Hakai: New Linux IoT Botnet

jouini ahmed
Aug 25, 2018 · 3 min read

A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims. Samples were served from the IP 176.32.32[.]156 via the following dropper script:

http://176.32.32[.]156/bins.sh

Malware

Samples:

  • hakai.arm4   : 15f1a5fda20ebc62a0f0cb5ef8163b41
  • hakai.arm7   : 21d6ea6836156b3b477980df7f5e93ff
  • hakai.mips   : 5ab32bdead9a6043f0db9ab7809be4f1
  • hakai.ppc    : 940ebf509b2cda8efb7d8cfe23656ae7
  • hakai.x86    : cb461e9c3788ad760f6e82c6f70005a1
  • hakai.x86_64 : 327798ab42d8280822d911b9138b4b7b
  • hakai.arm    : 94c82c990a3b16b2ea3c4bb58a26677c
  • hakai.arm6   : e5244b287da9839bb13f4c4415c43e17
  • hakai.m68k   : d12671452ad29b15d875027bc98a7837
  • hakai.mpsl   : 3b676aa130e58772bb1c4fcc7e42fb39
  • hakai.sh4    : cc4c69451084bfc2272d07e40c219108
  • hakai.x86_32 : ea9ba0c4f809d85cb74afef938177d48

Vulnerabilities

By analysing the strings of the samples, I found the following exploits:

  • Multiple vulnerabilities in D-Link routers:

Multiple D-Link routers suffer from insecure implementations of the Home Network Administration Protocol (HNAP), which allow unauthenticated and/or unprivileged users to view and configure administrative settings. For more information, see: https://regmedia.co.uk/2016/11/07/dlink_hnap_captcha.pdf

Deobfuscate Malware

The strings in the binary are obfuscated (see the second screenshot). To collect information about this malware from its strings, the first step is to deobfuscate them.

When I execute the binary, it prints the message shown below to the terminal.

The next step: I used Didier Stevens' XORSearch (https://blog.didierstevens.com/programs/xorsearch/) to find the key used by the XOR algorithm.

This malware's strings are obfuscated with a fixed single-byte XOR key, 0x45.

I then used the following script to deobfuscate all the strings:

Code to deobfuscate the strings:

# XOR-decode every character of Cipher.txt with the fixed key 0x45 and print the result.
# (The original listing had a typo, "~x45" instead of "^ 0x45", and called
# readline() twice before the loop, which silently skipped the first line.)
clear = ""
filepath = "Cipher.txt"
with open(filepath) as fp:
    for line in fp:
        # the trailing newline is a line separator, not part of the ciphertext
        for c in line.rstrip("\n"):
            clear += chr(ord(c) ^ 0x45)
        clear += "\n"
print(clear)
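The two manual steps above (finding the key with XORSearch, then decoding with a fixed key) can be combined in one script. The example below is added here and is not the author's code or XORSearch itself; it reproduces XORSearch's idea of trying all 256 single-byte keys and keeping the one under which known plaintext (here credential words such as "root" and "admin") appears, then splits the decoded blob into strings. The sample input is constructed: a few strings like those in the screenshot, XORed with 0x45, not bytes from the real Hakai binary.

```python
"""Single-byte XOR key recovery and string deobfuscation (added example)."""

# Constructed sample input: a handful of strings resembling the credential list
# in the post, XOR-obfuscated with the key 0x45 that the post reports.
# These are NOT bytes taken from the real Hakai binary.
_SAMPLE_PLAINTEXT = b"root\nadmin\n1234\n12341234\n/bin/busybox\n"
SAMPLE_KEY = 0x45
OBFUSCATED_SAMPLE = bytes(b ^ SAMPLE_KEY for b in _SAMPLE_PLAINTEXT)

# Known plaintext to search for, mirroring the search string you would hand to
# XORSearch. Credential words are a natural choice for a brute-forcing bot.
DEFAULT_NEEDLES = (b"root", b"admin", b"/bin/")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def count_hits(data: bytes, needles) -> dict:
    """Try all 256 single-byte keys; return {key: number of needles found}.

    A key that makes several unrelated known strings appear at once is almost
    certainly the real one; a single hit can occur by coincidence.
    """
    hits = {}
    for key in range(256):
        decoded = xor_bytes(data, key)
        n = sum(1 for needle in needles if needle in decoded)
        if n:
            hits[key] = n
    return hits


def recover_key(data: bytes, needles=DEFAULT_NEEDLES):
    """Return the single-byte key with the most known-plaintext hits, or None."""
    hits = count_hits(data, needles)
    if not hits:
        return None
    return max(hits, key=hits.get)


def deobfuscate_strings(data: bytes, key: int) -> list:
    """Decode the blob and split it into the newline-separated strings it holds."""
    clear = xor_bytes(data, key).decode("latin-1")
    return [s for s in clear.split("\n") if s]


if __name__ == "__main__":
    key = recover_key(OBFUSCATED_SAMPLE)
    print(f"recovered key: 0x{key:02x}")
    for s in deobfuscate_strings(OBFUSCATED_SAMPLE, key):
        print(s)
```

To use it on a real sample, read the obfuscated region of the binary into `data` and pass it to `recover_key`; on this constructed input only 0x45 makes all three needles appear, and decoding with it yields the credential list. Note that 0x0a (newline) XOR 0x45 is 0x4f ("O"), so in the raw obfuscated blob the separators look like ordinary letters, which is why the key must be recovered before the strings can be split.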

Result of deobfuscating the strings:

We can see the default passwords used for brute forcing: root, admin, 1234 ... 12341234

IOC:

  • 176.32.32[.]156
  • hakaiboatnet.pw
  • 15f1a5fda20ebc62a0f0cb5ef8163b41
  • 21d6ea6836156b3b477980df7f5e93ff
  • 5ab32bdead9a6043f0db9ab7809be4f1
  • 940ebf509b2cda8efb7d8cfe23656ae7
  • cb461e9c3788ad760f6e82c6f70005a1
  • 327798ab42d8280822d911b9138b4b7b
  • 94c82c990a3b16b2ea3c4bb58a26677c
  • e5244b287da9839bb13f4c4415c43e17
  • d12671452ad29b15d875027bc98a7837
  • 3b676aa130e58772bb1c4fcc7e42fb39
  • cc4c69451084bfc2272d07e40c219108
  • ea9ba0c4f809d85cb74afef938177d48

Mitigations

  • There is no known way to disable HNAP. There is no known fix at the time of this writing.
  • Scan your network for vulnerable devices.
  • Change the default password of your routers.
