IoTroop, a new pandemic affecting connected objects


October 25, 2017 by Nha-Khanh Nguyen
Everyone remembers the wave of attacks generated by the Mirai botnet at the end of 2016. The IoT world, until then rarely targeted by malware, experienced one of its first devastating botnets: a network of hundreds of thousands of connected devices, including surveillance cameras. In recent days, a new threat has been identified by Check Point. Named IoTroop by some and Reaper by others, this new botnet has already enrolled more than a million devices worldwide. The firm speaks of a "cyber-storm" that could bring down the entire Internet. While this claim may seem somewhat exaggerated, it is the first time in the history of connected objects that malware has affected so many organisations, including healthcare institutions, transportation networks and various companies.


Mirai's succession

The researchers believe that IoTroop has some similarities to Mirai. Indeed, the malware appears to attack connected objects and spread like a worm: after identifying a vulnerable device, IoTroop enters it through a security flaw and then attempts to identify other vulnerable devices. According to Check Point, it also borrows several parts of its code from Mirai, but it is currently impossible to determine whether there is a real link between the two malware families.

For now, there is no sign of an attack from the botnet; it only seems to infect objects and spread itself. So why does the media seem so alarmed, talking about a much bigger threat than the Mirai botnet? The new malware no longer brute-forces the default credentials of DVR cameras and recorders but scans network devices for specific security vulnerabilities. So far, a little less than a dozen exploits used by the botnet have been listed, but new exploit code seems to be added every day. The malware therefore inevitably reaches a much wider range of connected objects than its predecessor, and this is just the beginning. Among the best-known brands, Netgear, D-Link, GoAhead and Synology have a wide range of impacted products. Despite the botnet's passivity, researchers fear the calm before the storm: it seems to be in a recruitment phase, and the number of infected objects has been growing exponentially since the beginning of October.

Given the numerous similarities in the source code, which is still being analysed, Check Point tends to think that IoTroop's aim is the same as Mirai's, namely performing DDoS attacks, but the botnet's real intentions remain impossible to determine.


IoTroop behavior

The botnet is described as much more advanced and complex than Mirai. On the one hand, it infects connected objects through vulnerabilities discovered quite recently, only a few months ago; as a result, very few devices have been patched since then, and some manufacturers are still working on security patches. On the other hand, it embeds a Lua runtime environment that allows the attacker to develop much more complex attack scripts than most malware.

The study by the Chinese security firm 360 Netlab shows that IoTroop is built from four types of servers, which makes it all the more complex than Mirai: a downloader, a controller, a reporter and a loader.

The downloader, as its name implies, hosts the binaries that infected devices download. These servers appear to use an address with the subdomain "d" (e.g. d.hl852.com). The controller is used to manage the zombie devices (bots); its address uses the subdomain "e" (e.g. e.hl852.com). The reporter collects the information about potentially vulnerable devices sent back by the bots and uses the subdomain "f" (e.g. f.hl852.com). Finally, the loader plants the malicious program on the devices collected by the reporter, through the identified vulnerability.


Vulnerabilities

Unlike Mirai, IoTroop does not scan Telnet ports to _brute-force_ credentials but looks for specific vulnerabilities. To date, nine exploits have been identified, but the list seems to be updated regularly.

Here is a summary table of the exploits apparently used by the botnet:

| Brand | Model | Security bulletin | Patch |
|---|---|---|---|
| D-Link | 850L | https://blogs.securiteam.com/index.php/archives/3364 | 1.14B07 BETAs |
| D-Link | DIR-300/600 | http://www.s3cur1ty.de/m1adv2013-003 | - |
| GoAhead | Wireless IP Camera (P2P) WIFICAM | https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html | - |
| JAWS web server | Multiple DVR devices | https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/ | - |
| Netgear | ReadyNAS Surveillance | https://blogs.securiteam.com/index.php/archives/3409 | 1.4.3-17 (x86), 1.1.4-7 (ARM) |
| Netgear | DGN1000 | http://seclists.org/bugtraq/2013/Jun/8 | 1.1.00.48 |
| Netgear | DGN2200 v1 | http://seclists.org/bugtraq/2013/Jun/8 | EOL |
| Vacron | Multiple NVR | https://blogs.securiteam.com/index.php/archives/3445 | - |
| Linksys | E1500/E2500 | http://www.s3cur1ty.de/m1adv2013-004 | - |
| AVTECH | Multiple IP camera, NVR, DVR | https://github.com/Trietptm-on-Security/AVTECH | - |

However, it is not certain that all the vulnerabilities in those advisories are exploited, and this list is not exhaustive: other products affected by the same vulnerabilities are potentially impacted as well. Check Point's article lists additional brands and products found in their study.


Detection and IOCs

Several IoCs are already available for the botnet. Defanged URLs:
  • hxxp://cbk99.com:8080/run.lua
  • hxxp://bbk80.com/api/api.php
  • hxxp://103.1.221.40/63ae01/39xjsda.php
  • hxxp://162.211.183.192/down/server.armel
  • hxxp://162.211.183.192/sa
  • hxxp://162.211.183.192/sa5
  • hxxp://162.211.183.192/server.armel
  • hxxp://162.211.183.192/sm
  • hxxp://162.211.183.192/xget
  • hxxp://198.44.241.220:8080/run.lua
  • hxxp://23.234.51.91/control-ARM-LSB
  • hxxp://23.234.51.91/control-MIPS32-MSB
  • hxxp://23.234.51.91/htam5le
  • hxxp://23.234.51.91/htmpbe
  • hxxp://27.102.101.121/down/1506753086
  • hxxp://27.102.101.121/down/1506851514

File hashes (MD5):
  • 3182a132ee9ed2280ce02144e974220a
  • 3d680273377b67e6491051abe17759db
  • 41ef6a5c5b2fde1b367685c7b8b3c154
  • 4406bace3030446371df53ebbdc17785
  • 4e2f58ba9a8a2bf47bdc24ee74956c73
  • 596b3167fe0d13e3a0cfea6a53209be4
  • 6587173d571d2a587c144525195daec9
  • 6f91694106bb6d5aaa7a7eac841141d9
  • 704098c8a8a6641a04d25af7406088e1
  • 726d0626f66d5cacfeff36ed954dad70
  • 76be3db77c7eb56825fe60009de2a8f2
  • 95b448bdf6b6c97a33e1d1dbe41678eb
  • 9ad8473148e994981454b3b04370d1ec
  • 9f8e8b62b5adaf9c4b5bdbce6b2b95d1
  • a3401685d8d9c7977180a5c6df2f646a
  • abe79b8e66c623c771acf9e21c162f44
  • b2d4a77244cd4f704b65037baf82d897
  • ca92a3b74a65ce06035fcc280740daf6
  • e9a03dbde09c6b0a83eefc9c295711d7
  • f9ec2427377cbc6afb4a7ff011e0de77
  • fb7c00afe00eeefb5d8a24d524f99370

Note that the vulnerability scan performed by IoTroop is not very aggressive, which makes it relatively stealthy and lets it pass under the radar of monitoring tools.
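To turn the indicators above into something a SOC can run, here is an added example in Python; it is not code from the original post, nor from Check Point or 360 Netlab. It refangs a subset of the listed URLs, matches them against proxy and DNS log lines at both the exact-URL and the host level, labels queries under the hl852.com zone with the d/e/f roles described in the infrastructure section, and checks a file inventory against a subset of the listed MD5 hashes. The log formats, client addresses, the /xget2 path and the inventory entries are constructed for the example and are not from the post.

```python
import re
from urllib.parse import urlsplit

# Defanged network indicators copied from the post (refanged at load time).
IOC_URLS = [
    "hxxp://cbk99.com:8080/run.lua",
    "hxxp://bbk80.com/api/api.php",
    "hxxp://162.211.183.192/down/server.armel",
    "hxxp://198.44.241.220:8080/run.lua",
    "hxxp://23.234.51.91/control-ARM-LSB",
]
# A subset of the MD5 hashes listed in the post.
IOC_MD5 = {
    "3182a132ee9ed2280ce02144e974220a",
    "41ef6a5c5b2fde1b367685c7b8b3c154",
    "fb7c00afe00eeefb5d8a24d524f99370",
}
# Sub-domain labels and their roles as the post summarises 360 Netlab's
# findings; hl852.com is the example zone the post cites.
C2_ZONE = "hl852.com"
SUBDOMAIN_ROLES = {"d": "downloader", "e": "controller", "f": "reporter"}


def refang(indicator):
    """Turn a defanged 'hxxp://' indicator back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)


def build_indicator_sets(urls=IOC_URLS):
    """Return (exact URLs, hosts) so a log line can match on either level.
    Host-level matching also catches a payload name the list does not yet
    carry, when it is served from a distribution server the list does."""
    exact = {refang(u) for u in urls}
    hosts = {urlsplit(u).hostname for u in exact}
    return exact, hosts


def infrastructure_role(hostname, zone=C2_ZONE):
    """Map a hostname under the reported C2 zone to its role via the label
    directly left of the zone; None when the host is outside the zone."""
    if not hostname.endswith("." + zone):
        return None
    label = hostname[: -len(zone) - 1].split(".")[-1]
    return SUBDOMAIN_ROLES.get(label, "unknown")


# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
# The /xget2 path is invented to show a host-level match on a listed server.
PROXY_LOG = """\
1508900001 10.0.5.21 GET http://example.org/index.html 200
1508900017 10.0.5.33 GET http://162.211.183.192/down/server.armel 200
1508900042 10.0.5.33 GET http://162.211.183.192/xget2 404
1508900063 10.0.5.48 GET http://cbk99.com:8080/run.lua 200
1508900090 10.0.5.21 GET http://updates.example.org/firmware.bin 200
""".splitlines()


def match_proxy_log(lines, urls=IOC_URLS):
    """Return (client, url, match_kind) for every line touching an indicator."""
    exact, hosts = build_indicator_sets(urls)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        client, url = fields[1], fields[3]
        if url in exact:
            hits.append((client, url, "exact-url"))
        elif urlsplit(url).hostname in hosts:
            hits.append((client, url, "known-host"))
    return hits


# Constructed DNS query log: "<epoch> <client> <qname>".
DNS_LOG = """\
1508900005 10.0.5.21 www.example.org
1508900021 10.0.5.33 d.hl852.com
1508900077 10.0.5.33 f.hl852.com
""".splitlines()


def match_dns_log(lines, zone=C2_ZONE):
    """Return (client, qname, role) for queries under the reported C2 zone."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, qname = fields[1], fields[2].rstrip(".").lower()
        role = infrastructure_role(qname, zone)
        if role is not None:
            hits.append((client, qname, role))
    return hits


def match_hash_inventory(records, known=IOC_MD5):
    """records: "<path> <md5>" lines from a file inventory; returns paths
    whose digest is on the indicator list."""
    return [path for path, digest in (r.rsplit(None, 1) for r in records)
            if digest.lower() in known]


# Constructed inventory: the first entry carries a hash from the post's list.
FILE_INVENTORY = [
    "/tmp/.x/sa 3182a132ee9ed2280ce02144e974220a",
    "/bin/busybox 0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG) + match_dns_log(DNS_LOG):
        print("ALERT", *hit)
    print("inventory hits:", match_hash_inventory(FILE_INVENTORY))
```

Matching on the host as well as the exact URL is deliberate: the post notes that new exploit code and, presumably, new payloads appear daily, so a URL list goes stale faster than the servers behind it. Because the scanning itself is quiet enough to slip past rate-based monitoring, an egress or DNS hit on one of these indicators is often the first visible sign that a device on the network has been recruited.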