Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323

[Updates on 2017-11-28]

  • Both C2s have been sink-holed now by security community.
  • admin/CentryL1nk is a typo for admin/CenturyL1nk.

About 60 hours ago, since 2017-11-22 11:00, we noticed big upticks on port 2323 and 23 scan traffic, with almost 100k unique scanner IP came from Argentina. After investigation, we are quite confident to tell this is a new mirai variant.

Root Cause Analysis

In our honeypot traffic, two new credentials admin/CentryL1nk and admin/QwestM0dem are now actively being used. Note the credential admin/CentryL1nk was first appeared in an exploit about ZyXEL PK5001Z modem in exploit-db less than a month ago.

The abuse of these two credentials began at around 2017-11-22 11:00, and reached its peak during 2017-11-23 daytime. This is a good time span match with this 2323/23 port scanning on Scanmon.

Quite a lot of IP abusing these two credential also appear in ScanMon radar.

  • admin/CentryL1nk : 748 (66.5%) out of 1125
  • admin/QwestM0dem : 1175 (69.4%) out of 1694

The IP overlap together with the time span match, make us believe this is the root cause.

Figure-1 two new credentials being actively abused

Figure-2 scanning uptick on port 2323

Malware Sample and C2

The corresponding malware samples are:

  • 0ee0fc76a8d8ad37374f4ac3553d8937
  • 018a9569f559bfafbc433dc81caf3ec0
  • be6165a3e131cc92d3f7d51284cf70bb

The C2 represents in the samples is:

  • bigboatreps.pw:23
  • blacklister.nl:23

Most Infection in Argentina till Now

We noticed that most of the scanner IP came from Argentina: about 65.7k unique scanners from Argentina in less than a single day, almost 100k in last 60 hours.

Figure-3 most of the scanner IP came from Argentina

This make us wondering it is an attack focus on several specific types of IoT device, and these devices are widely deployed in Argentina, just as what happened in last year Telekom event.

IoC

C2

bigboatreps.pw:23
blacklister.nl:23

Sample md5 and download URL list

http://80.211.173.20:80/amnyu.arm 0255c6d7b88947c7bc82c9b06169e69d
http://80.211.173.20:80/amnyu.arm 3e72bbab07516010ab537d7236c48a2c
http://80.211.173.20:80/amnyu.arm 6c5cadcc9dbcac55b42d1347f4b51df1
http://80.211.173.20:80/amnyu.arm7 2e5ec99ef2cf8878dc588edd8031b249
http://80.211.173.20:80/amnyu.arm7 359527251c09f4ec8b0ad65ab202f1bb
http://80.211.173.20:80/amnyu.arm7 4c21d1f6acfb0155eb877418bb15001d
http://80.211.173.20:80/amnyu.arm7 5cd69f7c5cd6aef4f4b8e08181028314
http://80.211.173.20:80/amnyu.arm7 794f01740878252e8df257b0511c65df
http://80.211.173.20:80/amnyu.arm7 b0791270cc6b180ff798440f416f6271
http://80.211.173.20:80/amnyu.arm7 eee4ff0e2c9482acea3251c9c2ce6daf
http://80.211.173.20:80/amnyu.arm a6f11eba76debd49ee248b6539c4d83c
http://80.211.173.20:80/amnyu.arm ccc8761335b2d829dff739aece435eac
http://80.211.173.20:80/amnyu.arm dd10fb3ed22a05e27bca3008c0558001
http://80.211.173.20:80/amnyu.arm e090660bbc7c673bf81680648718e39e
http://80.211.173.20:80/amnyu.m68k 1782f07f02d746c13ede8388329921e4
http://80.211.173.20:80/amnyu.m68k 4ccd3036cadcbe2a0c4b28ce4ad77b7b
http://80.211.173.20:80/amnyu.m68k 84d737bc5a1821c2f21489695c2c3a71
http://80.211.173.20:80/amnyu.m68k 8f347206f06b05ea8d2e8ea03f4f92d4
http://80.211.173.20:80/amnyu.m68k 94353157ddcd3cb40a75a5ecc1044115
http://80.211.173.20:80/amnyu.m68k b1c66e2a2ed68087df706262b12ca059
http://80.211.173.20:80/amnyu.m68k b8aedf6ee75e4d6b6beeafc51b809732
http://80.211.173.20:80/amnyu.mips 0ee0fc76a8d8ad37374f4ac3553d8937
http://80.211.173.20:80/amnyu.mips 2aa0c53d7d405fa6ffb7ccb895fb895f
http://80.211.173.20:80/amnyu.mips 56b74e34ddf0111700a89592b5a8b010
http://80.211.173.20:80/amnyu.mips 62fa57f007a32f857a7e1d9fb5e064eb
http://80.211.173.20:80/amnyu.mips 633df071ac6f1d55193fc4c5c8747f2a
http://80.211.173.20:80/amnyu.mips 6eed6b55c5cd893aa584894a07eec32f
http://80.211.173.20:80/amnyu.mips 97c314a2a100ea4987e73e008225d3be
http://80.211.173.20:80/amnyu.mpsl 09d98cbaa9794184841450221d410f15
http://80.211.173.20:80/amnyu.mpsl 21f1ab847a9b27f8aaabcafd9cf59756
http://80.211.173.20:80/amnyu.mpsl 33e1e2803bb70cd0d66911175782c6a1
http://80.211.173.20:80/amnyu.mpsl 4e63eccca00b01b66162fa5258d03956
http://80.211.173.20:80/amnyu.mpsl 7d2c1f3d81a2df7beea99552d0704c2d
http://80.211.173.20:80/amnyu.mpsl 7e0f883f239c922a151aab2500400880
http://80.211.173.20:80/amnyu.mpsl e46cbc10309e970ec267afee496832c9
http://80.211.173.20:80/amnyu.ppc 3dadafe1cc9639a7d374682dafab954c
http://80.211.173.20:80/amnyu.ppc 49e4b3e5d7302c2faf08c1ed585a89ca
http://80.211.173.20:80/amnyu.ppc 80bcea07b752ae4306da5f24f6693bea
http://80.211.173.20:80/amnyu.ppc 9e4caeada13676ddc5b7be44e03fe396
http://80.211.173.20:80/amnyu.ppc a40852f9895d956fe198cb2f2f702ebf
http://80.211.173.20:80/amnyu.ppc a8bde89d2fe98268801b58f42214cdca
http://80.211.173.20:80/amnyu.ppc e968bf902db104c91d3aaa0bb363f1bd
http://80.211.173.20:80/amnyu.sh4 141930ed206ef5f076b2a233b390ea65
http://80.211.173.20:80/amnyu.sh4 1bdaf4cd21fb9cb42d971a25fb183d04
http://80.211.173.20:80/amnyu.sh4 25d3ddb85bf392c273dd93922199628c
http://80.211.173.20:80/amnyu.sh4 39eddba755333e22841b2627a2a19e59
http://80.211.173.20:80/amnyu.sh4 485f2b2a684865ead274bba6931c95c9
http://80.211.173.20:80/amnyu.sh4 56afda94860e8d1ca8a7b9960769020d
http://80.211.173.20:80/amnyu.sh4 9dc0c166e30922d1ea8da06ba46996dc
http://80.211.173.20:80/amnyu.spc 3f0322c0b7379e492a17d3cb4fa2c82e
http://80.211.173.20:80/amnyu.spc 53c60f58ce576071c71ede7df656e823
http://80.211.173.20:80/amnyu.spc 5db44876c3acc0b589c8d696c41b6413
http://80.211.173.20:80/amnyu.spc 651b186b04583f0067d4cc2d95565a95
http://80.211.173.20:80/amnyu.spc a18b4a6250f51c1f350b37e1187292fb
http://80.211.173.20:80/amnyu.spc c5e1a57671dab607b8fa7363ab6582ab
http://80.211.173.20:80/amnyu.spc e6cd9197d443fb9fa79ab103232e2b67
http://80.211.173.20:80/amnyu.x86 018a9569f559bfafbc433dc81caf3ec0
http://80.211.173.20:80/amnyu.x86 1663952daca0c49326fb8fa5585d8eec
http://80.211.173.20:80/amnyu.x86 243d2c8ba1c30fa81043a82eaa7756e7
http://80.211.173.20:80/amnyu.x86 4b375509896e111ef4c3eb003d38077f
http://80.211.173.20:80/amnyu.x86 6371b6b1d030ac7d2cb1b0011230f97f
http://80.211.173.20:80/amnyu.x86 64bda230a3b31a115a29e0afd8df5d8a
http://80.211.173.20:80/amnyu.x86 ed825b8aadee560e5c70ffaa5b441438
http://80.211.173.20/amnyu.arm7 b0791270cc6b180ff798440f416f6271
http://80.211.173.20/amnyu.arm e090660bbc7c673bf81680648718e39e
http://80.211.173.20/amnyu.m68k 4ccd3036cadcbe2a0c4b28ce4ad77b7b
http://80.211.173.20/amnyu.mips 97c314a2a100ea4987e73e008225d3be
http://80.211.173.20/amnyu.mpsl 7d2c1f3d81a2df7beea99552d0704c2d
http://80.211.173.20/amnyu.ppc e968bf902db104c91d3aaa0bb363f1bd
http://80.211.173.20/amnyu.sh4 485f2b2a684865ead274bba6931c95c9
http://80.211.173.20/amnyu.spc 5db44876c3acc0b589c8d696c41b6413
http://80.211.173.20/amnyu.x86 4b375509896e111ef4c3eb003d38077f
http://blacklister.nl/bins/mirai.arm be6165a3e131cc92d3f7d51284cf70bb
http://blacklister.nl/bins/mirai.arm5n c639bc6b50ab0be250147572956a9d6b
http://blacklister.nl/bins/mirai.arm6 8f9c5099e3749d0199262289c9deaa3d
http://blacklister.nl/bins/mirai.arm7 e508956188f2cb71605ae0e8fbdf4a64
http://blacklister.nl/bins/mirai.i486 25846ce769f0bd5b204f440127d51f21
http://blacklister.nl/bins/mirai.i686 d3c82dd5d512304efc6a42018f0bf2a7
http://blacklister.nl/bins/mirai.m68k 3ef657efcfe16ad869a587d30480306f
http://blacklister.nl/bins/mirai.mips b4af22c2b3b1af68f323528ee0bc6637
http://blacklister.nl/bins/mirai.mips64 1e1d6b41a13c97ad3754815021dd0891
http://blacklister.nl/bins/mirai.mpsl 6adb31781db797712d759f564b9761b6
http://blacklister.nl/bins/mirai.ppc 7936cc1d021664892c48408ec1c9143c
http://blacklister.nl/bins/mirai.ppc440fp fd6235e4e1cf4a0f6c2d609a7b1ffc55
http://blacklister.nl/bins/mirai.sh4 5c8ef7f23f26e0e48ab527ef83874213
http://blacklister.nl/bins/mirai.spc 7ce73df7fb50beda2f549f9695a23538
http://blacklister.nl/bins/mirai.x86 539e9bf8c81bd3e9ae520fd74218a6b8
http://blacklister.nl/bins/mirai.x86_64 d69e501480f03f06e4579fa13e47d04a