Botnets Archives | Radware Blog

New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers

February 12, 2018 — by Radware — 0

blog_image_ert_alert_wordpress_vulnerability-960x720.jpg

Overview

On February 8^th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 – Dasan Unauthenticated Remote Code Execution. Referred to as “Satori.Dasan,” it’s been rapidly expanding with a high success rate. The C2/Exploit server for this botnet is 185.62.188.88 (AS49349 – BlazingFast LLC, Ukraine)

It is not clear what is the purpose of this new botnet, as we were unable to find specific attack vectors in the binary.

Our analysis suggests that Satori is looking to take over 40,000 IoT devices to join its growing family of cryptocurrency miners, as we saw here, and here. This would make the Satori.dasan malware a stage #1 infection, responsible for rapidly scanning the internet looking for vulnerable devices.

Network Coverage

Over the past two days Radware has detected over 2000 malicious Unique IPs daily, almost 10 times higher than the daily average in the weeks prior.

The majority of the traffic came from Vietnam originating almost entirely from an ISP named ‘Viettel.’

A significant percentage of those malicious bots were also listening themselves on port 8080.

By sampling roughly 1000 IPs and querying their server headers, Radware revealed that 95% identified themselves as running “Dasan Network Solution.”

A quick Shodan search revealed about 40,000 devices listening on port 8080, with over half located in Vietnam, and not surprisingly an ISP named ‘Viettell Corporation.’

Botnet Activity: Distributed Scanning and Central Exploitation Server

The infected bots will perform aggressive scanning of random IP addresses, exclusively targeting port 8080. Once it finds a suitable target, it notifies a C2 server which immediately attempts to infect it.

See the following sequence captured at one of Radware’s sensors (10.0.0.70):

Step #1

The infected bot sends a half-open stealth-scan SYN request to port 8080. Instead of Ack, a TCP Reset is sent. Typical to Mirai code, the initial TCP SYN packet contains a sequence number identical to the 32bit value of the target victim.

Step #2

After 4 seconds, the bot establishes a 3-way TCP handshake to port 8080

Step #3

The following 113 bytes payload is sent:

Note that this is not the actual exploitation attempt, but rather a screening process to find vulnerable hosts.

Step #4

Radware’s Deception Network sensor is answering the probe with the following response:

The bot closes the connection.

Step #5

Now comes the interesting part.

Notice the timestamp – it is just 106 milliseconds after the last packet and we suddenly get an exploitation attempt from a completely different IP address. This IP belongs to a central exploitation server running on 185.62.188.88

The exploit server sends the following payload over HTTPS port 8080:

Investigating the Malware

The threat actors who operate this C2 Crime Server are responsible for numerous attacks that were recently covered by different security vendors, including Fortinet, 360netlab, SANS.

With some scanning, fuzzing and Open-Source Intelligence (OSINT0) we found some interesting details.

As with previous incidents, the domain rippr.me is used to point to the C2 server.

The following entries have an associated TXT record:

As we saw in the exploit payload, the server is listening on port 7777. Connecting to it brings the following download code:

So let’s get the file and check the contents:

It looks like a downloader that will be running on an infected device. The script downloads several versions of the binary and tries to execute it. If it fails (due to wrong CPU architecture), it will just go over to the next one.

Let’s grab the binaries (and guess some additional ones, like the x86_64). They look quite fresh according to server timestamps:

At the moment, VirusTotal already knows about the C2 address and shows that less than five antivirus products detect the files as malicious. Not very promising right now, but this should improve.

We will use this opportunity to submit some of the binaries that are missing in VT.

Summary

The Satori.Dasan variant is a rapidly growing botnet which utilizes a worm-like scanning mechanism, where every infected host looks for more hosts to infect. In addition, it also has a central C2 server that handles the exploitation itself once the scanners detect a new victim.

Read “2017-2018 Global Application & Network Security Report” to learn more.

Download Now

DarkSky Botnet

February 8, 2018 — by Yuval Shapira — 0

Radware’s Threat Research has recently discovered a new botnet, dubbed DarkSky. DarkSky features several evasion mechanisms, a malware downloader and a variety of network- and application-layer DDoS attack vectors. This bot is now available for sale for less than $20 over the Darknet.

As published by its authors, this malware is capable of running under Windows XP/7/8/10, both x32 and x64 versions, and has anti-virtual machine capabilities to evade security controls such as a sandbox, thereby allowing it to only infect ‘real’ machines.

The Rise of Thingbots

November 19, 2014 — by David Monahan — 6

David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.

The Internet can be a pretty scary place. Places like the dark web exist in the form of trading houses with stolen personal information from credit cards and social security numbers, to health records and full identities being obtained for a price. Malware development and deployment and other attack services such as DDoS and botnets can be rented by the hour. Recent reports indicate that DDoS attacks are increasing in both frequency and size, and the problem of botnets being used as attack networks or launch points in DDoS and other malicious activities is significant. Indications are that it will only continue to get worse.

The Ride from RSA 2014 & Taxi Wars

March 6, 2014 — by David Hobbs — 0

The RSA Conference was amazing this year — bigger, more robust and crazier than I have ever seen it. The only void I noticed among the technical vendors was addressing the issue of hacktivism. In the packed conference and crowed exhibition halls, I never came across a discussion about this phenomenon. Can we forecast this risk? Do we know its long term effects? I think most of us are still befuddled by this concept.

More Bots and Aggressive API Abuse

November 4, 2013 — by David Hobbs — 1

In my last article about Bots and Scrapers for abuse, we explored some of the issues surrounding scripts and bots for abusing retailers. Recently, more light has been shed upon even more abuse coming to the Web in the form of aggressive API’s and bots to automate Web processes. Beyond competitors and price index advantages, people are using bots for profits and personal advantages.

Bots and Scripts for Abuse

August 9, 2013 — by David Hobbs — 2

In the last few years, we’ve discovered that many of our customers have been putting up with artificial clients hitting their websites. Scraping competitors’ websites for business intelligence purposes is quickly becoming a common practice. Recently, an article by Slashdot shared that people are even using bots and scripts to score restaurant reservations. Likewise, Variable Pricing software and methods are being used by many e-commerce websites in order to reduce their sales costs and obtain greater control over the buying process.

When Servers Attack Your Bank: The Rise of Server Botnets

February 19, 2013 — by Matan Atad — 3

Imagine the following scenario: You’re a hosting company and you receive a call from one of the largest banks in the United States informing you that they are currently experiencing a cyber attack. Why are they calling you? The attack is coming from your servers.

eCrime Congress in Germany: Restoring the Equilibrium of Attackers Vs. Defenders

February 8, 2013 — by Ron Meyran — 0

Last week, I attended eCrime Congress in Frankfurt, Germany. Held on January 30,Radware was one of the sponsors of the event, which featured a lecture track that ran throughout the day and included breaks for the sponsors’ pavilion.

Shooting From Behind the Fence

February 8, 2013 — by Eyal Benishti — 0

Can You Stay Anonymous While Participating in a DDoS Attack?
Taking part in a Hacktivist group is completely different than being part of a Botnet. In a Botnet, case participants are unknowingly “recruited” to an attack. In the Hacktivist group, case members take part in attack activities on their own accord.
Just this past month, Anonymous hackers in London were jailed for a series of DDoS attacks on PayPal and other payment services such as Visa and MasterCard.

New Attack Trends – Are You Bringing a Knife to the Gunfight?

January 22, 2013 — by Ziv Gadot — 0

Today, we launched our 2012 Global Application and Network Security report. It was prepared by our security experts – the Emergency Response Team (ERT) – who’ve seen their fair share of cyber attacks while actively monitoring and mitigating attacks in real-time. In this year’s annual report, our experts have uncovered several new trends in cyber-security worthy of a closer look.

main

Botnets DDoS DDoS Attacks Security

New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers

Overview

Network Coverage