Yet another variant of the Mirai botnet has appeared on the scene, but this one has a twist: The code is integrated with at least three exploits that target unpatched IoT devices, including closed-circuit cameras and Netgear routers. It also has ties to a web of other botnets, made for DDoS attacks, which can all be traced back to one threat actor.
The original Mirai used traditional brute-force attempts to gain access to connected things in order to enslave them, but the Wicked Botnet, named after the underground handle chosen by its author, prefers to go the exploit route to gain access.
Fortinet's FortiGuard Labs team analyzed the botnet and found that the exploit it uses is selected by the port it manages to connect to.
"It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload," explained researchers Rommel Joven and Kenny Yang, in the analysis. "It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to."
Specifically, a connection on port 8080 triggers an exploit for a flaw in Netgear DGN1000 and DGN2200 v1 routers (also used by the Reaper botnet); port 81 is used for a CCTV-DVR remote code execution flaw; port 8443 is used for a command injection exploit against Netgear R7000 and R6400 routers (CVE-2016-6277); and port 80 corresponds to an "invoker shell" on compromised web servers. The last of these does not exploit the device directly; instead it takes advantage of web servers on which a malicious web shell has already been installed.
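The scan-then-exploit pattern described above is easy to spot from the defender's side, because the bot touches a fixed set of four ports and only sends its exploit string on the ones where the handshake completes. The following is an added example, not code from Fortinet's analysis or from the article: it parses a reduced, tab-separated Zeek-style conn.log (the sample records are constructed for this example; the field subset and the threshold of three probed ports are assumptions) and flags source hosts that probe the Wicked port set, noting on which ports a connection was actually established, which is where the corresponding exploit would have been written to the socket.

```python
from collections import defaultdict

# Ports the Wicked bot probes with raw SYN packets, per the FortiGuard analysis.
WICKED_PORTS = {8080, 8443, 80, 81}

# Exploit the bot selects for each port, as described in the article.
PORT_EXPLOIT = {
    8080: "Netgear DGN1000/DGN2200 v1 flaw",
    81: "CCTV-DVR remote code execution",
    8443: "Netgear R7000/R6400 command injection (CVE-2016-6277)",
    80: "invoker shell on an already-compromised web server",
}

# Constructed, reduced Zeek conn.log-style records (tab separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
# conn_state S0 = SYN seen, no reply; SF = handshake completed and closed normally.
SAMPLE_LOG = """\
1526500000.1\t203.0.113.7\t40001\t192.0.2.10\t8080\ttcp\tS0
1526500000.2\t203.0.113.7\t40002\t192.0.2.10\t8443\ttcp\tS0
1526500000.3\t203.0.113.7\t40003\t192.0.2.10\t80\ttcp\tSF
1526500000.4\t203.0.113.7\t40004\t192.0.2.10\t81\ttcp\tS0
1526500000.5\t203.0.113.7\t40005\t192.0.2.11\t8080\ttcp\tS0
1526500001.0\t198.51.100.5\t51000\t192.0.2.10\t443\ttcp\tSF
1526500001.1\t198.51.100.5\t51001\t192.0.2.10\t80\ttcp\tSF
1526500002.0\t198.51.100.9\t52000\t192.0.2.12\t22\ttcp\tS0
"""


def parse_conn_log(text):
    """Parse the reduced conn.log format above into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({
            "ts": float(ts),
            "src": orig_h,
            "dst": resp_h,
            "dport": int(resp_p),
            "proto": proto,
            "state": state,
        })
    return records


def find_wicked_scanners(records, min_ports=3):
    """Return {src: {"ports", "targets", "established"}} for every source that
    attempted TCP connections to at least min_ports of the Wicked port set.
    "established" holds the ports where the handshake completed, i.e. where the
    bot would have gone on to write its exploit string."""
    by_src = defaultdict(lambda: {"ports": set(), "targets": set(), "established": set()})
    for r in records:
        if r["proto"] != "tcp" or r["dport"] not in WICKED_PORTS:
            continue
        entry = by_src[r["src"]]
        entry["ports"].add(r["dport"])
        entry["targets"].add(r["dst"])
        if r["state"] == "SF":
            entry["established"].add(r["dport"])
    return {src: e for src, e in by_src.items() if len(e["ports"]) >= min_ports}


def report(scanners):
    """Render the findings as plain text, one block per flagged source."""
    lines = []
    for src, e in sorted(scanners.items()):
        lines.append(f"{src}: probed ports {sorted(e['ports'])} on {len(e['targets'])} host(s)")
        for port in sorted(e["established"]):
            lines.append(f"  established on {port}: expect {PORT_EXPLOIT[port]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_wicked_scanners(parse_conn_log(SAMPLE_LOG))))
```

On the constructed sample only 203.0.113.7 is flagged: it probed all four ports and completed a handshake on port 80, so the host on 192.0.2.10 that answered on 80 is the one to check for a pre-existing web shell. The host that hit only 443 and 80 is ordinary web traffic and stays below the threshold; lower min_ports if your environment sees the bot reach only a subset of the ports.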
"Since a lot of IoT malware (e.g. Mirai) have already attacked devices via default passwords/brute-forcing, new attacks like Wicked bot are forced to take a different option like the use of exploits to become effective," explained Joven, in an interview with Threatpost.
They also found that Wicked is a loader: its purpose is to download another botnet. Rather than equipping Wicked itself with whatever attack capability the criminal behind it wants, the author chose to separate the distribution mechanism from the payload.
"This has advantages in development as well to evade detection," Joven told us. "The same goes with other malware (e.g. ransomware) which has a document or script to download the ransomware payload."
A Wicked Web of Botnets
The analysts also found that the Wicked bot is connected to other, earlier Mirai-based botnets; in fact, those botnets are the payloads Wicked is built to download. Following that link led them to the author behind the Wicked bot.
They essentially followed a trail of breadcrumbs. For one, the Wicked bot's code contains the string "SoraLOADER", which suggests that it is a spreader for the Sora botnet, another Mirai variant.
However, the malicious website that hosts the payload carries the name "Owari", which is the name of yet another Mirai variant.
On top of that, the payload it actually delivers is neither Sora nor Owari, but the Omni bot, which based on its code can be used for DDoS attacks in the same way as Mirai.
"At the time of analysis, the Owari bot samples could no longer be found in the website directory," the researchers explained. "[However], we double-checked the history of the malicious website and confirmed that it had previously delivered the Owari botnet."
Thus, it would seem that Omni, Owari and Sora are all connected to the Wicked bot.
"Fuzzing the website's /bins directory, we found other Omni samples in the directory, which were reported to be delivered using the GPON vulnerability (CVE-2018-10561)," the researchers said. "Payloads are regularly updated, as shown by their timestamps."
Putting this connection together with an interview NewSky Security conducted last April with an author using the pseudonym "Wicked", in which he claimed authorship of both Sora and Owari, the researchers traced the new bot back to the same person.
"Apparently, as seen in the /bins repository, Sora and Owari botnet samples have now both been abandoned and replaced with Omni," Fortinet's Joven and Yang said. "This also leads us to the conclusion that while the Wicked bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author's succeeding projects."
Sean Newman, director of product management at Corero Network Security, said via email that while the rash of Mirai variants is unsurprising given that the source code leaked two years ago, "the suggestion that hackers don't get it right every time, with some variants apparently abandoned before they were actively used, is both interesting and concerning."
He added, āThe fact that hackers can even experiment with their innovation in the wild on live systems, without being detected, further highlights the scale of the challenge that the poor security posture of IoT devices presents.ā