One curious thing I have noticed with these global malware epidemics is that most of them happen very close to a weekend. WannaCry went viral on a Thursday, GoldenEye on a Friday, and with minimal support staff available on a weekend, they easily impact large corporations.
What started last night with a blog post from Check Point and 360 Netlab researchers has now snowballed into a major news topic. They have discovered a brand new botnet that is continuously evolving, with its authors updating the code as they go, and it has the potential to do more damage than the Mirai botnet which came out in 2016.
The researchers at 360 Netlab caught a sample last week specifically targeting IoT devices. Upon deeper analysis, they found that the bot borrowed some code from the famous Mirai botnet, but it does not do any password cracking at all. If you recall, Mirai used a list of default credentials to log in to devices and then enslave them as part of the botnet. Instead, this one purely focuses on exploiting IoT device vulnerabilities, so they named it IoT_reaper, which makes a lot of sense if you think about it.
While Mirai caused widespread outages, it compromised IP cameras and internet routers by simply exploiting their weak or default passwords. The latest botnet threat, known alternately as IoTroop or Reaper, has evolved that strategy, using actual software exploitation techniques to break into devices instead. It is the difference between checking for open doors and actively picking locks, and it has already enveloped devices on a million networks and counting.
The researchers are also tracking multiple command and control servers, and based on that they estimate that the number of newly infected hosts exceeds 10k per day. While this is happening, there are millions of IPs of potentially vulnerable devices queued in the C&C system, waiting to be processed by an automatic loader. The loader injects malicious code into the devices to expand the size of the botnet.
Just yesterday, I saw a tweet by @dalmoz_
There are many such devices out there that are either vulnerable or already hacked. They may or may not be part of the same botnet; for now, that is all we have on this.
So far we know that it's different from Mirai because:
- It doesn't crack or try to connect with default credentials; it only exploits IoT device vulnerabilities;
- A Lua execution environment is integrated, which means that in the future more complex attacks can be supported and carried out;
- Scan behavior is not very aggressive, so it can stay under the radar and avoid any sort of rate limiting.
It has a downloader that is distinctly different from Mirai's; for example, when samples are downloaded from a server, it usually uses d as a subdomain, like d.badsite[.]com.
The Reaper malware has pulled together a grab-bag of IoT hacking techniques that include nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies like Vacron, GoAhead, and AVTech. While many of those devices have patches available, most consumers aren’t in the habit of patching their home network router, not to mention their surveillance camera systems.
Anyone who fears that their device might be compromised should check the company's list of affected gadgets. An analysis of the IP traffic from those devices should reveal whether they are communicating with the command-and-control server run by the unknown operator administering the botnet, says Check Point researcher Horowitz. But most consumers don't have the means to do that network analysis. She suggests that if your device is on Check Point's list, you should update it regardless, or even perform a factory reset of its firmware, which she says will wipe the malware.
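The traffic check described above, as an added example that is not part of the original post or of Check Point's or 360 Netlab's tooling: it runs constructed DNS and flow log lines against a small indicator list (written in the defanged "[.]" style used above) and also flags the single-letter download subdomain pattern mentioned earlier. The log format, the indicator values and the sample lines are all constructed for the example.

```python
import re

# Constructed indicators, defanged the way this post writes them. The d./e.
# hosts mirror the downloader naming described above; the IP is an RFC 5737
# documentation address, not a real C2.
IOC_HOSTS = {"d.badsite[.]com", "e.badsite[.]com"}
IOC_IPS = {"198.51.100.7"}

def refang(indicator):
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

IOC_HOST_SET = {refang(h) for h in IOC_HOSTS}

# One-letter label followed by a registrable domain, e.g. d.something.tld
SINGLE_LETTER_HOST = re.compile(r"^[a-z]\.[a-z0-9-]+\.[a-z]{2,}$")

def classify(line):
    """Return the reasons a constructed log line is suspicious ([] if clean).

    Expected line shapes (constructed for this example):
      DNS  <client-ip> <queried-name>
      FLOW <src-ip> <dst-ip> <dst-port>
    """
    parts = line.split()
    if not parts:
        return []
    reasons = []
    if parts[0] == "DNS" and len(parts) >= 3:
        qname = parts[2].lower().rstrip(".")   # normalise case and trailing dot
        if qname in IOC_HOST_SET:
            reasons.append("known C2/download host")
        elif SINGLE_LETTER_HOST.match(qname):
            reasons.append("single-letter download subdomain pattern")
    elif parts[0] == "FLOW" and len(parts) >= 3:
        if parts[2] in IOC_IPS:
            reasons.append("known C2 IP")
    return reasons

def scan(lines):
    """Return (line, reasons) for every line that triggered a reason."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits

SAMPLE_LOG = [                         # constructed sample, not real traffic
    "DNS 192.168.1.20 D.BADSITE.COM.",
    "DNS 192.168.1.20 f.otherhost.net",
    "DNS 192.168.1.20 www.example.org",
    "FLOW 192.168.1.20 198.51.100.7 80",
    "FLOW 192.168.1.20 203.0.113.5 443",
]
```

The pattern match on single-letter subdomains is a triage hint only; confirm hits against the published indicator lists before acting on them.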
As usual, though, it’s not the owners of the infected machines who will pay the real price for allowing Reaper to persist and grow. Instead, the victims would be the potential targets of that botnet once its owner unleashes its full DDoS firepower. In the case of Reaper, the potentially millions of machines it’s amassing could be a serious threat: Mirai, which McAfee measured as having infected 2.5 million devices at the end of 2016, was able to use those devices to bombard the DNS provider Dyn with junk traffic that wiped major targets off the face of the internet in October of last year, including Spotify, Reddit, and The New York Times.
We have collected some Indicators of Compromise which you can use to protect yourself.
As always, Mjolnir's customers are automatically protected against these threats. We routinely scan our customers' environments for unseen threats.
Read more:
- https://twitter.com/dalmoz_/status/921077447034105856
- https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/
- http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
- https://blog.checkpoint.com/2017/10/19/new-iot-botnet-storm-coming/
Header image from https://boingboing.net