2025-01-16 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article describes what the Satori botnet's exploitation of the GPON vulnerability looks like, based on what we observed in our honeypots and in sample analysis.
GPON vulnerability-Satori botnet
In the 10 days since the GPON vulnerability (CVE-2018-10561) was disclosed, at least 5 botnet families have been actively exploiting it to grow their botnets, including mettle, muhstik, mirai, hajime and satori.
The botnets involved include:
Satori: satori is a notorious variant of the mirai botnet. This malicious code gang joined the scramble for GPON-vulnerable devices at 05:51:18 on May 10, 2018, quickly crowded out muhstik, and became one of the most frequent infections in our field of view. In addition, we tested and verified that Satori's implant module can be executed successfully on some versions of the device firmware, which clearly sets Satori apart from the other botnets attending the party.
Mettle: a malicious code group built on a C2 at an IP address in Vietnam (210.245.26.180) and the open-source mettle control module.
Hajime: this update of hajime also includes the GPON exploit.
Two Mirai variants: at least two malicious code groups are actively exploiting this vulnerability to spread mirai variants; the second of these has been called omni.
Omni: after newskysecurity.com's first public disclosure, we confirmed that the botnet it documents as omni is the second mirai variant mentioned above.
Imgay: this appears to be a botnet still under development, and its functionality is not yet complete.
This article focuses on this round of updates to the Satori botnet. We may later release a third article in this series describing the remaining botnets; it is expected to be the last in the series, provided no further botnets join the party.
Comparison of delivery strength of different botnets
We use honeypots to collect exploitation attempts against GPON-related vulnerabilities. The ten most frequent attack payloads we have seen are listed below; for the complete list, see the IoC section at the end of the article:
%        botnet_name   url
57.77%   satori        hxxp://185.62.190.191/r
32.66%   muhstik       hxxp://51.254.219.134/gpon.php
2.20%    muhstik       hxxp://162.243.211.204/gpon
1.99%    muhstik       hxxp://165.227.78.159/gponb6abe42c3a9aa04216077697eb1bcd44.php
0.96%    muhstik       hxxp://128.199.251.119/gpon.php
0.64%    imgay         hxxp://149.28.96.126/forky
0.60%    imgay         hxxp://149.28.96.126/80
0.57%    imgay         hxxp://149.28.96.126/
0.57%    imgay         hxxp://149.28.96.126/81
0.53%    muhstik       hxxp://165.227.78.159/gpon.php
Judging from the data collected here, Satori (cumulative 57.80%) and muhstik (cumulative 38.87%) are the main forces of current GPON vulnerability exploitation.
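How such a table is produced from honeypot data, as an added example that is not part of the original article or of 360Netlab's tooling. The log lines are constructed for the example (the `dl=` field format is an assumption); the host-to-family mapping is taken from the article's own IoC table. The script counts each download URL, attributes it to a family by host, and then sums the per-URL percentages into per-family cumulative figures, which is the calculation behind the "cumulative" numbers quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed honeypot hit lines (not real captures). Each records the
# download URL an exploit attempt against the GPON vulnerability tried to fetch.
HONEYPOT_HITS = """
2018-05-16T09:00:01 src=192.0.2.10 dl=hxxp://185.62.190.191/r
2018-05-16T09:00:03 src=192.0.2.11 dl=hxxp://185.62.190.191/r
2018-05-16T09:00:05 src=192.0.2.12 dl=hxxp://51.254.219.134/gpon.php
2018-05-16T09:00:09 src=192.0.2.13 dl=hxxp://185.62.190.191/s
2018-05-16T09:00:10 src=192.0.2.14 dl=hxxp://149.28.96.126/forky
2018-05-16T09:00:12 src=192.0.2.15 dl=hxxp://185.62.190.191/r
2018-05-16T09:00:15 src=192.0.2.16 dl=hxxp://162.243.211.204/gpon
2018-05-16T09:00:20 src=192.0.2.17 dl=hxxp://51.254.219.134/gpon.php
""".strip().splitlines()

# Host -> family attribution, taken from the article's IoC table.
FAMILY_BY_HOST = {
    "185.62.190.191": "satori",
    "51.254.219.134": "muhstik",
    "162.243.211.204": "muhstik",
    "165.227.78.159": "muhstik",
    "128.199.251.119": "muhstik",
    "149.28.96.126": "imgay",
}

DL_RE = re.compile(r"\bdl=(\S+)")


def extract_url(line):
    """Return the download URL recorded in one honeypot line, or None."""
    m = DL_RE.search(line)
    return m.group(1) if m else None


def refang(url):
    """Turn the defanged hxxp scheme back into http so urlparse sees a host."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def attribute(url):
    """Map a download URL to a botnet family; unknown hosts are 'untitled'."""
    host = urlparse(refang(url)).hostname
    return FAMILY_BY_HOST.get(host, "untitled")


def payload_frequency(lines):
    """Rows of (percent, family, url), most frequent URL first."""
    urls = [u for u in map(extract_url, lines) if u]
    total = len(urls)
    counts = Counter(urls)
    return [(round(100.0 * n / total, 2), attribute(url), url)
            for url, n in counts.most_common()]


def family_totals(rows):
    """Sum the per-URL percentages into a cumulative figure per family."""
    totals = Counter()
    for pct, family, _ in rows:
        totals[family] += pct
    return {family: round(pct, 2) for family, pct in totals.items()}


if __name__ == "__main__":
    rows = payload_frequency(HONEYPOT_HITS)
    for pct, family, url in rows:
        print(f"{pct:6.2f}%  {family:<10} {url}")
    print(family_totals(rows))
```

A real deployment would attribute by sample hash rather than by host alone, since the same host can serve several families over time; the host mapping is enough to reproduce the article's aggregation.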
Download links to malicious code involved in this round of Satori updates
In this round of updates, Satori uses the following set of URLs to spread malicious code:
hxxp://185.62.190.191/arm
hxxp://185.62.190.191/arm7
hxxp://185.62.190.191/m68k
hxxp://185.62.190.191/mips
hxxp://185.62.190.191/mipsel
hxxp://185.62.190.191/r
hxxp://185.62.190.191/sparc
Analysis of malicious code samples involved in the current round of Satori updates
We analyzed the sample http://185.62.190.191/arm (MD5: d546bc209d315ae81869315e8d536f36).
The code of this sample has changed a great deal from the original version of Satori; judged purely from the binary, it bears little resemblance to the original satori. However, considering its connections in key strings, domain name TXT records, email addresses and so on, we still classify it as a Satori variant.
There are four encrypted strings in the sample, and the corresponding decryption results are as follows:
c.sunnyjuly.gq
Viam0610TCiLpBvezPFGL2aG
{"id": 0, "jsonrpc": "2.0", "method": "miner_reboot"}
{"id": 0, "jsonrpc": "2.0", "method": "miner_file", "params": ["reboot.bat", "4574684463724d696e657236342e657865202d65706f6f6c206574682d7573322e6477617266706f6f6c2e636f6d3a38303038202d6577616c20307864303839376461393262643764373735346634656131386638313639646263303862656238646637202d6d6f64652031202d6d706f72742033333333202d6d707377206775764a746f43785539"]}
The first string is the C2 and the second is printed to the console. The third and fourth strings are only defined in the sample; we found no code that uses them. It is worth noting that these two strings resemble code used in Satori.robber, which serves as circumstantial evidence that the sample shares an origin with Satori.
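Recovering the indicators hidden in the fourth string, as an added example that is not part of the original article or of 360Netlab's tooling. The JSON-RPC string and its hex parameter are the ones quoted above; the helper names and the dictionary layout are my own. The script parses the `miner_file` call, hex-decodes the file body, splits the resulting command line into flag/value pairs, and returns the pool, port and wallet fields an analyst would want to pivot on.

```python
import json
import shlex

# The fourth string recovered from the sample, as quoted in the article. The
# hex parameter is split across lines here only for readability.
HEX_BODY = (
    "4574684463724d696e657236342e657865"
    "202d65706f6f6c20"
    "6574682d7573322e6477617266706f6f6c2e636f6d3a38303038"
    "202d6577616c20"
    "307864303839376461393262643764373735346634656131386638313639646263303862656238646637"
    "202d6d6f64652031"
    "202d6d706f72742033333333"
    "202d6d707377206775764a746f43785539"
)
MINER_FILE_RPC = (
    '{"id": 0, "jsonrpc": "2.0", "method": "miner_file", '
    '"params": ["reboot.bat", "' + HEX_BODY + '"]}'
)


def decode_miner_file(rpc_json):
    """Return (filename, decoded file body) from a miner_file JSON-RPC call."""
    msg = json.loads(rpc_json)
    if msg.get("method") != "miner_file":
        raise ValueError("not a miner_file call: %r" % msg.get("method"))
    filename, hex_body = msg["params"]
    body = bytes.fromhex(hex_body).decode("ascii")
    return filename, body


def parse_miner_args(cmdline):
    """Split 'exe -flag value ...' into (exe, {flag: value})."""
    argv = shlex.split(cmdline)
    opts = {}
    i = 1
    while i < len(argv):
        if argv[i].startswith("-") and i + 1 < len(argv):
            opts[argv[i].lstrip("-")] = argv[i + 1]
            i += 2
        else:
            i += 1
    return argv[0], opts


def extract_mining_iocs(rpc_json):
    """Pull the pool, wallet and management-port indicators out of the call."""
    filename, cmdline = decode_miner_file(rpc_json)
    exe, opts = parse_miner_args(cmdline)
    pool_host, _, pool_port = opts.get("epool", "").rpartition(":")
    return {
        "file": filename,
        "miner": exe,
        "pool_host": pool_host,
        "pool_port": pool_port,
        "wallet": opts.get("ewal"),
        "mgmt_port": opts.get("mport"),
    }


if __name__ == "__main__":
    for key, value in extract_mining_iocs(MINER_FILE_RPC).items():
        print(f"{key:>10}: {value}")
```

The wallet and pool host are the durable indicators here: the download host can change with every update, but the wallet has to stay fixed for the operator to be paid, which is what makes the pool's public API usable for tracking, as the article does below.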
The hex section of the fourth string decodes as follows and contains a mining pool address and a wallet address:
EthDcrMiner64.exe -epool eth-us2.dwarfpool.com:8008 -ewal 0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7 -mode 1 -mport 3333 -mpsw guvJtoCxU9
Address of the wallet involved in this Satori update
Information about this wallet address can be found as follows. If 0.05 ETH is produced every 24 hours, an estimated 0.3 ETH in total has been mined since May 10. At the current price of $700 per ETH, Satori has earned a total of about $200 in its six days of operation.
$ curl "http://dwarfpool.com/eth/api?wallet=0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7"
{
    "autopayout_from": "0.050",
    "earning_24_hours": "0.04629051",
    "error": false,
    "immature_earning": 0.0037158866909999997,
    "last_payment_amount": "0.05286277",              # last payout
    "last_payment_date": "Tue, 15 May 17:26:04 GMT",  # last payout date
    "last_share_date": "Wed, 16 May 2018 09:46:47 GMT",
    "payout_daily": false,
    "payout_request": false,
    "total_hashrate": 137.57,
    "total_hashrate_calculated": 781.0,
    "transferring_to_balance": 0,
    "wallet": "0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7",  # wallet address
    "wallet_balance": "0.02818296",                   # pending account balance
    "workers": {"": {"alive": true, "hashrate": 137.57, "hashrate_below_threshold": false, "hashrate_calculated": 781.0, "last_submit": "Wed, 16 May 2018 09:46:47 GMT", "second_since_submit": 335, "worker": ""}}
}
Domain name resolution involved in this Satori update and the author's message to the outside world
In addition, c.sunnyjuly.gq has no IP address (A record) in DNS. Instead it serves TXT records, which can be read as messages from its author to the outside world. The two messages are as follows:
2018-05-14 04:22:43 c.sunnyjuly.gq DNS_TXT Irdev here, i can be reached at village@riseup.net, goodbye
2018-05-10 00:55:06 c.sunnyjuly.gq DNS_TXT It is always the simple that produces the marvelous
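A small passive-DNS check for this pattern (a C2 name that only ever answers TXT, never A), as an added example that is not part of the original article or of 360Netlab's systems. The record tuples are constructed for the example: the two c.sunnyjuly.gq TXT values are the ones quoted above, the other names and the 192.0.2.x address are made up. The script lists names whose entire observed record history is TXT, prints their TXT history in order, and pulls any contact addresses out of those values.

```python
import re
from collections import defaultdict

# Constructed passive-DNS observations: (timestamp, name, rtype, rdata).
PDNS_RECORDS = [
    ("2018-05-10 00:55:06", "c.sunnyjuly.gq", "TXT",
     "It is always the simple that produces the marvelous"),
    ("2018-05-14 04:22:43", "c.sunnyjuly.gq", "TXT",
     "Irdev here, i can be reached at village@riseup.net, goodbye"),
    ("2018-05-12 10:00:00", "www.example.com", "A", "192.0.2.1"),
    ("2018-05-12 10:00:00", "www.example.com", "TXT", "v=spf1 -all"),
    ("2018-05-13 11:00:00", "mail.example.org", "MX", "10 mx.example.org."),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def txt_only_names(records):
    """Names for which every observed record type is TXT.

    A legitimate host normally has an A/AAAA record alongside its TXT (SPF,
    verification tokens); a name that only ever resolves to TXT is unusual
    and, as in the article, can be a side channel rather than a service.
    """
    rtypes = defaultdict(set)
    for _, name, rtype, _ in records:
        rtypes[name].add(rtype)
    return sorted(name for name, seen in rtypes.items() if seen == {"TXT"})


def txt_history(records, name):
    """Chronological (timestamp, value) list of TXT answers for one name."""
    return sorted((ts, value) for ts, n, rtype, value in records
                  if n == name and rtype == "TXT")


def contact_addresses(records):
    """E-mail addresses embedded in the TXT values of TXT-only names."""
    found = {}
    for name in txt_only_names(records):
        addrs = []
        for _, value in txt_history(records, name):
            addrs.extend(EMAIL_RE.findall(value))
        if addrs:
            found[name] = addrs
    return found


if __name__ == "__main__":
    for name in txt_only_names(PDNS_RECORDS):
        print(name)
        for ts, value in txt_history(PDNS_RECORDS, name):
            print(f"  {ts}  {value}")
    print(contact_addresses(PDNS_RECORDS))
```

Run over a real passive-DNS feed this will also flag DKIM and domain-verification names that legitimately carry only TXT, so the list is a triage queue, not a verdict; the value here is surfacing the message history so the analyst can read it.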
By contrast, in Satori.robber the author of Satori conveyed the following message to the outside world inside the binary itself. The two messages are written in a similar style, and the e-mail addresses left behind are both mailboxes provided by riseup.net.
Satori dev here, dont be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at curtain@riseup.net
The current Satori update caused a recent scan on port 3333
The current version of Satori also scans port 3333, which directly caused a large fluctuation on ScanMon. The scan came from about 17k distinct IP addresses, mostly from Uninet S.A. De C.V. (telmex.com), located in Mexico.
[Figure: ScanMon view of the port 3333 scan; image not available in this copy]
Contact us
Interested readers can contact us on Twitter or via the 360Netlab official WeChat account.
IoC
List of IPs once under muhstik's control that have since been taken down by the security community:
139.99.101.96 AS16276 OVH SAS
142.44.163.168 AS16276 OVH SAS
142.44.240.14 AS16276 OVH SAS
144.217.84.99 AS16276 OVH SAS
145.239.84.0 AS16276 OVH SAS
145.239.93.125 AS16276 OVH SAS
147.135.210.184:9090 AS16276 OVH SAS
192.99.71.250:9090 AS16276 OVH SAS
51.254.221.129 AS16276 OVH SAS
66.70.190.236:9090 AS16276 OVH SAS
# not currently valid
51.254.219.137 AS16276 OVH SAS
51.254.219.134 AS16276 OVH SAS
191.238.234.227 AS8075 Microsoft Corporation
Download links we have recently observed being used to distribute malware via the GPON vulnerability:
%        botnet_name   url                                                               country & region               ASN
57.77%   satori        hxxp://185.62.190.191/r                                           Netherlands/NL                 AS49349 Dotsi, Unipessoal Lda.
32.66%   muhstik       hxxp://51.254.219.134/gpon.php                                    France/FR                      AS16276 OVH SAS
2.20%    muhstik       hxxp://162.243.211.204/gpon                                       United States/US New York      AS62567 DigitalOcean, LLC
1.99%    muhstik       hxxp://165.227.78.159/gponb6abe42c3a9aa04216077697eb1bcd44.php    United States/US Clifton       AS14061 DigitalOcean, LLC
0.96%    muhstik       hxxp://128.199.251.119/gpon.php                                   Singapore/SG Singapore         AS14061 DigitalOcean LLC
0.64%    imgay         hxxp://149.28.96.126/forky                                        United States/US College Park  None
0.60%    imgay         hxxp://149.28.96.126/80                                           United States/US College Park  None
0.57%    imgay         hxxp://149.28.96.126/                                             United States/US College Park  None
0.57%    imgay         hxxp://149.28.96.126/81                                           United States/US College Park  None
0.53%    muhstik       hxxp://165.227.78.159/gpon.php                                    United States/US Clifton       AS14061 DigitalOcean LLC
0.32%    muhstik       hxxp://162.243.211.204/gponexec                                   United States/US New York      AS62567 DigitalOcean LLC
0.28%    imgay         hxxp://149.28.96.126/8080                                         United States/US College Park  None
0.25%    untitled-1    hxxp://186.219.47.178:8080                                        Brazil/BR                      AS262589 INTERNEXA Brasil Operadora de Telecomunicações S.A
0.11%    imgay         hxxp://149.28.96.126/imgay                                        United States/US College Park  None
0.11%    muhstik       hxxp://162.243.211.204/aio                                        United States/US New York      AS62567 DigitalOcean LLC
0.11%    muhstik       hxxp://46.243.189.102/                                            Netherlands/NL                 AS205406 Hostio Solutions B.V.
0.07%    untitled-2    hxxp://114.67.227.83/busybox                                      China/CN Beijing               AS4808 China Unicom Beijing Province Network
0.07%    omni          hxxp://185.246.152.173/omni                                       Netherlands/NL                 AS56630 Melbikomas UAB
0.07%    untitled-2    nc://114.67.227.83:7856                                           China/CN Beijing               AS4808 China Unicom Beijing Province Network
0.04%    satori        hxxp://185.62.190.191/s                                           Netherlands/NL                 AS49349 Dotsi Unipessoal Lda.
0.04%    untitled-2    hxxp://114.67.227.83                                              China/CN Beijing               AS4808 China Unicom Beijing Province Network
0.04%    untitled-3    hxxp://209.141.42.3/gponx                                         United States/US Las Vegas     AS53667 FranTech Solutions
0.04%    untitled-2    hxxp://114.67.227.83/                                             China/CN Beijing               AS4808 China Unicom Beijing Province Network
© 2024 shulou.com SLNews company. All rights reserved.