The Reaper is finally here and he has come for your IoT Devices

News, Malware, Botnet, Threat Intelligence | Mjolnir Security | October 20, 2017

Background

One curious thing I have noticed about these global malware epidemics is that most of them break out very close to a weekend. WannaCry went viral on a Thursday and GoldenEye on a Friday; with minimal support staff available over a weekend, they easily impact large corporations.

What started last night with blog posts from Check Point and 360 Netlab researchers has now snowballed into a major news topic. They have discovered a brand new botnet that is continuously evolving, with its authors continuously updating its code, and it has the potential to do more damage than the Mirai botnet that came out in 2016.

The researchers at 360 Netlab caught a sample last week that specifically targets IoT devices. On deeper analysis they found that the bot borrows some code from the well-known Mirai botnet, but it does no password cracking at all. If you recall, Mirai used a list of default credentials to log in to devices and then enslave them as part of the botnet. This one instead focuses purely on exploiting IoT device vulnerabilities, so they named it IoT_reaper, which makes a lot of sense if you think about it.

While Mirai caused widespread outages, it compromised IP cameras and internet routers simply by exploiting their weak or default passwords. The latest botnet threat, known alternately as IoT Troop or Reaper, has evolved that strategy, using actual software exploitation techniques to break into devices instead. It is the difference between checking for open doors and actively picking locks, and it has already enveloped devices on a million networks and counting.

The researchers are also tracking multiple command and control servers, and based on that they estimate that the number of newly infected hosts exceeds 10k per day. Meanwhile, millions of potentially vulnerable device IPs are queued in the C&C system waiting to be processed by an automatic loader, which injects malicious code into the devices to expand the size of the botnet.

Just yesterday, I saw a tweet by @dalmoz_.

There are many such devices out there that are either vulnerable or already hacked. They may or may not be part of the same botnet; for now, that is all we have on this.

So far we know that it's different from Mirai because:

  • It doesn't crack passwords or try to connect with default credentials; it only exploits IoT device vulnerabilities;
  • It integrates a Lua execution environment, which means that in the future more complex attacks can be supported and carried out;
  • Its scan behaviour is not very aggressive, so it can stay under the radar and avoid any sort of rate limiting.

Its downloader is distinctly different from Mirai's: for example, when samples are downloaded from a server, it usually uses d as the subdomain, as in d.badsite[.]com.

The Reaper malware has pulled together a grab-bag of IoT hacking techniques that include nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies such as Vacron, GoAhead, and AVTech. While patches are available for many of those devices, most consumers aren't in the habit of patching their home network router, let alone their surveillance camera systems.

Anyone who fears that their device might be compromised should check the company's list of affected gadgets. An analysis of the IP traffic from those devices should reveal whether they are communicating with the command-and-control server run by the unknown attacker administering the botnet, says Check Point researcher Horowitz. But most consumers don't have the means to do that network analysis. She suggests that if your device is on Check Point's list you should update it regardless, or even perform a factory reset of its firmware, which she says will wipe the malware.

As usual, though, it is not the owners of the infected machines who will pay the real price for allowing Reaper to persist and grow. Instead, the victims will be whatever targets the botnet's owner chooses once its full DDoS firepower is unleashed. In the case of Reaper, the potentially millions of machines it is amassing could be a serious threat: Mirai, which McAfee measured as having infected 2.5 million devices at the end of 2016, was able to use those devices to bombard the DNS provider Dyn with junk traffic that wiped major targets off the face of the internet in October 2016, including Spotify, Reddit, and The New York Times.

We have collected some Indicators of Compromise which you can use to protect yourselves.

As always, Mjolnir's customers are automatically protected against these threats. We routinely scan our customers' environments for unseen threats.

Indicators of Compromise:

Category   Data
hostname   d.hl852.com
hostname   e.hl852.com
hostname   f.hl852.com
ip-dst     27.102.101.121
ip-dst     119.82.26.157
ip-dst     162.211.183.192
ip-dst     222.112.82.231
url        http://27.102.101.121/down/1506753086
url        http://27.102.101.121/down/1506851514
url        http://bbk80.com/api/api.php
url        http://cbk99.com:8080/run.lua
url        http://198.44.241.220:8080/run.lua
url        http://162.211.183.192/sm
url        http://162.211.183.192/sa
url        http://162.211.183.192/sa5
url        http://162.211.183.192/xget
url        http://162.211.183.192/server.armel
url        http://162.211.183.192/down/server.armel
url        http://23.234.51.91/htmpbe
url        http://23.234.51.91/htam5le
url        http://23.234.51.91/control-MIPS32-MSB
url        http://23.234.51.91/control-ARM-LSB
url        http://103.1.221.40/63ae01/39xjsda.php
md5        ca92a3b74a65ce06035fcc280740daf6
md5        a3401685d8d9c7977180a5c6df2f646a
md5        abe79b8e66c623c771acf9e21c162f44
md5        9f8e8b62b5adaf9c4b5bdbce6b2b95d1
md5        726d0626f66d5cacfeff36ed954dad70
md5        6f91694106bb6d5aaa7a7eac841141d9
md5        704098c8a8a6641a04d25af7406088e1
md5        3182a132ee9ed2280ce02144e974220a
md5        95b448bdf6b6c97a33e1d1dbe41678eb
md5        4406bace3030446371df53ebbdc17785
md5        6587173d571d2a587c144525195daec9
md5        4e2f58ba9a8a2bf47bdc24ee74956c73
md5        596b3167fe0d13e3a0cfea6a53209be4
md5        41ef6a5c5b2fde1b367685c7b8b3c154
md5        76be3db77c7eb56825fe60009de2a8f2
md5        9ad8473148e994981454b3b04370d1ec
md5        b2d4a77244cd4f704b65037baf82d897
md5        3d680273377b67e6491051abe17759db
md5        fb7c00afe00eeefb5d8a24d524f99370
md5        e9a03dbde09c6b0a83eefc9c295711d7
md5        f9ec2427377cbc6afb4a7ff011e0de77
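To make the list above actionable for the traffic analysis the Check Point researcher describes, here is an added Python example (not code from this post or from Mjolnir Security) that loads IoCs in the same "category value" format, then scans log lines for matching hosts, IPs, URLs and MD5 hashes. It goes one step beyond the list: because the post notes that the download hosts rotate the subdomain (d., e., f.), it also derives each hostname's parent domain and flags any other subdomain of it as a weaker "domain" hit, which is an assumption of this example rather than something the post states. The IoC subset, the log lines, and the host names in the logs are constructed for the example.

```python
"""Match the Reaper IoCs from the post against sample log lines (added example)."""
import re
from urllib.parse import urlsplit

# Subset of the post's IoC table, in the page's own "category value" layout.
REAPER_IOCS = """
ip-dst 119.82.26.157
hostname f.hl852.com
ip-dst 27.102.101.121
hostname d.hl852.com
ip-dst 162.211.183.192
ip-dst 222.112.82.231
hostname e.hl852.com
md5 ca92a3b74a65ce06035fcc280740daf6
url http://27.102.101.121/down/1506753086
url http://bbk80.com/api/api.php
url http://198.44.241.220:8080/run.lua
url http://cbk99.com:8080/run.lua
url http://23.234.51.91/control-MIPS32-MSB
md5 a3401685d8d9c7977180a5c6df2f646a
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # last label alphabetic, so IPs are excluded
URL_RE = re.compile(r"https?://[^\s\"']+")


def parse_iocs(text):
    """Build lookup sets from 'category value' lines; URL hosts are added to the ip/host sets too."""
    iocs = {"ip": set(), "host": set(), "domain": set(), "md5": set(), "url": set()}

    def add_host(h):
        h = h.lower()
        if IPV4_RE.fullmatch(h):
            iocs["ip"].add(h)
        else:
            iocs["host"].add(h)
            # Assumption: a C&C hostname like d.hl852.com implies the whole
            # hl852.com domain is attacker-controlled, so remember the parent.
            if h.count(".") >= 2:
                iocs["domain"].add(h.split(".", 1)[1])

    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        cat, value = parts
        if cat == "ip-dst":
            iocs["ip"].add(value)
        elif cat == "hostname":
            add_host(value)
        elif cat == "md5":
            iocs["md5"].add(value.lower())
        elif cat == "url":
            iocs["url"].add(value)
            host = urlsplit(value).hostname  # drops the :8080 port if present
            if host:
                add_host(host)
    return iocs


def scan_line(line, iocs):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        if url in iocs["url"]:
            hits.append(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in iocs["host"]:
            hits.append(("host", h))
        elif h.partition(".")[2] in iocs["domain"]:
            hits.append(("domain", h))  # sibling subdomain of a known C&C host
    for digest in MD5_RE.findall(line):
        if digest.lower() in iocs["md5"]:
            hits.append(("md5", digest.lower()))
    return hits


def scan_logs(lines, iocs):
    """Return [(line_index, hits)] for every line that matched at least one IoC."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log lines (DNS, proxy, firewall, AV inventory); not real captures.
SAMPLE_LOGS = [
    "2017-10-20T03:12:44Z dns client 192.168.1.23 query A d.hl852.com.",
    "2017-10-20T03:12:45Z proxy 192.168.1.23 GET http://cbk99.com:8080/run.lua 200",
    "2017-10-20T03:12:50Z fw ALLOW 192.168.1.23:51234 -> 162.211.183.192:80 tcp",
    "2017-10-20T03:13:00Z dns client 192.168.1.40 query A www.example.com.",
    "2017-10-20T03:14:10Z av host=cam-07 file=/tmp/xget md5=a3401685d8d9c7977180a5c6df2f646a",
    "2017-10-20T03:15:02Z dns client 192.168.1.23 query A g.hl852.com.",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS, parse_iocs(REAPER_IOCS))
    for idx, hits in found:
        print(f"line {idx}: {hits}")
```

Exact hostname, IP, URL and hash matches are high confidence; the "domain" hits are a heuristic and should be triaged rather than blocked blindly, since a parent domain derived from a single subdomain may also host unrelated content.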

Read more:

  • https://twitter.com/dalmoz_/status/921077447034105856
  • https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/
  • http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
  • https://blog.checkpoint.com/2017/10/19/new-iot-botnet-storm-coming/

Header image from https://boingboing.net

Written by: Mjolnir Security

