To many people, butter is a basic food that is used widely in cooking and eating. It’s also the username an attack group has been using after breaking into Linux servers.
Which is why GuardiCore Labs has dubbed an attack campaign that has been going on for several years “Butter.” And like its namesake, simplicity is the key to its success.
“The Butter attackers break into servers by brute forcing SSH [secure shell] credentials,” the security vendor said in an analysis released Thursday. “This technique, while basic, is still incredibly effective worldwide. Weak and unsecured machines still exist by the tens of thousands across all industries ranging from tiny IoT devices to large servers.”
The group or person behind this campaign are apparently happy with the way it has been going: A new payload was released over the summer.
Since 2015 GuardiCore said sensors on customer products have detected thousands of attacks with the butter signature in different intensities. Unusually, over the last two years they have originated from four IP addresses in Hong Kong or Singapore.
There have been two common payloads, which GuardiCore dubbs “80″ and “samba.” 80, the older and more prevalent, is a x64 variant of the well-known DDoS payload XOR.DDOS with the filename 80. The report says this is a modern remote access tool with DDoS functionality that runs itself persistently using cron, kills competitor malware, and installs a Linux kernel rootkit to hide its tracks.
Samba, named after one of the file names it disguises itself in, was first detected in July of this year. In addition to carrying a RAT it can also download files, execute shell commands, can join in DDoS attacks and it includes built-in functionality to download and run a Monero cyrptominer. Since it first showed up GuardiCore has seen seven versions of this malware.
By ‘laying low’ and avoid making attribution mistakes, the group or person behind this campaign have managed to stay stealthy with a relatively simple infrastructure, says the analysis.
To protect against this attack infosec teams should focus on locking down systems, says GuardiCore, paying attention to machine credentials policies to block weak passwords. Routinely review who and what can access the servers. Monitoring outbound connections could easily uncover compromised devices communicating with cryptocurrency mining pools, it adds.
Check for compromised Linux servers by searching for a user named butter. To check if a specific user exists in a system run the command id -u butter. If the user exists, you will get an output giving the user’s ID, which should be 0.
“We continuously find that the most basic attack methods that worked 10 years ago still work and will probably continue to be effective in the future,” warns the report. “Brute forcing credentials and simple persistence methods such as adding users to the system are not going away anytime soon. The signature user butter was first mentioned in a thesis from 2015 and until today continues to show up in many “top lists” of SSH honeypots.”
