Analysis

After downloading the malware samples, I found that they had the distinct characteristics of a Mirai-based botnet, most likely built from the recently released source code. On startup, the malware attempts to block further exploit attempts against port 7547 by running ‘busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP’. It then unlinks its own executable from the filesystem and uses prctl(PR_SET_NAME) to give itself a random process name, exactly as the main() function of the released Mirai bot source does. At this point it should be clear that this is malware derived from Mirai, but the similarity does not end there. Dumping strings from the binary reveals a long list of clearly obfuscated strings such as ‘qGVlvrqGPTGPQ’. The Mirai source code includes an encoding tool that obfuscates strings with a relatively simple XOR process using a dummy key of 0xdeadbeef. Sure enough, a hex dump of the binary shows the obfuscated strings starting at offset 0x18054 (in the MIPSEL binary), so I figured it would be worth extracting and decoding them with a simple Python function that applies the same XOR. I have put this code in a Gist in case it is of use to anyone else.
    import sys

    def decode(data, key=0xdeadbeef):
        # Mirai XORs every byte with each of the four key bytes in turn,
        # so the 32-bit key collapses to a single byte (0x22 for 0xdeadbeef).
        k1 = key & 0xFF
        k2 = (key >> 8) & 0xFF
        k3 = (key >> 16) & 0xFF
        k4 = (key >> 24) & 0xFF
        return "".join(chr(ord(c) ^ k4 ^ k3 ^ k2 ^ k1) for c in data)

    if __name__ == "__main__":
        # usage: python decode.py qGVlvrqGPTGPQ
        print(decode(sys.argv[1]))

Applying this to the bytes stored in my malware sample revealed additional strings that confirm Mirai and also show the various payloads being sent. (It is also interesting that the attacker apparently could not be bothered to change the 0xdeadbeef XOR key.) Further analysis of the binary turned up some potential indicators of compromise, including the domain names rep.securityupdates.us, ntp.timeserver.host, tr069.pw, and p.ocalhost.host. Checking the registration details for securityupdates.us and ocalhost.host made me laugh a little: both were registered by a Peter Parker out of Kiev, Ukraine (hence the title of this post). The Whois record for timeserver.host, on the other hand, lists the same street address (27 Hofit St) but gives the registrant name as ‘spider man’ and places the address in Tel Aviv, Israel. Additional analysis of this attack is available here: ISC SANS Port 7547 SOAP Remote Code Execution Attacks Against DSL Modems
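To make the decoding reusable over a whole carved region of the binary rather than one string at a time, here is an added Python 3 example (my own code, written for this write-up; it is neither the Gist above nor anything from the Mirai source). It relies on how Mirai's bot/table.c applies the key: every byte is XORed with all four key bytes in turn, so 0xdeadbeef folds to the single byte 0x22, and the NUL terminator of each string is obfuscated along with it, which gives a separator to split on. The SAMPLE_BLOB region below is constructed for illustration and is not bytes from the real sample; the region you would actually feed in is whatever you carve from the binary starting at the table offset (0x18054 in the MIPSEL sample).

```python
"""Decode Mirai-style obfuscated strings (added example, not the post's Gist).

Mirai's bot/table.c XORs every byte of each string with the four bytes of a
32-bit key (0xdeadbeef by default), one after the other.  Because XOR is
associative, that collapses to a single-byte key, so the "32-bit key" only
ever provides 8 bits of obfuscation.
"""
import string

MIRAI_DEFAULT_KEY = 0xDEADBEEF  # the key this sample left unchanged


def effective_key(key: int = MIRAI_DEFAULT_KEY) -> int:
    """Fold the four key bytes into the single byte that is actually applied."""
    k1 = key & 0xFF
    k2 = (key >> 8) & 0xFF
    k3 = (key >> 16) & 0xFF
    k4 = (key >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4  # 0xdeadbeef -> 0x22


def decode(data: bytes, key: int = MIRAI_DEFAULT_KEY) -> bytes:
    """XOR every byte with the folded key; the same routine encodes and decodes."""
    k = effective_key(key)
    return bytes(b ^ k for b in data)


def carve_strings(blob: bytes, key: int = MIRAI_DEFAULT_KEY, min_len: int = 4) -> list:
    """Split a carved region of the binary into decoded strings.

    Mirai obfuscates the terminating NUL too, so in the binary each string
    ends with 0x00 ^ k (0x22 for the default key).  Split on that byte and
    keep only runs that decode to printable ASCII of a useful length.
    """
    k = effective_key(key)
    printable = set(string.printable.encode()) - set(b"\x0b\x0c")
    found = []
    for chunk in blob.split(bytes([k])):
        if len(chunk) < min_len:
            continue
        plain = decode(chunk, key)
        if all(b in printable for b in plain):
            found.append(plain.decode("ascii"))
    return found


# Constructed sample region (NOT bytes from the real sample): three strings
# encoded exactly as Mirai's enc.c would emit them, NUL terminators included.
SAMPLE_BLOB = b"".join(
    decode(s + b"\x00") for s in (b"SetNTPServers", b"/bin/busybox", b"GET /")
)

if __name__ == "__main__":
    print(hex(effective_key()))                # 0x22
    print(decode(b"qGVlvrqGPTGPQ").decode())   # the string quoted in the post
    for s in carve_strings(SAMPLE_BLOB):
        print(repr(s))
```

Running it shows that the key folds to 0x22 and that the obfuscated ‘qGVlvrqGPTGPQ’ from the strings dump decodes to SetNTPServers, the TR-064 SOAP action abused in these attacks. Since the folded key is only one byte, a sample whose author did change the key can be recovered by trying all 256 values against a known-plaintext such as that action name or "/bin/busybox".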
Sample Details

Samples obtained from p.ocalhost.host on Monday, Nov. 28 (SHA-256):

LSB MIPS: 7e84a8a74e93e567a6e7f781ab5764fe3bbc12c868b89e5c5c79924d5d5742e2
MSB MIPS: fc683bdfc51b2f4eec162e80ab253f3d7f5f22a1c64630c7c7d5509932a6a346
ARM: 1fce697993690d41f75e0e6ed522df49d73a038f7e02733ec239c835579c40bf
Renesas: 828984d1112f52f7f24bbc2b15d0f4cf2646cd03809e648f0d3121a1bdb83464
PowerPC: c597d3b8f61a5b49049006aff5abfe30af06d8979aaaf65454ad2691ef03943b
SPARC: 046659391b36a022a48e37bd80ce2c3bd120e3fe786c204128ba32aa8d03a182
M68k: 5d4e46b3510679dc49ce295b7f448cd69e952d80ba1450f6800be074992b07cc

Samples obtained from tr069.pw on Tuesday, Nov. 29 (SHA-256):

LSB MIPS: 4b759457fbb423375510fa5125b6ac28ae7b347eb544be4ad21b4cbc8e91450d
MSB MIPS: fc683bdfc51b2f4eec162e80ab253f3d7f5f22a1c64630c7c7d5509932a6a346
ARM: 1fce697993690d41f75e0e6ed522df49d73a038f7e02733ec239c835579c40bf
Renesas: 828984d1112f52f7f24bbc2b15d0f4cf2646cd03809e648f0d3121a1bdb83464
PowerPC: c597d3b8f61a5b49049006aff5abfe30af06d8979aaaf65454ad2691ef03943b
SPARC: 046659391b36a022a48e37bd80ce2c3bd120e3fe786c204128ba32aa8d03a182
M68k: 5d4e46b3510679dc49ce295b7f448cd69e952d80ba1450f6800be074992b07cc

Only the LSB MIPS build differs between the two hosts; the other six hashes are identical on both days.