Introduction
Censys has recently made improvements to their “open-dir” label and released a new “suspicious-open-dir” label. Previously, we only had the “open-dir” label, which allows researchers and other users to discover all indexed open directories.
Open directories are essentially file servers that allow access to anyone without authentication. They often host a variety of files including executables, documents, and images.
An example of an open directory hosting ebooks
These are popular among threat actors as they can be used to easily distribute malware. And, from an OPSEC standpoint, a staging server like this will not tie back to their actual C2 server.
Multiple exploits and malicious tools are hosted on an open directory
Challenges in Using the “Open-Dir” Label for Identifying Malicious Content
Purpose and Limitations
Previously, when hunting for open directories, we only had the label “open-dir”. This shows us all servers with an open directory regardless of its contents. This allowed researchers to find interesting information that might otherwise go unnoticed.
However, the main challenge of this label is that it lacks context and Censys has indexed close to 400k open directories. This is a huge number of directories to search for any suspicious activity, and makes finding genuine malicious ones challenging.
Although researchers often combine multiple queries, this approach does not completely remove all the false positives.
In the past, I usually combined these queries to make my search for malicious open directories more targeted:
labels:"open-dir" and labels:"c2"
labels:"open-dir" and labels:"phishing"
labels:"open-dir" and services.http.response.body:"<keyword>"
Some of my favorite keywords are “payload” and “exploit”. While these queries do not guarantee a 100% hit rate, they do help to cut down the number of false positives.
Censys has addressed the challenge by introducing the new “Suspicious-Open-Dir” label, which makes hunting for malicious open directories significantly easier.
Introduction of the “Suspicious-Open-Dir” Label
Purpose and Functionality
The “suspicious-open-dir” label filters down open directories to those deemed suspicious by Censys, although these might not necessarily be malicious. By using this new label, we are now left with approximately 1% of the original 393k results. This makes the task of searching for malicious content significantly easier. Do note that servers labeled with “suspicious-open-dir” will automatically have the “open-dir” label.
393k indexed “open-dir” compared to only 4647 indexed “suspicious-open-dir”
We do still encounter a couple of false positives even when using the “Suspicious-Open-Dir” label such as empty directories.
An empty directory labeled as suspicious
Possible Criteria for “Suspicious-Open-Dir” Labeling
Let’s try discovering the logic behind this new label and how it differs from the “open-dir” label.
First, let’s use the query:
labels:"open-dir" and labels:"c2"
I’m combining these labels because if you see an open directory hosted on the same server as a C2, there is a high possibility that it is used for something malicious.
The result set is much smaller: 81 servers carry both the “c2” and “open-dir” labels, and only 26 of those also carry the “suspicious-open-dir” label. This makes it easier for us to compare the differences between both labels.
Looking at the file names of those servers with the “C2” and “open-dir” labels shows nothing suspicious. However, there is always the possibility that the file names have been purposefully renamed to avoid detection and that they are indeed malware or hacker tools.
Screenshots of directories with the “open-dir” label
Looking at those with the “C2” and “suspicious-open-dir” labels, we do see a few highly suspicious (and some downright malicious) files being hosted.
Screenshots of directories with the “suspicious-open-dir” label
On top of that, I also found that a lot of servers labeled suspicious are hosting proxying and tunneling tools such as V2Ray, Shadowsocks, and Fast Reverse Proxy (FRP). Those file names may also have been a reason for a directory to be flagged as suspicious.
There may be other factors taken into account when deciding to label an open directory as suspicious. However, from this simple query, it looks like this label is applied to directories that contain file names known to be used for malicious purposes.
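As an added example (not from the post or from Censys), the script below composes the compound queries used earlier and applies the file-name heuristic inferred above to a directory listing, scoring an empty listing as zero so that false positive drops out. The keyword weights and the sample listings are constructed assumptions.

```python
import re

# Keywords the post uses to narrow "open-dir" hits ("payload", "exploit") plus
# the tool names it saw in "suspicious-open-dir" listings (V2Ray, Shadowsocks,
# FRP). The weights are an assumption made for this illustration.
SUSPICIOUS_KEYWORDS = {"payload": 3, "exploit": 3, "keylogger": 3, "xmrig": 3,
                       "v2ray": 1, "shadowsocks": 1, "frp": 1}

def build_query(base_label="open-dir", extra_label=None, keyword=None):
    """Compose a Censys Search query in the form the post combines."""
    parts = [f'labels:"{base_label}"']
    if extra_label:
        parts.append(f'labels:"{extra_label}"')
    if keyword:
        parts.append(f'services.http.response.body:"{keyword}"')
    return " and ".join(parts)

_HREF = re.compile(r'href="([^"]+)"')

def extract_filenames(body):
    """Entry names from an autoindex-style listing, minus the parent link,
    absolute paths and sort-order links such as ?C=N;O=D."""
    names = []
    for href in _HREF.findall(body):
        if not href.startswith(("?", "/", "../")):
            names.append(href.rstrip("/"))
    return names

def triage(body):
    """Score one listing as (score, matching entries); an empty listing,
    the false positive the post mentions, scores 0."""
    score, hits = 0, []
    for name in extract_filenames(body):
        low = name.lower()
        for kw, weight in SUSPICIOUS_KEYWORDS.items():
            if kw in low:
                score += weight
                hits.append(name)
                break
    return score, hits

# Constructed sample listings modelled on the page's screenshots; they are
# not real Censys results.
SAMPLE_SUSPICIOUS = """<h1>Index of /</h1><pre><a href="?C=N;O=D">Name</a>
<a href="../">../</a>
<a href="output.txt">output.txt</a>
<a href="cf_exploit.py">cf_exploit.py</a>
<a href="payload.exe">payload.exe</a>
<a href="v2ray/">v2ray/</a></pre>"""
SAMPLE_EMPTY = '<h1>Index of /</h1><pre><a href="../">../</a></pre>'
```

Feeding the HTTP response body of each “suspicious-open-dir” hit into triage() gives a quick way to rank results before opening them by hand.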
Case Examples
Example 1: A Directory Targeting Adobe ColdFusion Vulnerabilities and RDweb Servers
Using the “suspicious-open-dir” label, we come across a directory that contains the Brute Ratel C2 software and multiple exploits, notably one that targets Adobe ColdFusion.
“suspicious-open-dir” with exploits targeting Adobe ColdFusion Vulnerabilities
We found a Python script that targets the Adobe ColdFusion vulnerabilities. Once successfully exploited, the attacker will be able to read files or execute commands on the compromised server.
Python script that conducts mass exploitation on servers with Adobe ColdFusion vulnerabilities
On top of this, we also found an “output.txt” with logs of attempted connections to multiple IP addresses on port 8500, which is commonly used by Adobe ColdFusion. This looks like a possible brute-force attempt by this particular threat actor. Thankfully, it looks like all the connections failed.
Multiple attempted connections to IPs with Adobe ColdFusion
Separately, we find multiple log files which contain IP addresses of servers that have Microsoft RDWeb enabled. Also, we do see a password list that might have been used for the brute-force attempt on the RDWeb-enabled servers.
Password list alongside a log of multiple login attempts to RDWeb-enabled servers
Example 2: A Directory Involved in a Possible Phishing Campaign
This is an interesting open directory and was originally covered by Gi7w0rm on Twitter. Here, we find 2 webpages that seem to emulate a Google Sign-in page as well as the “Touch N Go” website.
“suspicious-open-dir” containing phishing web pages
An .html file emulating the Google sign-in page
An .html file emulating the “Touch N Go” website
Although the “Touch N Go” page is full of broken links, clicking the “Learn More” or “Get Started” button produces a prompt stating that the button was clicked.
While looking at the other files, we came across a folder titled “Awareness” and a text file containing a couple of credentials that might be from the victims of the phishing website. It seems that the earlier set of credentials might have been used by the attacker to validate that their password-stealing capabilities were functional before deploying the phishing website.
These details suggest that this could have been a phishing exercise for user awareness. However, if that is the case, it is extremely poor operational security to store your phished users’ credentials in an open directory where everyone can access them.
Two different sets of logged credentials two days apart
Example 3: A Directory with Python Scripts for Illicit Monero Mining and a Unique C2 Server UI
In this open directory, we see a lot of malicious-sounding Python scripts which are part of the “Build Your Own Botnet” framework. There are also XMRig binaries for macOS, Linux and Windows. XMRig is an open-source miner specifically designed for mining Monero (XMR). It is sometimes abused by malicious actors to conduct illegal mining operations on compromised systems.
“suspicious-open-dir” with a C2 Framework and Cryptominer
Python keylogger part of the Build Your Own Botnet framework
Besides the malicious open directory, we also see a “Device Dashboard” on Port 5000 that happens to look like a web UI for a C2 server.
What looks to be a web UI for the management of compromised hosts
This looks like the web UI for the “Build Your Own Botnet” Framework.
Interface to check which victims are communicating with the C2
Interface to upload and download files between the C2 server and its victims
Interface to create payloads for multiple operating systems
Looking at the files in this open directory, it does seem like this particular threat actor is looking to build their own botnet, possibly to mine cryptocurrency.
Conclusion
The introduction of the “suspicious-open-dir” label has significantly reduced the number of open directories that researchers have to go through. The reduction from 393k results to roughly 4.5k results has made it much easier to focus on directories that are more likely to be malicious.
As things progress, I am looking forward to future enhancements to the algorithm used for this label, and having it reach a stage where it might even identify “malicious-open-dir” with close to 100% accuracy. Other metrics such as known malicious IPs, bulletproof hosting ASNs, and even TLS certs that match other known malicious infrastructure could be used to enhance or perhaps provide a probability scale of maliciousness.
Censys Documentation
A Beginner’s Guide to Hunting Malicious Open Directories
Simplify Threat Investigations: Identify Suspicious Open Directories with Censys Search
I highly encourage everyone to give this label a try and share all the cool interesting things that you find with the rest of the Censys community.
Find more from guest author Jeremy Fernandez on Medium and LinkedIn!