Hakai :New Linux IoT Botnet

A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims . Samples were served from the IP 176.32.32[.]156.

http://176.32.32[.]156/bins.sh

Malware

Samples:

• hakai.arm4 :15f1a5fda20ebc62a0f0cb5ef8163b41
• hakai.arm7 :21d6ea6836156b3b477980df7f5e93ff
• hakai.mips :5ab32bdead9a6043f0db9ab7809be4f1
• hakai.ppc :940ebf509b2cda8efb7d8cfe23656ae7
• hakai.x86 :cb461e9c3788ad760f6e82c6f70005a1
• hakai.x86_64:327798ab42d8280822d911b9138b4b7b
  hakai.arm :94c82c990a3b16b2ea3c4bb58a26677c
• hakai.arm6 :e5244b287da9839bb13f4c4415c43e17
• hakai.m68k :d12671452ad29b15d875027bc98a7837
• hakai.mpsl :3b676aa130e58772bb1c4fcc7e42fb39
• hakai.sh4 :cc4c69451084bfc2272d07e40c219108
• hakai.x86_32:ea9ba0c4f809d85cb74afef938177d48

Vulnerabilities

by Analysing the Strings of samples ,i found exploits:

• Multiple vulnerabilities in Dlink Router:

Multiple D-Link routers suffer from insecure implementations of the Home Network Administration Protocol which allow un-authenticated and/or un-privileged users to view and configure administrative.For more informations please contact this link:https://regmedia.co.uk/2016/11/07/dlink_hnap_captcha.pdf

• CVE-2017–17215 (Huawei Router HG532 -Arbitrary Command Execution): vulnerability and related exploit.

• CVE-2014–8361( Realtek SDK Miniigd UPnP SOAP Command Execution):vulnerability and related exploit.

Deobfuscate Malware

Strings in the binary have been obfuscated.look at image number 2.Now I try to collect informations about this malware from strings resulat.the first step is to deobfuscate strings.

When i execute the binary ,the below message to the terminal

the next step, i use this script XORSEARCH.py(https://blog.didierstevens.com/programs/xorsearch/) to khnow the key used in the algorithm XOR .

this malware is obfuscate with a fixed key 0x45.

I used Now this script to deobfuscate all strings:

deobfuscate strings

Code to deobfuscate strins

Clear=””
filepath = ‘Cipher.txt’
with open(filepath) as fp:
line = fp.readline()
while line:
line = fp.readline()
for c in line:
Clear += chr(ord(c)~x45)
Clear += “\n”
print Clear

result of deobfuscate strings

we can see the default password used to brute force :root,admin,1234...12341234

IOC:

• 176.32.32[.]156.
• hakaiboatnet.pw
• 15f1a5fda20ebc62a0f0cb5ef8163b41
• 21d6ea6836156b3b477980df7f5e93ff
• 5ab32bdead9a6043f0db9ab7809be4f1
• 940ebf509b2cda8efb7d8cfe23656ae7
• cb461e9c3788ad760f6e82c6f70005a1
• 327798ab42d8280822d911b9138b4b7b
• 94c82c990a3b16b2ea3c4bb58a26677c
• e5244b287da9839bb13f4c4415c43e17
• d12671452ad29b15d875027bc98a7837
• 3b676aa130e58772bb1c4fcc7e42fb39
• cc4c69451084bfc2272d07e40c219108
• ea9ba0c4f809d85cb74afef938177d48

Mitigations

• There is no known way to disable HNAP. There is no known fix at the time of this writing.
• Scan your network looking for vulnerabilities.
• Changing the default password of routers