jose nazario paralax

@paralax
paralax / Hhhash.java
Last active July 10, 2023 20:24
Implementation of Hhhash in Java (HTTP Header Hashing)
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.security.MessageDigest;
/*
paralax / com.mylaptop.watchhostconfig.plist
Created January 3, 2023 21:12
OSX plist marrying WatchPaths and Canarytokens to monitor for persistence attempts
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- "https://malware.news/t/20-common-tools-techniques-used-by-macos-threat-actors-malware/46801" -->
<!-- "https://objective-see.org/blog/blog_0x71.html" -->
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.mylaptop.watchhostconfig</string>
<key>ProgramArguments</key>
<array>
paralax / java-deserialization-obfuscation.yara
Created January 27, 2022 19:40
Yara rules to tag artifacts with deserialized and obfuscated code
rule JavaDeswerializePayload
{
    meta:
        author = "@jnazario"
        date = "2022-01-27"
        version = 1
    strings:
        $s1 = "java.lang.Runtime.getRuntime().exec" ascii fullword
        $s2 = "javaSerializedData" ascii fullword
paralax / dump.sql
Created October 12, 2021 17:42
Backup of website DB 10-12-2021
-- MySQL dump 10.13 Distrib 8.0.26, for Linux (x86_64)
--
-- Host: localhost Database: staff
-- ------------------------------------------------------
-- Server version 8.0.26
--
-- Table structure for table `person`
--
paralax / README.md
Created September 22, 2021 18:43
Yara rule for Gebriano webshell, affects Asterix servers

Found a request in my HTTP honeypot I couldn't explain. Investigation revealed it's been scanning widely and attempting to exploit a FreePBX command injection vulnerability and install a webshell.

77.247.108.81 - - [21/Sep/2021:18:54:34 -0400] "GET /gbr.php HTTP/1.1" 400 226 "-" "gbrmss/7.29.0" "ct:text/html"

Using this IP, I spotted this link, which showed me the form data: https://threatwar.com/attackers/695a2a8e-3cb6-4d74-8af8-d5058079a909

Based on the request there, this appears to be an RCE injected via the "language" header. Exploit here: https://www.exploit-db.com/exploits/40434

From there I investigated the initial dropper:

paralax / stix_2_1.fsx
Created April 28, 2020 18:07
playing around with stix 2.1 (JSON) in F#
open System.Text
/// https://fsharpforfunandprofit.com/posts/serializating-your-domain-model/
#I "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/"
#r "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/Newtonsoft.Json.dll"
module Json =
    open Newtonsoft.Json
paralax / wolfram_graph_transform.py
Created April 20, 2020 16:00
playing around with networkx and wolfram's physics thinking
import networkx as nx
import matplotlib.pyplot as plt
g = nx.DiGraph(((1,2), (2,3), (3,4), (2,4)))
def wolfram(g):
    # nodes with exactly two outgoing edges
    ns = [ (x, n) for x,n in g.out_degree() if n == 2 ]
    print(list(ns))
    nns = []
    for x, _ in ns:
paralax / censys.cs
Created April 6, 2020 00:25
Censys API via C#
using System;
using System.IO;
using System.Net;
using System.Text;
var api_id = Environment.GetEnvironmentVariable("CENSYS_API_ID");
var api_secret = Environment.GetEnvironmentVariable("CENSYS_API_SECRET");
var credentials = System.Convert.ToBase64String(Encoding.ASCII.GetBytes(api_id + ":" + api_secret));
var wc = new WebClient();
paralax / greynoisebot.py
Created April 1, 2020 19:03
greynoise slack bot (python)
#!/usr/bin/env python3
# https://github.com/slackapi/python-slack-events-api/blob/master/example/example.py
import os
import re
import greynoise
import requests
from slackeventsapi import SlackEventAdapter
from slackclient import SlackClient
paralax / censys.ps1
Last active October 17, 2019 18:56
Censys from Powershell
# env vars for your Censys API creds
$apiid = $env:CENSYS_API_ID
$apisecret = $env:CENSYS_API_SECRET
$pair = "$apiid" + ":" + "$apisecret"
# Base64 encode them for auth
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
# set up our headers