IoT_Malware_Abuse

IoT Intrusion Payload Infrastructure Abuse Report



IoT Intrusion Payload Infrastructure Abuse Report for November 2020

This report is compiled from the data recorded in November 2020.

The global heatmap of the recorded data can be viewed below, followed by the report's details.

(Memo: the map above contains a BGP collision between DE and RU; the RU result is incorrect.)

1. The most abused ASN/Hosters/Countries (66)

| No | Hoster name | ASN | Country | Amount of abuse |
|----|-------------|-----|---------|-----------------|
| 1 | AS-COLOCROSSING | AS36352 | US | 14 |
| 2 | SERVERION-AS | AS213035 | NL | 10 |
| 3 | DIGITALOCEAN | AS14061 | US | 8 |
| 4 | MYLOC-AS | AS24961 | DE | 3 |
| 5 | GIGANET-HU | AS42864 | HU | 4 |
| 6 | OVH | AS16276 | FR | 2 |
| 7 | EONIX-COMM | AS62904 | US | 2 |
| 8 | DEDIPATH-LLC | AS35913 | US | 2 |
| 9 | AS-CHOOPA | AS20473 | US | 1 |
| 10 | COGENT-174 | AS174 | US | 1 |
| 11 | VERDINA | AS201133 | BZ | 1 |
| 12 | GALAXYGATE | AS397031 | US | 1 |
| 13 | TEMPEST-HOSTING | AS36231 | US | 1 |
| 14 | RELIABLESITE | AS23470 | US | 1 |
| 15 | NAMECHEAP-NET | AS22612 | US | 1 |
| 16 | SPECTRAIP | AS62068 | US | 1 |
| 17 | HOSTSLICK-GER | AS208046 | DE | 1 |
| 18 | LINODE-AP | AS63949 | US | 1 |

2. The most abused broadband networks by P2P payloads (420)

P2P infection sources by country, as plotted on the GeoIP map:

| No | Country | P2P-IP Total |
|----|---------|--------------|
| 1 | Taiwan | 74 |
| 2 | USA | 66 |
| 3 | Korea | 40 |
| 4 | Mexico | 31 |
| 5 | Israel | 28 |
| 6 | Vietnam | 16 |
| 7 | Spain | 14 |
| 8 | Brazil | 12 |
| 9 | Turkey | 12 |
| 10 | Italy | 12 |
| 11 | Romania | 11 |
| 12 | Indonesia | 10 |
| 13 | China | 7 |
| 14 | Russia | 7 |
| 15 | Malaysia | 6 |
| 16 | Iran | 5 |
| 17 | Thailand | 5 |
| 18 | UK | 5 |
| 19 | Hungary | 4 |
| 20 | Greece | 4 |

3. The record of loader names per infection source IP

| No | Payload IP | Loader script name |
|----|------------|--------------------|
| 1 | 104.140.245.55 | Pemex.sh |
| 2 | 107.172.195.147 | Gbotbins.sh |
| 3 | 107.172.195.147 | ISIS.sh |
| 4 | 107.172.195.147 | Snoopy.sh |
| 5 | 107.172.86.227 | Beastmode.sh |
| 6 | 107.173.176.172 | roots.sh |
| 7 | 107.174.144.133 | 8UsA.sh |
| 8 | 107.174.35.226 | lolbins.sh |
| 9 | 107.175.136.157 | Mercury.sh |
| 10 | 107.175.94.18 | bins.sh |
| 11 | 107.191.37.175 | bins.sh |
| 12 | 134.209.112.106 | bins.sh |
| 13 | 134.209.75.217 | bins.sh |
| 14 | 138.68.22.51 | bins.sh |
| 15 | 142.252.253.149 | 8UsA.sh |
| 16 | 142.93.199.14 | bins.sh |
| 17 | 144.172.75.90 | Pemex.sh |
| 18 | 157.230.227.27 | 8UsA.sh |
| 19 | 161.35.104.249 | vvsbins.sh |
| 20 | 164.68.118.195 | 8UsA.sh |
| 21 | 170.130.205.119 | EkSgbins.sh |
| 22 | 172.245.211.58 | ISIS.sh |
| 23 | 172.245.211.58 | bins.sh |
| 24 | 172.245.8.113 | Pandora.sh |
| 25 | 172.93.100.95 | GhOul.sh |
| 26 | 185.144.101.203 | Emberbins.sh |
| 27 | 185.239.242.191 | 8UsA.sh |
| 28 | 185.239.242.198 | skid.sh |
| 29 | 185.239.242.23 | bins.sh |
| 30 | 185.30.233.178 | GhOul.sh |
| 31 | 193.239.147.2 | Pemex.sh |
| 32 | 194.87.139.13 | 666.sh |
| 33 | 195.58.39.232 | bins.sh |
| 34 | 198.46.131.183 | 8UsA.sh |
| 35 | 199.192.24.12 | Solobins.sh |
| 36 | 209.126.79.43 | bins.sh |
| 37 | 217.160.172.236 | GhOul.sh |
| 38 | 217.160.172.236 | bins.sh |
| 39 | 23.94.190.124 | 8UsA.sh |
| 40 | 23.94.4.111 | EkSgbins.sh |
| 41 | 23.95.215.12 | Mercury.sh |
| 42 | 23.95.221.197 | Beastmode.sh |
| 43 | 23.95.221.197 | GhOul.sh |
| 44 | 23.95.221.197 | RiPli.sh |
| 45 | 23.95.221.197 | Sakura.sh |
| 46 | 23.95.221.197 | bins.sh |
| 47 | 23.95.221.197 | sora.sh |
| 48 | 35.206.125.120 | axisbins.sh |
| 49 | 37.46.150.177 | Eksgbins.sh |
| 50 | 37.46.150.86 | Angelbins.sh |
| 51 | 37.46.150.86 | Beastmode.sh |
| 52 | 37.46.150.86 | sensi.sh |
| 53 | 37.46.150.86 | sora.sh |
| 54 | 45.14.224.170 | h3lln3t.sh |
| 55 | 45.145.185.211 | skid.sh |
| 56 | 45.153.203.152 | aodbins.sh |
| 57 | 45.153.203.164 | 8UsA.sh |
| 58 | 45.153.203.215 | sensi.sh |
| 59 | 45.155.42.3 | bins.sh |
| 60 | 45.84.196.132 | bins.sh |
| 61 | 45.95.168.113 | 8UsA.sh |
| 62 | 45.95.168.121 | bins.sh |
| 63 | 45.95.168.87 | bins.sh |
| 64 | 45.95.169.200 | Gbotbins.sh |
| 65 | 46.249.32.194 | ByeBye.sh |
| 66 | 5.253.84.181 | Beastmode.sh |
| 67 | 50.116.25.227 | EkSgbins.sh |
| 68 | 51.77.112.172 | 8UsA.sh |
| 69 | 51.89.203.111 | Pandora.sh |
| 70 | 67.205.159.43 | vividbins.sh |
| 71 | 68.183.32.138 | eksgbins.sh |
| 72 | 70.66.139.68 | update.sh |
| 73 | 79.124.78.196 | bins.sh |
| 74 | 83.97.20.90 | update.sh |
| 75 | 86.104.194.81 | 8UsA.sh |
| 76 | 89.42.133.67 | axisbins.sh |
| 77 | 93.114.133.248 | Pemex.sh |
| 78 | 94.242.55.10 | Mercury.sh |

Unique loader filenames seen in the list above:

| No | Loader unique filename |
|----|------------------------|
| 1 | 666.sh |
| 2 | 8UsA.sh |
| 3 | Angelbins.sh |
| 4 | Beastmode.sh |
| 5 | ByeBye.sh |
| 6 | EkSgbins.sh |
| 7 | Eksgbins.sh |
| 8 | Emberbins.sh |
| 9 | Gbotbins.sh |
| 10 | GhOul.sh |
| 11 | ISIS.sh |
| 12 | Mercury.sh |
| 13 | Pandora.sh |
| 14 | Pemex.sh |
| 15 | RiPli.sh |
| 16 | Sakura.sh |
| 17 | Snoopy.sh |
| 18 | Solobins.sh |
| 19 | aodbins.sh |
| 20 | axisbins.sh |
| 21 | bins.sh |
| 22 | eksgbins.sh |
| 23 | h3lln3t.sh |
| 24 | lolbins.sh |
| 25 | roots.sh |
| 26 | sensi.sh |
| 27 | skid.sh |
| 28 | sora.sh |
| 29 | update.sh |
| 30 | vividbins.sh |
| 31 | vvsbins.sh |

4. The ISP networks where the attacks are coming from (abused ISPs)

| No | Payload C2 IP | FQDN | ASN | Network prefix | ASN-ID | Country | ISP Name |
|----|---------------|------|-----|----------------|--------|---------|----------|
| 1 | 104.140.245.55 | | 62904 | 104.140.244.0/22 | EONIX-COMMUNICATIONS | US | EONIX-COMMUNICATIONS |
| 2 | 107.172.195.147 | 107-172-195-147-host.colocrossing.com. | 36352 | 107.172.195.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 3 | 107.172.86.227 | 107-172-86-227-host.colocrossing.com. | 36352 | 107.172.86.0/23 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 4 | 107.173.176.172 | szcxkj.com. | 36352 | 107.173.176.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 5 | 107.174.144.133 | 107-174-144-133-host.colocrossing.com. | 36352 | 107.174.144.0/21 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 6 | 107.174.35.226 | 107-174-35-226-host.colocrossing.com. | 36352 | 107.174.32.0/21 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 7 | 107.175.136.157 | 107-175-136-157-host.colocrossing.com. | 36352 | 107.175.136.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 8 | 107.175.94.18 | 107-175-94-18-host.colocrossing.com. | 36352 | 107.175.92.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 9 | 107.191.37.175 | 107.191.37.175.vultr.com. | 20473 | 107.191.32.0/21 | AS-CHOOPA | US | AS-CHOOPA |
| 10 | 134.209.112.106 | | 14061 | 134.209.112.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 11 | 134.209.75.217 | | 14061 | 134.209.64.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 12 | 138.68.22.51 | | 14061 | 138.68.16.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 13 | 142.252.253.149 | | 36231 | 142.252.253.0/24 | TEMPEST-HOSTING | US | TEMPEST-HOSTING |
| 14 | 142.93.199.14 | | 14061 | 142.93.192.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 15 | 144.172.75.90 | | 397031 | 144.172.75.0/24 | GALAXYGATE | US | GALAXYGATE |
| 16 | 157.230.227.27 | | 14061 | 157.230.224.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 17 | 161.35.104.249 | | 14061 | 161.35.96.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 18 | 164.68.118.195 | vmi491479.contaboserver.net. | 51167 | 164.68.118.0/23 | CONTABO | DE | CONTABO |
| 19 | 170.130.205.119 | | 62904 | 170.130.204.0/22 | EONIX-COMMUNICATIONS | US | EONIX-COMMUNICATIONS |
| 20 | 172.245.211.58 | 172-245-211-58-host.colocrossing.com. | 36352 | 172.245.211.0/24 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 21 | 172.245.8.113 | 172-245-8-113-host.colocrossing.com. | 36352 | 172.245.0.0/20 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 22 | 172.93.100.95 | | 23470 | 172.93.100.0/24 | RELIABLESITE | US | RELIABLESITE |
| 23 | 185.144.101.203 | lucifer.getdroid.co.uk. | 35913 | 185.144.101.0/24 | DEDIPATH-LLC | US | DEDIPATH-LLC |
| 24 | 185.239.242.191 | | 213035 | 185.239.242.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 25 | 185.239.242.198 | | 213035 | 185.239.242.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 26 | 185.239.242.23 | | 213035 | 185.239.242.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 27 | 185.30.233.178 | black.host-178.233.30.185.in-addr.arpa. | 174 | 185.30.233.0/24 | COGENT-174 | US | COGENT-174 |
| 28 | 193.239.147.2 | | 213035 | 193.239.147.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 29 | 194.87.139.13 | mail0.registar.email. | 24961 | 194.87.138.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 30 | 195.58.39.232 | | 24961 | 195.58.38.0/23 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 31 | 198.46.131.183 | 198-46-131-183-host.colocrossing.com. | 36352 | 198.46.128.0/21 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 32 | 199.192.24.12 | | 22612 | 199.192.24.0/24 | NAMECHEAP-NET | US | NAMECHEAP-NET |
| 33 | 209.126.79.43 | colo.hostirian.com. | 6428 | 209.126.64.0/20 | CDM | US | CDM |
| 34 | 217.160.172.236 | | 8560 | 217.160.0.0/16 | IONOS-AS | DE | Joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1& |
| 35 | 23.94.190.124 | 23-94-190-124-host.colocrossing.com. | 36352 | 23.94.184.0/21 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 36 | 23.94.4.111 | 23-94-4-111-host.colocrossing.com. | 36352 | 23.94.4.0/22 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 37 | 23.95.215.12 | xiergao.com. | 36352 | 23.95.214.0/23 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 38 | 23.95.221.197 | 23-95-221-197-host.colocrossing.com. | 36352 | 23.95.220.0/23 | AS-COLOCROSSING | US | AS-COLOCROSSING |
| 39 | 35.206.125.120 | 120.125.206.35.bc.googleusercontent.com. | 19527 | 35.206.64.0/18 | GOOGLE-2 | US | GOOGLE-2 |
| 40 | 37.46.150.177 | | 213035 | 37.46.150.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 41 | 37.46.150.86 | | 213035 | 37.46.150.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 42 | 45.14.224.170 | hosted-by.spectraip.net. | 62068 | 45.14.224.0/24 | SPECTRAIP | NL | SpectraIP B.V. |
| 43 | 45.145.185.211 | | 213035 | 45.145.185.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 44 | 45.153.203.152 | | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 45 | 45.153.203.164 | | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 46 | 45.153.203.215 | | 213035 | 45.153.203.0/24 | SERVERION-AS | NL | Serverion B.V. |
| 47 | 45.155.42.3 | | 35913 | 45.155.42.0/23 | DEDIPATH-LLC | US | DEDIPATH-LLC |
| 48 | 45.84.196.132 | | 24961 | 45.84.196.0/24 | MYLOC-AS | DE | IP Backbone of myLoc managed IT AG |
| 49 | 45.95.168.113 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 50 | 45.95.168.121 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 51 | 45.95.168.87 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 52 | 45.95.169.200 | maxko-hosting.com. | 42864 | 45.95.168.0/22 | GIGANET-HU | HU | GigaNet Internet Service Provider Co |
| 53 | 46.249.32.194 | reverse.hostingbb.com. | 50673 | 46.249.32.0/19 | SERVERIUS-AS | NL | SERVERIUS-AS |
| 54 | 5.253.84.181 | learncert.tech. | 208046 | 5.253.84.0/24 | HOSTSLICK-GERMANY | DE | Dedicated Server Provider |
| 55 | 50.116.25.227 | li455-227.members.linode.com. | 63949 | 50.116.16.0/20 | LINODE-AP | US | Linode, LLC |
| 56 | 51.77.112.172 | ip172.ip-51-77-112.eu. | 16276 | 51.77.0.0/16 | OVH | FR | OVH |
| 57 | 51.89.203.111 | ip111.ip-51-89-203.eu. | 16276 | 51.89.0.0/16 | OVH | FR | OVH |
| 58 | 67.205.159.43 | | 14061 | 67.205.144.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 59 | 68.183.32.138 | | 14061 | 68.183.32.0/20 | DIGITALOCEAN-ASN | US | DIGITALOCEAN-ASN |
| 60 | 70.66.139.68 | S010680d04a52014d.gv.shawcable.net. | 6327 | 70.66.136.0/22 | SHAW | CA | SHAW |
| 61 | 79.124.78.196 | rivals.avenut.com. | 201133 | 79.124.78.0/24 | VERDINA | BZ | VERDINA |
| 62 | 83.97.20.90 | 90.20.97.83.ro.ovo.sc. | 9009 | 83.97.20.0/24 | M247 | GB | M247 |
| 63 | 86.104.194.81 | | 48874 | 86.104.194.0/24 | HOSTMAZE | RO | HOSTMAZE |
| 64 | 89.42.133.67 | excited.infortanic.es. | 41732 | 89.42.133.0/24 | HOSTINGFUZE | RO | HOSTINGFUZE |
| 65 | 93.114.133.248 | | 202448 | 93.114.133.0/24 | MVPS | CY | https://www.mvps.net |
| 66 | 94.242.55.10 | | 43317 | 94.242.48.0/20 | FISHNET-AS | RU | FISHNET-AS |

(Please re-check the network details above before acting on them; the GeoIP or network database used may be inaccurate.)


Mon Dec 21 22:46:30 JST 2020 @unixfreaxjp

MalwareMustDie,NPO (malwaremustdie.org)