Moobot Milks Tenda Router Bugs for Propagation

An analysis of the campaign revealed Cyberium, an active Mirai-variant malware hosting site.

A variant of the Mirai botnet called Moobot saw a big spike in activity recently, with researchers picking up widespread scanning in their telemetry for a known vulnerability in Tenda routers. It turns out that it was being pushed out from a new cyber-underground malware domain, known as Cyberium, which has been anchoring a large amount of Mirai-variant activity.

According to AT&T Alien Labs, the scanning for vulnerable Tenda routers piqued researcher interest given that such activity is typically rare. The targeted bug is a remote code-execution (RCE) issue (CVE-2020-10987).

“This spike was observed throughout a significant number of clients, in the space of a few hours,” according to an AT&T analysis, released Monday. “This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November.”

Following the breadcrumbs of the activity, researchers tracked down the infrastructure behind the Tenda scans in late March – discovering that it was being used to scan for additional bugs, in the Axis SSI, Huawei home routers (CVE-2017-17215) and the Realtek SDK Miniigd (CVE-2014-8361). It was also deploying a DVR scanner that tried default credentials for the Sofia video application. These compromise efforts were tied to a variety of different Mirai-based botnet infections, including the Satori botnet.

Cyberium in Action

A commonality across all of the activity is that the malware deposited on compromised devices was pulled from the same malware hosting page: dns.cyberium[.]cc.

“When this domain was investigated, several campaigns were identified, going back at least one year to May 2020,” according to AT&T. “Most of the attacks lasted for approximately a week while they hosted several Mirai variants.”

Interestingly, each campaign had its own subdomain page below the top-level Cyberium page, and when it was completed, the subdomain became unresolvable. While active, the campaign would cycle between different Mirai variants: The same URL could be hosting Satori one day and Moobot the week after, according to AT&T.

“The actors appear to come back to the same domain with a new subdomain for each new campaign,” researchers explained. “Activity in between campaigns goes quiet to increase the trust of the original domain. Keeping a long-running existing domain while issuing a brand-new subdomain helps to divert attention to the new domain and thus distract from the original.”

After initial compromise of a targeted internet of things (IoT) device, the first request to Cyberium was for a bash script that acted like a downloader.

“The script attempts to download a list of filenames (associated with different CPU architectures), executes each one of them, achieves persistence through a crontab that redownloads the bash script itself and finally deletes itself,” according to the analysis.

This script is very similar to downloaders previously seen for Mirai variants, researchers noted.

Moobot Stampedes onto Malware Scene

Moobot was first spotted in April 2020, using a pair of zero-day exploits to compromise multiple types of fiber routers. Then last October, it was seen going after vulnerable Docker APIs. In all cases, the goal is to add devices as nodes in a botnet used to carry out distributed denial of service (DDoS) attacks, just like Mirai itself. It isn’t one of the more common variants, however.

One of the main distinctions of Moobot is a hardcoded string that’s used several times throughout the code, including generating the process name to be used during execution, according to AT&T.

“The number of samples Alien Labs has seen with that string has greatly increased in the last months, scattering from the original Moobot sample,” AT&T noted. “This could potentially mean that last year’s Moobots samples were used to create new branches of Mirai variants.”

In a new wrinkle, the observed Moobot samples were encrypted.

“However, it did maintain other previously seen characteristics, like a hardcoded list of IP addresses to avoid, such as: Private ranges, the Department of Defense, IANA IPs, GE, HP and others,” according to the analysis.

Cyberium: Unanswered Questions

AT&T found that Cyberium has been in action for the past year or so and that it appears to be active still. At the time of publication, some of the Cyberium subdomains were up, but not hosting any malware samples – potentially indicating that the pages are awaiting new requests for command-and-control server (C2) lists, according to AT&T.

The researchers said that the cybercriminals behind Cyberium remain somewhat mysterious.

“Several questions remain unanswered,” researchers concluded. “Why would the attackers deliver different Mirai variants with different C2s on the same campaign? Are they trying to avoid anti-virus detection through diversification of variants? Or, are they trying to improve the botnet resiliency by diversifying C2.”

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free

Suggested articles