GPON Exploit in the Wild (II) - Satori Botnet

This article was co-authored by Rootkiter, Yegenshen, and Hui Wang.

In our previous article, we mentioned that since the GPON vulnerabilities (CVE-2018-10561, CVE-2018-10562) were announced, at least five botnet families (mettle, muhstik, mirai, hajime, satori) have been actively exploiting them to build their zombie armies, all within just 10 days.

We mainly focused on the muhstik botnet in the previous blog. Before and after the publication of that article, through joint efforts with the security community, we managed to take down 12 IP addresses of the muhstik botnet on the OVH network and 1 IP address on the Microsoft network. For a detailed list of IP addresses, see the Annex IoC section.

One noteworthy point is the effectiveness of these botnets' exploits. By our estimate, only 2% of all GPON home routers are affected, most of them located in Mexico. This is a consequence of the way the botnets use the published PoC.

Now let's take a look at these botnets:

  • Satori: Satori is the infamous variant of the mirai botnet.
    • We first observed this botnet going after vulnerable GPON devices at 2018-05-10 05:51:18, several hours before our last publication.
    • It has quickly overtaken muhstik as the No.1 player.
  • Mettle: a malicious campaign operated from IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) using the open-source mettle control module.
  • Hajime: Hajime pushed an update that adds the GPON exploit.
  • Two Mirai variants: at least two malicious branches are actively exploiting this vulnerability to propagate mirai variants. One of them has been named omni by the newskysecurity team.
  • imgay: this appears to be a botnet still under development; its functionality is not finished yet.

This article will mainly introduce the current update of the Satori botnet. In the follow-up we may publish a third article and go over the remaining ones. 

Comparison of Delivery Frequency of Different Botnets

Honeypot data provides a basic comparison between the different botnets that try to hit the GPON-related vulnerabilities. The following is a top-10 list of the attack payload URLs requested by the bots. For the complete list, see the IoC section at the end of the article:

Share     Botnet   URL
57.77%    satori  hxxp://185.62.190.191/r  
32.66%    muhstik hxxp://51.254.219.134/gpon.php  
2.20%    muhstik hxxp://162.243.211.204/gpon  
1.99%    muhstik hxxp://165.227.78.159/gponb6abe42c3a9aa04216077697eb1bcd44.php  
0.96%    muhstik hxxp://128.199.251.119/gpon.php  
0.64%    imgay   hxxp://149.28.96.126/forky  
0.60%    imgay   hxxp://149.28.96.126/80  
0.57%    imgay   hxxp://149.28.96.126/  
0.57%    imgay   hxxp://149.28.96.126/81  
0.53%    muhstik hxxp://165.227.78.159/gpon.php  

You can see that Satori (accounting for 57.80% of all attempts we saw) and muhstik (38.87%) are the main forces behind the current GPON exploit bots.

Satori Malware Download URL

The new Satori uses the following set of URLs to propagate malicious code:

hxxp://185.62.190.191/arm  
hxxp://185.62.190.191/arm7  
hxxp://185.62.190.191/m68k  
hxxp://185.62.190.191/mips  
hxxp://185.62.190.191/mipsel  
hxxp://185.62.190.191/r  
hxxp://185.62.190.191/sparc  

Satori Malicious Code Samples Analysis

Take this sample as an example:

hxxp://185.62.190.191/arm md5hash:d546bc209d315ae81869315e8d536f36  

The code of this sample has changed a lot from the original version of Satori. Judging from the binary alone, its relationship to the original Satori is not very strong. However, considering key factors such as certain strings, the contents of the domain's TXT record, and email addresses, we still attribute it to a Satori variant.

There are four encrypted strings in this sample, and the corresponding decryption results are as follows:

  1. c.sunnyjuly.gq
  2. Viam0610TCiLpBvezPFGL2aG
  3. {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
  4. {"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","4574684463724d696e657236342e657865202d65706f6f6c206574682d7573322e6477617266706f6f6c2e636f6d3a38303038202d6577616c20307864303839376461393262643764373735346634656131386638313639646263303862656238646637202d6d6f64652031202d6d706f72742033333333202d6d707377206775764a746f43785539"]}

The first string is the C2.
The second string is printed on the device console.
The third and fourth strings are defined but never used.

It is worth mentioning that the third and fourth strings are similar to code found in Satori.robber, which serves as circumstantial evidence that this sample shares a common origin with Satori.

The hex part of the fourth string decodes as follows. Although unused, it looks like a miner command line containing a mining pool address and a wallet address:

EthDcrMiner64.exe -epool eth-us2.dwarfpool.com:8008 -ewal 0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7 -mode 1 -mport 3333 -mpsw guvJtoCxU9  
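The decoding step above, as an added example that is not part of the original analysis: it parses the two JSON-RPC strings embedded in the sample (EthDcrMiner64.exe is Claymore's miner, whose remote-management API uses methods such as miner_reboot and miner_file), hex-decodes the miner_file payload and pulls out the pool, wallet, management port and password so they can be matched against other IoCs. The function names are ours; the strings are copied from the sample as listed above.

```python
import json
import shlex

# Fourth decrypted string from the sample, split only for readability.
MINER_FILE_HEX = (
    "4574684463724d696e657236342e657865202d65706f6f6c206574682d7573322e"
    "6477617266706f6f6c2e636f6d3a38303038202d6577616c20"
    "307864303839376461393262643764373735346634656131386638313639646263"
    "303862656238646637202d6d6f64652031202d6d706f72742033333333202d6d70"
    "7377206775764a746f43785539"
)
MINER_FILE_RPC = ('{"id":0,"jsonrpc":"2.0","method":"miner_file",'
                  '"params":["reboot.bat","' + MINER_FILE_HEX + '"]}')
# Third decrypted string from the sample: a call with no payload.
MINER_REBOOT_RPC = '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}'


def decode_rpc(rpc_text):
    """Parse one embedded JSON-RPC string; decode the hex body of miner_file."""
    msg = json.loads(rpc_text)
    out = {"method": msg.get("method"), "filename": None,
           "binary": None, "command": None, "opts": {}}
    if msg.get("method") != "miner_file":
        return out  # miner_reboot and friends carry no file payload
    filename, hex_body = msg["params"]
    # bytes.fromhex raises ValueError on odd length or non-hex characters
    command = bytes.fromhex(hex_body).decode("ascii")
    argv = shlex.split(command)
    opts, i = {}, 1
    while i < len(argv):  # collect "-flag value" pairs after the binary name
        if argv[i].startswith("-") and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    out.update(filename=filename, binary=argv[0], command=command, opts=opts)
    return out


def extract_iocs(rpc_text):
    """Reduce a decoded miner_file call to the indicators an analyst tracks."""
    opts = decode_rpc(rpc_text)["opts"]
    return {"pool": opts.get("-epool"), "wallet": opts.get("-ewal"),
            "mgmt_port": opts.get("-mport"), "mgmt_password": opts.get("-mpsw")}


if __name__ == "__main__":
    print(decode_rpc(MINER_FILE_RPC)["command"])
    print(extract_iocs(MINER_FILE_RPC))
```

The wallet recovered here is the same one queried on dwarfpool.com below, and the management port 3333 matches the port-3333 scanning discussed later in the article.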

The Wallet Address of Satori

The wallet address information is as follows. At the current estimate of $700 per ETH token, Satori has received a total of approximately $200 over its current 6-day operation:

$ curl "http://dwarfpool.com/eth/api?wallet=0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7"
{
  "autopayout_from": "0.050",
  "earning_24_hours": "0.04629051",
  "error": false,
  "immature_earning": 0.0037158866909999997,
  "last_payment_amount": "0.05286277",                    #last pay amount
  "last_payment_date": "Tue, 15 May 2018 17:26:04 GMT",   #last pay day
  "last_share_date": "Wed, 16 May 2018 09:46:47 GMT",
  "payout_daily": false,
  "payout_request": false,
  "total_hashrate": 137.57,
  "total_hashrate_calculated": 781.0,
  "transferring_to_balance": 0,
  "wallet": "0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7", #wallet address
  "wallet_balance": "0.02818296",                         #balance due to pay
  "workers": {
    "": {
      "alive": true,
      "hashrate": 137.57,
      "hashrate_below_threshold": false,
      "hashrate_calculated": 781.0,
      "last_submit": "Wed, 16 May 2018 09:46:47 GMT",
      "second_since_submit": 335,
      "worker": ""
    }
  }
}

The C2 Domain Name and the Messages in Its TXT Record

The C2 name in the sample, c.sunnyjuly.gq, does not resolve to an IP address yet. It does, however, provide a TXT record, which appears to carry messages from the author to the outside world. The author has changed the TXT contents twice so far; note that it uses a @riseup.net email address:

2018-05-14 04:22:43    c.sunnyjuly.gq  DNS_TXT Irdev here, i can be reached at village@riseup.net, goodbye  
2018-05-10 00:55:06    c.sunnyjuly.gq  DNS_TXT It is always the simple that produces the marvelous  

It is worth noting that the original Satori.robber also used the same DNS zone, sunnyjuly.gq. At that time, the author also left a message in the sample, as follows. The email address in it is also a @riseup.net one:

Satori dev here, dont be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at curtain@riseup.net  

The Port 3333 Scan Spike Caused by Satori

The current version of Satori also scans port 3333, which can be seen in our ScanMon system. The scan originates from about 17k distinct IP addresses, mainly from Uninet SA de CV (telmex.com), located in Mexico.

Contact Us

We can be reached on Twitter or via the WeChat subscription account 360Netlab.

IoC

These IPs were once under muhstik control but have now been cleaned up by the security community:


All malware download URLs observed exploiting the GPON vulnerability:

Share     Botnet      URL    Country & Region    ASN
57.77%    satori  hxxp://185.62.190.191/r Netherlands/NL  AS49349 Dotsi, Unipessoal Lda.  
32.66%    muhstik hxxp://51.254.219.134/gpon.php  France/FR   AS16276 OVH SAS  
2.20%    muhstik hxxp://162.243.211.204/gpon United States/US New York   AS62567 DigitalOcean, LLC  
1.99%    muhstik hxxp://165.227.78.159/gponb6abe42c3a9aa04216077697eb1bcd44.php  United States/US Clifton    AS14061 DigitalOcean, LLC  
0.96%    muhstik hxxp://128.199.251.119/gpon.php Singapore/SG Singapore  AS14061 DigitalOcean, LLC  
0.64%    imgay   hxxp://149.28.96.126/forky  United States/US College Park   None  
0.60%    imgay   hxxp://149.28.96.126/80 United States/US College Park   None  
0.57%    imgay   hxxp://149.28.96.126/   United States/US College Park   None  
0.57%    imgay   hxxp://149.28.96.126/81 United States/US College Park   None  
0.53%    muhstik hxxp://165.227.78.159/gpon.php  United States/US Clifton    AS14061 DigitalOcean, LLC  
0.32%    muhstik hxxp://162.243.211.204/gponexec United States/US New York   AS62567 DigitalOcean, LLC  
0.28%    imgay   hxxp://149.28.96.126/8080   United States/US College Park   None  
0.25%    untitled-1  hxxp://186.219.47.178:8080  Brazil/BR   AS262589 INTERNEXA Brasil Operadora de Telecomunicações S.A  
0.11%    imgay   hxxp://149.28.96.126/imgay  United States/US College Park   None  
0.11%    muhstik hxxp://162.243.211.204/aio  United States/US New York   AS62567 DigitalOcean, LLC  
0.11%    muhstik hxxp://46.243.189.102/  Netherlands/NL  AS205406 Hostio Solutions B.V.  
0.07%    untitled-2  hxxp://114.67.227.83/busybox    China/CN Beijing    AS4808 China Unicom Beijing Province Network  
0.07%    omni    hxxp://185.246.152.173/omni Netherlands/NL  AS56630 Melbikomas UAB  
0.07%    untitled-2  nc://114.67.227.83:7856 China/CN Beijing    AS4808 China Unicom Beijing Province Network  
0.04%    satori  hxxp://185.62.190.191/s Netherlands/NL  AS49349 Dotsi, Unipessoal Lda.  
0.04%    untitled-2  hxxp://114.67.227.83    China/CN Beijing    AS4808 China Unicom Beijing Province Network  
0.04%    untitled-3  hxxp://209.141.42.3/gponx   United States/US Las Vegas  AS53667 FranTech Solutions  
0.04%    untitled-2  hxxp://114.67.227.83/   China/CN Beijing    AS4808 China Unicom Beijing Province Network