VestaCP compromised in a new supply-chain attack
AlienVault pulse (TLP: WHITE), created 2018-10-18, modified 2018-10-18. 37 indicators of compromise.
In recent months, numerous users of VestaCP, a hosting control panel solution, have received warnings from their service providers that their servers were using an abnormal amount of bandwidth. We know today that these servers were in fact being used to launch DDoS attacks. Analysis of a compromised server showed that malware we call Linux/ChachaDDoS was installed on the system. This same week, we found out that the VestaCP website was compromised, resulting in a supply-chain attack on new installations of VestaCP since at least May 2018. Linux/ChachaDDoS has some similarity with Xor.DDoS, but unlike that older family, it has multiple stages and uses Lua for its second- and third-stage components.
Indicators of Compromise (37)
TYPE | INDICATOR | CREATED
domain 10afdmasaxsssaqrk.com 2018-10-18
domain 7mfsdfasdmkgmrk.com 2018-10-18
domain 8masaxsssaqrk.com 2018-10-18
domain 9fdmasaxsssaqrk.com 2018-10-18
domain efbthmoiuykmkjkjgt.com 2018-10-18
domain zxcvbmnnfjjfwq.com 2018-10-18
FileHash-SHA256 fa408855304ca199f680b494b69ef473dd9c5a5e0e78baa444048b82a8bd97a9 2018-10-18
URL http://10afdmasaxsssaqrk.com:8852/YTRFDA 2018-10-18
URL http://193.201.224.202:8852/ASDFRE 2018-10-18
URL http://193.201.224.202:8852/ASDFREM 2018-10-18
URL http://193.201.224.233:8852/DAAADF 2018-10-18
URL http://193.201.224.238:8852/DAAADF 2018-10-18
URL http://193.201.224.238:8852/DAAADF/DAAADF.dat 2018-10-18
URL http://193.201.224.238:8852/RTEGFN01 2018-10-18
URL http://193.201.224.238:8852/RTEGFN01/RTEGFN01.dat 2018-10-18
URL http://7mfsdfasdmkgmrk.com:8852/JHKDSAG 2018-10-18
URL http://8masaxsssaqrk.com:8852/JHKDSAG 2018-10-18
URL http://9fdmasaxsssaqrk.com:8852/YTRFDA 2018-10-18
URL http://efbthmoiuykmkjkjgt.com:8852/RTEGFN01 2018-10-18
URL http://zxcvbmnnfjjfwq.com:8852/RTEGFN01 2018-10-18
FileHash-SHA1 0328fa49058e7c5a63b836026925385aac76b221 2018-10-18
FileHash-SHA1 0413f832d8161187172aef7a769586515f969479 2018-10-18
FileHash-SHA1 0ab55b573703e20ac99492e5954c1db91b83aa55 2018-10-18
FileHash-SHA1 1b6a8ab3337fc811e790593aa059bc41710f3651 2018-10-18
FileHash-SHA1 334ad99a11a0c9dd29171a81821be7e3f3848305 2018-10-18
FileHash-SHA1 3caf7036aa2de31e296beae40f47e082a96254cc 2018-10-18
FileHash-SHA1 4ca3b06c76f369565689e1d6bd2ffb3cc952925d 2018-10-18
FileHash-SHA1 4e46630b98f0a920cf983a3d3833f2ed44fa4751 2018-10-18
FileHash-SHA1 56ac7c2c89350924e55ea89a1d9119a42902596e 2018-10-18
FileHash-SHA1 6a536b3d58f16bbf4333da7af492289a30709e77 2018-10-18
FileHash-SHA1 72651454d59c2d9e0afdd927ab6eb5aea18879ce 2018-10-18
FileHash-SHA1 a42e131efc5697a7db70fc5f166bae8dfb3afde2 2018-10-18
FileHash-SHA1 abea9166dad7febce8995215f09794f6b71da83b 2018-10-18
FileHash-SHA1 bb999f0096ba495889171ad2d5388f36a18125f4 2018-10-18
FileHash-SHA1 bd5d0093bba318a77fd4e24b34ced85348e43960 2018-10-18
FileHash-SHA1 d3af11dbfc5f03fd9c10ac73ec4a1cfb791e8225 2018-10-18
FileHash-SHA1 d7109d4dfb862eb9f924d88a3af9727e4d21fd66 2018-10-18