Copyright © 2019 Zingbox, Inc. Proprietary. All rights reserved.

Some Botnets Will Never Become Old-fashioned Asher Davila – Zingbox Security Researcher

Mirai, first found in August 2016, wreaked havoc by taking advantage of insecure IoT devices. Hundreds of thousands of devices were enslaved to this malware, creating a massive botnet that was used to launch several crippling DDoS (distributed denial-of-service) attacks.

The public release of the Mirai and Gafgyt source code enabled (not-so-advanced) attackers to create countless variants of these infamous malware families. These variants all commonly exploit known vulnerabilities in IoT devices. In February 2019, the Zingbox security research team discovered one of these variants targeting our customers.

Malware Detection Methodology

We identified malware targeting one of our clients and found that the targeted device continually attempted to connect to IP address 185.244.25.220 on port 20.

This IP address belongs to the 185.244.25.0/24 subnet, which had been previously reported as malicious:

We observed that Bad Packets Report mentioned abusive behavior on several other IP addresses in this subnet related to Mirai-like malware. See https://twitter.com/bad_packets/status/1082066618962796544 (shown below).


We also gathered information regarding this block of IP addresses in this thread:

https://twitter.com/bad_packets/status/1090099611887235073

To determine what type of malware it was, we performed a quick analysis. To begin with, the malware sample itself turned out to be packed with UPX (Ultimate Packer for eXecutables), one of the most common packers used in malware:

The figure above shows how we confirmed that the malware was packed with UPX.
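The check shown in that figure can be reproduced without a disassembler: a stock UPX build stamps its output with the "UPX!" magic tag and a "$Info: This file is packed with the UPX executable packer" banner. The following Python script is an added example, not Zingbox's code or anything from the report; it scans a file image for those markers and reports a triage verdict. The two sample byte strings are constructed for the demonstration and are not bytes from the analyzed sample.

```python
"""Static triage: does a binary carry the markers a stock UPX build leaves behind?

Added example, not Zingbox's code. It looks for the "UPX!" magic tag and the
"$Info: This file is packed with the UPX executable packer" banner that UPX
writes into its output. The sample byte strings below are constructed; they
are not bytes from the analyzed Mirai variant.
"""
import re
import sys

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
UPX_BANNER = re.compile(rb"\$Info: This file is packed with the UPX executable packer")
UPX_VERSION = re.compile(rb"\$Id: UPX (\d+\.\d+)")


def upx_indicators(data: bytes) -> dict:
    """Collect the UPX-related markers present in a raw file image."""
    version = UPX_VERSION.search(data)
    return {
        "is_elf": data[:4] == ELF_MAGIC,
        "upx_magic_count": data.count(UPX_MAGIC),
        "upx_banner": UPX_BANNER.search(data) is not None,
        "upx_version": version.group(1).decode() if version else None,
    }


def looks_upx_packed(data: bytes) -> bool:
    """Triage verdict: any UPX marker is enough to route the sample to unpacking.
    Absence proves nothing (modified UPX builds scrub these strings), so treat
    a miss as 'unknown', not 'clean'."""
    ind = upx_indicators(data)
    return ind["upx_banner"] or ind["upx_magic_count"] > 0


def triage_file(path: str) -> dict:
    """Run the marker scan over a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = upx_indicators(data)
    result["verdict"] = "upx-packed" if looks_upx_packed(data) else "no-upx-markers"
    return result


# Constructed stand-ins for a packed and an unpacked ELF image.
PACKED_SAMPLE = (
    ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 57          # 64-byte header (constructed)
    + UPX_MAGIC + b"\x0d\x0c\x00\x00" + b"\x00" * 32    # l_info-style tag (constructed)
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
    + b"$Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $\n"
    + b"\x00" * 16 + UPX_MAGIC                          # trailer tag (constructed)
)
CLEAN_SAMPLE = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 57 + b"hello, world\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, triage_file(path))
    if not sys.argv[1:]:
        print("packed sample:", upx_indicators(PACKED_SAMPLE), looks_upx_packed(PACKED_SAMPLE))
        print("clean sample: ", upx_indicators(CLEAN_SAMPLE), looks_upx_packed(CLEAN_SAMPLE))
```

Run it with one or more file paths to triage real samples, or with no arguments to see the constructed examples. The string scan is deliberately format-agnostic, so the same check works on PE and ELF images; a negative result only means the sample needs a different unpacking route.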


After unpacking the malware, we proceeded to the analysis. Examination of the functions in this malware sample shows striking similarities to those of Gafgyt variants, especially the Satori variant. The DoS attack options in this variant are SendTCP, SendHTTP, sendSTD, xmas and udpflood.

We found the above functions in the analyzed sample.


The Connection() function gathers information to try to communicate with a C2 server. If it cannot connect to the server, it waits 5 seconds and tries again. This process repeats until it connects to the server. This follows a similar process to what other botnets do.

When the malware can reach the server, it opens TCP port 8888 on the victim machine to communicate with the C2 server:


The malware tries to obtain information about the system it just infected, such as its local IP address:

This is the local_addr() function.


The malware calls the getBuild() function to register the device using its CPU architecture. The value returned by this function is passed as an argument when registering the device in the botnet. Here the return value is hardcoded as “ARM”, which indicates that this malware targets embedded devices. Some variants actually detect the CPU architecture of the infected machine instead.

For the CPU architecture type, registermydevice() uses the value that the getBuild() function returns, which is hardcoded as “ARM”.


This campaign uses the following user agents to perform HTTP attacks (the full list is reproduced in the indicators at the end of this report).

These are the main differences in this variant. The rest of the code is nearly the same as that found in qbot and its variants, whose source code was leaked and is available on the Internet.

Conclusion

Almost four months after the 185.244.25.0/24 block was reported, and almost 4 years after Mirai first appeared, our research team observed Mirai-like and Gafgyt variants targeting IoT devices. We still see Mirai-like malware targeting our customers' IoT devices.

Additionally, we observed other IP addresses that belong to the 185.244.25.0/24 block targeting our customers’ medical devices with different types of known botnets for IoT devices, such as Owari.

Table of observed connections (only the column headers survived extraction): Src IP | Src port | Dst IP | Dst Port


MD5: 312b5e6b568be8bb777af74ff68b261f

SHA-256: cca9a4b3210c21bda0d82cb7f92ced9c90acc90333be934c698a123575bbe591

C2 server: 185.244.25[.]220:20

Malicious Subnet: 185.244.25.0/24

Usage of port 8888 on the victim machine

User agents used in this campaign for HTTP attacks:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2

Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11

Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
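The indicators above are only useful once they are matched against telemetry. The following Python script is an added example, not Zingbox's tooling or anything from the report: it takes the report's indicators (the 185.244.25.0/24 block, the C2 at 185.244.25.220:20, the victim-side listener on port 8888 and the ten user agents) and runs them over flow and HTTP log lines. It also covers the behaviour described earlier for the Connection() function, which retries the C2 every 5 seconds, as a periodicity check that does not depend on the IP list at all. The log lines and their field layouts (space-separated flow records, tab-separated HTTP records) are constructed for the demonstration.

```python
"""Match flow and HTTP telemetry against this report's indicators.

Added example, not Zingbox's tooling. Indicators (the 185.244.25.0/24 block,
C2 185.244.25.220:20, victim-side port 8888, the HTTP attack user agents) are
the report's; the log lines and their field layouts are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

MALICIOUS_SUBNET = ipaddress.ip_network("185.244.25.0/24")
C2 = (ipaddress.ip_address("185.244.25.220"), 20)
VICTIM_LISTEN_PORT = 8888
ATTACK_USER_AGENTS = {  # the ten strings listed in the report, verbatim
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2",
    "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1",
}

# Constructed flow records: ts src_ip src_port dst_ip dst_port
FLOW_LOG = """\
2019-02-11T10:00:00 10.0.5.17 41022 185.244.25.220 20
2019-02-11T10:00:05 10.0.5.17 41023 185.244.25.220 20
2019-02-11T10:00:10 10.0.5.17 41024 185.244.25.220 20
2019-02-11T10:00:15 10.0.5.17 41025 185.244.25.220 20
2019-02-11T10:00:20 10.0.5.17 41026 185.244.25.220 20
2019-02-11T10:02:00 10.0.5.22 52100 93.184.216.34 443
2019-02-11T10:03:00 185.244.25.220 55001 10.0.5.17 8888
"""

# Constructed HTTP records: ts <TAB> src_ip <TAB> dst_ip <TAB> user_agent
HTTP_LOG = (
    "2019-02-11T10:05:00\t10.0.5.17\t203.0.113.10\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1\n"
    "2019-02-11T10:05:00\t10.0.5.17\t203.0.113.10\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\n"
    "2019-02-11T10:05:01\t10.0.5.17\t203.0.113.10\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5\n"
    "2019-02-11T10:05:30\t10.0.5.40\t203.0.113.10\tMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36\n"
)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, sip, sport, dip, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(sip),
                      "sport": int(sport), "dst": ipaddress.ip_address(dip), "dport": int(dport)})
    return flows


def flow_alerts(flows):
    """Tag flows touching the block: C2 connect, inbound to the 8888 listener, or other."""
    alerts = []
    for f in flows:
        if f["src"] not in MALICIOUS_SUBNET and f["dst"] not in MALICIOUS_SUBNET:
            continue
        tag = "malicious-subnet"
        if (f["dst"], f["dport"]) == C2:
            tag = "c2-connect"
        elif f["src"] in MALICIOUS_SUBNET and f["dport"] == VICTIM_LISTEN_PORT:
            tag = "inbound-8888"
        alerts.append((f["ts"].isoformat(), str(f["src"]), str(f["dst"]), f["dport"], tag))
    return alerts


def retry_beacons(flows, period=5, tolerance=1, min_hits=3):
    """IP-list-independent check: Connection() retries every 5 s, so flag
    (src, dst, dport) tuples with >= min_hits consecutive attempts ~period s apart."""
    stamps = defaultdict(list)
    for f in flows:
        stamps[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), ts in stamps.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if periodic >= min_hits:
            hits.append((str(src), str(dst), dport, periodic))
    return hits


def ua_alerts(text, min_distinct=2):
    """A single listed UA is weak evidence (they are real 2012-era browser strings);
    one source rotating through several of them at one destination is the flood pattern."""
    seen = defaultdict(set)
    for line in text.splitlines():
        _ts, src, dst, ua = line.split("\t", 3)
        if ua in ATTACK_USER_AGENTS:
            seen[(src, dst)].add(ua)
    return [(s, d, len(uas)) for (s, d), uas in seen.items() if len(uas) >= min_distinct]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for row in flow_alerts(flows) + retry_beacons(flows) + ua_alerts(HTTP_LOG):
        print(row)
```

Two design points matter in practice. The subnet and socket matches will age out as the block is reassigned, whereas the 5-second retry signature in retry_beacons keys on behaviour the unpacked code exhibits and keeps working against the same code with a new C2. The user-agent match is deliberately thresholded on distinct strings per source, since every one of the ten strings is a legitimate browser identifier from the Firefox 13 and Chrome 19/20 era and will occur on its own in normal traffic.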