IoT_Malware_Abuse

IoT Intrusion Payload Infrastructure Abuse Report



IoT Intrusion Payload Infrastructure Abuse Report for September 2020

This report is compiled from the data recorded in September 2020.

The global heatmap of the recorded data can be viewed below, followed by the report's details.

(Memo: the map above contains a BGP collision between DE and RU; the RU result is incorrect.)

1. The most abused ASN/Hosters/Countries (76)

No Hoster name ASN Country Amount of abuse
1 AS-COLOCROSSING AS36352 US 14
2 MYLOC-AS AS24961 DE 9
3 DIGITALOCEAN AS14061 US 8
4 AS-CHOOPA AS20473 US 7
5 SERVERION-AS AS213035 NL 7
6 OVH AS16276 FR 3
7 MICROSOFT AS8075 US 2
8 VERDINA AS201133 BZ 2
9 GIGANET-HU AS42864 HU 2
10 (others)

2. The most abused broadband by P2P payloads (575)

P2P infection sources in GeoIP map:

No Country P2P-IP Total
1 Taiwan 96
2 USA 74
3 Korea 61
4 Mexico 38
5 Brazil 36
6 Vietnam 30
7 Israel 25
8 Turkey 22
9 Italy 19
10 Spain 18
11 Iran 17
12 China 14
13 Romania 8
14 Malaysia 8
15 Indonesia 7
16 UK 7
17 Hungary 6
18 Russia 6
19 Portugal 6
20 Canada 5

3. The record of loader names per infection source IP

No Payload IP loader script name
1 104.168.102.145 GhOul.sh
2 107.155.154.179 yoyobins.sh
3 107.172.137.176 update.sh
4 107.172.188.107 yoyobins.sh
5 107.172.193.112 devilbins.sh
6 107.172.22.250 Vividbins.sh
7 107.173.141.130 Beastmode.sh
8 107.173.141.130 Mercury.sh
9 107.173.141.130 SnOoPy.sh
10 107.174.144.155 666.sh
11 107.174.144.155 8UsA.sh
12 107.174.144.155 Mercury.sh
13 107.174.144.155 SnOoPy.sh
14 107.174.144.155 Vividbins.sh
15 107.174.144.155 axisbins.sh
16 107.174.144.155 bins.sh
17 108.61.250.65 Pemex.sh
18 138.201.213.91 AydSbins.sh
19 138.91.32.176 Pemex.sh
20 144.202.65.86 bins.sh
21 145.239.136.185 Pandora.sh
22 155.138.162.103 Pemex.sh
23 155.138.252.196 8UsA.sh
24 155.138.252.196 SnOoPy.sh
25 157.245.242.39 Mercury.sh
26 158.69.32.40 GoOgle.sh
27 159.203.77.131 bins.sh
28 159.65.229.60 bins.sh
29 161.35.167.148 GhOul.sh
30 161.35.167.148 bins.sh
31 167.172.143.237 GhOul.sh
32 172.245.205.137 lol.sh
33 172.245.7.189 8UsA.sh
34 185.10.68.175 AydSbins.sh
35 185.132.53.239 EkSgbins.sh
36 185.239.242.195 bot.sh
37 185.239.242.247 bins.sh
38 185.239.242.247 nig.sh
39 185.239.242.249 drainbins.sh
40 188.101.105.117 yoyobins.sh
41 188.166.230.199 Vividbins.sh
42 191.232.166.194 Pemex.sh
43 191.252.205.120 Pemex.sh
44 191.252.205.120 bins.sh
45 192.210.239.115 pXdN91.sh
46 192.3.12.113 RAZA.sh
47 192.3.122.100 8UsA.sh
48 192.3.122.100 Mercury.sh
49 192.3.122.100 update.sh
50 193.239.147.66 Pandora.sh
51 193.239.147.93 Vividbins.sh
52 194.15.36.137 Pemex.sh
53 194.87.138.118 axisbins.sh
54 194.87.138.169 Sakura.sh
55 194.87.138.230 yoyobins.sh
56 194.87.138.3 axisbins.sh
57 194.87.139.252 Beastmode.sh
58 195.58.38.247 Pemex.sh
59 195.58.39.117 bins.sh
60 198.23.137.142 SnOoPy.sh
61 2.57.122.186 foff.sh
62 200.9.155.106 Pemex.sh
63 205.134.182.106 Mercury.sh
64 205.134.182.106 Pemex.sh
65 205.134.182.106 SnOoPy.sh
66 206.126.81.103 iotbins.sh
67 207.246.125.217 Mercury.sh
68 209.97.129.45 0Jayxbins.sh
69 23.94.182.222 bins.sh
70 31.214.240.201 yoyobins.sh
71 40.84.141.196 Pemex.sh
72 45.13.58.4 MPT.sh
73 45.14.224.68 8UsA.sh
74 45.14.224.84 8UsA.sh
75 45.143.222.162 rtln.sh
76 45.145.185.207 yoyobins.sh
77 45.153.203.136 yoyobins.sh
78 45.156.184.229 bins.sh
79 45.76.219.1 Pemex.sh
80 45.76.88.172 Mercury.sh
81 45.80.153.243 GhOul.sh
82 45.80.153.243 SnOoPy.sh
83 45.95.168.138 8UsA.sh
84 45.95.168.138 Hilix.sh
85 45.95.168.138 Sakura.sh
86 45.95.168.138 Viivdbins.sh
87 45.95.168.87 bins.sh
88 5.2.73.187 bins.sh
89 54.38.188.188 axisbins.sh
90 62.171.138.253 GhOul.sh
91 64.227.91.126 Pemex.sh
92 64.227.91.126 update.sh
93 66.23.230.112 yoyobins.sh
94 78.108.216.40 yoyobins.sh
95 83.97.20.90 update.sh
96 88.218.16.60 bins.sh
97 88.218.16.60 huh.sh
98 88.218.16.60 t.sh

No Loader unique filename
1 0Jayxbins.sh
2 666.sh
3 8UsA.sh
4 AydSbins.sh
5 Beastmode.sh
6 EkSgbins.sh
7 GhOul.sh
8 GoOgle.sh
9 Hilix.sh
10 MPT.sh
11 Mercury.sh
12 Pandora.sh
13 Pemex.sh
14 RAZA.sh
15 Sakura.sh
16 SnOoPy.sh
17 Viivdbins.sh
18 Vividbins.sh
19 axisbins.sh
20 bins.sh
21 bot.sh
22 devilbins.sh
23 drainbins.sh
24 foff.sh
25 huh.sh
26 iotbins.sh
27 lol.sh
28 nig.sh
29 pXdN91.sh
30 rtln.sh
31 t.sh
32 update.sh
33 yoyobins.sh

4. The ISP networks where the attacks are coming from (abused ISPs)

No Payload C2 IP FQDN ASN Network prefix ASN-ID Country ISP Name
1 104.168.102.145 104-168-102-145-host.colocrossing.com. 36352 104.168.102.0/24 AS-COLOCROSSING US AS-COLOCROSSING
2 107.155.154.179 whitehosting.co. 19531 107.155.128.0/18 NODESDIRECT US NODESDIRECT
3 107.172.137.176 107-172-137-176-host.colocrossing.com. 36352 107.172.137.0/24 AS-COLOCROSSING US AS-COLOCROSSING
4 107.172.188.107 107-172-188-107-host.colocrossing.com. 36352 107.172.188.0/24 AS-COLOCROSSING US AS-COLOCROSSING
5 107.172.193.112 107-172-193-112-host.colocrossing.com. 36352 107.172.193.0/24 AS-COLOCROSSING US AS-COLOCROSSING
6 107.172.22.250 107-172-22-250-host.colocrossing.com. 36352 107.172.20.0/22 AS-COLOCROSSING US AS-COLOCROSSING
7 107.173.141.130 107-173-141-130-host.colocrossing.com. 36352 107.173.141.0/24 AS-COLOCROSSING US AS-COLOCROSSING
8 107.174.144.155 107-174-144-155-host.colocrossing.com. 36352 107.174.144.0/21 AS-COLOCROSSING US AS-COLOCROSSING
9 108.61.250.65 108.61.250.65.vultr.com. 20473 108.61.250.0/24 AS-CHOOPA US AS-CHOOPA
10 138.201.213.91 static.91.213.201.138.clients.your-server.de. 24940 138.201.0.0/16 HETZNER-AS DE HETZNER-AS
11 138.91.32.176   8075 138.91.0.0/16 MICROSOFT-CORP-MSN-A US MICROSOFT-CORP-MSN-A
12 144.202.65.86 144.202.65.86. 20473 144.202.64.0/20 AS-CHOOPA US AS-CHOOPA
13 145.239.136.185 ip185.ip-145-239-136.eu. 16276 145.239.0.0/16 OVH FR OVH
14 155.138.162.103 155.138.162.103.vultr.com. 20473 155.138.160.0/20 AS-CHOOPA US AS-CHOOPA
15 155.138.252.196 155.138.252.196.vultr.com. 20473 155.138.240.0/20 AS-CHOOPA US AS-CHOOPA
16 157.245.242.39   14061 157.245.240.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
17 158.69.32.40   16276 158.69.0.0/16 OVH FR OVH
18 159.203.77.131   14061 159.203.64.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
19 159.65.229.60   14061 159.65.224.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
20 161.35.167.148   14061 161.35.160.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
21 167.172.143.237   14061 167.172.128.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
22 172.245.205.137 172-245-205-137-host.colocrossing.com. 36352 172.245.205.0/24 AS-COLOCROSSING US AS-COLOCROSSING
23 172.245.7.189 172-245-7-189-host.colocrossing.com. 36352 172.245.0.0/20 AS-COLOCROSSING US AS-COLOCROSSING
24 185.10.68.175 175.68.10.185.ro.ovo.sc. 200651 185.10.68.0/24 FLOKINET SC FLOKINET
25 185.132.53.239   24961 185.132.53.0/24 MYLOC-AS DE IP Backbone of myLoc managed IT AG
26 185.239.242.195   213035 185.239.242.0/24 SERVERION-AS NL Serverion B.V.
27 185.239.242.247   213035 185.239.242.0/24 SERVERION-AS NL Serverion B.V.
28 185.239.242.249   213035 185.239.242.0/24 SERVERION-AS NL Serverion B.V.
29 188.101.105.117 dslb-188-101-105-117.188.101.pools.vodafone-ip.de. 3209 188.96.0.0/12 VODANET DE International IP-Backbone of Vodafone
30 188.166.230.199   14061 188.166.224.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
31 191.232.166.194   8075 191.232.0.0/13 MICROSOFT-CORP-MSN-A US MICROSOFT-CORP-MSN-A
32 191.252.205.120 vps27155.publiccloud.com.br. 27715 191.252.192.0/20   BR Locaweb Servicos de Internet S/A
33 192.168.86.248
34 192.210.239.115 192-210-239-115-host.colocrossing.com. 36352 192.210.236.0/22 AS-COLOCROSSING US AS-COLOCROSSING
35 192.3.12.113 192-3-12-113-host.colocrossing.com. 36352 192.3.0.0/20 AS-COLOCROSSING US AS-COLOCROSSING
36 192.3.122.100 192-3-122-100-host.colocrossing.com. 36352 192.3.122.0/23 AS-COLOCROSSING US AS-COLOCROSSING
37 193.239.147.66   213035 193.239.147.0/24 SERVERION-AS NL Serverion B.V.
38 193.239.147.93   213035 193.239.147.0/24 SERVERION-AS NL Serverion B.V.
39 194.15.36.137   24961 194.15.36.0/24 MYLOC-AS DE IP Backbone of myLoc managed IT AG
40 194.87.138.118   24961 194.87.138.0/23 MYLOC-AS DE IP Backbone of myLoc managed IT AG
41 194.87.138.169   24961 194.87.138.0/23 MYLOC-AS DE IP Backbone of myLoc managed IT AG
42 194.87.138.230   24961 194.87.138.0/23 MYLOC-AS DE IP Backbone of myLoc managed IT AG
43 194.87.138.3 s1-vps.vibehosting.ovh. 24961 194.87.138.0/23 MYLOC-AS DE IP Backbone of myLoc managed IT AG
44 194.87.139.252   24961 194.87.138.0/23 MYLOC-AS DE IP Backbone of myLoc managed IT AG
45 195.58.38.247   24961 195.58.38.0/23 MYLOC-AS DE IP Backbone of myLoc managed IT AG
46 195.58.39.117   24961 195.58.38.0/23 MYLOC-AS DE IP Backbone of myLoc managed IT AG
47 198.23.137.142 198-23-137-142-host.colocrossing.com. 36352 198.23.137.0/24 AS-COLOCROSSING US AS-COLOCROSSING
48 2.57.122.186   48090 2.57.122.0/24 PPTECHNOLOGY GB PPTECHNOLOGY
49 200.9.155.106   270353 200.9.154.0/23   BR Tyna Host - Datacenter no Brasil
50 205.134.182.106   6405 205.134.160.0/19 AIN US AIN
51 206.126.81.103 ip-103.81.126.206.dsl-cust.ca.inter.net. 36493 206.126.80.0/20 295CA-TOR-ASN CA 295CA-TOR-ASN
52 207.246.125.217 207.246.125.217.vultr.com. 20473 207.246.120.0/21 AS-CHOOPA US AS-CHOOPA
53 209.97.129.45   14061 209.97.128.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
54 23.94.182.222 smtp.cybersecnet.co.za. 36352 23.94.182.0/23 AS-COLOCROSSING US AS-COLOCROSSING
55 31.214.240.201 smtp.frostybonus.com. 197071 31.214.240.0/24 ACTIVE-SERVERS DE active-servers.com
56 40.84.141.196   8075 40.80.0.0/12 MICROSOFT-CORP-MSN-A US MICROSOFT-CORP-MSN-A
57 45.13.58.4   40676 45.13.58.0/24 AS40676 US AS40676
58 45.14.224.68 hosted-by.spectraip.net. 62068 45.14.224.0/24 SPECTRAIP NL SpectraIP B.V.
59 45.14.224.84 sweetirland.com. 62068 45.14.224.0/24 SPECTRAIP NL SpectraIP B.V.
60 45.143.222.162   213371 45.143.222.0/24 SQUITTER-NETWORKS NL SQUITTER-NETWORKS
61 45.145.185.207   213035 45.145.185.0/24 SERVERION-AS NL Serverion B.V.
62 45.153.203.136   213035 45.153.203.0/24 SERVERION-AS NL Serverion B.V.
63 45.156.184.229 hosted-by.parsvds.com. 208161 45.156.184.0/24 PARSVDS IR PARSVDS
64 45.76.219.1 45.76.219.1.vultr.com. 20473 45.76.192.0/19 AS-CHOOPA US AS-CHOOPA
65 45.76.88.172 45.76.88.172.vultr.com. 20473 45.76.80.0/20 AS-CHOOPA US AS-CHOOPA
66 45.80.153.243   47583 45.80.152.0/22 AS-HOSTINGER CY AS-HOSTINGER
67 45.95.168.138 maxko-hosting.com. 42864 45.95.168.0/22 GIGANET-HU HU GigaNet Internet Service Provider Co
68 45.95.168.87 maxko-hosting.com. 42864 45.95.168.0/22 GIGANET-HU HU GigaNet Internet Service Provider Co
69 5.2.73.187   60404 5.2.64.0/20 LITESERVER NL LITESERVER
70 54.38.188.188 188.ip-54-38-188.eu. 16276 54.38.0.0/16 OVH FR OVH
71 62.171.138.253 vmi461125.contaboserver.net. 51167 62.171.138.0/23 CONTABO DE CONTABO
72 64.227.91.126   14061 64.227.80.0/20 DIGITALOCEAN-ASN US DIGITALOCEAN-ASN
73 66.23.230.112 Kalombia.Root.io. 19318 66.23.224.0/20 IS-AS-1 US IS-AS-1
74 78.108.216.40 complifice.com. 30823 78.108.216.0/24 COMBAHTON DE combahton GmbH
75 83.97.20.90 90.20.97.83.ro.ovo.sc. 9009 83.97.20.0/24 M247 GB M247
76 88.218.16.60   50673 88.218.16.0/24 SERVERIUS-AS NL SERVERIUS-AS

(please re-check the network details above; a GeoIP or network database inaccuracy is possible)


Mon Dec 21 21:13:34 JST 2020 @unixfreaxjp

MalwareMustDie,NPO (malwaremustdie.org)