Not quite butter, but margarine
After a busy week, I sat down on Friday evening and logged into my honeypot server for the first time in days, curious to see what might have transpired since I last checked in. Running through my standard queries, I began by looking at the credentials used in login attempts against the honeypot. The most common values revealed nothing especially exciting.
My tired Friday evening brain saw “!QAZ2wsx” and, despite it looking familiar, I thought, “Hey, this could be something interesting!” Reader, it is not. If you use a QWERTY keyboard, take a look at where those keys fall: “!QAZ” is the leftmost column of keys (1, Q, A, Z) typed with Shift held down, and “2wsx” is the column right next to it. It is a keyboard walk, not a secret.
So like I said, nothing really exciting, all fairly expected…
…until this. Username ‘butter’, with password ‘xuelp123’. Among the ‘root’, ‘admin’, and distro or tool names, this was decidedly out of place.
After taking a quick look at my keyboard to ensure I wasn’t missing an obvious-in-hindsight pattern, I checked how many attempts had been made with this username and password combination. The hits span nearly the entire uptime of my honeypot and, at the time of this writing, come from 11 IP addresses.
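As an added illustration (not the author’s own queries, whose tooling the post doesn’t show), here is a Python version of the two checks above run over a handful of constructed Cowrie-style JSON events: it flags credentials that are nothing but vertical QWERTY keyboard walks, and for a chosen username/password pair reports the attempt count, the distinct source IPs and the first/last time seen. The sample events are made up, and the `eventid`, `username`, `password`, `src_ip` and `timestamp` field names are an assumption modelled on Cowrie’s JSON output; any honeypot that emits similar JSON lines would work.

```python
import json
from collections import Counter

# Constructed sample in Cowrie-style JSON, one event per line. These are not
# real honeypot records; only the fields used below are included.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2020-01-03T02:11:08Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","timestamp":"2020-01-03T02:11:09Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"!QAZ2wsx","src_ip":"198.51.100.7","timestamp":"2020-01-03T02:11:10Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.5","timestamp":"2020-01-04T11:00:01Z"}
{"eventid":"cowrie.login.failed","username":"butter","password":"xuelp123","src_ip":"203.0.113.5","timestamp":"2020-01-04T11:00:02Z"}
{"eventid":"cowrie.login.failed","username":"butter","password":"xuelp123","src_ip":"192.0.2.44","timestamp":"2020-01-09T17:45:30Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"1qaz2wsx3edc","src_ip":"192.0.2.44","timestamp":"2020-01-09T17:45:31Z"}
"""

# Vertical key columns of a US QWERTY layout, read top to bottom.
QWERTY_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb",
                  "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]
# Map the shifted digit row back to digits so "!QAZ" normalises to "1qaz".
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")


def _walk_segments():
    """All runs of three or more adjacent keys in a column, either direction."""
    segs = set()
    for col in QWERTY_COLUMNS:
        for s in (col, col[::-1]):
            for i in range(len(s)):
                for j in range(i + 3, len(s) + 1):
                    segs.add(s[i:j])
    return sorted(segs, key=len, reverse=True)  # try longest matches first


WALK_SEGMENTS = _walk_segments()


def is_keyboard_walk(password):
    """True if the password is nothing but chained vertical QWERTY walks."""
    norm = password.translate(UNSHIFT).lower()
    if not norm:
        return False
    pos = 0
    while pos < len(norm):
        for seg in WALK_SEGMENTS:
            if norm.startswith(seg, pos):
                pos += len(seg)
                break
        else:
            return False  # a character that continues no column walk
    return True


def parse_events(text):
    """Keep only login events (success or failure) from a JSON-lines log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventid", "").startswith("cowrie.login."):
            events.append(ev)
    return events


def top_credentials(events, n=10):
    """Most common (username, password) pairs, each tagged as keyboard walk or not."""
    counts = Counter((e["username"], e["password"]) for e in events)
    return [(u, p, c, is_keyboard_walk(p)) for (u, p), c in counts.most_common(n)]


def credential_profile(events, username, password):
    """Attempt count, distinct source IPs and first/last seen for one pair."""
    hits = [e for e in events
            if e["username"] == username and e["password"] == password]
    if not hits:
        return None
    stamps = sorted(e["timestamp"] for e in hits)  # ISO 8601 sorts lexically
    return {"attempts": len(hits),
            "src_ips": sorted({e["src_ip"] for e in hits}),
            "first_seen": stamps[0],
            "last_seen": stamps[-1]}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, pw, count, walk in top_credentials(evs):
        print(f"{count:4d}  {user}:{pw}" + ("  (keyboard walk)" if walk else ""))
    print(credential_profile(evs, "butter", "xuelp123"))
```

The walk detector only covers vertical columns because that is the pattern in the post; horizontal runs (`qwerty`, `asdfgh`) would need the rows added to the segment list in the same way. On real logs, `credential_profile` is the query to run on any pair that survives the keyboard-walk filter and still looks out of place.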
The IP addresses were all over the place, as expected. As observed in a previous post, Digital Ocean seems to show up fairly often here, though the sample is very small. Several were found in various blocklists according to Hurricane Electric’s RBL tab, but beyond that, I didn’t dig much into these.
I searched for ‘butter xuelp123’ and found several dumps of other honeypot logs, which suggested this pair is commonly seen, but that still didn’t explain the origin of these unusual creds. Fortunately, a blog post from 2018 by security firm Guardicore helped fill in the gaps.
They report tracking an SSH brute force and Trojan campaign, dubbed ‘butter’, beginning in mid-2015. They go on to explain the initial stages of the attack:
Once the backdoor account is in place, Guardicore explains, the actor downloads one of several malicious payloads, including ‘80’ (a RAT with DDoS capability) and ‘samba’ (a RAT with many capabilities, including downloading and running a Monero miner).
Presumably, the original actor would have logged the servers where they had successfully broken in and added their user, so seeing these credentials tried against my honeypot seemed a bit strange. In reality, it isn’t strange at all: these attempts most likely did not come from the original ‘butter’ crew, but from actors trying to piggyback on that older campaign.
I observed thousands of other login attempts from these same IP addresses using commonly seen credentials (‘root’, ‘admin’, etc.), which further suggests this is not the original ‘butter’ actor. Guardicore states that the actor tends to ‘lay low’, and firing hundreds or thousands of SSH brute-force attempts at a machine where you have already added your own user is hardly laying low.
That said, there are probably enough servers out there compromised by ‘butter’ that were never cleaned up and still have that user and password active, which makes ‘butter xuelp123’ an easy addition to SSH brute-force lists. It’s exciting to track actors using deeply technical or rare techniques, but the reality is often much less glamorous. Regular user audits aren’t particularly exciting either, but they could catch attacks like the original ‘butter’ activity and others that rely on the same technique of adding a persistent local account.
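One way to do that audit, as an added example rather than anything from the post or from Guardicore’s write-up: parse /etc/passwd and /etc/shadow and flag accounts that have UID 0 under a name other than root, have an interactive shell without being on the operator’s list of expected users, carry an empty password field, or carry a usable password hash without being expected. The passwd and shadow excerpts below are constructed (the hashes are placeholders, not real crypt output), the ‘butter’ entry mimics an attacker-added account, and the `EXPECTED_USERS` allowlist is an assumption you would replace with your own provisioned accounts.

```python
# Constructed /etc/passwd and /etc/shadow excerpts for illustration only.
# The 'butter' line mimics an attacker-added account; hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
butter:x:1001:1001::/home/butter:/bin/bash
toor:x:0:0::/root:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructed$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:*:18000:0:99999:7:::
alice:$6$constructed$placeholderhash:18000:0:99999:7:::
butter:$6$constructed$placeholderhash:18250:0:99999:7:::
toor:!:18250:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumed allowlist of accounts the operator provisioned; replace with your own.
EXPECTED_USERS = {"root", "alice"}


def parse_passwd(text):
    """name -> {uid, gid, home, shell} from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> password field from shadow(5)-formatted text."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def audit_users(passwd_text, shadow_text, expected=EXPECTED_USERS):
    """Return (account, reason) findings for accounts that warrant a look."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if u["shell"] not in NOLOGIN_SHELLS and name not in expected:
            findings.append((name, "interactive shell on unexpected account"))
        h = hashes.get(name)
        if h == "":
            findings.append((name, "empty password field (no password required)"))
        elif h is not None and not h.startswith(("!", "*")) and name not in expected:
            # '!' and '*' prefixes mean locked or no password; anything else is usable
            findings.append((name, "usable password hash on unexpected account"))
    return findings


if __name__ == "__main__":
    # On a real host, run as root so /etc/shadow is readable; otherwise fall
    # back to the constructed sample so the script still demonstrates itself.
    try:
        with open("/etc/passwd") as f, open("/etc/shadow") as g:
            passwd_text, shadow_text = f.read(), g.read()
    except OSError:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    for account, reason in audit_users(passwd_text, shadow_text):
        print(f"{account}: {reason}")
```

Run from cron and diff the output against the previous run, and an account like ‘butter’ shows up the day it is created rather than years later in someone else’s brute-force list. The same allowlist idea extends naturally to `~/.ssh/authorized_keys` files and sudoers entries, which are the other places a persistent account tends to leave traces.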