Yet another variant of the Mirai botnet has appeared on the scene, but this one has a twist: The code is integrated with at least three exploits that target unpatched IoT devices, including closed-circuit cameras and Netgear routers. It also has ties to a web of other botnets, made for DDoS attacks, which can all be traced back to one threat actor.
The original Mirai used traditional brute-force attempts to gain access to connected things in order to enslave them, but the Wicked Botnet, named after the underground handle chosen by its author, prefers to go the exploit route to gain access.
Fortinet’s FortiGuard Labs team analyzed the botnet and found that the exploit it uses depends on which port it manages to connect to.
“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”
Specifically, port 8080 brings an exploit for a flaw in Netgear DGN1000 and DGN2200 v1 routers (also used by the Reaper botnet); a connection to port 81 makes use of a CCTV-DVR remote code execution flaw; port 8443 connections use a command injection exploit for the Netgear R7000 and R6400 routers (CVE-2016-6277); and port 80 corresponds with an invoker shell in compromised web servers. The latter does not directly exploit the device, but instead takes advantage of compromised web servers with malicious web shells already installed.
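As an added illustration, not code from the Fortinet analysis or this article, the port-to-exploit mapping above is turned into a small detector that flags a source sending raw SYNs to several hosts on the four ports Wicked scans. The log line format, the sample lines and the alert thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Port-to-exploit mapping as described in the FortiGuard Labs analysis.
WICKED_PORTS = {
    8080: "Netgear DGN1000/DGN2200 v1 exploit",
    81: "CCTV-DVR remote code execution",
    8443: "Netgear R7000/R6400 command injection (CVE-2016-6277)",
    80: "invoker web shell on a compromised web server",
}

# Constructed sample lines in an assumed key=value connection-log format.
SAMPLE_LOG = """\
2018-05-17T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=8080 flags=S
2018-05-17T10:00:01Z src=203.0.113.5 dst=192.0.2.11 dport=8443 flags=S
2018-05-17T10:00:02Z src=203.0.113.5 dst=192.0.2.12 dport=81 flags=S
2018-05-17T10:00:02Z src=203.0.113.5 dst=192.0.2.13 dport=80 flags=S
2018-05-17T10:00:03Z src=203.0.113.5 dst=192.0.2.14 dport=8080 flags=S
2018-05-17T10:00:04Z src=198.51.100.7 dst=192.0.2.10 dport=443 flags=S
2018-05-17T10:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=80 flags=S
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)")


def parse_line(line):
    """Return (src, dst, dport, flags) for a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def find_scanners(log_text, min_targets=3, min_ports=2):
    """Flag sources whose SYNs reach at least min_targets distinct hosts on at
    least min_ports of the Wicked ports, and list the exploit each port implies."""
    seen = defaultdict(lambda: {"targets": set(), "ports": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if flags != "S" or dport not in WICKED_PORTS:  # only bare SYNs to Wicked ports
            continue
        seen[src]["targets"].add(dst)
        seen[src]["ports"].add(dport)
    alerts = {}
    for src, s in seen.items():
        if len(s["targets"]) >= min_targets and len(s["ports"]) >= min_ports:
            ports = sorted(s["ports"])
            alerts[src] = {"targets": len(s["targets"]), "ports": ports,
                           "exploits": [WICKED_PORTS[p] for p in ports]}
    return alerts
```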
“Since a lot of IoT malware (e.g. Mirai) have already attacked devices via default passwords/brute-forcing, new attacks like Wicked bot are forced to take a different option like the use of exploits to become effective,” explained Joven, in an interview with Threatpost.
They also uncovered that Wicked is a botnet that’s used to download another botnet. Rather than just equipping Wicked itself with the ability to carry out whatever action the criminal behind the bot wants, the author wanted to separate the distribution and its payload.
“This has advantages in development as well to evade detection,” Joven told us. “The same goes with other malware (e.g. ransomware) which has a document or script to download the ransomware payload.”
A Wicked Web of Botnets
The analysts also found that the Wicked bot is connected to other, previous Mirai-based botnets; in fact, in terms of payloads, Wicked is built to download them. This led them to the author behind the Wicked bot.
They essentially followed a trail of breadcrumbs: For one, the Wicked bot’s code contains the string “SoraLOADER,” which seems to indicate that it’s a spreader for the Sora botnet, another Mirai variant.
However, the malicious website that houses the bad code contains the name “Owari,” which is the name of yet another Mirai variant.
On top of that, the payload that it delivers is not Owari at all, but rather the Omni bot, which, based on its code, can be used for DDoS attacks similar to Mirai.
“At the time of analysis, the Owari bot samples could no longer be found in the website directory,” the researchers explained. “[However], we double-checked the history of the malicious website and confirmed that it had previously delivered the Owari botnet.”
Thus, it would seem that Omni, Owari and Sora are all connected to the Wicked bot.
“Fuzzing the website’s /bins directory, we found other Omni samples in the directory, which were reported to be delivered using the GPON vulnerability (CVE-2018-10561),” the researchers said. “Payloads are regularly updated, as shown by its timestamp.”
Putting this connection together with an interview conducted last April by NewSky Security, in which an author using the pseudonym “Wicked” confirmed himself as the author of both Sora and Owari, the researchers were able to trace the new bot back to that author.
“Apparently, as seen in the /bins repository, Sora and Owari botnet samples have now both been abandoned and replaced with Omni,” Fortinet’s Joven and Yang said. “This also leads us to the conclusion that while the Wicked bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects.”
Sean Newman, director of product management at Corero Network Security, said via email that while the rash of Mirai variants is unsurprising given that the source code leaked two years ago, “the suggestion that hackers don’t get it right every time, with some variants apparently abandoned before they were actively used, is both interesting and concerning.”
He added, “The fact that hackers can even experiment with their innovation in the wild on live systems, without being detected, further highlights the scale of the challenge that the poor security posture of IoT devices presents.”