Threat actors sometimes make mistakes in operational security that put their whole working environment at risk. Cybersecurity researchers at Hunt.io recently found an open directory on an Iranian staging server that exposed a full 15-node relay network, a custom botnet framework, and tools for launching denial-of-service attacks.

A person or group with a financial or personal interest, not a government, runs this infrastructure. This gives a rare look at how malicious network architecture is built and used.

Finding the Relay Infrastructure and Botnet Arsenal

Researchers found an open file manager on an Iranian server during a routine scan with the AttackCapture feature. The directory held 449 files, including deployment scripts, configuration files, and bash command histories.

Investigators pivoted from a single TLS certificate shared across hosts and mapped a larger 15-node relay network. Seven of these servers were hosted on Hetzner in Finland; the rest were registered to Iranian internet service providers. The network ran Paqet, a tunneling tool built to bypass regional internet filtering, and the 3x-ui proxy management panel, which suggests the operator was also running a censorship-circumvention service.

Open directory in AttackCapture's file manager (Source: hunt.io)

The exposed bash history made it easy to see what the attacker did, in three distinct phases. First, the operator set up the relay tunnels. Next, they built and tested custom denial-of-service tools against specific targets, including a gaming server.

Finally, they built a framework for a persistent botnet. This deployment used a Python script called ohhhh.py to open hundreds of SSH sessions simultaneously using a list of stolen credentials. After connecting, the script used the GCC compiler to build a malicious C-based bot client directly on the victims' machines.
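The deployment pattern described here (an SSH login followed within minutes by an on-host gcc compile and a rename of the resulting binary) is something a defender can hunt for in host telemetry. The following Python is an added detection example, not code from the article or from Hunt.io; the log format, host names and sample events are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not the article's data): db2 shows login -> compile -> rename; web1 is benign.
SAMPLE_LOG = """\
2024-03-01T10:00:05 host=db2 event=ssh_login user=deploy src=198.51.100.9
2024-03-01T10:00:40 host=db2 event=exec cmd="gcc -O2 -o /tmp/client client.c"
2024-03-01T10:00:52 host=db2 event=exec cmd="mv /tmp/client /tmp/.cache-worker"
2024-03-01T10:05:00 host=web1 event=ssh_login user=ops src=192.0.2.14
2024-03-01T10:06:00 host=web1 event=exec cmd="gcc -o build/app src/app.c"
2024-03-01T11:30:00 host=web1 event=exec cmd="mv build/app /opt/app/app"
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) event=(\S+)(?: (.*))?$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    # Parse one constructed 'ts host=... event=... k=v ...' line into a dict.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest or "")}
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}

def find_compile_on_host(log_text, window_seconds=600):
    """Flag hosts where an SSH login is followed, within the window, by a
    gcc invocation and then a plain 'mv' of the compiled output."""
    alerts, state = [], {}  # state: host -> chain observed since last login
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        host = ev["host"]
        if ev["event"] == "ssh_login":
            state[host] = {"login": ev, "binary": None, "gcc_cmd": None}
            continue
        s = state.get(host)
        if s is None or ev["event"] != "exec":
            continue
        if ev["ts"] - s["login"]["ts"] > timedelta(seconds=window_seconds):
            del state[host]  # chain went stale; wait for the next login
            continue
        argv = ev.get("cmd", "").split()
        if argv[:1] == ["gcc"] and "-o" in argv[:-1]:
            s["binary"], s["gcc_cmd"] = argv[argv.index("-o") + 1], ev["cmd"]
        elif argv[:1] == ["mv"] and len(argv) == 3 and argv[1] == s["binary"]:
            alerts.append({"host": host, "user": s["login"]["user"], "src": s["login"]["src"],
                           "compiled": s["gcc_cmd"], "renamed_to": argv[2]})
            del state[host]
    return alerts
```

Feed it real auth and process-execution events after adapting parse_line to your collector's format; the time window is the main knob for false positives on build hosts.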

It then renamed the final executable to evade detection. If necessary, another script, yse.py, could stop the malicious processes on the infected hosts.

IP Summary for 185.221.239[.]162 (Source: hunt.io)

Threat Actor Assessment and Signs of Compromise

Several technical clues point to an operator who is either based in Iran or knows the region very well.

Iranian internet service providers and ArvanCloud domain routing were used to build the infrastructure.

The recovered Python scripts also carried inline comments in Farsi, and the command logs showed keyboard input errors that produced Arabic-script characters. The custom botnet client, labelled version 1.0, had hardcoded reconnection logic that ensured infected bots would keep trying to reach the command server even if it went offline.

Certificate associations sharing the same fingerprint (Source: hunt.io)

Researchers assess this is an independent operator rather than a state-aligned advanced persistent threat, because the target selection showed no geopolitical motive and the custom tools were still at an early stage of development.

Indicators of Compromise

Type of Indicator   Value                Description
IP Address          185.221.239[.]162    Open-directory staging server
IP Address          65.109.187[.]102     Node sharing the TLS certificate
IP Address          65.109.184[.]58      Node sharing the TLS certificate

Security teams should monitor their networks for these specific indicators of compromise so they can find and stop any related malicious activity.