Tuesday, June 17, 2014

Public Key & Crypto Currency Wallet Broadscanning

First Impression

While browsing today’s reports from my honeynet, I noticed that not one, but two abnormally large scans had occurred.

430 events is rather high for a simple HTTP scan, especially one in which every request yields nothing in return. The discrepancy of two in the event counts is also curious. A quick query for the distinct field “REDIRECT_URL” shows two entries which each have a count just one higher than the rest.

wallet.old.bkp and cgminer.tgz are both names one would expect to be related to Crypto Currency. CGMiner is a Crypto Currency miner, and wallet.old.bkp appears to reference a backup of a Crypto Currency wallet. CGMiner is frequently observed as a payload in broad scanning attacks.

The Requests

A quick query for the rest of the requests gives us further insight into the intent.

List of Requests

URL  Count
/checknfurl123
/.365coin/365coin.conf
/365coin.7z  2
/365coin.bkp  2
/365coin.bz2  2
/365coin.conf  2
/365coin.dump  2
/365coin.gz  2
/365coin.lzma  2
/365coin.rar  2
/365coin.tar  2
/365coin.tar.bz  2
/365coin.tar.bz2  2
/365coin.tar.gz  2
/365coin.tar.lzma  2
/365coin.tar.xz  2
/365coin.tbz  2
/365coin.tbz2  2
/365coin.tgz  2
/365coin.txz  2
/365coin.xz  2
/365coin.zip  2
/backups/wallet.dat  2
/backup.wallet.7z  2
/backup.wallet.bkp  2
/backup.wallet.bz2  2
/backup/wallet.dat  2
/backup.wallet.dump  2
/backup.wallet.gz  2
/backup.wallet.lzma  2
/backup.wallet.rar  2
/backup.wallet.tar  2
/backup.wallet.tar.bz  2
/backup.wallet.tar.bz2  2
/backup.wallet.tar.gz  2
/backup.wallet.tar.lzma  2
/backup.wallet.tar.xz  2
/backup.wallet.tbz  2
/backup.wallet.tbz2  2
/backup.wallet.tgz  2
/backup.wallet.txz  2
/backup.wallet.xz  2
/backup.wallet.zip  2
/bfgminer.7z  2
/.bfgminer/bfgminer.conf  2
/bfgminer.bkp  2
/bfgminer.bz2  2
/bfgminer.conf  2
/bfgminer.dump  2
/bfgminer.gz  2
/bfgminer.lzma  2
/bfgminer.rar  2
/bfgminer.tar  2
/bfgminer.tar.bz  2
/bfgminer.tar.bz2  2
/bfgminer.tar.gz  2
/bfgminer.tar.lzma  2
/bfgminer.tar.xz  2
/bfgminer.tbz  2
/bfgminer.tbz2  2
/bfgminer.tgz  2
/bfgminer.txz  2
/bfgminer.xz  2
/bfgminer.zip  2
/bitcoin01.dat  2
/bitcoin.7z  2
/.bitcoin/bitcoin.conf  2
/bitcoin.bkp  2
/bitcoin.bz2  2
/bitcoin.conf  2
/bitcoind.7z  2
/bitcoin.dat  2
/bitcoind.bkp  2
/bitcoind.bz2  2
/bitcoind.dump  2
/bitcoind.gz  2
/bitcoind.lzma  2
/bitcoind.rar  2
/bitcoind.tar  2
/bitcoind.tar.bz  2
/bitcoind.tar.bz2  2
/bitcoind.tar.gz  2
/bitcoind.tar.lzma  2
/bitcoind.tar.xz  2
/bitcoind.tbz  2
/bitcoind.tbz2  2
/bitcoind.tgz  2
/bitcoind.txz  2
/bitcoin.dump  2
/bitcoind.xz  2
/bitcoind.zip  2
/bitcoin.gz  2
/bitcoin.lzma  2
/bitcoin.rar  2
/bitcoin.tar  2
/bitcoin.tar.bz  2
/bitcoin.tar.bz2  2
/bitcoin.tar.gz  2
/bitcoin.tar.lzma  2
/bitcoin.tar.xz  2
/bitcoin.tbz  2
/bitcoin.tbz2  2
/bitcoin.tgz  2
/bitcoin.txz  2
/.bitcoin/wallet.dat  2
/bitcoin.xz  2
/bitcoin.zip  2
/blockchain.7z  2
/blockchain.bkp  2
/blockchain.bz2  2
/blockchain.dump  2
/blockchain.gz  2
/blockchain.lzma  2
/blockchain.rar  2
/blockchain.tar  2
/blockchain.tar.bz  2
/blockchain.tar.bz2  2
/blockchain.tar.gz  2
/blockchain.tar.lzma  2
/blockchain.tar.xz  2
/blockchain.tbz  2
/blockchain.tbz2  2
/blockchain.tgz  2
/blockchain.txz  2
/blockchain.xz  2
/blockchain.zip  2
/btc.7z  2
/btc.bkp  2
/btc.bz2  2
/btc.dat  2
/btc.dump  2
/btc.gz  2
/btc.lzma  2
/btc.rar  2
/btc.tar  2
/btc.tar.bz  2
/btc.tar.bz2  2
/btc.tar.gz  2
/btc.tar.lzma  2
/btc.tar.xz  2
/btc.tbz  2
/btc.tbz2  2
/btc.tgz  2
/btc.txz  2
/btc.xz  2
/btc.zip  2
/cgminer.7z  2
/cgminer.bkp  2
/cgminer.bz2  2
/.cgminer/cgminer.conf  2
/cgminer.conf  2
/cgminer.dump  2
/cgminer.gz  2
/cgminer.lzma  2
/cgminer.rar  2
/cgminer.tar  2
/cgminer.tar.bz  2
/cgminer.tar.bz2  2
/cgminer.tar.gz  2
/cgminer.tar.lzma  2
/cgminer.tar.xz  2
/cgminer.tbz  2
/cgminer.tbz2  2
/cgminer.txz  2
/cgminer.xz  2
/cgminer.zip  2
/coin.7z  2
/coin.bkp  2
/coin.bz2  2
/coin.dat  2
/coin.dump  2
/coin.gz  2
/coin.lzma  2
/coin.rar  2
/coins.7z  2
/coins.bkp  2
/coins.bz2  2
/coins.dat  2
/coins.dump  2
/coins.gz  2
/coins.lzma  2
/coins.rar  2
/coins.tar  2
/coins.tar.bz  2
/coins.tar.bz2  2
/coins.tar.gz  2
/coins.tar.lzma  2
/coins.tar.xz  2
/coins.tbz  2
/coins.tbz2  2
/coins.tgz  2
/coins.txz  2
/coins.xz  2
/coins.zip  2
/coin.tar  2
/coin.tar.bz  2
/coin.tar.bz2  2
/coin.tar.gz  2
/coin.tar.lzma  2
/coin.tar.xz  2
/coin.tbz  2
/coin.tbz2  2
/coin.tgz  2
/coin.txz  2
/coin.xz  2
/coin.zip  2
/feathercoin.conf  2
/.feathercoin/wallet.dat  2
/litecoin.7z  2
/.litecoin/bitcoin.conf  2
/litecoin.bkp  2
/litecoin.bz2  2
/litecoin.conf  2
/litecoin.dat  2
/litecoin.dump  2
/litecoin.gz  2
/.litecoin/litecoin.conf  2
/litecoin.lzma  2
/litecoin.rar  2
/litecoin.tar  2
/litecoin.tar.bz  2
/litecoin.tar.bz2  2
/litecoin.tar.gz  2
/litecoin.tar.lzma  2
/litecoin.tar.xz  2
/litecoin.tbz  2
/litecoin.tbz2  2
/litecoin.tgz  2
/litecoin.txz  2
/.litecoin/wallet.dat  2
/litecoin.xz  2
/litecoin.zip  2
/money.7z  2
/money.bkp  2
/money.bz2  2
/money.dump  2
/money.gz  2
/money.lzma  2
/money.rar  2
/money.tar  2
/money.tar.bz  2
/money.tar.bz2  2
/money.tar.gz  2
/money.tar.lzma  2
/money.tar.xz  2
/money.tbz  2
/money.tbz2  2
/money.tgz  2
/money.txz  2
/money.xz  2
/money.zip  2
/namecoin.7z  2
/.namecoin/bitcoin.conf  2
/namecoin.bkp  2
/namecoin.bz2  2
/namecoin.conf  2
/namecoin.dat  2
/namecoin.dump  2
/namecoin.gz  2
/namecoin.lzma  2
/.namecoin/namecoin.conf  2
/namecoin.rar  2
/namecoin.tar  2
/namecoin.tar.bz  2
/namecoin.tar.bz2  2
/namecoin.tar.gz  2
/namecoin.tar.lzma  2
/namecoin.tar.xz  2
/namecoin.tbz  2
/namecoin.tbz2  2
/namecoin.tgz  2
/namecoin.txz  2
/.namecoin/wallet.dat  2
/namecoin.xz  2
/namecoin.zip  2
/novacoin.7z  2
/.novacoin/bitcoin.conf  2
/novacoin.bkp  2
/novacoin.bz2  2
/novacoin.conf  2
/novacoin.dump  2
/novacoin.gz  2
/novacoin.lzma  2
/.novacoin/novacoin.conf  2
/novacoin.rar  2
/novacoin.tar  2
/novacoin.tar.bz  2
/novacoin.tar.bz2  2
/novacoin.tar.gz  2
/novacoin.tar.lzma  2
/novacoin.tar.xz  2
/novacoin.tbz  2
/novacoin.tbz2  2
/novacoin.tgz  2
/novacoin.txz  2
/.novacoin/wallet.dat  2
/novacoin.xz  2
/novacoin.zip  2
/ppcoin.7z  2
/.ppcoin/bitcoin.conf  2
/ppcoin.bkp  2
/ppcoin.bz2  2
/ppcoin.conf  2
/ppcoin.dump  2
/ppcoin.gz  2
/ppcoin.lzma  2
/.ppcoin/ppcoin.conf  2
/ppcoin.rar  2
/ppcoin.tar  2
/ppcoin.tar.bz  2
/ppcoin.tar.bz2  2
/ppcoin.tar.gz  2
/ppcoin.tar.lzma  2
/ppcoin.tar.xz  2
/ppcoin.tbz  2
/ppcoin.tbz2  2
/ppcoin.tgz  2
/ppcoin.txz  2
/.ppcoin/wallet.dat  2
/ppcoin.xz  2
/ppcoin.zip  2
/primecoin.7z  2
/.primecoin/bitcoin.conf  2
/primecoin.bkp  2
/primecoin.bz2  2
/primecoin.conf  2
/primecoin.dump  2
/primecoin.gz  2
/primecoin.lzma  2
/.primecoin/primecoin.conf  2
/primecoin.rar  2
/primecoin.tar  2
/primecoin.tar.bz  2
/primecoin.tar.bz2  2
/primecoin.tar.gz  2
/primecoin.tar.lzma  2
/primecoin.tar.xz  2
/primecoin.tbz  2
/primecoin.tbz2  2
/primecoin.tgz  2
/primecoin.txz  2
/.primecoin/wallet.dat  2
/primecoin.xz  2
/primecoin.zip  2
/terracoin.conf  2
/.terracoin/wallet.dat  2
/w.7z  2
/wallet.7z  2
/wallet.bkp  2
/wallet.bz2  2
/_wallet.dat  2
/wallet_dat  2
/wallet.dat  2
/wallet.dat_  2
/wallet.dump  2
/wallet.gz  2
/wallet.lzma  2
/wallet.old.7z  2
/wallet.old.bz2  2
/wallet.old.dump  2
/wallet.old.gz  2
/wallet.old.lzma  2
/wallet.old.rar  2
/wallet.old.tar  2
/wallet.old.tar.bz  2
/wallet.old.tar.bz2  2
/wallet.old.tar.gz  2
/wallet.old.tar.lzma  2
/wallet.old.tar.xz  2
/wallet.old.tbz  2
/wallet.old.tbz2  2
/wallet.old.tgz  2
/wallet.old.txz  2
/wallet.old.xz  2
/wallet.old.zip  2
/wallet.rar  2
/wallets.7z  2
/wallets.bkp  2
/wallets.bz2  2
/wallets.dump  2
/wallets.gz  2
/wallets.lzma  2
/wallets.rar  2
/wallets.tar  2
/wallets.tar.bz  2
/wallets.tar.bz2  2
/wallets.tar.gz  2
/wallets.tar.lzma  2
/wallets.tar.xz  2
/wallets.tbz  2
/wallets.tbz2  2
/wallets.tgz  2
/wallets.txz  2
/wallets/wallet.dat  2
/wallets.xz  2
/wallets.zip  2
/wallet.tar  2
/wallet.tar.bz  2
/wallet.tar.bz2  2
/wallet.tar.gz  2
/wallet.tar.lzma  2
/wallet.tar.xz  2
/wallet.tbz  2
/wallet.tbz2  2
/wallet.tgz  2
/wallet.txz  2
/wallet/wallet.dat  2
/wallet.xz  2
/wallet.zip  2
/w.bkp  2
/w.bz2  2
/w.dat  2
/w.dump  2
/w.gz  2
/w.lzma  2
/w.rar  2
/w.tar  2
/w.tar.bz  2
/w.tar.bz2  2
/w.tar.gz  2
/w.tar.lzma  2
/w.tar.xz  2
/w.tbz  2
/w.tbz2  2
/w.tgz  2
/w.txz  2
/w.xz  2
/w.zip  2
/cgminer.tgz  3
/wallet.old.bkp  3

Relational Events

At this point, it looks like this scan is attempting to find indicators of crypto currency use. The /checknfurl123 request also raises more questions. A quick look in my dashboard shows several events which share the /checknfurl123 request, dating back to June 3rd, 2014.

An accompanying query seems to confirm that the events which occurred prior to the 16th of June all shared a matching request list.

The query for the requests from those events reveals a scan for files such as SSH public and private keys, shell history files, and others.

List of Requests

/checknfurl123
/id_rsa
/id_dsa
/rsa
/dsa
/key
/key.priv
/id_rsa.old
/id_dsa.old
/identity
/authorized_keys
/authorized_keys2
/known_hosts
/id_rsa.pub
/id_dsa.pub
/.ssh/id_rsa
/.ssh/id_dsa
/.ssh/rsa
/.ssh/dsa
/.ssh/key
/.ssh/priv
/.ssh/id_rsa.old
/.ssh/id_dsa.old
/.ssh/identity
/.ssh/authorized_keys
/.ssh/authorized_keys2
/.ssh/known_hosts
/.ssh/config
/.ssh/id_rsa.pub
/.ssh/id_dsa.pub
/.ssh/id_rsa_2
/.ssh/id_rsa.2
/.ssh/id_dsa_2
/.ssh/id_dsa.2
/.ssh/id_ecdsa
/.ssh/id_ecdsa.2
/.ssh/id_ecdsa_2
/.ssh/id_ecdsa_old
/.ssh/id_ecdsa.old
/id_ecdsa
/id_ecdsa.2
/id_ecdsa_2
/id_ecdsa_old
/id_ecdsa.old
/config
/.bash_history
/.history
/.sh_history

Behavior and Traits

Viewing the requests in the dashboard gives further insight into the rest of the request parameters. A quick Google search for checknfurl123 reveals several other people who have also noticed this trend lately. Here are two examples of the /checknfurl123 request, one from the June 16th Crypto Currency campaign and one from the June 3rd Key Discovery campaign.

Each request is a nearly identical HTTP/1.1 HEAD request against port 80, one for each subsequent URL in the list. The duplicate requests from June 3rd and 4th are explained by the HTTP Host header being enumerated, once as “localhost” and then as the honeypot’s proper address. Activity then ceased for a week, but the return on June 11th exhibits the first change in behavior: HTTP Host headers of “localhost” are no longer seen. When the scanners return again on June 16th, the second behavioral change is observed: the word list is switched from the keys list to the Crypto Currency list.

My Opinion

With the prevalence of Crypto Currency Mining payloads accompanying many broad scanning attacks, this campaign is most likely targeting the work of other threat actors on already compromised machines. It could also be a crude attempt to identify vulnerable machines which have already been compromised, since a HEAD request would not return the contents of a file even if it exists. The HEAD request method could also be a fingerprint of the scanning utility, such as Pnscan. Pnscan has been observed in use with several botnets, where a HEAD request is made and, based on the response, a secondary script may be executed. The request for “/checknfurl123” most likely provides a baseline response, so that a script can tell the difference between a real file and a missing or fake one, and either proceed with file exfiltration or continue on to the next attempt.
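As an added example (not code from the original post), the following Python script turns the traits described in the last two sections into a log check: it groups HEAD requests by source address, flags a source that sends the /checknfurl123 baseline probe together with requests for wallet or key paths (or simply a large number of such paths), and lists any such path the server answered with 200, which is the situation the conclusion asks readers to fix. The log lines, the 198.51.100.7 and 203.0.113.5 addresses and the threshold value are constructed for the example.

```python
import re
from collections import defaultdict
# Combined log format (Apache/nginx); trailing referer and user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Name fragments drawn from the two request lists in the post (wallets, miners, SSH keys,
# shell histories). A constructed starting point; tune it to what your site really hosts.
SENSITIVE_RE = re.compile(
    r'wallet|\.dat$|coin|cgminer|bfgminer|blockchain|btc|id_rsa|id_dsa|id_ecdsa|'
    r'/\.ssh/|authorized_keys|known_hosts|\.bash_history|\.sh_history|/\.history$',
    re.IGNORECASE,
)
BASELINE_PROBE = "/checknfurl123"  # the scanner's request for a URL that should not exist

def parse(line):
    m = LOG_RE.match(line)  # returns None for lines that are not in combined format
    return m.groupdict() if m else None

def analyze(lines, threshold=20):
    """Per-source summary of HEAD traffic, kept only for sources matching this scan's shape:
    baseline probe plus a sensitive path, or `threshold`+ sensitive paths. 'exposed' lists
    sensitive paths the server answered 200, i.e. files that are actually reachable."""
    per_ip = defaultdict(lambda: {"head": 0, "sensitive": 0, "baseline": False, "exposed": []})
    for line in lines:
        r = parse(line)
        if r is None or r["method"] != "HEAD":
            continue
        s = per_ip[r["ip"]]
        s["head"] += 1
        if r["path"] == BASELINE_PROBE:
            s["baseline"] = True
        elif SENSITIVE_RE.search(r["path"]):
            s["sensitive"] += 1
            if r["status"] == "200":
                s["exposed"].append(r["path"])
    return {ip: s for ip, s in per_ip.items()
            if (s["baseline"] and s["sensitive"] > 0) or s["sensitive"] >= threshold}

# Constructed sample: one scanner and one ordinary visitor (both TEST-NET addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Jun/2014:09:12:01 +0000] "HEAD /checknfurl123 HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.7 - - [16/Jun/2014:09:12:01 +0000] "HEAD /wallet.dat HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.7 - - [16/Jun/2014:09:12:02 +0000] "HEAD /.bitcoin/wallet.dat HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [16/Jun/2014:09:12:02 +0000] "HEAD /.ssh/id_rsa HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [16/Jun/2014:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jun/2014:09:13:11 +0000] "HEAD /robots.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]
```

Running `analyze(SAMPLE_LOG)` reports only 198.51.100.7, with /.bitcoin/wallet.dat under "exposed" because the sample server answered it with 200.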

In Conclusion 

For (hopefully) most users, this particular scan may not pose much risk beyond hundreds of extra security events to contend with. If you have any files hosted and accessible at any of the URLs listed in this post, I suggest removing them immediately and, if necessary, hosting them via a secure solution instead. If you have any of these files and were previously unaware of them, it may be worth a dig to determine whether your site has been otherwise compromised.
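As an added check (not part of the original post), this Python script walks a web document root and reports files whose names match the two word lists above, so an administrator can confirm that nothing on those lists is reachable; the patterns, the SAMPLE_PATHS listing and the function names are constructed for the example.

```python
import os
import re

# Name patterns distilled from the two request lists in the post: wallet, miner and coin
# files (and archives of them), SSH key material, and shell history files. Constructed
# here; the one-letter "w.*" names from the list are left out because they are too noisy.
SUSPECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'(^|/)_?wallets?([._]|$)',                        # wallet.dat, wallets.tgz, _wallet.dat, wallet_dat
    r'(^|/)\.?(bitcoin|litecoin|namecoin|novacoin|ppcoin|primecoin|feathercoin|terracoin|'
    r'365coin|btc|coins?|money|blockchain)d?([./]|$)',  # bitcoin.conf, .litecoin/..., bitcoind.tgz
    r'(^|/)\.?(cgminer|bfgminer)([./]|$)',             # cgminer.conf, .bfgminer/...
    r'(^|/)\.ssh(/|$)',                                # anything under a .ssh directory
    r'(^|/)(id_(rsa|dsa|ecdsa)|identity|authorized_keys2?|known_hosts|key(\.priv)?|[rd]sa)([._]|$)',
    r'(^|/)\.(bash_|sh_)?history$',                    # .bash_history, .sh_history, .history
)]

def classify(rel_paths):
    """Return the subset of relative paths (forward slashes) whose names match what
    the scan described in the post asks for."""
    return [p for p in rel_paths if any(r.search(p) for r in SUSPECT_PATTERNS)]

def audit(webroot):
    """Walk a document root and return matching files as web-relative paths, so each
    can be checked against what the server actually serves and then removed or moved."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        found.extend(classify(prefix + name for name in files))
    return sorted(found)

# Constructed sample listing standing in for a real document root.
SAMPLE_PATHS = [
    "index.html", "images/logo.png", "backup/wallet.dat", ".ssh/id_rsa",
    "old/.bash_history", "cgminer.tgz", "money.zip", "docs/keyboard.txt", "css/main.css",
]

if __name__ == "__main__":
    import sys
    print("\n".join(audit(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

A hit from this script only means the file is present on disk; whether the web server actually serves it is a separate question, but either way the file has no business under the document root.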
