
Analysis
The Attack

Cowrie is the honeypot used in this attack.
Cowrie is a medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and shell interaction performed by an attacker.
Commands Step-by-Step
/Ip cloud print
Shows an IoC (indicator of compromise). This command also shows the parameters set for RouterOS, which I found out is used by MikroTik devices. You can read more about this command here: MikroTik wiki.
ifconfig
This is used at boot time to set up the network interfaces. After that, it is usually only needed for debugging or system tuning. This command is also used to assign an IP address and netmask to an interface, or to enable or disable a given interface.
uname -a
Determines the processor architecture, the system hostname and the version of the kernel that is running.

cat /proc/cpuinfo
Displays what type of processor your system is running, including the number of CPUs present.

ps -ef | grep '[Mm]iner'
The ps command will print running processes, along with some information about them. The -ef flags will print every process using the standard syntax where -e selects all processes and -f triggers full-format listing.

It seems to me that when the bot tried to grep '[Mm]iner', it was trying to see if I'm running some sort of crypto miner.
ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
ls lists directory contents, -l lists files in the long format, and -a includes directory entries that begin with a dot (.). So overall, this command is saying to list everything in the desired directory. In this case, it's several directories related to some router services, which I will explain on the next page. Here is an example of ls -la in my Kali Linux environment:

echo Hi | cat -n
In order for me to further understand this command, I had to bring it into my Kali Linux environment and test it out. This was the result:

You may be asking, why would a botnet want to print "hi" onto a console? Well, I asked myself the same question. Upon further research and looking back at the code, I realized two of the botnet's first commands were (ifconfig) and (uname), which means it was looking for something, maybe wanting to see if its checklist checked out. After not finding the specific files it was looking for... I concluded that the botnet was able to determine that my server was a honeypot, and as it identified my machine, it left a mark or "flag" to prevent the botnet from dropping malware for me to further research! (What a clever bot he is.)
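
The command sequence walked through above can be turned into a detection rule over Cowrie's JSON log. This is an added example, not part of the original write-up or of Cowrie itself; it assumes Cowrie's JSON output with `cowrie.command.input` events, and the tag names, the threshold and the sample events are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Tag -> pattern, built only from the commands listed in this write-up.
PATTERNS = {
    "routeros_probe": re.compile(r"^/ip\s+cloud\s+print", re.I),
    "host_recon": re.compile(r"^(ifconfig|uname\s+-a|cat\s+/proc/cpuinfo)\b"),
    "miner_check": re.compile(r"\bps\b.*\|\s*grep\b.*(\[Mm\]|m)iner", re.I),
    "modem_sms_probe": re.compile(r"^ls\b.*(/dev/ttyGSM|smsd|/dev/modem|simman)"),
    "echo_canary": re.compile(r"^echo\s+\S+\s*\|\s*cat\s+-n"),
}

def tag_sessions(log_lines):
    """Return {session: {"src_ip": str, "tags": set}} for command events."""
    sessions = defaultdict(lambda: {"src_ip": None, "tags": set()})
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict) or event.get("eventid") != "cowrie.command.input":
            continue
        entry = sessions[event.get("session", "unknown")]
        entry["src_ip"] = event.get("src_ip")
        command = str(event.get("input", "")).strip()
        for tag, pattern in PATTERNS.items():
            if pattern.search(command):
                entry["tags"].add(tag)
    return dict(sessions)

def matching_sessions(log_lines, min_tags=4):
    """Sessions that hit at least min_tags of the categories above."""
    return {sid: s for sid, s in tag_sessions(log_lines).items()
            if len(s["tags"]) >= min_tags}

def _event(session, ip, cmd):
    return json.dumps({"eventid": "cowrie.command.input",
                       "session": session, "src_ip": ip, "input": cmd})

# Constructed sample events (documentation IPs, not the author's logs).
SAMPLE = [
    _event("a1", "203.0.113.7", "/ip cloud print"),
    _event("a1", "203.0.113.7", "uname -a"),
    _event("a1", "203.0.113.7", "ps -ef | grep '[Mm]iner'"),
    _event("a1", "203.0.113.7", "ls -la /dev/ttyGSM* /var/log/smsd.log"),
    _event("a1", "203.0.113.7", "echo Hi | cat -n"),
    _event("b2", "198.51.100.9", "uname -a"),
    '{"eventid": "cowrie.login.success", "session": "b2"}',
]
```

Calling `matching_sessions(SAMPLE)` returns only session `a1`, which hits all five categories; session `b2` ran a single generic recon command and stays below the threshold.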

Attack Overview
The motives for this botnet have not been fully established. There are a lot of reasons why a botnet would try to attack: it could be that it was trying to see if it could use my server as a miner, make it another botnet, use it as C2 (command and control), see what kind of data it could seize, etc. This botnet was persistent in this attack and understood when to stop upon realizing it was a honeypot. The "honey quench bot," as I will now call it since I have not seen any name for it yet, continues to crawl and lurk through the internet in search of RouterOS devices with weak username and password configurations.