A new botnet is recruiting Internet of Things (IoT) devices by exploiting two vulnerabilities already popular among IoT botnets, Radware has discovered.
Dubbed JenX, the threat is abusing the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP Command Execution) and CVE-2017-17215 (Huawei Router HG532 – Arbitrary Command Execution) vulnerabilities. Both of these security issues were previously abused by the Mirai variant Satori.
The new threat also uses techniques associated with the recently detailed PureMasuta variant of Mirai, which recently had its source code published on an invite-only dark forum.
The botnet’s command and control (C&C) server also provides gaming mod servers and distributed denial of service (DDoS) services, Radware’s researchers discovered.
The DDoS feature includes attack vectors such as Valve Source Engine Query and 32bytes floods, TS3 scripts, and a Down OVH option (likely a reference to the Mirai attack on the cloud hosting provider OVH in September 2016). The miscreants guarantee attack volumes of 290-300Gbps, supposedly leveraging the power of the new botnet.
JenX uses servers to perform the scanning and exploit operations, unlike previously observed IoT botnets such as Mirai, Hajime, Persirai, Reaper, Satori, and Masuta, which leverage infected systems for scanning and exploiting (which also fuels an exponential growth of the botnet).
Because it does not include scanning and exploit payloads, JenX’s code is unsophisticated and lighter on the delivery, Radware says. With centralized scan and exploit functionality, the operators also have increased flexibility to expand and improve the functionality without impacting the size of the bot.
Because there are fewer nodes scanning and exploiting, the botnet is less noisy and can better avoid being detected by honeypots. This also makes it more difficult to estimate the botnet’s size, without accessing the C&C server, the security researchers say. On top of that, the botnet only impacts the victim’s network connection when instructed to perform an attack.
“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” Radware notes.
The malware is protected with anti-debugging detection and its binary forks three processes obfuscated in the process table much like Mirai. All processes listen to a port bound to localhost while one opens a TCP socket to the C&C at 126.96.36.199 on port 127. The bot uses XOR obfuscation with the exact same key used in PureMasuta.
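The XOR obfuscation mentioned above is the string-table scheme used across the Mirai family: configuration strings (C&C hostname, paths, banners) are stored XORed and decoded only while in use. The following is an added analyst-side example, not code from the article, from Radware, or from the JenX/PureMasuta authors. It reproduces the publicly known Mirai table.c approach, in which every byte is XORed in turn with the four key bytes, and shows why that collapses to a single-byte key that can be recovered from one known string. The key value is a placeholder taken from the public Mirai source; the article says JenX reuses PureMasuta’s key but does not print it, so the real JenX key is not assumed here. The sample table is constructed.

```python
from typing import List, Optional

# Placeholder key. The public Mirai source uses 0xDEADBEEF; the article
# says JenX reuses PureMasuta's key but does not print it, so treat this
# as an assumption, not the real JenX value.
ASSUMED_KEY = 0xDEADBEEF


def folded_key(key: int = ASSUMED_KEY) -> int:
    """XORing a byte with k1, k2, k3, k4 in turn equals XORing it once with
    k1 ^ k2 ^ k3 ^ k4, so the four-byte key is effectively one byte."""
    k = key.to_bytes(4, "little")
    return k[0] ^ k[1] ^ k[2] ^ k[3]


def xor_table(data: bytes, key: int = ASSUMED_KEY) -> bytes:
    """Encode or decode one table entry (XOR is its own inverse)."""
    f = folded_key(key)
    return bytes(b ^ f for b in data)


def recover_folded_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[int]:
    """Given one entry whose plaintext is known (for example a hostname seen
    in the bot's network traffic), recover the folded key byte. Returns None
    if the pair is not consistent with a single-byte XOR."""
    if not ciphertext or len(ciphertext) != len(known_plaintext):
        return None
    candidates = {c ^ p for c, p in zip(ciphertext, known_plaintext)}
    return candidates.pop() if len(candidates) == 1 else None


def decode_table(entries: List[bytes], key_byte: int) -> List[str]:
    """Decode every entry with a recovered key byte and keep only those that
    come out as printable ASCII; this is how an analyst separates real
    strings from binary blobs when dumping a Mirai-style table."""
    out = []
    for enc in entries:
        dec = bytes(b ^ key_byte for b in enc)
        if dec and all(32 <= b < 127 for b in dec):
            out.append(dec.decode("ascii"))
    return out


# Constructed sample table: the C&C hostname named in the article plus a
# benign path, both encoded with the placeholder key, and one binary blob.
SAMPLE_TABLE = [
    xor_table(b"skids.sancalvicie.com"),
    xor_table(b"/proc/net/tcp"),
    bytes([0x00, 0xFF, 0x10]),  # not a string; should be filtered out
]

if __name__ == "__main__":
    k = recover_folded_key(SAMPLE_TABLE[0], b"skids.sancalvicie.com")
    print("recovered key byte:", hex(k))
    print(decode_table(SAMPLE_TABLE, k))
```

The practical point for a responder is that a sample’s whole string table falls out once a single entry (such as the C&C hostname, which shows up in DNS traffic anyway) is matched against its encoded form; the four-pass XOR adds no strength over a one-byte XOR.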
When executed, the malware connects to the C&C server located by the hostname ‘skids.sancalvicie.com’ using the TCP session (the domain is registered to Calvos S.L.). The server supposedly provides a command line interface.
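Because an infected device opens a single long-lived TCP session to the C&C and otherwise stays quiet until it is tasked, the most reliable network-side signals are the DNS lookup of the C&C hostname and the outbound connection to the C&C address and port. The following is an added detection example, not code from the article or from Radware, that runs such a check over a few constructed log lines. The log formats (a `dns` resolver record and a `fw` connection record in key=value form) are assumptions made for the example; the hostname, IP address and port are the indicators quoted in the article, and in practice they would come from a threat-intel feed rather than be hard-coded.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators quoted in the article.
C2_HOST = "skids.sancalvicie.com"
C2_IP = "126.96.36.199"
C2_PORT = 127

# Constructed sample log lines (not real traffic). The field layout is an
# assumption for this example, not any vendor's actual format.
SAMPLE_LOGS = [
    "2018-02-01T10:00:01Z dns client=192.0.2.10 query=skids.sancalvicie.com type=A",
    "2018-02-01T10:00:02Z fw src=192.0.2.10 dst=126.96.36.199 dport=127 proto=tcp action=allow",
    "2018-02-01T10:00:03Z fw src=192.0.2.11 dst=198.51.100.7 dport=443 proto=tcp action=allow",
    "2018-02-01T10:00:04Z fw src=192.0.2.12 dst=126.96.36.199 dport=80 proto=tcp action=allow",
]

DNS_RE = re.compile(r"^(\S+) dns client=(\S+) query=(\S+)")
FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    source: str   # internal host that produced the indicator
    reason: str


def match_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line touches a JenX indicator, else None."""
    m = DNS_RE.match(line)
    if m:
        ts, client, qname = m.groups()
        if qname.lower().rstrip(".") == C2_HOST:
            return Hit(ts, client, f"dns lookup of {C2_HOST}")
        return None
    m = FW_RE.match(line)
    if m:
        ts, src, dst, dport, proto = m.groups()
        if dst == C2_IP and int(dport) == C2_PORT and proto == "tcp":
            return Hit(ts, src, f"tcp session to {C2_IP}:{C2_PORT}")
        if dst == C2_IP:
            # Same address on another port is still worth a look: the C&C
            # host also serves the group's game and DDoS-for-hire front end.
            return Hit(ts, src, f"contact with {C2_IP} on port {dport}")
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (match_line(l) for l in lines) if h is not None]


def suspect_hosts(lines: Iterable[str]) -> List[str]:
    """Internal hosts to triage, deduplicated across DNS and firewall hits."""
    return sorted({h.source for h in scan(lines)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
    print("triage:", suspect_hosts(SAMPLE_LOGS))
```

Keying the firewall rule on the address and port together keeps the alert specific to the bot’s control channel, while the address-only fallback catches the case Radware describes where the same server fronts the gaming and DDoS-service site; the DNS rule catches a device whose outbound connection was blocked before any flow record existed.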
The code has indicators of a Valve Source Engine Query attack payload, likely because of the GTA San Andreas multiplayer servers on the domain. The attack vector was included in the original Mirai code that went public in October 2016, and Radware believes the botnet is being built by the San Calvicie hacker group and served through their Clearnet website.
“Unless you frequently play GTA San Andreas, you will probably not be directly impacted. The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet! But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month,” Radware’s Pascal Geenens notes.
Two providers informed of the issue have already taken down the exploit servers hosted in their datacenters, but some servers remain active and the botnet is still operational, Geenens says. However, should the attackers decide to move their exploit servers to the darknet, the botnet’s takedown would be much more difficult, as was the case with BrickerBot.
“JenX, in particular, can be easily concealed and hardened against takedowns. As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones. These providers do not care about abuse,” Geenens says.