Hakai: New Linux IoT Botnet
A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims. Samples were served from the IP 176.32.32[.]156.
Malware
Samples:
- hakai.arm4: 15f1a5fda20ebc62a0f0cb5ef8163b41
- hakai.arm7: 21d6ea6836156b3b477980df7f5e93ff
- hakai.mips: 5ab32bdead9a6043f0db9ab7809be4f1
- hakai.ppc: 940ebf509b2cda8efb7d8cfe23656ae7
- hakai.x86: cb461e9c3788ad760f6e82c6f70005a1
- hakai.x86_64: 327798ab42d8280822d911b9138b4b7b
- hakai.arm: 94c82c990a3b16b2ea3c4bb58a26677c
- hakai.arm6: e5244b287da9839bb13f4c4415c43e17
- hakai.m68k: d12671452ad29b15d875027bc98a7837
- hakai.mpsl: 3b676aa130e58772bb1c4fcc7e42fb39
- hakai.sh4: cc4c69451084bfc2272d07e40c219108
- hakai.x86_32: ea9ba0c4f809d85cb74afef938177d48
Vulnerabilities
By analysing the strings in the samples, I found the following exploits:
- Multiple vulnerabilities in D-Link routers:
Multiple D-Link routers suffer from insecure implementations of the Home Network Administration Protocol (HNAP), which allow unauthenticated and/or unprivileged users to view and configure administrative settings. For more information see: https://regmedia.co.uk/2016/11/07/dlink_hnap_captcha.pdf
- CVE-2017-17215 (Huawei Router HG532 - Arbitrary Command Execution): vulnerability and related exploit.
- CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP Command Execution): vulnerability and related exploit.
Deobfuscate Malware
Strings in the binary have been obfuscated (see image number 2). To collect information about this malware from the strings output, the first step is to deobfuscate the strings.
When I execute the binary, it prints the message below to the terminal.
Next, I use the script XORSearch (https://blog.didierstevens.com/programs/xorsearch/) to find the key used by the XOR algorithm.
This malware is obfuscated with a fixed key, 0x45.
I then used this script to deobfuscate all the strings:
clear = ""
filepath = 'Cipher.txt'  # file holding the obfuscated strings, one per line
with open(filepath) as fp:
    for line in fp:  # iterate over every line, including the first one
        for c in line.rstrip("\n"):  # leave the line terminator out of the XOR
            clear += chr(ord(c) ^ 0x45)  # undo the fixed-key XOR (0x45)
        clear += "\n"
print(clear)
We can see the default passwords used for brute forcing: root, admin, 1234 ... 12341234
IOCs:
- 176.32.32[.]156
- hakaiboatnet.pw
Mitigations
- There is no known way to disable HNAP. There is no known fix at the time of this writing.
- Scan your network for vulnerable devices.
- Change the default passwords on routers.