Rule Category

MALWARE-CNC -- Snort has detected a Command and Control (CNC) rule violation, most likely for commands and calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.

Alert Message

MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt

Rule Explanation

This event is generated when an outbound HTTP GET request generated by the GoScanSSH family of malware is observed. These requests are generated when the malware checks in with the command and control infrastructure (which occurs when the malware first runs, and periodically thereafter) and when it was able to successfully guess the login credentials to an SSH server somewhere on the internet.

Impact: A system running the GoScanSSH malware will likely experience high CPU utilization, and the malware generates a large volume of network traffic which could trigger rate-limiting or fees (for metered network connections) from the customer's internet service provider. The malware does not modify the running system and does not exfiltrate any data, although the presence of the malware indicates that an attacker was able to log in to the machine and may have performed other actions.

Details: The malware communicates with its command and control server using proxies that connect the internet to the Tor network (for more information on these proxies, visit https://www.tor2web.org). The exact domain names used vary, with newer versions of the malware using domains unique to that build of the malware binary, so one condition for this Snort rule to match is for traffic to be sent to any of these Tor proxy hosts. When sending data to the command and control servers, the malware encodes certain information (CPU/memory specs in the check-in messages, SSH login information in the successful login messages) and uses it as the URI that it requests from its web server. These URIs end up looking very strange, so the other part of the Snort rule looks for these characteristics.

Ease of Attack: Medium
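The two traits the rule explanation relies on (destination is a Tor-to-web proxy host, and the requested URI is an opaque encoded blob rather than a normal path) can be checked in proxy or HTTP logs as well as on the wire. The script below is an added example written for this page, not Talos code and not the rule's actual content matching. It assumes a simple constructed log format of `client host method uri`, assumes that Tor-to-web proxies expose onion services as `<onion-id>.onion.<proxy-domain>` (the page names no proxy domains, so the check keys on the `.onion.` label and the hosts in the sample log are placeholders), and uses path-length and entropy thresholds chosen for illustration rather than taken from the rule.

```python
"""Flag outbound GET requests showing both traits the rule explanation describes:
a Tor-to-web proxy destination and an opaque, high-entropy request URI."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Tor-to-web proxies publish an onion service as "<onion-id>.onion.<proxy-domain>".
# ASSUMPTION: the onion-id label is base32 (16 chars for v2, 56 for v3 services).
# The page lists no proxy domains, so only the ".onion." label is required here.
ONION_PROXY_HOST_RE = re.compile(r"^[a-z2-7]{16,56}\.onion\.[a-z0-9.-]+$", re.IGNORECASE)

# Thresholds are assumptions chosen for this example, not values from the rule.
MIN_PATH_LEN = 20     # encoded check-in / login data is far longer than typical paths
ENTROPY_BITS = 3.5    # bits per character; ordinary file paths sit well below this

# Constructed log format: "<client-ip> <dest-host> <method> <uri>"
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)$")


@dataclass
class Finding:
    client: str
    host: str
    uri: str
    tor_proxy_host: bool
    opaque_uri: bool

    @property
    def alert(self) -> bool:
        # Both traits must hold, mirroring the two conditions in the rule explanation.
        return self.tor_proxy_host and self.opaque_uri


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_opaque_uri(uri: str) -> bool:
    """True when the path looks like an encoded blob: a single long segment
    with high per-character entropy (single-segment test is an assumption)."""
    path = uri.split("?", 1)[0].lstrip("/")
    if len(path) < MIN_PATH_LEN or "/" in path:
        return False
    return shannon_entropy(path) >= ENTROPY_BITS


def analyse(line: str) -> Optional[Finding]:
    """Parse one constructed log line; returns None for non-GET or unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("method") != "GET":
        return None
    host = m.group("host").lower()
    return Finding(
        client=m.group("client"),
        host=host,
        uri=m.group("uri"),
        tor_proxy_host=bool(ONION_PROXY_HOST_RE.match(host)),
        opaque_uri=is_opaque_uri(m.group("uri")),
    )


def alerts(lines: Iterable[str]) -> List[Finding]:
    """Findings where both traits hold, i.e. the lines worth raising an alert on."""
    return [f for f in map(analyse, lines) if f is not None and f.alert]


# Constructed sample lines; hosts and URIs are made up for this example.
SAMPLE_LOG = [
    "10.0.0.5 abcdefghijklmnop.onion.proxy-placeholder.test GET /aGVsbG8gd29ybGQgdGhpcyBpcyB0ZXN0",
    "10.0.0.5 www.example.com GET /index.html",
    "10.0.0.6 abcdefghijklmnop.onion.proxy-placeholder.test GET /",
    "10.0.0.7 cdn.example.net GET /assets/app.3f9a1c2d7b6e.js",
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_LOG):
        print(f"ALERT {f.client} -> {f.host}{f.uri}")
```

Only the first sample line raises an alert: the third line reaches the same placeholder proxy host but requests `/`, so it carries only one of the two traits, and the fourth has a long hashed asset name but a normal destination. Keeping the two traits as separate fields on `Finding` lets a triage workflow treat "Tor proxy host only" as a lower-confidence signal rather than discarding it.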

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None