Enhancing the OpenCanary: Samba writes and malware submissions

After finding that someone, somewhere was dumping malware .exe files into my OpenCanary, I had a long think about what I should do with the honeypot given that this had happened. My initial thinking was that the odd person might look in the share and take files and, as such, there were various Canary Tokens in there. None fired.

My first thought was to turn the share back into a read-only one but there is no fun in that!

I turned to ChatGPT and dumped my ideas into it to see what it might suggest:

Write me a script on ubuntu that will run as a cronjob to move files out of a directory, write information about the file to a log and send a notification to an ms teams channel with the file information. If it is also possible, the script should submit the file to virustotal

ChatGPT took very little time to come back to me with a method; I then realised that I should not limit myself to cron but rather watch the folder.

Can you change the logic to run when a file is placed in that directory?

Of course the AI chatbot was very helpful and gave me the basis for the scripts I built out and implemented on the box.

I decided to take an approach that would copy the files and submit them to VirusTotal immediately and periodically clean out the folder using a cronjob. The script to watch the folder was as follows:

#!/bin/sh

# Set the directory to be monitored
watch_dir="/home/ubuntu/samba"

# Set the destination directory
dest_dir="/home/ubuntu/malware"

# Set the log file
log_file="/home/ubuntu/logs/folder-watcher.log"

# Set the MS Teams webhook URL
teams_webhook_url="https://mal639.webhook.office.com/webhookb2/secret_webhook_key"

# Set the VirusTotal API key
APIKEY="get a free key at virustotal.com"

# Wait for a file or directory to be added/modified in the watched directory.
# -m keeps inotifywait running after the first event; without it the loop
# handles a single event and the script exits.
inotifywait -m -r -e create -e modify --format "%w%f" "$watch_dir" | while IFS= read -r file; do
    echo "File/directory $file has been added/modified"
    echo "$(date) - $file copied to $dest_dir" >> "$log_file"
    # Wait 5 seconds for the file to finish being copied into the share
    sleep 5
    cp -R "$file" "$dest_dir"
    # Post the same line to Teams; the quotes inside the JSON are escaped once
    curl -H "Content-Type: application/json" -d "{\"text\":\"$(date) - $file copied to $dest_dir\"}" "$teams_webhook_url"
    # Use vt-scan.sh to submit the file to VT
    /home/ubuntu/scripts/vt-scan.sh -k "$APIKEY" -f "$file" >> "$log_file"
done

Note that the VirusTotal submissions did not work with the API key passed in as an argument, so for now the API key sits directly in the curl command.

The call out to vt-scan.sh uses a script that is maintained and documented here. The script above invokes that command line, passing the API key and the file on to the REST interface at Virustotal.com.
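The watcher above has two weak points worth fixing in practice: it reacts to create/modify events, so a large file can be copied while it is still being written (hence the fixed sleep), and it drops the raw file name into the Teams JSON unescaped. The script below is an added example, not the post's script and not part of vt-scan.sh. It waits for close_write/moved_to instead, hashes each sample before copying it, strips the execute bit on the copy, and escapes the notification payload. The paths, the webhook URL placeholder, the VT_APIKEY environment variable and the vt-scan.sh location are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the post: a hardened folder watcher.
# What it changes relative to the post's version:
#   - waits for close_write / moved_to, so each file is complete when handled
#     (no fixed sleep, and one event per file instead of one per write)
#   - records size and SHA-256 before the sample is copied anywhere
#   - escapes the Teams JSON so an odd file name cannot break the payload
#   - drops execute bits on the copy so nothing runs it by accident
# Paths, the webhook URL and the vt-scan.sh location are assumptions.

watch_dir="${WATCH_DIR:-/home/ubuntu/samba}"
dest_dir="${DEST_DIR:-/home/ubuntu/malware}"
log_file="${LOG_FILE:-/home/ubuntu/logs/folder-watcher.log}"
teams_webhook_url="${TEAMS_WEBHOOK_URL:-https://example.invalid/webhook}"   # placeholder
vt_scan="${VT_SCAN:-/home/ubuntu/scripts/vt-scan.sh}"

# Escape backslashes and double quotes for use inside a JSON string literal.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the Teams payload {"text":"..."} from a plain message.
build_payload() {
    printf '{"text":"%s"}' "$(json_escape "$1")"
}

# One log line per sample: UTC timestamp, SHA-256, size in bytes, path.
describe_file() {
    sha=$(sha256sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s sha256=%s size=%s path=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sha" "$size" "$1"
}

# Copy a sample into the collection directory with no execute bit, append the
# description to the log and echo it for the caller. Fails if $1 is not a file.
quarantine_copy() {
    [ -f "$1" ] || return 1
    line=$(describe_file "$1")
    printf '%s\n' "$line" >> "$log_file"
    cp -- "$1" "$dest_dir/" && chmod a-x "$dest_dir/$(basename "$1")"
    printf '%s\n' "$line"
}

# Post the log line to Teams; a failed webhook must not stop the watcher.
notify_teams() {
    curl -sS -H 'Content-Type: application/json' \
        --data "$(build_payload "$1")" "$teams_webhook_url" >/dev/null || true
}

# vt-scan.sh is the third-party helper the post calls; only run it if present.
submit_vt() {
    [ -x "$vt_scan" ] || return 0
    "$vt_scan" -k "${VT_APIKEY:-}" -f "$1" >> "$log_file"
}

handle_file() {
    line=$(quarantine_copy "$1") || return 0
    notify_teams "$line"
    submit_vt "$1"
}

# -m keeps inotifywait alive; close_write/moved_to fire once the file is whole.
watch_share() {
    inotifywait -m -r -e close_write -e moved_to --format '%w%f' "$watch_dir" |
    while IFS= read -r f; do
        handle_file "$f"
    done
}

case "${1:-}" in
    watch) watch_share ;;
    *) echo "usage: $0 watch" >&2 ;;
esac
```

Run it with the watch argument; the functions can also be called on their own (for instance quarantine_copy on a test file), which makes it easy to check the logging and hashing without waiting for an inotify event.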

To have this script start at boot, register it as a systemd service:

sudo nano /etc/systemd/system/folder-watch.service

[Unit]
Description=Folder-Watcher
After=syslog.target
After=network-online.target

[Service]
# control-group (the default) stops inotifywait and the read loop as well, not only the parent shell
KillMode=control-group
Restart=always
# systemd does not run ExecStart through a shell, so no trailing "&" here
ExecStart=/home/ubuntu/scripts/folder-watcher.sh

[Install]
WantedBy=multi-user.target

You will need to reload systemd so it picks up the new unit (sudo systemctl daemon-reload), then enable the service before starting it.

sudo systemctl enable folder-watch.service
sudo systemctl start folder-watch.service

Now the script will run on startup, and you can also start or stop the service with sudo systemctl start folder-watch or sudo systemctl stop folder-watch respectively.

The equivalent SysV init script (the pre-systemd way of doing the same thing) is:

#!/bin/bash

### BEGIN INIT INFO
# Provides:          my_script
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start my_script at boot time
# Description:       Enable service provided by my_script.
### END INIT INFO

# Set the path of your script
SCRIPT="/home/ubuntu/scripts/folder-watcher.sh"

case "$1" in
  start)
    echo "Starting Folder-Watcher"
    "$SCRIPT" &
    ;;
  stop)
    echo "Stopping Folder-Watcher"
    # the watcher has a /bin/sh shebang, so match on the script path rather than on "bash"
    pkill -f "$SCRIPT"
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

exit 0
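Both service definitions above start the watcher as root, and systemd does not run ExecStart through a shell, so a trailing "&" (an easy mistake to make when converting a shell habit into a unit file) is handed to the script as a literal argument. The following is an added example, not from the post: a small installer that writes a unit running the watcher as an unprivileged account with a read-only view of the system, plus a lint check that catches shell control characters in ExecStart lines. The account name canary, the directory paths and the service name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): write a hardened systemd unit
# for the folder watcher and lint it for the shell-syntax mistake that bites
# ExecStart. Service user, group, paths and service name are assumptions.

# Write the hardened unit to the path given as $1 (defaults to the post's path).
write_unit() {
    out="${1:-/etc/systemd/system/folder-watch.service}"
    cat > "$out" <<'EOF'
[Unit]
Description=Folder-Watcher (honeypot share monitor)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# run as an unprivileged account that owns only the honeypot directories (assumed name)
User=canary
Group=canary
# no shell here: the script itself is the main process, so no trailing "&"
ExecStart=/home/ubuntu/scripts/folder-watcher.sh
# stop the whole pipeline (sh + inotifywait + subshell), not just the parent
KillMode=control-group
Restart=on-failure
RestartSec=5
# sandbox: read-only system, writable only where logs and copies go
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/ubuntu/malware /home/ubuntu/logs
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
EOF
}

# Return 0 if every ExecStart= line is free of shell control characters.
# systemd passes "&", "|" and ";" literally as arguments, so their presence
# means the unit will not do what the author expects.
lint_unit() {
    ! grep -E '^ExecStart=.*[&|;]' "$1" >/dev/null
}

case "${1:-}" in
    install) write_unit && systemctl daemon-reload && systemctl enable --now folder-watch.service ;;
    lint)    lint_unit "${2:?unit path}" ;;
    *)       echo "usage: $0 install | lint <unit-file>" >&2 ;;
esac
```

The sandboxing directives mean the watcher can read the share and write only to the malware and log directories; anything the dropped file tried to do through the watcher's copy step would hit a read-only filesystem and an empty capability set. Run lint against any hand-written unit before daemon-reload.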

Last but not least is the cronjob task to clean out the folder once a month; the share should then remain attractive enough to whoever is putting the files there while not being obnoxious in supporting malware-serving campaigns (although I believe the person putting the file there wants it to execute on the host, surely?).

#!/bin/bash

# Set the directory where the files will be moved from
source_dir="/home/ubuntu/samba"

# Set the directory where the files will be moved to
dest_dir="/home/ubuntu/quarantine"

# Set the log file
log_file="/home/ubuntu/logs/malware-mover.log"

# Move each file from the source directory to the destination directory and
# log it as it goes (only what was moved this run, not everything already
# sitting in quarantine). nullglob avoids a literal "*" on an empty share;
# dotglob picks up hidden files too.
shopt -s nullglob dotglob
for file in "$source_dir"/*; do
    mv -- "$file" "$dest_dir"/
    echo "$(date) - $file moved to $dest_dir" >> "$log_file"
done

I called this script “malware-mover.sh” and enabled it in crontab:

1 1 24 * * /home/ubuntu/scripts/malware-mover.sh

At 01:01 on the 24th of each month, the contents of the folder will be moved into the quarantine directory. Maybe I need to increase the frequency, let’s see where this goes…..!!