Sensor Intel Series

A Single IP is Scanning Intensely, and Yields a List of Malware Loaders

Overall scanning for CVEs we track is down, but one specific scanner caught our attention. We dig into what it’s doing.
September 19, 2024

The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.

Additional insights and contributions provided by the F5 Threat Campaigns team.

Introduction

Welcome to the August 2024 installment of the Sensor Intelligence Series, our monthly summary of vulnerability intelligence based on distributed passive sensor data.

Last month, we observed that scanning for CVE-2017-9841 fell sharply, and this month is no different, with scanning for that vulnerability falling another 79% from July’s rate. Overall, it is down 97.4% from its high-water mark in June of 2024.

CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 consumer routers, which has consistently been near the top of our ranking, is now the most scanned-for CVE that we track, but it too is down from last month, falling by 18.8% compared to July.

Researching an Aberration

We frequently look for anomalies not related to specific CVE scanning activity in our logs, and this month, we found one that's worth mentioning.

We first noted that the overall level of scanning was up significantly from the month prior, having risen 90.9% in terms of total events observed.

Digging into this a bit, we were surprised to find that the top source and destination country combination was scanners located in Lithuania scanning US sensors. This is unusual, and became even more unusual when we found that the vast majority (99.9%) of that traffic was from just one IP address.

That IP address is 141.98.11.114, with a reverse DNS lookup of “srv-141-98-11-114.serveroffer.net”. Serveroffer.net appears to be a hosting infrastructure provider based out of the city of Kaunas, in Lithuania.

We looked back a bit further, across the whole of 2024 in fact, and we found that this IP has been scanning quite a lot but not very consistently.
Day     n
07-21     7148
07-22    16083
07-25    16064
07-26     4016
07-31    12048
08-10   165916
08-11    82957
08-12    82956
08-16    68279
08-17    14679
08-18   165916
Table 1: Scanning activity of 141.98.11.114, broken out by month and day. Note that the scanning behavior is not constant and seems to happen a few days at a time.

We were initially expecting to find this IP scanning for a specific set of vulnerabilities, or at least a class of vulnerability, but this scanner seems to be trying to pull a lot of odd URLs.

There are 83,193 distinct URLs being scanned for by this IP, the majority of which appear to have a file extension present, for example “GET /kolomz.exe”. We’ve published this list to our github as “141.98.11.114_unique_urls.txt”. This immediately made us wonder whether this scanner was attempting to find malware hosting sites, as many malware loaders we observe in our data follow a similar naming scheme. Its User-Agent header, "BotPoke", was also an interesting breadcrumb to follow.
File Extension            n
.exe                 525305
(no extension present) 20673
.sh                   14768
.bat                  13496
.apk                  10710
.hta                   6706
.vbs                   4613
.mips                  2912
.arm7                  2784
.arm5                  2752
all_others            31343
Table 2: Analysis of file extensions present in URLs scanned for by 141.98.11.114

We found a few references online, some dating as far back as 2010, to a scanner exhibiting similar behavior, with the same User-Agent string, so this doesn't seem to be anything out of the ordinary, except for the intensity of the scanning activity and the use of a single IP address.

We expanded our search for unique URLs by looking for any URL associated with the User-Agent “BotPoke”, and we’ve published a full list of the unique URLs found, all 105,797 of them, to our github repo as “full_list_PokeBot_URLs.txt”.

Both the published lists may be useful for threat hunting in web environments, as they contain names of common malware loaders, but please be aware that these files likely contain all sorts of filetypes, ranging from malware loaders, to cracked games, and much else besides. Please use these lists with caution, and we make no guarantees of correctness.
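A hunting script that applies the indicators above (the source IP, the "BotPoke" User-Agent, and a watch list of requested paths such as the published URL files) to web server access logs and tallies requested file extensions the way Table 2 does. This is an added example, not code from the article or from F5; it assumes combined-log-format access logs, and the sample log lines and the stand-in watch list are constructed, with only /kolomz.exe taken from the article.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicators quoted in the article: the scanning source IP and its User-Agent.
SCANNER_IP = "141.98.11.114"
SCANNER_UA = "BotPoke"

# Combined log format is assumed; the regex is not from the article.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def extension_of(path):
    """Extension of the last path segment (lower-case, with dot), or the Table 2
    bucket '(no extension present)' when there is none; query strings are ignored."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else "(no extension present)"

def hunt(lines, watch_urls=frozenset()):
    """Flag requests from the scanner IP, with its User-Agent, or for a watch-listed
    path (e.g. loaded from the published URL lists), and tally extensions as in Table 2."""
    hits, ext_counts = [], Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        if rec["ip"] == SCANNER_IP:
            reasons.append("scanner-ip")
        if SCANNER_UA in rec["ua"]:
            reasons.append("scanner-ua")
        if urlsplit(rec["path"]).path in watch_urls:   # compare without query string
            reasons.append("watchlist-url")
        if reasons:
            hits.append((rec["ip"], rec["path"], tuple(reasons)))
            ext_counts[extension_of(rec["path"])] += 1
    return hits, ext_counts

# Constructed sample log; only /kolomz.exe is a path quoted in the article.
SAMPLE_LOG = [
    '141.98.11.114 - - [10/Aug/2024:03:12:01 +0000] "GET /kolomz.exe HTTP/1.1" 404 162 "-" "BotPoke"',
    '141.98.11.114 - - [10/Aug/2024:03:12:02 +0000] "GET /update.sh HTTP/1.1" 404 162 "-" "BotPoke"',
    '141.98.11.114 - - [10/Aug/2024:03:12:03 +0000] "GET /loader HTTP/1.1" 404 162 "-" "BotPoke"',
    '203.0.113.7 - - [10/Aug/2024:03:15:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2024:03:16:44 +0000] "GET /bins/x86.exe HTTP/1.1" 404 162 "-" "BotPoke"',
    '198.51.100.9 - - [10/Aug/2024:03:16:45 +0000] "GET /kolomz.exe?x=1 HTTP/1.1" 404 162 "-" "curl/8.0"',
]
WATCH_URLS = frozenset({"/kolomz.exe"})  # constructed stand-in for the published list
```

Point `hunt` at real log lines and load `WATCH_URLS` from the published text files to hunt in your own environment; the returned extension tally gives a quick view of what the scanner was looking for.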

August Vulnerabilities by the Numbers

Figure 1 shows July attack traffic for the top ten CVEs that we track. CVE-2017-9841 has fallen off to 4th place, and CVE-2023-1389 has retaken the top spot. Also notable is the disappearance of CVE-2021-28481 from the top 10, and the appearance of CVE-2020-0618.

The regular movement on this graph is not surprising – scanning for different vulnerabilities varies significantly month to month.

Top 10 CVEs for Ports 80/443, August 2024
Figure 1. Top ten vulnerabilities by traffic volume in August 2024. CVE-2023-1389 has returned to the top spot, and CVE-2017-9841 has fallen to fourth place.

Figure 2 is a bump plot showing the change in traffic volume and position over the last twelve months. We can see quite clearly the continuing falloff in scanning for CVE-2017-9841. It’s also interesting to note that CVE-2020-11625, which was our most scanned-for vulnerability in January and February of this year, has now disappeared entirely, and indeed did so in June.

Figure 2. Evolution of vulnerability targeting in the last twelve months. Note the continued falloff in scanning for CVE-2017-9841.

Figure 3 shows traffic for the top 19 CVEs by all-time traffic, followed by a monthly average of the remaining CVEs. Again, one can easily see the precipitous rise and fall of scanning for CVE-2017-9841, as well as the steady rise of scanning for CVE-2023-1389, which, although it still holds first place in our top 10, is itself falling off as well. In the lower right corner, you can see the average of all the other 110 CVEs we currently track, and note that these too have fallen quite dramatically.

We may be observing a long-tail phenomenon finally getting to the end here, and it’s going to be interesting to see how the addition of more recent CVEs may change this overall average, as we incorporate more signatures for many more CVEs in the coming month or two.

Figure 3. Traffic volume by vulnerability. This view accentuates the recent changes in both CVE-2023-1389 and CVE-2017-9841.

Conclusions

Just looking at scanning targeting CVEs, while certainly interesting, doesn’t show the whole picture, as we saw when analyzing the single IP scanner looking for malware distribution sites. There are a lot of interesting phenomena present in this data, and we hope over the coming months to not only expand the scope of the CVEs we’re tracking, but also continue to do deep dives into anomalous events as we did this month.


Recommendations

Technical, Preventative
  • Scan your environment for vulnerabilities aggressively.
  • Patch high-priority vulnerabilities (defined however suits you) as soon as feasible.
  • Engage a DDoS mitigation service to prevent the impact of DDoS on your organization.

Technical, Detective
  • Use a WAF or similar tool to detect and stop web exploits.
  • Monitor anomalous outbound traffic to detect devices in your environment that are participating in DDoS attacks.

Authors & Contributors
Malcolm Heath (Author)
Principal Threat Researcher
