
New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers

February 12, 2018 — by Radware

Overview

On February 8th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 – Dasan Unauthenticated Remote Code Execution. Referred to as “Satori.Dasan,” it has been expanding rapidly with a high success rate. The C2/exploit server for this botnet is 185.62.188.88 (AS49349 – BlazingFast LLC, Ukraine).

It is not clear what the purpose of this new botnet is, as we were unable to find specific attack vectors in the binary.

Our analysis suggests that Satori is looking to take over 40,000 IoT devices to join its growing family of cryptocurrency miners, as we saw here, and here. This would make the Satori.dasan malware a stage #1 infection, responsible for rapidly scanning the internet looking for vulnerable devices.

Network Coverage

Over the past two days Radware has detected over 2,000 unique malicious IPs daily, almost 10 times the daily average in the weeks prior.

The majority of the traffic came from Vietnam originating almost entirely from an ISP named ‘Viettel.’

A significant percentage of those malicious bots were also listening themselves on port 8080.

By sampling roughly 1,000 IPs and querying their server headers, Radware found that 95% identified themselves as running “Dasan Network Solution.”

A quick Shodan search revealed about 40,000 devices listening on port 8080, with over half located in Vietnam and, not surprisingly, at an ISP named ‘Viettel Corporation.’

Botnet Activity: Distributed Scanning and Central Exploitation Server

The infected bots perform aggressive scanning of random IP addresses, exclusively targeting port 8080. Once a bot finds a suitable target, it notifies a C2 server, which immediately attempts to infect it.

See the following sequence captured at one of Radware’s sensors (10.0.0.70):

Step #1

The infected bot sends a half-open stealth-scan SYN to port 8080. Instead of completing the handshake with an ACK, it sends a TCP RST. As is typical of Mirai-derived code, the initial SYN packet carries a sequence number identical to the 32-bit value of the target victim’s IP address.

Step #2

After 4 seconds, the bot completes a full 3-way TCP handshake to port 8080.

Step #3

The following 113-byte payload is sent:

Note that this is not the actual exploitation attempt, but rather a screening process to find vulnerable hosts.

Step #4

Radware’s Deception Network sensor answers the probe with the following response:

The bot closes the connection.

Step #5

Now comes the interesting part.

Notice the timestamp – it is just 106 milliseconds after the last packet, and we suddenly get an exploitation attempt from a completely different IP address. This IP belongs to a central exploitation server running on 185.62.188.88.

The exploit server sends the following payload over HTTPS port 8080:
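The two traffic traits described in Step #1 and Step #5, a SYN whose sequence number equals the target's 32-bit address and the hand-off from a scanning host to a different exploiting host a fraction of a second later, can be turned into sensor-side detection logic. The following Python is an added example, not Radware's code: the packet records are constructed (only the sensor address 10.0.0.70 comes from the post) and the 500 ms hand-off window is an assumed threshold.

```python
import ipaddress
from datetime import datetime, timedelta

SENSOR = "10.0.0.70"  # sensor address named in the post; everything below is constructed

# Constructed sensor log (not the Radware capture), one tuple per packet:
# (timestamp, src_ip, dst_ip, dst_port, tcp_flags, seq_number)
EVENTS = [
    ("2018-02-08T10:00:00.000", "203.0.113.5", SENSOR, 8080, "S", 0x0A000046),   # seq == 10.0.0.70
    ("2018-02-08T10:00:00.001", "203.0.113.5", SENSOR, 8080, "R", 0x0A000047),   # RST instead of ACK
    ("2018-02-08T10:00:04.000", "203.0.113.5", SENSOR, 8080, "S", 0x5A3C21F0),   # real handshake
    ("2018-02-08T10:00:04.120", "203.0.113.5", SENSOR, 8080, "PA", 0x5A3C21F1),  # screening probe
    ("2018-02-08T10:00:04.300", "203.0.113.5", SENSOR, 8080, "FA", 0x5A3C2262),  # bot closes
    ("2018-02-08T10:00:04.406", "198.51.100.9", SENSOR, 8080, "S", 0x11223344),  # 106 ms later, other IP
    ("2018-02-08T10:05:00.000", "192.0.2.77", SENSOR, 8080, "S", 0x31415926),    # unrelated, outside window
]

def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def mirai_style_syns(events):
    """Step #1 fingerprint: a SYN whose sequence number equals the 32-bit target IP."""
    return [(ts, src) for ts, src, dst, _port, flags, seq in events
            if flags == "S" and seq == ip_to_int(dst)]

def scan_to_exploit_handoffs(events, window_ms=500):
    """Steps #2-#5 pattern: host A talks to dst:port, then within window_ms a
    fresh SYN to the same dst:port arrives from a different host B.
    A's own follow-up handshake (same source) is deliberately not a hit."""
    last_seen = {}  # (dst, port) -> (timestamp, src) of the most recent packet
    hits = []
    for ts, src, dst, port, flags, _seq in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (dst, port)
        if flags == "S" and key in last_seen:
            prev_t, prev_src = last_seen[key]
            delta = (t - prev_t) // timedelta(milliseconds=1)  # whole milliseconds
            if prev_src != src and delta <= window_ms:
                hits.append((prev_src, src, delta))
        last_seen[key] = (t, src)
    return hits

if __name__ == "__main__":
    print("Mirai-style SYNs:", mirai_style_syns(EVENTS))
    print("scan->exploit hand-offs:", scan_to_exploit_handoffs(EVENTS))
```

On a real sensor the same two checks would run over a pcap or flow export keyed by destination port 8080; a hit on both in sequence is the signature of the distributed-scan, central-exploit split the post describes.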

Investigating the Malware

The threat actors who operate this C2 crime server are responsible for numerous attacks that were recently covered by different security vendors, including Fortinet, 360netlab and SANS.

With some scanning, fuzzing and Open-Source Intelligence (OSINT) we found some interesting details.

As with previous incidents, the domain rippr.me is used to point to the C2 server.

The following entries have an associated TXT record:

As we saw in the exploit payload, the server is listening on port 7777. Connecting to it brings the following download code:

So let’s get the file and check the contents:

It looks like a downloader that runs on an infected device. The script downloads several versions of the binary and tries to execute each one. If execution fails (because of a wrong CPU architecture), it simply moves on to the next one.

Let’s grab the binaries (and guess some additional ones, like the x86_64 build). They look quite fresh according to the server timestamps:

At the moment, VirusTotal already knows about the C2 address and shows that less than five antivirus products detect the files as malicious. Not very promising right now, but this should improve.

We will use this opportunity to submit some of the binaries that are missing in VT.

Summary

The Satori.Dasan variant is a rapidly growing botnet that uses a worm-like scanning mechanism, where every infected host looks for more hosts to infect. In addition, it has a central C2 server that handles the exploitation itself once the scanners detect a new victim.


4 comments

  • Hunter

    January 17, 2019 at 10:23 pm

    Thanks! It really helped me with my website!

  • Pingback: IoT Expands the Botnet Universe - Security Boulevard - TLO

  • Pingback: DDos attacks: worse always? – HelpDev
