Hakai: New Linux IoT Botnet

A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims. Samples were served from the IP 176.32.32[.]156:

http://176.32.32[.]156/bins.sh

Malware

Samples:

  • hakai.arm4   : 15f1a5fda20ebc62a0f0cb5ef8163b41
  • hakai.arm7   : 21d6ea6836156b3b477980df7f5e93ff
  • hakai.mips   : 5ab32bdead9a6043f0db9ab7809be4f1
  • hakai.ppc    : 940ebf509b2cda8efb7d8cfe23656ae7
  • hakai.x86    : cb461e9c3788ad760f6e82c6f70005a1
  • hakai.x86_64 : 327798ab42d8280822d911b9138b4b7b
  • hakai.arm    : 94c82c990a3b16b2ea3c4bb58a26677c
  • hakai.arm6   : e5244b287da9839bb13f4c4415c43e17
  • hakai.m68k   : d12671452ad29b15d875027bc98a7837
  • hakai.mpsl   : 3b676aa130e58772bb1c4fcc7e42fb39
  • hakai.sh4    : cc4c69451084bfc2272d07e40c219108
  • hakai.x86_32 : ea9ba0c4f809d85cb74afef938177d48

Vulnerabilities

By analysing the strings in the samples, I found the following exploits:

  • Multiple vulnerabilities in D-Link routers:

Multiple D-Link routers suffer from insecure implementations of the Home Network Administration Protocol (HNAP), which allow unauthenticated and/or unprivileged users to view and change administrative settings. For more information see: https://regmedia.co.uk/2016/11/07/dlink_hnap_captcha.pdf

Deobfuscate Malware

The strings in the binary have been obfuscated (see image number 2). To collect information about this malware from the strings output, the first step is to deobfuscate them.

When I execute the binary, the message below is printed to the terminal:

In the next step I used XORSearch (https://blog.didierstevens.com/programs/xorsearch/) to find the key used by the XOR algorithm.

The strings in this malware are obfuscated with a fixed single-byte XOR key, 0x45.

I then used the following script to deobfuscate all the strings. The input file Cipher.txt holds the extracted obfuscated strings, one per line:

Code to deobfuscate the strings:

    Clear = ""
    filepath = 'Cipher.txt'
    with open(filepath) as fp:
        for line in fp:
            # XOR each character with the fixed key 0x45 (XOR is its own inverse);
            # the trailing newline is stripped so it is not XORed as well
            for c in line.rstrip('\n'):
                Clear += chr(ord(c) ^ 0x45)
            Clear += "\n"
    print(Clear)

Result of deobfuscating the strings:

We can see the default credentials used for brute forcing: root, admin, 1234 ... 12341234.

IOC:

  • 176.32.32[.]156
  • hakaiboatnet.pw
  • 15f1a5fda20ebc62a0f0cb5ef8163b41
  • 21d6ea6836156b3b477980df7f5e93ff
  • 5ab32bdead9a6043f0db9ab7809be4f1
  • 940ebf509b2cda8efb7d8cfe23656ae7
  • cb461e9c3788ad760f6e82c6f70005a1
  • 327798ab42d8280822d911b9138b4b7b
  • 94c82c990a3b16b2ea3c4bb58a26677c
  • e5244b287da9839bb13f4c4415c43e17
  • d12671452ad29b15d875027bc98a7837
  • 3b676aa130e58772bb1c4fcc7e42fb39
  • cc4c69451084bfc2272d07e40c219108
  • ea9ba0c4f809d85cb74afef938177d48

Mitigations

  • There is no known way to disable HNAP. There is no known fix at the time of this writing.
  • Scan your network for vulnerable devices.
  • Change the default passwords on your routers.