In our monitoring we see little being created from scratch in everyday cybercrime. Generally speaking, most of what we find are adaptations of crimes, techniques and tools already used previously. This is no different with IoT botnets.
Since the Mirai botnet’s source code was made available on the Internet (October 2016), several variants have appeared, with little or no modification to the original code. What changes from variant to variant is the infection method: some target devices that still use default passwords, others exploit vulnerabilities that allow remote code execution, and a few combine multiple infection methods.
From this point on, the operation is very similar in almost all variants. They all use the access obtained (through a default credential or by exploiting a vulnerability) to download a payload that is typically a shell script.
The use of shell script appears to be deliberate. These botnets exhibit very worm-like behavior: after infection, they scan the Internet for new IoT devices to infect. There is no control over which device will be infected or what architecture it uses, so a simple way to make the code work on any architecture is to use shell script, because, despite their differences, these devices almost always run Linux, which supports the shell by default.
Once the malware identifies the target’s architecture and forces it to download and execute the corresponding binary, that device becomes part of the botnet and begins performing the actions defined by its administrator, whether DDoS attacks or the search for new victims.
This month, more than half of the attempted intrusions against our honeypots came from the Bushido variant, followed by Hajime, Ares, and Sefa. The Bushido variant was identified by Fortinet in a 26 October publication, according to which this variant is used in DDoS-for-hire services.
Its infection process occurs either through brute force against the Telnet service or by exploiting remote code execution vulnerabilities in routers.
The passwords used in the brute-force process come from lists of factory default passwords or from passwords set by Internet providers.
When access is obtained, a wget command is executed to download the payload from the web server 176 [.] 32 [.] 33 [.] 123. In this case, the author does not bother to verify the device’s architecture and downloads executables compiled for several architectures.
Once executed, the binary establishes a connection to the same server from which the previous files were downloaded (176 [.] 32 [.] 33 [.] 123) on port 3265, without any authentication, and receives an initial command, “BIGEPS ON”, to start the search for other vulnerable devices. In some cases we detected the “BIGEPS OFF” message, which indicates that the attacker can decide when the devices should start searching for other victims. Once infected, the device waits for commands to initiate DDoS attacks.
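As an added detection example (not code from the original write-up), the following Python flags the behaviour described above in constructed connection log lines: a download from the payload server, an unauthenticated connection to port 3265, and the BIGEPS ON/OFF commands. It assumes a simple one-record-per-line log format and that the payload is fetched over port 80; neither of those is stated in the post.

```python
import re
from typing import Dict, List

# Indicators quoted from the write-up (the IP is defanged there as 176 [.] 32 [.] 33 [.] 123).
C2_HOST = "176.32.33.123"
C2_PORT = 3265
C2_COMMANDS = ("BIGEPS ON", "BIGEPS OFF")

# Constructed sample records ("timestamp src dst:port proto payload"); not real captures.
SAMPLE_LOG = """\
2018-11-02T10:01:11 10.0.0.7 93.184.216.34:443 tcp TLS client hello
2018-11-02T10:02:03 10.0.0.12 176.32.33.123:80 tcp GET /bins/arm7 HTTP/1.0
2018-11-02T10:02:05 10.0.0.12 176.32.33.123:3265 tcp BIGEPS ON
2018-11-02T10:09:40 10.0.0.12 203.0.113.5:23 tcp SYN
2018-11-02T11:00:00 10.0.0.12 176.32.33.123:3265 tcp BIGEPS OFF
2018-11-02T11:03:21 10.0.0.9 198.51.100.4:3265 tcp hello
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) ?(.*)$")

def classify(line: str) -> List[str]:
    """Return the indicator names a single log line matches (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _ts, _src, dst, port, _proto, payload = m.groups()
    hits = []
    if dst == C2_HOST and int(port) == 80 and payload.startswith("GET "):
        hits.append("payload-download")        # wget of the multi-architecture binaries (port 80 assumed)
    if dst == C2_HOST and int(port) == C2_PORT:
        hits.append("c2-checkin")              # unauthenticated connection to the C2 port
    for cmd in C2_COMMANDS:
        if payload.strip() == cmd:
            hits.append("c2-command:" + cmd)   # scan start/stop signal from the operator
    return hits

def find_infected_hosts(log: str) -> Dict[str, List[str]]:
    """Map each source address to the distinct indicators it triggered, in order seen."""
    report: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        hits = classify(line)
        if m and hits:
            src = m.group(2)
            for h in hits:
                if h not in report.setdefault(src, []):
                    report[src].append(h)
    return report

if __name__ == "__main__":
    for host, reasons in find_infected_hosts(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

A connection to port 3265 on its own is not flagged; only traffic to the server named in the post triggers the check-in indicator, so the port alone does not cause false positives on unrelated services.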
During our monitoring, we identified at least 70 UDP and STD attacks (1024-byte random payload) launched by this variant, but none of them targeted Brazilian companies or IP addresses.
By analyzing its binary, we identified that, in addition to brute force, this variant attempts to exploit at least three vulnerabilities in widely used routers: Dasan GPON routers, Huawei HG532 and Eircom D-1000. This is a small number of exploited vulnerabilities compared to other variants; we have already seen variants using more than 10 different vulnerabilities in their infection process.
The trend is that the number of exploited vulnerabilities and the number of infections will only increase as long as Internet operators continue to ship devices with default passwords to their subscribers and the firmware update process still depends on user interaction.
We recommend that home users regularly check for updates to their devices, and that companies always check the status of their routers so that any compromise of the device is identified as quickly as possible.
Payload and C2
Logins and passwords used in this campaign