From 1 January 2024 through 7 January 2024, Clipeus honeypots were targeted by multiple attempts to run an unusual bash script named "oinasf." Activity intensified on 5 January, with four separate attempts, three of them in close temporal proximity.
Activity logged by the honeypots suggests that the script performs reconnaissance of the targeted environment. The commands run include an empty command-line entry, which, together with the irregular timing of the logged attempts, may suggest manual activity rather than a bot. However, there is no definitive evidence to support this assessment.
Open sources offer recent references to this script: in late November 2023, a Medium blogger identified the same script being run against a honeypot. Based on the originating IP addresses, the blogger hypothesized that the attackers employ cloud services for opportunistic attacks.
Our assessment is that these attacks are opportunistic in nature, as they are run against honeypots. However, the source IP addresses logged on the Clipeus end do not confirm the exclusive use of cloud services, which nonetheless remains likely.
Source IP | WHOIS |
112.164.236[.]13 | Korea Telecom |
120.157.24[.]46 | Telstra Internet |
183.103.201[.]115 | Korea Telecom |
211.194.74[.]47 | Korea Telecom |
211.196.12[.]110 | Korea Telecom |
220.119.65[.]20 | Korea Telecom |
220.71.221[.]94 | Korea Telecom |
220.77.114[.]179 | Korea Telecom |
Almost all attempts originated from infrastructure owned by Korea Telecom, an internet service provider in Korea; a single attempt came from an Australian provider, Telstra Internet. Notably, each attempt came from a different IP address, which may be consistent with the use of a cloud service, as the previously referenced blogger suggested.
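The observations used in this assessment (attempts per day, gaps between attempts, empty command-line entries, one source address per attempt) can be computed directly from honeypot session logs. The sketch below is an added example, not Clipeus tooling: the JSON-lines layout, the field names, the 10-minute proximity window and every sample event are assumptions constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample events, not Clipeus data. Field names are assumptions and
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-01-05T02:10:04", "src_ip": "192.0.2.10", "session": "a1", "input": "./oinasf"}
{"ts": "2024-01-05T02:10:09", "src_ip": "192.0.2.10", "session": "a1", "input": ""}
{"ts": "2024-01-05T02:14:40", "src_ip": "198.51.100.7", "session": "b2", "input": "./oinasf"}
{"ts": "2024-01-05T02:19:02", "src_ip": "203.0.113.5", "session": "c3", "input": "./oinasf"}
{"ts": "2024-01-05T17:45:30", "src_ip": "203.0.113.77", "session": "d4", "input": "./oinasf"}
{"ts": "2024-01-05T17:45:31", "src_ip": "203.0.113.77", "session": "d4", "input": ""}
{"ts": "2024-01-06T09:00:00", "src_ip": "198.51.100.200", "session": "e5", "input": "ls"}
"""

def triage(log_text, script="oinasf", burst_seconds=600):
    """Summarise sessions whose logged input mentions `script`."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    hits = {e["session"] for e in events if script in e["input"]}
    first_seen, ips, empty = {}, set(), set()
    for e in events:
        if e["session"] not in hits:
            continue  # unrelated session, e.g. "e5" in the sample
        t = datetime.fromisoformat(e["ts"])
        first_seen[e["session"]] = min(t, first_seen.get(e["session"], t))
        ips.add(e["src_ip"])
        if not e["input"].strip():
            empty.add(e["session"])  # empty command-line entry
    starts = sorted(first_seen.values())
    # Seconds between the start of one attempt and the start of the next
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "attempts": len(starts),
        "distinct_ips": len(ips),
        "per_day": dict(Counter(t.date().isoformat() for t in starts)),
        "sessions_with_empty_input": sorted(empty),
        "gaps_seconds": gaps,
        "close_pairs": sum(g <= burst_seconds for g in gaps),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Uneven gaps and empty entries are indicators to weigh, not proof of manual activity; a bot with jittered timing produces similar output.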
The name of the script is itself unusual, as it does not appear to have a specific meaning. The first part of the name, "oinas", may recall a Greek word and is also a family name which, according to cursory research, exists in various geographies including the Philippines and Eastern Europe. The letter "f" may be an addition to "oinas", possibly the initial of a given name. However, there are no definite elements to substantiate this interpretation.