About The Project Today we’re going to look at a couple of neat curl tricks I found in a recent bash dropper I was analyzing that resulted in surprisingly low VirusTotal detections! As previously blogged about ([1][2][3]), Arch Cloud Labs runs a handful of honeypots to collect attacker data to hone my skills in DFIR topics. While this was just another Cryptominer targeting an exposed docker socket, the initial dropper script used a neat trick with curl that I think was worth a quick write-up.| Arch Cloud Labs
About The Project Continuing from the last blog post that discussed malicious Linux Cryptocurrency miners, I have discovered new activity that blends two of my previous Cryptocurrency mining malware (aka Cryptojacking) blog posts. By taking a deeper look at infrastructure and code artifacts, some interesting parallels can be drawn between the same actor(s) that Trend Micro refers to as Skidmap and another Golang Cryptojacking malware variant that Palo Alto has just recently deemed “Watchdog...| Arch Cloud Labs
About the Project Since July of 2020, I have been running a “honeypot” of sorts made by anthok to capture all requests coming in on specific ports. By listening on ports commonly used by databases such as Elasticsearch or Redis, we’ve been able to observe a lot of bot behavior. Most of the requests were attempts to gain an initial foothold in the environment to run a bash script that brings down their stage-1 malware.| Arch Cloud Labs