
Mirai botnet evolution since its source code is available online

June 19, 2018 by Pierluigi Paganini

Mirai – The evolving IoT threat

Since the release of the source code of the Mirai botnet, crooks have improved their own versions by implementing new functionalities and by adding new exploits.

A recent report published by NetScout's Arbor Security Engineering and Response Team (ASERT) confirmed the intense activity of threat actors around the Mirai botnet: in a few months the experts spotted at least four Mirai variants in the wild, tracked as Satori, JenX, OMG, and Wicked.


The availability of the Mirai source code allows malware authors to create their own versions.

"Using Mirai as a framework, botnet authors can quickly add in new exploits and functionally, thus dramatically decreasing the development time for botnets. The Mirai source is not limited to only DDoS attacks. A variant of Satori was discovered which attacks Ethereum mining clients," states the report published by NetScout.

Figure 1 - Mirai botnet

Below the key findings for the new Mirai variants discovered by the experts:

  • Satori uses remote code injection exploits to implement its scanning feature.
  • The JenX bot evolved from Mirai to include similar coding, but authors removed scanning and exploitation capabilities.
  • The OMG bot adds HTTP and SOCKS proxy capabilities.
  • The Wicked Mirai exploits RCE flaws to infect Netgear routers and CCTV-DVR devices. When vulnerable devices are found, a copy of the Owari bot is downloaded and executed.

Let's see the technical details for each variant.

Satori Botnet

In December 2017, security experts from the security firm Check Point discovered a new variant of the Mirai botnet, dubbed Satori, that was responsible for hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.

The activity of the Satori botnet has been observed over the past month by researchers from Check Point security.

  • "A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild.
  • The delivered payload has been identified as OKIRU/SATORI, an updated variant of Mirai.
  • The suspected threat actor behind the attack has been identified by his nickname, 'Nexus Zeta'." states the report published by Check Point security.

The new botnet attempted to compromise Huawei HG532 devices in several countries, including the USA, Italy, Germany, and Egypt.

Figure 2 - Satori Botnet

The attacks associated with the new botnet attempted to exploit the CVE-2017-17215 zero-day vulnerability in the Huawei home router caused by the fact that the TR-064 technical report standard, which was designed for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).

"In this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP). From looking into the UPnP description of the device, it can be seen that it supports a service type named `DeviceUpgrade`. This service is supposedly carrying out a firmware upgrade action by sending a request to "/ctrlt/DeviceUpgrade_1" (referred to as controlURL) and is carried out with two elements named `NewStatusURL` and `NewDownloadURL`," continues the analysis.

"The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters "$()" in the NewStatusURL and NewDownloadURL."

The attackers exploited the vulnerability to download and execute the Satori bot. Huawei was informed of the vulnerability on November 27; a few days later it published a security advisory that notified users of the issue and provided the following recommendations to prevent exploitation of the flaw:

  • Configure the built-in firewall function.
  • Change the default password.
  • Deploy a firewall at the carrier side.

"The customers can deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2017120100 released on December 1, 2017 to detect and defend against this vulnerability exploits initiated from the Internet," reads the advisory published by Huawei.

Experts noticed that the Satori bot floods targets with manually crafted UDP or TCP packets. It first attempts to resolve the IP address of a C&C server with a DNS request for a hardcoded domain name, then takes the addresses from the DNS response and tries to connect over TCP on the hardcoded target port (7645).

The C&C server, in turn, provides the number of packets used for the flooding action and their corresponding parameters, and can also pass an individual IP for attack or a subnet. The bot uses a custom protocol to communicate with the C&C; it includes two hardcoded requests to check in with the server that responds with the DDoS attack parameters.
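The two network indicators in the Satori description above, scanning for the exposed TR-064 port 37215 and the outbound connection to the hardcoded C&C port 7645, are the kind of thing a defender turns into a flow-log check. The following is an added example written for this article, not code from Check Point or from the article's author: it parses constructed Zeek-style connection records and flags a source that probes many distinct hosts on port 37215 or on port 3333 (the Claymore miner port discussed later in this section), and any TCP connection to port 7645. The column order, the five-target threshold, and the TEST-NET addresses are my assumptions; the log lines are constructed.

```python
from collections import defaultdict

# Ports taken from the Satori write-ups: 37215 (Huawei TR-064 exposed to the WAN),
# 3333 (Claymore miner JSON-RPC) and 7645 (hardcoded Satori C&C port).
SCAN_PORTS = {37215, 3333}
SATORI_CNC_PORT = 7645
SCAN_THRESHOLD = 5  # distinct targets per (source, port) before we call it scanning (assumption)

# Assumed column order for the tab-separated records (Zeek conn.log-like subset).
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "conn_state")

# Constructed sample: one host probing six targets on 37215 and then calling
# out to 7645, one host with a single 37215 probe, and ordinary web traffic.
SAMPLE_CONN_LOG = """\
1528972800.1\tC1\t198.51.100.7\t40001\t203.0.113.11\t37215\ttcp\tS0
1528972800.2\tC2\t198.51.100.7\t40002\t203.0.113.12\t37215\ttcp\tS0
1528972800.3\tC3\t198.51.100.7\t40003\t203.0.113.13\t37215\ttcp\tS0
1528972800.4\tC4\t198.51.100.7\t40004\t203.0.113.14\t37215\ttcp\tS0
1528972800.5\tC5\t198.51.100.7\t40005\t203.0.113.15\t37215\ttcp\tS0
1528972800.6\tC6\t198.51.100.7\t40006\t203.0.113.16\t37215\ttcp\tS0
1528972801.0\tC7\t198.51.100.7\t40100\t203.0.113.9\t7645\ttcp\tSF
1528972802.0\tC8\t10.0.0.5\t51000\t203.0.113.80\t80\ttcp\tSF
1528972803.0\tC9\t10.0.0.6\t51001\t203.0.113.20\t37215\ttcp\tS0
"""


def parse_conn_log(text):
    """Parse tab-separated connection records into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip malformed rows instead of crashing the whole run
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return records


def find_scanners(records, ports=SCAN_PORTS, threshold=SCAN_THRESHOLD):
    """Return {(source, port): distinct_targets} for sources over the threshold."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] in ports:
            targets[(r["orig_h"], r["resp_p"])].add(r["resp_h"])
    return {k: len(v) for k, v in targets.items() if len(v) >= threshold}


def find_cnc_beacons(records, port=SATORI_CNC_PORT):
    """Return sorted (source, destination) pairs that talked TCP to the C&C port."""
    return sorted({(r["orig_h"], r["resp_h"]) for r in records
                   if r["proto"] == "tcp" and r["resp_p"] == port})


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("scanners:", find_scanners(recs))
    print("beacons:", find_cnc_beacons(recs))
```

On real data the same two functions run over a day of conn records; the scanner check catches the propagation phase regardless of which exploit the variant carries, and the 7645 check only catches this specific Satori build, so it is the weaker of the two once the port changes.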

Further investigation on the bot allowed the researchers to determine that the actor behind the Satori botnet might be using the online moniker of NexusZeta.

NexusZeta was very active on social media such as Twitter and Github; experts discovered he was associated with Skype and SoundCloud accounts under the name of Caleb Wilson (caleb.wilson37 / Caleb Wilson 37).

While the actor described himself as a novice ("an amateur with lots of motivation, looking for the crowd's wisdom."), it is unclear how he discovered the zero-day vulnerability.

"Nonetheless, as seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results," Check Point concluded.

In May, researchers from several security firms (Qihoo 360 Netlab, SANS ISC, and GreyNoise Intelligence) observed hackers using the Satori botnet to mass-scan the Internet for exposed Ethereum mining pools; they were scanning for devices with port 3333 exposed online.

https://twitter.com/360Netlab/status/995008775244443648

Attackers targeted port 3333 because it is commonly used for remote management by a large amount of cryptocurrency-mining equipment.

Since May 11, experts started observing the spike in activity of the Satori botnet.

Figure 3 - Satori Botnet scanning activity

According to the researchers at GreyNoise, the threat actors are focused on equipment running the Claymore mining software: once the attackers find a server running this specific application, they push instructions that force the device to join the 'dwarfpool' mining pool using an ETH wallet controlled by the attackers.

Most of the devices involved in the mass scanning are compromised GPON routers located in Mexico; according to GreyNoise Intelligence, five botnets are currently using these compromised devices to scan for Claymore miners, and one of them is the Satori botnet.

GreyNoise has observed ~13,000 compromised home routers probing the Internet for the '/GponForm/diag_Form' URI in just 96 hours, likely related to the weaponization of CVE-2018-10561. Most devices are located in the "Uninet" ISP in Mexico.

Researchers at SANS ISC who analyzed the Satori botnet activity discovered that the bot is currently exploiting CVE-2018-1000049, a remote code execution flaw that affects the Nanopool Claymore Dual Miner software.

The experts observed the availability online of proof-of-concept code for the CVE-2018-1000049 vulnerability.

"The scan is consistent with a vulnerability, CVE 2018-1000049, released in February [2]. The JSON RPC remote management API does provide a function to upload "reboot.bat," a script that can then be executed remotely. The attacker can upload and execute an arbitrary command using this feature," reads the analysis published by the SANS ISC.

"The port the API is listening on is specified when starting the miner, but it defaults to 3333. The feature allows for a 'read-only' mode by specifying a negative port, which disables the most dangerous features. There doesn't appear to be an option to require authentication."

Masuta botnet

In early 2018, security experts at NewSky conducted further investigation on the Satori botnet and discovered that the operators behind it were also working on a new project, the so-called Masuta botnet.

The Masuta botnet targets routers using default credentials; one of the versions analyzed by the experts, tracked as "PureMasuta," relies on the old EDB 38722 D-Link exploit against the router's network administration protocol.

"We analyzed two variants of an IoT botnet named "Masuta" where we observed the involvement of a well-known IoT threat actor and discovered a router exploit being weaponized for the first time in a botnet campaign," reads the analysis published by NewSky.

"We were able to get hands on the source code of Masuta (Japanese for "master") botnet in an invite only dark forum. After analyzing the configuration file, we saw that Masuta uses 0xdedeffba instead of Mirai's 0xdeadbeef as the seed of the cipher key, hence the strings in the configuration files were effectively xored by ((DE^DE)^FF)^BA or 0x45."

The Masuta botnet is also responsible for hundreds of thousands of attempts to exploit the vulnerability in Huawei HG532 home routers. The experts detected a rise in activity associated with the Masuta botnet since September; their honeypots observed 2,400 IPs involved in the malicious activity.

Figure 4 - Masuta botnet activity

The flaw triggered by the EDB 38722 D-Link exploit was discovered in 2015 by the researcher Craig Heffner; it affects D-Link's implementation of the Home Network Administration Protocol (HNAP).

"The weaponized bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol," continues the analysis published by NewSky.

"It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution."

An attacker using a string like the following one will cause a reboot.

SOAPAction: "hxxp://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`"

An attacker can run any command inserted after 'GetDeviceSettings,' this mechanism is used by the PureMasuta bot to run a wget to fetch and run a shell script and take over the target router.
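Both injection patterns described in this article, the "$()" in the TR-064 NewStatusURL/NewDownloadURL elements (CVE-2017-17215, Satori section) and the command appended to the HNAP GetDeviceSettings SOAPAction (PureMasuta, this section), can be caught by inspecting the request before it reaches the router. The code below is an added example written for this article, not code from Check Point, NewSky or the bot authors: it takes raw HTTP requests, parses the TR-064 SOAP body and the SOAPAction header, and reports fields carrying shell metacharacters or a path segment trailing the HNAP action name. The sample requests, the TR-064 service namespace and the host addresses are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that have no place in a firmware-download URL or in an
# HNAP action URI. "$(" is the CVE-2017-17215 vector quoted above; the backtick
# is the HNAP vector used by PureMasuta.
SHELL_META = re.compile(r"\$\(|`|;|\|\||&&|\n")
TR064_FIELDS = {"NewStatusURL", "NewDownloadURL"}
# A well-formed HNAP action is .../HNAP1/<ActionName> with nothing after it.
HNAP_TRAILING = re.compile(r"/HNAP1/[A-Za-z0-9]+/.+")


def split_request(raw):
    """Split a raw HTTP request into (path, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers, body


def check_tr064_body(body):
    """Report DeviceUpgrade arguments that carry shell metacharacters."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["TR-064 body is not well-formed XML"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any namespace prefix
        text = (elem.text or "").strip()
        if tag in TR064_FIELDS and SHELL_META.search(text):
            findings.append(f"TR-064 {tag} contains shell metacharacters: {text!r}")
    return findings


def check_hnap_action(value):
    """Report a SOAPAction with a payload appended after the action name."""
    uri = value.strip().strip('"')
    if "/HNAP1/" not in uri:
        return []
    if SHELL_META.search(uri) or HNAP_TRAILING.search(uri):
        return [f"HNAP SOAPAction carries trailing payload: {uri!r}"]
    return []


def inspect_request(raw):
    """Return the list of findings for one raw HTTP request (empty if clean)."""
    path, headers, body = split_request(raw)
    findings = []
    if path.startswith("/ctrlt/DeviceUpgrade"):
        findings += check_tr064_body(body)
    if "soapaction" in headers:
        findings += check_hnap_action(headers["soapaction"])
    return findings


def _tr064_request(status_url):
    """Constructed TR-064 DeviceUpgrade request; the service URN is a placeholder."""
    body = (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:Upgrade xmlns:u="urn:example-placeholder:service:DeviceUpgrade:1">'
        f"<NewStatusURL>{status_url}</NewStatusURL>"
        "<NewDownloadURL>http://192.0.2.50/firmware.bin</NewDownloadURL>"
        "</u:Upgrade></s:Body></s:Envelope>"
    )
    return ("POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: 192.0.2.1:37215\r\n"
            f"Content-Type: text/xml\r\nContent-Length: {len(body)}\r\n\r\n" + body)


def _hnap_request(action):
    """Constructed HNAP request carrying the given SOAPAction value."""
    return (f'POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\nSOAPAction: "{action}"\r\n\r\n'
            "<soap:Envelope/>")


BENIGN_TR064 = _tr064_request("/status.html")
INJECTED_TR064 = _tr064_request("$(echo injected)")
BENIGN_HNAP = _hnap_request("http://purenetworks.com/HNAP1/GetDeviceSettings")
INJECTED_HNAP = _hnap_request("http://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`")

if __name__ == "__main__":
    for name, req in [("benign TR-064", BENIGN_TR064), ("injected TR-064", INJECTED_TR064),
                      ("benign HNAP", BENIGN_HNAP), ("injected HNAP", INJECTED_HNAP)]:
        print(name, "->", inspect_request(req) or "clean")
```

The check is deliberately structural rather than signature-based: it does not look for a particular command, only for characters and path segments that a legitimate TR-064 upgrade or HNAP call never contains, so it still fires when the payload after the action name changes.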

The command and control server (93.174.93.63) used by the PureMasuta variant is the same one used by the original Masuta variants, which means that PureMasuta is an evolution of the botnet operated by the same threat actors.

NewSky attributes the Masuta botnet to an entity dubbed "Nexus Zeta"; the name comes from the C&C URL nexusiotsolutions(dot)net, the same one used by the Satori botnet.

Wicked Mirai

In May, security experts from Fortinet spotted a new variant of the Mirai botnet, dubbed 'Wicked Mirai,' that includes new exploits and spreads a new bot.

"The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago," reads the analysis published by Fortinet.

"Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and crypto miners. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED."

The name Wicked Mirai comes from strings found in the code by the researchers; according to Fortinet, the author of Wicked Mirai is the same as that of the other variants.

Mirai-based botnets are usually composed of three main modules: Attack, Killer, and Scanner. The researchers from Fortinet focused their analysis on the Scanner module that is responsible for the propagation of the malware.

The original Mirai relied on brute-force attempts to compromise other IoT devices, while Wicked Mirai uses known exploits.

Wicked Mirai scans ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to IoT devices. Once the bot has established a connection, it attempts to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The Wicked Mirai bot chooses the exploit based on the specific port it was able to connect to.

The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet.

Further investigation allowed the researchers to rule out this hypothesis: the bot connects to a malicious domain to download the Owari Mirai bot.

"After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot," reads the analysis.

"However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot."

The analysis of the website's /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.

Figure 5 - Omni samples

Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found an interview with Owari/Sora IoT Botnet author dated back to April.

The vxer, who goes by the online handle "Wicked," said he abandoned the Sora botnet and was working on the Owari one.

The conversation suggests the author abandoned both Sora and Owari bots and he is currently working on the Omni project.

"Based on the author's statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author's succeeding projects," Fortinet concludes.

I contacted Malware Must Die, the expert who first discovered the Mirai botnet, for a comment on the Wicked Mirai variant.

He told me that the variants were developed by the same coder that put all the high-possibility exploit code in Mirai.

"GPON was seemed used on separate pwn scheme by different script outside of the Mirai, but being used to infect Mirai," he added.

MalwareMustDie researchers told me that they passed the identity of the author to the related country's LEA. They explained to me that even though they made several reports to the authorities, law enforcement failed to prevent the diffusion of the malicious code. The experts showed me an official report to the LEA dated January 2018, when they alerted the authorities of the propagation of new Mirai variants.

"The ID of the actor was passed to the related country LEA from our team that investigated result too since we published the Satori/Okiru variant a while ago, way before ARC CPU variant was spotted," MMD told me.

"So by the release of the OWARI, SORA, and WICKED, this is what will happen if we let the malware actor running loose unarrested. More damage will be created and they just don't know how to stop them self."

JenX botnet

In February 2018, experts from the security firm Radware spotted a new IoT botnet, dubbed JenX, that exploits the same vulnerabilities used by the Satori botnet and leveraged the Grand Theft Auto videogame community to infect devices.

The activity of the Satori botnet has been observed in 2017 by researchers from Check Point security; it leveraged the CVE-2017-17215 flaw in the Huawei home router HG532.

JenX exploits CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution), which affect Realtek and Huawei routers respectively.

"A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:

"Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the "Janit0r," author of "BrickerBot."

JenX also implemented some techniques used by the PureMasuta botnet. The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also DDoS-for-hire service.

JenX is a DDoS botnet, the DDoS option offered by San Calvicie is called "Corriente Divina."

The users of the website can rent a GTA San Andreas multiplayer modded server for $16, and a Teamspeak server goes for $9. Adding $20 it is possible to power massive DDoS attacks that can peak 290 and 300 Gbps.

"The Corriente Divina ('divine stream') option is described as 'God's wrath will be employed against the IP that you provide us," wrote Radware's Cyber Security expert Pascal Geenens. "It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a 'Down OVH' option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time."

Figure 6 - JenX DDoS botnet

Unlike the Satori and PureMasuta botnets, JenX has a centralized infrastructure; it uses a central server to perform the scanning for new hosts.

"The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets," continues the analysis.

The botnet architecture, with a central server that coordinates the activity, exposes it to takedowns by law enforcement and security firms. Of course, threat actors can move the control server to the Dark Web, making a takeover by law enforcement harder.

Even if JenX can power massive DDoS attacks, it doesn't represent a serious threat because it aims to disrupt the services of competing GTA SA multiplayer servers.

"The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet," Geenens concluded.

"But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it."

OMG botnet

In February, a new variant of the Mirai botnet was spotted by the researchers at Fortinet; this is the first variant that sets up proxy servers on the compromised IoT devices.

The experts tracked the new variant as OMG because of strings containing "OOMGA" in the configuration table.

"For this reason, we decided to name this variant OMG. The table, originally encrypted, was decrypted using 0xdeadbeef as the cipher key seed, using the same procedure adopted for the original Mirai. The first thing we noticed are the strings /bin/busybox OOMGA and OOMGA: applet not found," wrote Fortinet.

"The name Mirai was given to the Mirai bot because of the strings /bin/busybox MIRAI and MIRAI: applet not found, which are commands to determine if it has successfully brute-forced its way into the targeted IoT device. These strings are similar with other variations such as Satori/Okiru, Masuta, etc."
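The seed-to-key arithmetic quoted in the Masuta section (0xdedeffba giving 0x45) and here for OMG (0xdeadbeef, the original Mirai seed, giving 0x22) is the first thing an analyst reproduces when a new variant's configuration table has to be read. The code below is an added example of mine, not the Mirai source or any vendor's tooling: it folds the 32-bit seed into the single byte that the table entries are xored with, decodes a constructed table, identifies the variant from the /bin/busybox marker string, and, for a sample whose seed is unknown, recovers the key by brute force using the marker as known plaintext. The sample entries are constructed from strings quoted in this article; the marker-to-variant mapping covers only the two markers the article names.

```python
MIRAI_SEED = 0xDEADBEEF   # original Mirai table seed (also used by OMG)
MASUTA_SEED = 0xDEDEFFBA  # seed NewSky reported for Masuta


def effective_key(seed):
    """Fold a 32-bit seed into the single byte that every table byte is xored with."""
    b = seed.to_bytes(4, "big")
    return b[0] ^ b[1] ^ b[2] ^ b[3]


def xor_table(data, seed):
    """Obfuscate or deobfuscate one table entry (xor is its own inverse)."""
    k = effective_key(seed)
    return bytes(c ^ k for c in data)


def decode_table(obfuscated_entries, seed):
    """Deobfuscate a whole table into readable strings."""
    return [xor_table(e, seed).decode("ascii", errors="replace") for e in obfuscated_entries]


# Marker strings the article quotes for the original bot and for OMG.
VARIANT_MARKERS = {"MIRAI": "Mirai", "OOMGA": "OMG"}


def identify_variant(plaintext_entries):
    """Name the variant from its '/bin/busybox <MARKER>' entry, or None if absent."""
    for entry in plaintext_entries:
        if entry.startswith("/bin/busybox "):
            marker = entry.split(" ", 1)[1]
            return VARIANT_MARKERS.get(marker, f"unknown ({marker})")
    return None


def recover_key(obfuscated_entries, known_prefix=b"/bin/busybox "):
    """Brute-force the single-byte key when the seed is not known.

    The busybox marker is present in every Mirai descendant quoted above, so it
    serves as a known plaintext: the key that turns some entry into it wins.
    """
    for k in range(256):
        for entry in obfuscated_entries:
            if bytes(c ^ k for c in entry[:len(known_prefix)]) == known_prefix:
                return k
    return None


# Constructed sample table, obfuscated the way Mirai does it, using strings
# quoted in the OMG analysis above.
SAMPLE_PLAIN = ["/bin/busybox OOMGA", "OOMGA: applet not found", "ccnew.mm.my"]
SAMPLE_OBFUSCATED = [xor_table(s.encode(), MIRAI_SEED) for s in SAMPLE_PLAIN]

if __name__ == "__main__":
    print(f"Mirai key: 0x{effective_key(MIRAI_SEED):02x}, Masuta key: 0x{effective_key(MASUTA_SEED):02x}")
    print("recovered key:", hex(recover_key(SAMPLE_OBFUSCATED)))
    print("variant:", identify_variant(decode_table(SAMPLE_OBFUSCATED, MIRAI_SEED)))
```

Because the folding step reduces any 32-bit seed to one byte, a changed seed buys the author nothing against an analyst: 256 candidates and one known string are enough, which is why the marker strings keep giving these variants away.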

The OMG botnet includes most of the features and modules observed for the Mirai botnet, including the attack, killer, and scanner modules, but also adds new ones.

According to Fortinet, its configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed.

"This variant also adds and removes some configurations that can be found in the original Mirai code. Two notable additions are the two strings that are used to add a firewall rule to allow traffic on two random ports, which we will discuss in the latter part of the article," continues the analysis.

Figure 7 - OMG Mirai botnet uses firewall rules

After initialization, OMG connects to the command and control (C&C) server; the configuration table analyzed in the post contains the CnC server string, ccnew.mm.my, which resolves to 188.138.125.235.

The malware connects to the C&C port 50023; then it sends a defined data message (0x00000000) to the server to identify itself as a new bot.

The server, in turn, sends a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used as a proxy server; the two options are:

  • 1 for attack
  • >1 to terminate the connection.

The analysis of the source code of the OMG botnet revealed that it leverages the open source software 3proxy as its proxy server; during the set-up phase the bot adds firewall rules to allow traffic on the two random ports.

"This variant of Mirai uses 3proxy, an open source software, to serve as its proxy server. The set up begins by generating two random ports that will be used for the http_proxy_port and socks_proxy_port. Once the ports are generated, they are reported to the CnC," continues the analysis.

"For the proxy to work properly, a firewall rule must be added to allow traffic on the generated ports. As mentioned earlier, two strings containing the command for adding and removing a firewall rule to enable this were added to the configuration table."

Fortinet experts believe the operators behind the OMG botnet sell access to the IoT proxy server; they highlighted that this is the first Mirai variant that sets up proxy servers on vulnerable IoT devices.

"With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization," concluded Fortinet.

Conclusion

Cybercriminals will continue to create their own versions of the Mirai botnet; for this reason, organizations have to apply proper patching, updates, and DDoS mitigation strategies to protect their infrastructure.

"As seen with the four samples covered above, botnet authors are already using the Mirai source code as their building blocks. As the explosion of IoT devices does not look to be slowing down, we believe we'll continue to see increases in IoT botnets," concluded the report published by NetScout's Arbor Security Engineering and Response Team (ASERT).

"We are likely to see remnants of Mirai live on in these new botnets as well."

References

https://securityaffairs.co/wordpress/73114/malware/mirai-evolution.html

https://securityaffairs.co/wordpress/50929/cyber-crime/linux-mirai-elf.html

https://securityaffairs.co/wordpress/51868/cyber-crime/mirai-botnet-source-code.html

https://securityaffairs.co/wordpress/72640/malware/wicked-mirai.html

https://securityaffairs.co/wordpress/69449/cyber-crime/omg-botnet.html

https://asert.arbornetworks.com/omg-mirai-minions-are-wicked/

https://securityaffairs.co/wordpress/72651/cyber-crime/satori-botnet-mass-scanning.html

https://securityaffairs.co/wordpress/67040/hacking/satori-botnet-mirai-variant.html

https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/

https://www.fortinet.com/blog/threat-research/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers.html

https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7?gi=afd502ef8c1c

https://research.checkpoint.com/good-zero-day-skiddie/

https://securityaffairs.co/wordpress/68153/malware/masuta-botnet.html

https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.