Hakai: New Linux IoT Botnet

A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims. Samples were served from the IP 176.32.32[.]156:

http://176.32.32[.]156/bins.sh

Malware

Samples:

  • hakai.arm7   : 21d6ea6836156b3b477980df7f5e93ff
  • hakai.mips   : 5ab32bdead9a6043f0db9ab7809be4f1
  • hakai.ppc    : 940ebf509b2cda8efb7d8cfe23656ae7
  • hakai.x86    : cb461e9c3788ad760f6e82c6f70005a1
  • hakai.x86_64 : 327798ab42d8280822d911b9138b4b7b
  • hakai.arm    : 94c82c990a3b16b2ea3c4bb58a26677c
  • hakai.arm6   : e5244b287da9839bb13f4c4415c43e17
  • hakai.m68k   : d12671452ad29b15d875027bc98a7837
  • hakai.mpsl   : 3b676aa130e58772bb1c4fcc7e42fb39
  • hakai.sh4    : cc4c69451084bfc2272d07e40c219108
  • hakai.x86_32 : ea9ba0c4f809d85cb74afef938177d48

Vulnerabilities

By analysing the strings of the samples, I found the following exploits:

Deobfuscate Malware

The strings in the binary have been obfuscated (see image 2). To collect information about this malware from the strings output, the first step is to deobfuscate them.

[Image: obfuscated strings]
[Image: code to deobfuscate the strings]
[Image: result of deobfuscating the strings]
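The deobfuscation code itself is only shown in the image above, so the following is an added example (not the author's script) of the usual approach when the scheme is not known in advance. Mirai-style bots commonly XOR their string table with a single fixed byte; the script assumes Hakai does the same, brute-forces all 256 single-byte keys, ranks each candidate by hits on crib strings that are common in this malware family (the crib list is an assumption) and by how much of the output is readable ASCII, and decodes the table with the winning key. The obfuscated blobs are constructed for this example by XORing plausible plaintexts, including the hakaiboatnet.pw domain from the IOC list, with the arbitrarily chosen key 0x37; the real Hakai scheme may differ, and the script reports that no key fits rather than guessing.

```python
"""Brute-force a single-byte XOR string table (added example, not the page's code).

Assumption: every string in the table is XORed byte-wise with one fixed key, as
Mirai-style bots do. SAMPLE_BLOBS is constructed here by XORing plausible
plaintexts with the arbitrary key 0x37.
"""
import string

# Bytes accepted as readable output: ASCII printable plus tab, LF and CR.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

# Known-plaintext fragments common in Mirai/Gafgyt-style bots (assumed crib list).
CRIBS = (b"/bin/busybox", b"/proc/", b"HTTP/1.", b"http://", b".sh")

# Constructed sample table: one blob per string, no NUL terminator.
SAMPLE_KEY = 0x37
SAMPLE_PLAINTEXTS = (
    b"/bin/busybox",
    b"hakaiboatnet.pw",
    b"GET /bins.sh HTTP/1.1",
    b"/proc/self/exe",
)
SAMPLE_BLOBS = [bytes(b ^ SAMPLE_KEY for b in s) for s in SAMPLE_PLAINTEXTS]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are readable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def score_key(blobs, key):
    """Score a candidate key as (blobs containing a crib, mean printable ratio).

    Crib hits are compared first: a wrong key can still yield all-printable
    garbage for short strings, but it will not reproduce known fragments.
    """
    decoded = [xor_bytes(b, key) for b in blobs]
    crib_hits = sum(any(c in d for c in CRIBS) for d in decoded)
    readable = sum(printable_ratio(d) for d in decoded) / len(decoded)
    return crib_hits, readable


def recover_key(blobs, min_readable=0.95):
    """Try all 256 keys; return the best one, or None if nothing decodes cleanly."""
    if not blobs:
        return None
    scores = {k: score_key(blobs, k) for k in range(256)}
    best_key = max(scores, key=scores.get)
    _, readable = scores[best_key]
    if readable < min_readable:
        return None  # no key makes the table readable: not single-byte XOR
    return best_key


def deobfuscate(blobs, key):
    """Decode the whole table with the recovered key."""
    return [xor_bytes(b, key).decode("ascii", errors="replace") for b in blobs]


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOBS)
    if key is None:
        print("no single-byte XOR key found; the scheme is something else")
    else:
        print(f"recovered key: {key:#04x}")
        for s in deobfuscate(SAMPLE_BLOBS, key):
            print(s)
```

In a real analysis the blobs would be carved from the binary's string table (for example from the `.rodata` offsets that `strings` showed as unreadable) rather than constructed, and the crib list would be extended with whatever cleartext the sample still leaks, such as the C2 domain.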

IOC:

  • 176.32.32[.]156
  • hakaiboatnet.pw
  • 15f1a5fda20ebc62a0f0cb5ef8163b41
  • 21d6ea6836156b3b477980df7f5e93ff
  • 5ab32bdead9a6043f0db9ab7809be4f1
  • 940ebf509b2cda8efb7d8cfe23656ae7
  • cb461e9c3788ad760f6e82c6f70005a1
  • 327798ab42d8280822d911b9138b4b7b
  • 94c82c990a3b16b2ea3c4bb58a26677c
  • e5244b287da9839bb13f4c4415c43e17
  • d12671452ad29b15d875027bc98a7837
  • 3b676aa130e58772bb1c4fcc7e42fb39
  • cc4c69451084bfc2272d07e40c219108
  • ea9ba0c4f809d85cb74afef938177d48

Mitigations

  • There is no known way to disable HNAP, and no fix is known at the time of writing.
  • Scan your network for vulnerable devices.
  • Change the default passwords on routers.
