IoT_Malware_Abuse

IoT Intrusion Payload Infrastructure Abuse Report



IoT Intrusion Payload Infrastructure Abuse Report for June 2020

This report is compiled from the data recorded in June 2020.

The global heatmap of the recorded data is shown below, followed by the report's details.

1. The most abused ASN/Hosters/Countries

| No | ASN | Hoster name | Amount of abuse |
|---|---|---|---|
| 1 | AS14061 | DIGITALOCEAN | 11 |
| 2 | AS42864 | GIGANET-HU | 5 |
| 3 | AS206898 | BLADESERVERS | 5 |
| 4 | AS24961 | MYLOC-AS | 3 |
| 5 | AS16276 | OVH | 2 |
| 6 | AS20473 | AS-CHOOPA | 2 |
| 7 | AS62904 | EONIX-COMM | 2 |
| 8 | AS39798 | MIVOCLOUD | 2 |
| 9 | AS199264 | XEMU | 2 |
| 10 | AS36352 | AS-COLOCROSSING | 2 |
| 11 | AS54290 | HOSTWINDS | 2 |
| 12 | (Other ASN/ISP) | | 14 |

| No | Country | Amount of abuse |
|---|---|---|
| 1 | USA | 17 |
| 2 | Netherlands | 7 |
| 3 | Germany | 3 |
| 4 | Canada | 2 |
| 5 | UK | 2 |
| 6 | (others) | |

2. The record of payload names per infection source IP

| No | Payload IP | Loader script name |
|---|---|---|
| 1 | 104.140.242.72 | EkSgbins.sh |
| 2 | 104.244.79.242 | EkSgbins.sh |
| 3 | 108.61.190.85 | EkSgbins.sh |
| 4 | 13.59.24.85 | axisbins.sh |
| 5 | 131.153.50.151 | EkSgbins.sh |
| 6 | 137.220.52.158 | KKKbins.sh |
| 7 | 139.59.72.96 | axisbins.sh |
| 8 | 142.11.194.118 | yoyobins.sh |
| 9 | 142.93.252.25 | axisbins.sh |
| 10 | 147.135.173.224 | yoyobins.sh |
| 11 | 149.56.28.222 | 8UsA.sh |
| 12 | 159.89.232.83 | axisbins.sh |
| 13 | 162.251.120.102 | Hilix.sh |
| 14 | 165.227.87.220 | snype.sh |
| 15 | 167.172.148.32 | Axisbins.sh |
| 16 | 167.172.151.135 | Axisbins.sh |
| 17 | 170.130.172.44 | tbins.sh |
| 18 | 172.245.110.143 | Formula.sh |
| 19 | 179.43.151.202 | https.sh |
| 20 | 185.113.141.189 | axisbins.sh |
| 21 | 185.172.110.210 | huh.sh |
| 22 | 185.172.110.214 | sensi.sh |
| 23 | 185.172.110.221 | 8UsA.sh |
| 24 | 185.172.111.195 | sensi.sh |
| 25 | 185.223.29.137 | Lavabins.sh |
| 26 | 185.244.25.200 | ssh.sh |
| 27 | 192.168.0.10 | bins.sh |
| 28 | 192.168.0.17 | bins.sh |
| 29 | 192.3.255.169 | binbins.sh |
| 30 | 193.228.91.105 | vsUerS.sh |
| 31 | 194.37.80.241 | EkSgbins.sh |
| 32 | 194.87.138.153 | bins.sh |
| 33 | 194.87.138.153 | nig.sh |
| 34 | 195.123.242.84 | ttbins.sh |
| 35 | 198.211.108.17 | yoyobins.sh |
| 36 | 206.81.9.22 | axisbins.sh |
| 37 | 23.254.226.137 | sora.sh |
| 38 | 34.68.243.140 | yoybins.sh |
| 39 | 37.49.224.154 | g0away.sh |
| 40 | 37.49.224.171 | g0away.sh |
| 41 | 45.143.220.246 | 8UsA.sh |
| 42 | 45.84.196.225 | Xulbins.sh |
| 43 | 45.84.196.233 | lolxbins.sh |
| 44 | 45.95.168.105 | update.sh |
| 45 | 45.95.168.110 | sora.sh |
| 46 | 45.95.168.196 | yoyobins.sh |
| 47 | 45.95.168.208 | xyzbins.sh |
| 48 | 45.95.169.6 | EkSgbins.shbins |
| 49 | 5.181.156.108 | bins.sh |
| 50 | 5.252.179.34 | bot.sh |
| 51 | 50.3.177.72 | EkSgbins.sh |
| 52 | 64.225.66.56 | EkSgbins.sh |
| 53 | 64.227.2.138 | GhOul.sh |
| 54 | 68.183.125.104 | axisbins.sh |
| 55 | 80.211.239.70 | yoyobins.sh |
| 56 | 94.102.63.52 | ARES.sh |
| No | Loader unique filename |
|---|---|
| 1 | 8UsA.sh |
| 2 | ARES.sh |
| 3 | Axisbins.sh |
| 4 | EkSgbins.sh |
| 5 | EkSgbins.shbins |
| 6 | Formula.sh |
| 7 | GhOul.sh |
| 8 | Hilix.sh |
| 9 | KKKbins.sh |
| 10 | Lavabins.sh |
| 11 | Xulbins.sh |
| 12 | axisbins.sh |
| 13 | binbins.sh |
| 14 | bins.sh |
| 15 | bot.arm4 |
| 16 | g0away.sh |
| 17 | https.sh |
| 18 | huh.sh |
| 19 | lolxbins.sh |
| 20 | nig.sh |
| 21 | sensi.sh |
| 22 | snype.sh |
| 23 | sora.sh |
| 24 | ssh.sh |
| 25 | tbins.sh |
| 26 | ttbins.sh |
| 27 | update.sh |
| 28 | vsUerS.sh |
| 29 | xyzbins.sh |
| 30 | yoybins.sh |
| 31 | yoyobins.sh |

3. The ISP networks where the attacks come from (abused ISPs)

| No | Payload C2 IP | FQDN | ASN | Network prefix | ASN-ID | Country | ISP Name |
|---|---|---|---|---|---|---|---|
| 1 | 104.140.242.72 | | 62904 | 104.140.240.0/22 | EONIX-COMMUNICATIONS | US | EONIX-COMMUNICATIONS |
| 2 | 104.244.79.242 | ns1. | 53667 | 104.244.79.0/24 | PONYNET | US | PONYNET |
| 3 | 108.61.190.85 | 108.61.190.85.iomtt.com. | 20473 | 108.61.190.0/24 | AS-CHOOPA | US | AS-CHOOPA |
| 4 | 13.59.24.85 | ec2-13-59-24-85.us-east-2.compute.amazonaws.com. | 16509 | 13.58.0.0/15 | AMAZON-02 | US | AMAZON-02 |
| 5 | 131.153.50.151 | | 59210 | 131.153.48.0/22 | PHOENIXNAP-AS-SG1 | SG | PhoenixNAP |
| 6 | 137.220.52.158 | 137.220.52.158.vultr.com. | 20473 | 137.220.52.0/22 | AS-CHOOPA | US | AS-CHOOPA |
| 7 | 139.59.72.96 | | 14061 | 139.59.64.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 8 | 142.11.194.118 | client-142-11-194-118.hostwindsdns.com. | 54290 | 142.11.192.0/18 | HOSTWINDS | US | HOSTWINDS |
| 9 | 142.93.252.25 | | 14061 | 142.93.240.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 10 | 147.135.173.224 | ip224.ip-147-135-173.eu. | 16276 | 147.135.128.0/17 | OVH | FR | OVH |
| 11 | 149.56.28.222 | ca1.minemaft.net. | 16276 | 149.56.0.0/16 | OVH | FR | OVH |
| 12 | 159.89.232.83 | | 14061 | 159.89.224.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 13 | 162.251.120.102 | | 64236 | 162.251.120.0/22 | UNREAL-SERVERS | US | UNREAL-SERVERS |
| 14 | 165.227.87.220 | dev1.digitalmaxwell.com. | 14061 | 165.227.80.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 15 | 167.172.148.32 | | 14061 | 167.172.144.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 16 | 167.172.151.135 | | 14061 | 167.172.144.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 17 | 170.130.172.44 | twiux32s.twilightone.website. | 49532 | 170.130.172.0/22 | SERVERHUB-NL | DE | SERVERHUB-NL |
| 18 | 172.245.110.143 | 172-245-110-143-host.colocrossing.com. | 36352 | 172.245.110.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 19 | 179.43.151.202 | | 51852 | 179.43.128.0/18 | PLI-AS | CH | PLI-AS |
| 20 | 185.113.141.189 | | 204094 | 185.113.141.0/24 | I4W | PT | I4W |
| 21 | 185.172.110.210 | | 206898 | 185.172.110.0/23 | BLADESERVERS | NL | BLADESERVERS |
| 22 | 185.172.110.214 | | 206898 | 185.172.110.0/23 | BLADESERVERS | NL | BLADESERVERS |
| 23 | 185.172.110.221 | | 206898 | 185.172.110.0/23 | BLADESERVERS | NL | BLADESERVERS |
| 24 | 185.172.111.195 | | 206898 | 185.172.110.0/23 | BLADESERVERS | NL | BLADESERVERS |
| 25 | 185.223.29.137 | vps-zap565617-1.zap-srv.com. | 30823 | 185.223.28.0/22 | COMBAHTON | DE | combahton GmbH |
| 26 | 185.244.25.200 | | 208286 | 185.244.25.0/24 | MAXTV | AL | MAXTV |
| 27 | 192.3.255.169 | 192-3-255-169-host.colocrossing.com. | 36352 | 192.3.255.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 28 | 193.228.91.105 | | 44685 | 193.228.91.0/24 | REBECCAHOST | US | REBECCAHOST |
| 29 | 194.37.80.241 | | 47447 | 194.37.80.0/24 | TTM | DE | TTM |
| 30 | 194.87.138.153 | | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 31 | 195.123.242.84 | qx.rock.pserver.ru. | 204957 | 195.123.240.0/22 | GREENFLOID-AS | UA | GREENFLOID-AS |
| 32 | 198.211.108.17 | | 14061 | 198.211.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 33 | 206.81.9.22 | | 14061 | 206.81.0.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 34 | 23.254.226.137 | hwsrv-736211.hostwindsdns.com. | 54290 | 23.254.224.0/21 | HOSTWINDS | US | HOSTWINDS |
| 35 | 34.68.243.140 | 140.243.68.34.bc.googleusercontent.com. | 15169 | 34.68.0.0/14 | GOOGLE | US | GOOGLE |
| 36 | 37.49.224.154 | | 199264 | 37.49.224.0/24 | XEMU | NL | XEMU |
| 37 | 37.49.224.171 | | 199264 | 37.49.224.0/24 | XEMU | NL | XEMU |
| 38 | 45.143.220.246 | | 213371 | 45.143.220.0/24 | SQUITTER-NETWORKS | NL | SQUITTER-NETWORKS |
| 39 | 45.84.196.225 | onebotlife.ml. | 24961 | 45.84.196.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 40 | 45.84.196.233 | | 24961 | 45.84.196.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 41 | 45.95.168.105 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 42 | 45.95.168.110 | slot0.dadropbox.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 43 | 45.95.168.196 | slot0.ormardex.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 44 | 45.95.168.208 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 45 | 45.95.169.6 | slot0.thonivii.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 46 | 5.181.156.108 | 5-181-156-108.mivocloud.com. | 39798 | 5.181.156.0/22 | MIVOCLOUD | MD | MIVOCLOUD |
| 47 | 5.252.179.34 | 5-252-179-34.mivocloud.com. | 39798 | 5.252.179.0/24 | MIVOCLOUD | MD | MIVOCLOUD |
| 48 | 50.3.177.72 | | 62904 | 50.3.176.0/22 | EONIX-COMMUNICATIONS | US | EONIX-COMMUNICATIONS |
| 49 | 64.225.66.56 | mohamed.wpmudev.host. | 14061 | 64.225.64.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 50 | 64.227.2.138 | | 14061 | 64.227.0.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 51 | 68.183.125.104 | | 14061 | 68.183.112.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 52 | 80.211.239.70 | host70-239-211-80.serverdedicati.aruba.it. | 31034 | 80.211.224.0/20 | ARUBA-ASN | IT | ARUBA-ASN |
| 53 | 94.102.63.52 | | 202425 | 94.102.63.0/24 | INT-NETWORK | SC | INT-NETWORK |

(Please re-check the network details above against your own sources; the ASN, prefix and country values may differ depending on the GeoIP or network database used.)


Wed Aug 19 21:11:52 JST 2020 @unixfreaxjp

MalwareMustDie,NPO (malwaremustdie.org)