On February 8th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 – Dasan Unauthenticated Remote Code Execution. Referred to as “Satori.Dasan,” it’s been rapidly expanding with a high success rate. The C2/Exploit server for this botnet is 220.127.116.11 (AS49349 – BlazingFast LLC, Ukraine)
It is not clear what is the purpose of this new botnet, as we were unable to find specific attack vectors in the binary.
Our analysis suggests that Satori is looking to take over 40,000 IoT devices to join its growing family of cryptocurrency miners, as we saw here, and here. This would make the Satori.dasan malware a stage #1 infection, responsible for rapidly scanning the internet looking for vulnerable devices.
Over the past two days Radware has detected over 2000 malicious Unique IPs daily, almost 10 times higher than the daily average in the weeks prior.
The majority of the traffic came from Vietnam originating almost entirely from an ISP named ‘Viettel.’
A significant percentage of those malicious bots were also listening themselves on port 8080.
By sampling roughly 1000 IPs and querying their server headers, Radware revealed that 95% identified themselves as running “Dasan Network Solution.”
A quick Shodan search revealed about 40,000 devices listening on port 8080, with over half located in Vietnam, and not surprisingly an ISP named ‘Viettell Corporation.’
Botnet Activity: Distributed Scanning and Central Exploitation Server
The infected bots will perform aggressive scanning of random IP addresses, exclusively targeting port 8080. Once it finds a suitable target, it notifies a C2 server which immediately attempts to infect it.
See the following sequence captured at one of Radware’s sensors (10.0.0.70):
The infected bot sends a half-open stealth-scan SYN request to port 8080. Instead of Ack, a TCP Reset is sent. Typical to Mirai code, the initial TCP SYN packet contains a sequence number identical to the 32bit value of the target victim.
After 4 seconds, the bot establishes a 3-way TCP handshake to port 8080
The following 113 bytes payload is sent:
Note that this is not the actual exploitation attempt, but rather a screening process to find vulnerable hosts.
Radware’s Deception Network sensor is answering the probe with the following response:
The bot closes the connection.
Now comes the interesting part.
Notice the timestamp – it is just 106 milliseconds after the last packet and we suddenly get an exploitation attempt from a completely different IP address. This IP belongs to a central exploitation server running on 18.104.22.168
The exploit server sends the following payload over HTTPS port 8080:
Investigating the Malware
With some scanning, fuzzing and Open-Source Intelligence (OSINT0) we found some interesting details.
As with previous incidents, the domain rippr.me is used to point to the C2 server.
The following entries have an associated TXT record:
As we saw in the exploit payload, the server is listening on port 7777. Connecting to it brings the following download code:
So let’s get the file and check the contents:
It looks like a downloader that will be running on an infected device. The script downloads several versions of the binary and tries to execute it. If it fails (due to wrong CPU architecture), it will just go over to the next one.
Let’s grab the binaries (and guess some additional ones, like the x86_64). They look quite fresh according to server timestamps:
At the moment, VirusTotal already knows about the C2 address and shows that less than five antivirus products detect the files as malicious. Not very promising right now, but this should improve.
We will use this opportunity to submit some of the binaries that are missing in VT.
The Satori.Dasan variant is a rapidly growing botnet which utilizes a worm-like scanning mechanism, where every infected host looks for more hosts to infect. In addition, it also has a central C2 server that handles the exploitation itself once the scanners detect a new victim.