminroot directory: ‘/home/goanywhere/HelpSystems/GoAnywhere/adminroot/goshell.jsp’.

BSL_20226_17

Figure 18. Fortra GoAnywhere MFT – CVE-2023-0669 Attacks

BSL_20227_18

Figure 19. Decoded Fortra GoAnywhere Exploit Payload with Functional Web Shell

BSL_20205_19

Figure 20. Decoded Web Shell listening for cmd parameter submitted in the requests

Shortly after, the honeypot sensors were hit by requests from the same IP to the ‘/goanywhere/goshell.jsp’ endpoint and contained a ‘cmd’ parameter meant to verify whenever the exploitation was successful. 

BSL_20196_capture-2

Figure 21. Contents of the cmd parameter sent in request meant to verify successful exploitation.

On April 8, 2023, we observed the exact same behavior targeting our honeypots in the UK. This time however, the attacker used a different IP address: ‘185.44.77.144’ belonging to a UK ISP provider.

CVE-2022-36804 – Atlassian Bitbucket RCE

On December 26, 2022, our honeypot instances in Russia and one instance in Poland were targeted with the Bitbucket CVE-2022-36804 exploit. The attacker used IP address 207[.]148[.]27[.]4 belonging to a US-based hosting provider and aimed to install a simple Linux reverse shell. 

BSL_20206_21

Figure 22. Look at the Linux reverse shell code used by the attacker.

On March 23, 2023, we observed additional attempts from this IP address trying to install a web shell following an exploit of a WordPress vulnerability.  

BSL_20207_22

Figure 23. Decoded web shell code carried by malicious request targeting Bitbucket

Performing an open search provided us with interesting information about this attacker and his  possible motives  . As evidenced by his profile picture taken from an article about conflict in Libya, the attacker seems to be a politically motivated individual interested in developing and selling exploits and exploitation tools. Our investigation uncovered that he is also a member of Anonymous Morocco and ‘actively’ exploits vulnerable websites for defacement. 

BSL_20208_23

Figure 24. Capitos Kamal GitHub repository

BSL_20209_24

Figure 25. Capitos Kamal YouTube channel

BSL_20210_25

Figure 26. Kapitos Kamal and his defacement statistics

 

CVE-2022-39952 – FortiNAC RCE

CVE-2022-39952 was disclosed on February 16, 2023, with PoC codes released a few days later. Not long afterwards, scans for this vulnerability and exploitation attempts started reaching our honeypot sensors. All the observed attackers used modified versions of the public PoC codes. We observed some attackers giving just minimal effort, modifying only the C2 server IP address, and leaving default names like ‘payload’ in their exploits. Below is the comparison between FortiNAC RCE PoC code available on GitHub and the payload captured on one of our honeypot sensors.

BSL_20211_26

Figure 27. Attackers modifying only IP address in publicly disclosed PoC, leaving words like ‘payload’

 

CVE-2022-1388 – F5 Big-IP iControl REST RCE

F5 released a patch for CVE-2022-1388 on May 4, 2022, with PoC codes and first exploitation attempts being disclosed not long after. This vulnerability is being exploited to this day. On April 11, 2023, the attacker tried to exploit this vulnerability with C2 server 106[.]246[.]224[.]219.

Exploitation attempts of CVE-2022-0543 in Redis Debian packages and VMware Workspace One Access CVE-2022-22954 were also observed coming from this IP address more than a year ago. It’s interesting to see that while some IP addresses might be valid only for a few hours as IoCs, others are valid for an extended amount of time.

Conclusion 

Mozi, Kinsing, and Mirai botnets are persistent and continue to pose a threat in the cybersecurity landscape. These botnets exploit vulnerabilities in various applications, putting a wide range of unpatched systems at risk.

The observed targeted attacks utilizing web shells highlight the presence of threat actors exploiting specific enterprise applications. These attacks were aimed at gaining unauthorized access and conducting further malicious actions against potential victims. Organizations must prioritize robust security measures to protect against targeted attacks leveraging exploits and web shells. This includes regularly patching vulnerabilities, implementing strong access controls, conducting thorough security assessments, and monitoring network traffic for suspicious activities. The reliance solely on Indicators of Compromise (IOCs) as a defensive measure may prove ineffective in detecting and mitigating such attacks as actors are increasingly using VPN services and benign IP addresses belonging to various Internet Service Providers (ISPs) that lack a previous malicious reputation. This evasion technique allows them to bypass traditional IOC-based detection mechanisms. 

This type of research directly informs the rest of Trustwave on current TTPs used in the wild and allows us to better protect our software and service customers across all offerings. We published the IOCs relevant to this article instead of disclosing all of them as many are widely known and documented.

Indicators of Compromise:

Malware Payload Server
Kinsing  http://185[.]122[.]204[.]197
Kinsing http://185[.]122[.]204[.]196
Kinsing http://185[.]17[.]0[.]226
Kinsing http://194[.]40[.]243[.]206
Kinsing  http://194[.]40[.]243[.]205
Kinsing http://194[.]38[.]23[.]2
Kinsing http://194[.]38[.]20[.]225
Kinsing http://194[.]38[.]20[.]196
Kinsing http://194[.]38[.]20[.]27
Kinsing http://185[.]246[.]90[.]206
Kinsing http://185[.]246[.]90[.]205
Kinsing http://185[.]246[.]90[.]203
Kinsing http://185[.]209[.]29[.]94
Kinsing http://185[.]122[.]204[.]197
Kinsing http://93[.]185[.]166[.]75
Kinsing http://62[.]113[.]115[.]166
Kinsing http://62[.]113[.]113[.]60
Kinsing http://194[.]38[.]20[.]196
XMRig Miner http://31[.]184[.]240[.]34
XMRig Miner http://31[.]184[.]240[.]34
Malware C2 Server
Kinsing http://194[.]169[.]160[.]157
Kinsing http://193[.]187[.]173[.]76
Kinsing http://185[.]224[.]212[.]104
Kinsing http://185[.]237[.]224[.]182
Kinsing http://185[.]221[.]154[.]208
Kinsing http://185[.]154[.]53[.]140
Kinsing http://109[.]248[.]59[.]253
Kinsing http://93[.]189[.]46[.]81
Kinsing http://93[.]189[.]42[.]217
Kinsing http://91[.]240[.]87[.]98
Kinsing https://rolibztiz3zfysof5q2rja6airtmbw74am4oc4rgqsh3ktir6zwdmzid[.]onion:80
Malware File Name Hash Type Hash
Mirai mips SHA256 f65fb40e8aa071ed3bd5456126815d60bc3afd2e18944edc1e5fcf2ea6477429
SHA1 f16e973723bbc3c6bad8f2dd293cf053c80958d7
MD5 039d17f061bf87a3a01f9c15b431f916
Mirai paralysis.arm SHA256 13e121ddab68b8c7bc87a13b5e20dcb020b6b9e82c0b9e83727fed9e231747f5
SHA1 4fefc51e9e6e9437768be5b2d1b285ed52e59325
MD5 8403e5c476d3927afc5b7648ee544f84
Mirai paralysis.arm SHA256 a3df063e24dc5325c9ab6b8c10a709d436213cf08626d890c605d2e2626f91d4
SHA1 e1768e47fc9604c3bc7a582445bab7277754843a
MD5 f7bbe2947a9613604885c3b99f19cdc6
Mirai dlink.sh SHA256 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc
SHA1 0e9246139e1056e165231b637ecbc91eab940c31
MD5 7dbbc27e3aad4bf3d8a3990f009e208b
Mirai ascaris.x86 SHA256 605069eb2915b8305081cce83c9b6fa7fd2cc753eea6c7d1eaa5e6ef72de70e2
SHA1 a44db161abe6605088ec432c9dfe8f2da6ad73ca
MD5 5fe70eb42ada8bb26aef44f6403608cd
Mirai aktualisieren.sh SHA256 f3733ae22fa27070ae108266565739dc27b155a74a7cfdc1b1463499811677e1
SHA1 a1e40f74db3d60fa3979669bc6f04ee9645e3d0b
MD5 136cb346a1c491814e2a8089951eb0c3
Mirai x86_64 SHA256 4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b
SHA1 a8e2e981933e36f6a4bfac4367c997a80da3568e
MD5 11188e86ff8cbe58b33b838d995abc70
Mirai sh4 SHA256 3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d
SHA1 168358916c26d85dbdd5ced8e6f66f0e012032f1
MD5 d04a8151e294e63fe2206e64006e08a4
Mozi Mozi.a SHA256 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
SHA1 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
MD5 eec5c6c219535fba3a0492ea8118b397
Mozi  Mozi.a SHA256 9e0a15a4318e3e788bad61398b8a40d4916d63ab27b47f3bdbe329c462193600
SHA1 b5f914ad11626070f6cf466069c8d5d9ee25f5bb
MD5 3313e9cc72e7cf75851dc62b84ca932c
Mozi Mozi.a SHA256 459e454e45f08c917dec9342b7c6a586dbe9edfa4bb942dcd4766ecb446fbd1a
SHA1 a3bed9ce0585954fc02e6f20ed68ef6800fce9cd
MD5 d3d6614282509be0a15a5bc01ab8b5ae
Mozi Mozi.m SHA256 d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
SHA1 2327be693bc11a618c380d7d3abc2382d870d48b
MD5 4dde761681684d7edad4e5e1ffdb940b
Mozi Mozi.a SHA256 e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0
SHA1 034c8c51a58be11ca620ce3eb0d43d5a59275d2f
MD5 9a111588a7db15b796421bd13a949cd4
Mozi Mozi.a SHA256 4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
SHA1 5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
MD5 59ce0baba11893f90527fc951ac69912
Mozi Mozi.a SHA256 f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
SHA1 61c74136534b826059c63221a2373dc0613a47b7
MD5 3849f30b51a5c49e8d1546960cc206c7
Mozi Mozi.m SHA256 b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
SHA1 ac6962542a4b23ac13bddff22f8df9aeb702ef12
MD5 a73ddd6ec22462db955439f665cad4e6
Mozi Mozi.m SHA256 64cd497a29a6801daa66b3ca23b63a1355b0b84fdf5a23a12810b88685b22f63
SHA1 5ab29bf2b71fe11114bb8f37bc515dfc78deee3b
MD5 b9e122860983d035a21f6984a92bfb22
Mozi Mozi.a SHA256 2916f8d5b9b94093d72a6b9cdf0a4c8f5f38d70d5cea4444869ab33cd7e1f243
SHA1 7f67a0a45159e21735a9783b89d8fdae043dfa22
MD5 b67b7920ad6846302b180f59a9366b16
Mozi Mozi.m SHA256 c672798dca67f796972b42ad0c89e25d589d2e70eb41892d26adbb6a79f63887
SHA1 0a427f86b4360fb603c6e3c5878c9be7ced59adc
MD5 dbc520ea1518748fec9fcfcf29755c30
Mozi Mozi.m SHA256 ca35f2e3b3f297c371f0a58398cb43e24c1d1419f08baff9b9223b9032ccf4c1
SHA1 c80261677450113004b4fb7dbc44ec5e7691396e
MD5 f57fb0feafebe84525278fe2d083cdcb
Mozi Mozi.m SHA256 2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
SHA1 1ed14334b5b71783cd6ec14b8a704fe48e600cf0
MD5 fbe51695e97a45dc61967dc3241a37dc
Mozi Mozi.m SHA256 7c5bc9d39cf1d584261ddd705ea592efcef7809fdb5cb52d20274347641809c3
SHA1 4980400032a7f42d6d7007e7751a1b86ad28bed1
MD5 2f3f95ca52f7b2a132d9dfb2c392cdac
Kinsing   SHA256 c3e3613d39c43cb2e6c253693b683e9ef3c24b4da764645c24112eec7e6fe213
kinsing SHA1 4a7f3c4ee24d54bb53214a0cfb6e32a9532df2fa
  MD5 a7cdf3bf4cb671a137b67bb07c6b5c54
Kinsing   SHA256 5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d
kinsing SHA1 e545ceffc8948e3ca9900212807cf3a862d33581
  MD5 2c44b4e4706b8bd95d1866d7867efa0e
Kinsing Rootkit libsystem.so SHA256 c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a
SHA1 38c56b5e1489092b80c9908f04379e5a16876f01
MD5 ccef46c7edf9131ccffc47bd69eb743b
Kinsing Spreader spre.sh SHA256 b453c63abe6c8e6ca60cb4e49cd2cf6730aa1626975534f2d410c50dfe683953
SHA1 808021f9975ca0a8dbb4aa9df8e8b14aeef83e8d
MD5 0c05bceb3af68a245c18e8d23d9ba5cd
XMRig Miner x SHA256 6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f
SHA1 6296e8ed40e430480791bf7b4fcdafde5f834837
MD5 c82bb3c68f7a033b407aa3f53827b7fd
XMRig Miner x2 SHA256 b9e79bb09995a9dd2f5a22dc2e59738696e2be2204ec92a2881fb3fa70e0160f
SHA1 36ef9de431202e643f3410b5906bb23607e7df90
MD5 e40a01bfe85f6c6820a7da523e747e23
Reverse Shell file SHA256 3a04a0bcdb42211d1d8955122db6055d08a6f4f747658322d60d423f97afea0c
SHA1 df3523f160f81ac9a047249ff19b1e36fbe3aa64
MD5 10afb5d1424ad9117f3cf6fb931cd5c5

Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-enterprise-applications-honeypot-unveiling-findings-from-six-worldwide-locations/