Botnets | DDoS | DDoS Attacks | Security

New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers

February 12, 2018 — by Radware



On February 8th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 (Dasan Unauthenticated Remote Code Execution). Referred to as “Satori.Dasan,” it has been expanding rapidly with a high success rate. The C2/Exploit server for this botnet is (AS49349 – BlazingFast LLC, Ukraine)

It is not yet clear what the purpose of this new botnet is, as we were unable to find specific attack vectors in the binary.

Our analysis suggests that Satori is looking to take over 40,000 IoT devices to join its growing family of cryptocurrency miners, as we saw here, and here. This would make the Satori.Dasan malware a stage-1 infection, responsible for rapidly scanning the internet for vulnerable devices.

Network Coverage

Over the past two days Radware has detected over 2,000 malicious unique IPs daily, almost 10 times the daily average of the preceding weeks.

The majority of the traffic came from Vietnam, originating almost entirely from an ISP named ‘Viettel.’

A significant percentage of those malicious bots were themselves also listening on port 8080.

By sampling roughly 1,000 IPs and querying their server headers, Radware found that 95% identified themselves as running “Dasan Network Solution.”

A quick Shodan search revealed about 40,000 devices listening on port 8080, with over half located in Vietnam and, not surprisingly, at an ISP named ‘Viettel Corporation.’

Botnet Activity: Distributed Scanning and Central Exploitation Server

The infected bots perform aggressive scanning of random IP addresses, exclusively targeting port 8080. Once a bot finds a suitable target, it notifies a C2 server, which immediately attempts to infect that target.

See the following sequence captured at one of Radware’s sensors (

Step #1

The infected bot sends a half-open (stealth-scan) SYN to port 8080; instead of completing the handshake with an ACK, it sends a TCP RST. As is typical of Mirai-derived code, the initial SYN carries a sequence number identical to the 32-bit value of the target victim’s IP address.

Step #2

After 4 seconds, the bot establishes a full 3-way TCP handshake to port 8080.

Step #3

The following 113-byte payload is sent:

Note that this is not the actual exploitation attempt, but rather a screening probe used to find vulnerable hosts.

Step #4

Radware’s Deception Network sensor answers the probe with the following response:

The bot closes the connection.

Step #5

Now comes the interesting part.

Notice the timestamp: it is just 106 milliseconds after the last packet, and we suddenly get an exploitation attempt from a completely different IP address. This IP belongs to a central exploitation server running on

The exploit server sends the following payload over HTTPS port 8080:
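The five steps above describe a two-stage pattern that a sensor can fingerprint without ever seeing the exploit payload itself: a SYN whose sequence number equals the target IP (the Mirai scanner trait from Step 1), a short probe session from the scanner, and then, within a fraction of a second, a fresh connection to the same target port from a different source. The following detection script is an added example written for this article, not Radware’s code; the `Event` record, the `analyze` function and all IP addresses and timestamps in `sample_events` are constructed to mirror the captured sequence, and the probe bytes are placeholders rather than the real 113-byte payload.

```python
"""Detect the distributed-scan / central-exploit hand-off described in Steps 1-5.

Everything here is constructed sample data; nothing touches the network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One TCP segment as a flow sensor or pcap parser might emit it (assumed schema)."""
    ts: float          # seconds since epoch
    src: str           # source IPv4 address
    dst: str           # destination IPv4 address
    dport: int         # destination TCP port
    flags: str         # "S" SYN, "SA" SYN/ACK, "R" RST, "PA" PSH/ACK, "FA" FIN/ACK
    seq: int = 0       # TCP sequence number
    payload: bytes = b""


def is_mirai_style_syn(ev: Event) -> bool:
    """Mirai-derived scanners set the SYN's sequence number to the target's
    IPv4 address interpreted as a 32-bit integer (the fingerprint from Step 1)."""
    return ev.flags == "S" and ev.seq == int(IPv4Address(ev.dst))


def analyze(events: List[Event], port: int = 8080, window: float = 1.0) -> Dict[str, list]:
    """Return two alert lists:
    - 'scanner_syns': (src, dst) pairs whose SYN carried the Mirai sequence-number fingerprint
    - 'handoffs': a payload-carrying probe session from one source followed, within `window`
      seconds of its last segment, by a new SYN to the same target port from a different source
    """
    scanner_syns: List[Tuple[str, str]] = []
    handoffs: List[dict] = []
    # per target: (timestamp of last segment seen, source) of the most recent probe session
    last_probe: Dict[str, Tuple[float, str]] = {}

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dport != port:
            continue
        if is_mirai_style_syn(ev):
            scanner_syns.append((ev.src, ev.dst))
        prev = last_probe.get(ev.dst)
        if ev.payload:
            # a session that sends data on the target port counts as a probe
            last_probe[ev.dst] = (ev.ts, ev.src)
        elif prev and ev.src == prev[1]:
            # later segments of the prober's session (e.g. the close) extend its timestamp
            last_probe[ev.dst] = (ev.ts, prev[1])
        elif prev and ev.flags == "S" and ev.src != prev[1] and 0 <= ev.ts - prev[0] <= window:
            handoffs.append({
                "target": ev.dst,
                "scanner": prev[1],
                "exploiter": ev.src,
                "delay_ms": round((ev.ts - prev[0]) * 1000),
            })
    return {"scanner_syns": scanner_syns, "handoffs": handoffs}


def sample_events() -> List[Event]:
    """Constructed capture mirroring the article's sequence (documentation-range addresses)."""
    scanner, victim, exploiter, client = "203.0.113.10", "198.51.100.7", "192.0.2.55", "198.18.0.9"
    return [
        # Step 1: half-open scan, sequence number == victim IP, then RST instead of ACK
        Event(0.000, scanner, victim, 8080, "S", seq=int(IPv4Address(victim))),
        Event(0.002, scanner, victim, 8080, "R", seq=1),
        # Step 2/3: real handshake 4 s later, then the screening probe
        Event(4.000, scanner, victim, 8080, "S", seq=123456),
        Event(4.050, scanner, victim, 8080, "PA", seq=123457, payload=b"<constructed probe>"),
        # Step 4: scanner closes the connection
        Event(4.100, scanner, victim, 8080, "FA", seq=123476),
        # Step 5: 106 ms later a different IP opens a connection and sends its payload
        Event(4.206, exploiter, victim, 8080, "S", seq=424242),
        Event(4.250, exploiter, victim, 8080, "PA", seq=424243, payload=b"<constructed exploit>"),
        # benign traffic much later: ordinary SYN, then a request; no hand-off pattern
        Event(10.000, client, victim, 8080, "S", seq=777),
        Event(10.050, client, victim, 8080, "PA", seq=778, payload=b"GET / HTTP/1.1\r\n\r\n"),
    ]


if __name__ == "__main__":
    for name, alerts in analyze(sample_events()).items():
        print(name, alerts)
```

Running the script reports one scanner fingerprint and one hand-off with a 106 ms delay; the later client session is not flagged because no second source follows it inside the one-second window. In production the `window` and the payload heuristic would be tuned against the sensor’s baseline, and the `scanner_syns` list alone is a cheap way to enumerate Mirai-family scanners hitting any port.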

Investigating the Malware

The threat actors who operate this C2 Crime Server are responsible for numerous attacks that were recently covered by different security vendors, including Fortinet, 360netlab, SANS.

With some scanning, fuzzing and Open-Source Intelligence (OSINT) we found some interesting details.

As with previous incidents, the domain is used to point to the C2 server.

The following entries have an associated TXT record:

As we saw in the exploit payload, the server is listening on port 7777. Connecting to it brings the following download code:

So let’s get the file and check the contents:

It looks like a downloader that runs on an infected device. The script downloads several builds of the binary and tries to execute each one in turn; if execution fails (because the build is for the wrong CPU architecture), it simply moves on to the next.

Let’s grab the binaries (and guess some additional ones, like the x86_64 build). They look quite fresh according to the server timestamps:

At the moment, VirusTotal already knows about the C2 address, but fewer than five antivirus products detect the files as malicious. Not very promising right now, but this should improve.

We will use this opportunity to submit some of the binaries that are missing in VT.


The Satori.Dasan variant is a rapidly growing botnet which utilizes a worm-like scanning mechanism, where every infected host looks for more hosts to infect. In addition, it also has a central C2 server that handles the exploitation itself once the scanners detect a new victim.


Attack Mitigation | DDoS Attacks | Security

Obama’s Cyber-Security Proposals: Does this Safe Platform Translate to a Safer Network?

January 21, 2015 — by Ben Desjardins

President Obama’s mention of cyber-security in last night’s State of the Union Address came as no surprise. The Obama camp implemented a novel approach this year of “previewing” the President’s main agenda items through a series of speeches in the week preceding the SOTU. But even without the preview, the comments on cyber-security were rather predictable (and brief).

DDoS Attacks | Security

The Right Way to Secure Your Applications Against DDoS Using Signaling

January 12, 2015 — by David Monahan

David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.

Let’s face it. DDoS are the big, fat, scary bully of the Internet. When organizations have sufficiently tight security or a would-be attacker doesn’t have the skills to overcome a target’s security, he or she can buy capacity on a bot-net or other delivery vehicle and slam packets from all over the world at the target’s site and application(s).

Attack Mitigation | DDoS Attacks | Security

Tsunami SYN Flood Attack – A New Trend in DDoS Attacks?

October 8, 2014 — by Radware

Over the past week Radware’s Emergency Response Team (ERT) detected a new type of SYN flood which is believed to be specially designed to overcome most of today’s security defenses with a TCP-based volume attack. Within a 48-hour period two different targets in two different continents were targeted with this new technique and have experienced very high attack volumes.

DDoS Attacks | Security

Can Your Business Meet the Demands of Cyber-Ransom?

September 25, 2014 — by David Hobbs

Online criminality has become a big business, and new faces of social engineering and fraud are sweeping the globe. News articles regularly report on major breaches and outages, but rarely, if ever, do we see the underlying ransom demands that are presented before a business is attacked. The stand that organizations often take is that they do not negotiate with terrorists or pirates. But this approach, while noble, can become costly to a business; some may lose everything.

Attack Mitigation | DDoS Attacks | Security

6 Types of DDoS Protection for Your Business

July 14, 2014 — by David Monahan

David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.

DDoS attacks have become commonplace these days. The offending attackers may be hacktivists, cyber-criminals, and nation states or just about anyone else with an Internet grudge and a PayPal or Bitcoin account. These attacks themselves often require no technical skill. Someone with a bone to pick can simply purchase the use of any number of nodes on one or more botnets for an hourly fee (long term rate discounts available); use a Graphical User Interface (GUI) to organize the attack and then launch it.

Attack Mitigation | DDoS Attacks | Security

Cyber Attacks on Oil and Gas

July 11, 2014 — by David Hobbs

A few weeks ago, news agencies shared reports on the Energetic Bear attack. This cyber-attack, or rather virus, was reportedly introduced by a Russian hacking group and it targeted oil, gas, power, and energy investment companies. The threatening malware had the ability to shut down major power grids, oil pipelines, gas, and energy traders. Analysts speculate that the attack motive was to gain competitive advantage in state-sponsored espionage against global oil and energy producers.

DDoS Attacks | Security

Five Burning Security Issues in Cloud Computing

June 20, 2014 — by Bill Lowry

As companies accelerate their adoption of cloud technologies, like infrastructure as a service (IaaS) or software as a service (SaaS), the need for solutions that provide secure access and reliable operations in the cloud increases in importance. Since your data will now reside in several different facilities, with different providers or partners, you now have a new “security perimeter” to monitor and defend. As such, closely evaluating how cloud-based data is protected should be part of the overall security strategy. A top area of concern is defending applications from distributed-denial-of-service (DDoS) attacks.

Brute Force Attacks | DDoS Attacks | Security

A 5 Step Plan on How to Protect Yourself from Cybercrime

June 16, 2014 — by Adrian Crawley

Recently, I wrote an article for Help Net Security to discuss the modus operandi of cybercriminals and how this can lead to different types of cyber attacks. While we have previously encountered huge distributed denial of service (DDoS) attacks that appear to come from nowhere and flood the victim’s network security, we have begun to see much more stealth and more sophisticated attacks causing just as much, if not more, damage.