Botnet by Borisris

JenX , New IoT Botnet

Mondher Smii


A new botnet has recently started recruiting IoT devices. It uses hosted servers to find and infect new victims by leveraging one of three known vulnerabilities that have recently become popular in IoT botnets:

The malware has been spreading since January 30; Radware honeynets have detected several infection attempts originating from multiple servers …

I posted a tweet about this event.

JenX is a DDoS botnet; the DDoS service offered by San Calvicie is called “Corriente Divina.”

Analysis

The malware binary is called ‘jennifer’ and was, in every observed case, downloaded from the same server, 5.39.22.8, which is hosted at a different provider than the exploit servers.

The download server hosts samples for MIPS, ARM, ARM7 and x86, all uploaded very recently:

IOCs for the samples at the time of analysis:

Strings in the binary have been obfuscated:

Some very basic cryptanalysis in Python soon revealed the obfuscation to be a simple XOR with the fixed key 0x45:

After decryption:

I used the script below to decrypt the string:

C&C:

There is still the question of how to recover the string containing the hostname of the C2 server behind the IP 80.82.70.202 that we observed earlier.

Ultimately, by XORing the string with 0x22, we found the hostname of the C2 server to be ‘skids.sancalvicie.com’.

After decryption: skids.sancalvicie.com
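The de-obfuscation described above, as an added example (not the author's script, which the post does not reproduce): a single-byte XOR decoder together with the brute-force key recovery that such "basic cryptanalysis" amounts to, usable for both the 0x45-keyed strings and the 0x22-keyed C2 hostname. The hostname and key 0x22 come from the post; the obfuscated bytes are constructed here by re-encoding the hostname, since the raw bytes are not shown.

```python
# Added example: fixed single-byte XOR de-obfuscation and key recovery, the
# technique the analysis describes for JenX's strings (key 0x45) and its C2
# hostname (key 0x22). Not the author's script.

# Letters ordered by English frequency; more common letters score higher,
# so a wrong key that yields printable garbage still scores below the truth.
_FREQ_ORDER = "etaoinshrdlcumwfgypbvkjxqz"
_LETTER_WEIGHT = {c: 26 - i for i, c in enumerate(_FREQ_ORDER)}
_HOSTNAME_PUNCT = set(".-_/:,")  # common in hostnames, paths and URLs


def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo a fixed single-byte XOR (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in blob)


def plausibility(candidate: bytes) -> int:
    """Score how much a decoded buffer looks like text found in a binary."""
    score = 0
    for b in candidate:
        if not 0x20 <= b < 0x7F:
            score -= 50          # control or high bytes: almost surely wrong key
            continue
        ch = chr(b).lower()
        if ch in _LETTER_WEIGHT:
            score += _LETTER_WEIGHT[ch]
        elif ch in _HOSTNAME_PUNCT or ch.isdigit():
            score += 10
        else:
            score += 1           # other printable ASCII
    return score


def recover_key(blob: bytes) -> int:
    """Try all 256 single-byte keys and return the most plausible one."""
    return max(range(256), key=lambda k: plausibility(xor_decode(blob, k)))


# Constructed sample: the post's hostname and key, re-encoded here because the
# raw obfuscated bytes are not reproduced in the post.
C2_HOSTNAME = "skids.sancalvicie.com"
C2_KEY = 0x22
OBFUSCATED_C2 = xor_decode(C2_HOSTNAME.encode(), C2_KEY)


def demo() -> tuple:
    """Recover the key from the obfuscated bytes alone, then decode them."""
    key = recover_key(OBFUSCATED_C2)
    return key, xor_decode(OBFUSCATED_C2, key).decode()


if __name__ == "__main__":
    k, text = demo()
    print(f"key=0x{k:02x} -> {text}")
```

The same `recover_key` call applied to a 0x45-keyed string from the binary would return 0x45, since the scoring does not depend on the key value.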

Should you be concerned?

Unless you frequently play GTA San Andreas, you will probably not be directly impacted.

External Analysis

This analysis is based on the following link

Contact:

[+] Email: smii.mondher@gmail.com

[+] LinkedIn: https://www.linkedin.com/in/mondher-smii/

[+] Twitter: https://twitter.com/smii_mondher

#mirai #satori #masuta #cybersecurity #malware #JenX #radware

To be continued. Happy reading …
