URL-less IoT botnet propagation

In this post I’ll cover an evasion technique used to perform URL-less binary transfer to vulnerable IoT devices. The technique is not new and has been used by various IoT botnets in past years, but for a different purpose, namely to ensure the binary payload is delivered to vulnerable IoT devices that lack the wget/curl/tftp commands typically used to download malware from a URL. However, from October 2019 until now, March 2020, we have identified several botnets employing the technique to avoid detection when performing infection over Telnet. Applying this technique as an alternative to downloading the bot sample directly with wget/curl/tftp can serve an evasive purpose: 1) it attempts to avoid researchers’ attention by evading honeypots that rely on URL pattern matching to collect malware samples; 2) it aims to achieve a higher propagation rate by evading signature-based network detection.

Introduction

In the past three years, cybercriminals have exercised the best of their abilities to increase IoT botnet propagation rate and resilience. To infect as many devices as possible, in addition to equipping the bots with multiple exploits, the cybercriminals have tried different techniques for uploading the malicious payload to the infected machines. The most widespread way to transfer the malicious payload to the victim device is to use the wget, curl or tftp commands to fetch it from a URL.

However, not all IoT devices have the wget/curl/tftp commands available, and IoT malware adapted to such cases by performing a check for their availability:

Now, the interesting bit is how IoT malware handles the case when none of these commands is available. The answer is to split the malicious binary into chunks and write them one by one, as hex strings, to a file. This is achieved with the echo command found on all Unix systems. In other words, this procedure transfers the malware by “echoing” multiple hex strings to a local file, as shown in the extract from a Telnet session captured by one of our Telnet honeypots:

The extract above is part of an infection over Telnet performed by the Hajime bot. Hajime is one of the botnets that has heavily utilised this technique in order to infect as many devices as possible.

The “abuse” of the echoed hex-strings malware transfer technique for evasion purposes

Although originally utilised only when necessary, i.e. to infect devices lacking wget/curl/tftp, we found this technique also being used to upload malware to devices that can in fact run the wget/curl/tftp commands.

In the extract from a Telnet session below, it can be seen that although the wget/tftp commands are available, the bot proceeds with the echoed hex-strings file transfer technique. This example is from one of the first bot versions we discovered to employ this technique for evasion. The botnet has used this technique to perform under-the-radar Telnet infections since October 2019.

The file uploaded to the device to be infected is not the actual bot binary, but a tiny stripped ELF file with the functionality of a loader. In other words, the echoed hex strings compose a light ELF loader that fetches and runs the bot sample from a URL. The loader is an ARM ELF binary, 1.5 kB in size, and it is not packed. The infection took place on 2019-10-26. When executed, the loader in this example downloads and runs the bot sample from the following URL:

http://159.65.238.132/.configs/xEx0x.arm

The downloaded xEx0x.arm sample is also not packed. When executed in our sandbox environment, the bot performed TCP SYN scans on ports 23/2323, looking for Telnet services. It resolved netflux.flexsec.xyz to 185.224.130.72 and connected to port 8512.

C2: 185.224.130.72:8512

We did a retrospective analysis of all Telnet sessions established by this botnet, and in all of them the bots used the echoed hex-strings technique to upload a small loader to the infected device. The wget/tftp/curl commands were never used, and this botnet spreads exclusively over Telnet. This seems like a good indicator that the echoed hex-strings method is used in an attempt to prevent the sample from being collected by honeypots and later reversed/analysed by malware researchers.
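As an added example (not code from the original post), the following shows how a Telnet honeypot could reassemble the echoed hex-string chunks described in the Introduction and recover the loader's hardcoded URL, which a honeypot that only pattern-matches URLs in the session would miss, as noted above. It assumes the common echo -ne '\xNN...' >> file command shape, which the page does not show, and runs on a constructed session with a placeholder IP rather than a real capture.

```python
import re
from typing import Dict, List

# Assumed command shape (the page does not show the exact lines):
#   echo -ne '\x7f\x45\x4c\x46' > .s    first chunk creates the file
#   echo -ne '\x01\x01\x01\x00' >> .s   later chunks append
ECHO_RE = re.compile(
    r"""echo\s+(?:-[ne]+\s+)?(['"])((?:\\x[0-9a-fA-F]{2})+)\1\s*(>>?)\s*(\S+)"""
)
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # stops at NUL or whitespace
# A real download attempt, as opposed to the bare availability check "wget"
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl)\s[^\r\n]*https?://|\btftp\s[^\r\n]*-g\b")

def reassemble_echoed_files(session: str) -> Dict[str, bytes]:
    """Rebuild every file the session writes through echoed hex strings."""
    files: Dict[str, bytearray] = {}
    for _quote, hexstr, redirect, path in ECHO_RE.findall(session):
        chunk = bytes(int(h, 16) for h in HEX_RE.findall(hexstr))
        if redirect == ">" or path not in files:  # '>' truncates, '>>' appends
            files[path] = bytearray()
        files[path] += chunk
    return {p: bytes(b) for p, b in files.items()}

def extract_urls(blob: bytes) -> List[str]:
    """Pull plaintext download URLs (e.g. a loader's hardcoded one) out of a blob."""
    return [u.decode("ascii") for u in URL_RE.findall(blob)]

def analyse_session(session: str) -> dict:
    """Honeypot-side summary: files written, which are ELF, embedded URLs,
    and whether the bot ever used a real downloader instead of echo."""
    files = reassemble_echoed_files(session)
    return {
        "files": {p: len(b) for p, b in files.items()},
        "elf_files": [p for p, b in files.items() if b.startswith(b"\x7fELF")],
        "urls": sorted({u for b in files.values() for u in extract_urls(b)}),
        "used_downloader": bool(DOWNLOADER_RE.search(session)),
    }

def _hexchunk(data: bytes) -> str:
    return "".join(f"\\x{b:02x}" for b in data)

# Constructed session, not a real capture: stand-in ELF header, placeholder URL.
SAMPLE_SESSION = (
    "/bin/busybox wget; /bin/busybox tftp; /bin/busybox echo\r\n"
    "wget: missing URL\r\n"  # wget is present, yet the bot echoes the file below
    "cd /tmp; echo -ne '" + _hexchunk(b"\x7fELF\x01\x01\x01\x00") + "' > .s\r\n"
    "echo -ne '" + _hexchunk(b"http://203.0.113.5/") + "' >> .s\r\n"
    "echo -ne '" + _hexchunk(b"loader.arm\x00") + "' >> .s\r\n"
)
```

A session in which the availability check shows wget present, an ELF is echoed, and used_downloader stays False is exactly the evasive pattern described above, and the recovered URL can then be fed to the collection pipeline that the URL-only matcher would have left empty.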

The xEx0x or v3Ex0 botnet

We have been tracking the botnet since October 2019. In this period of 5 months, the botnet has moved servers and updated its samples 6 times in total. We detected the first version on 26 October 2019 and the last version on 14 February 2020. The botnet preserved its infection technique throughout this period: the infection begins with the transfer of tiny non-packed loaders to our Telnet honeypot in chunks via echoed hex strings, and the loaders have the URL of the bot samples hardcoded.

Below is a table of the updates of this botnet in the last 5 months:

URL                                     Date detected
http://159.65.238.132/.configs/xEx0x    2019-10-26
http://159.65.168.221/.configs/v3Ex0    2019-11-24
http://157.245.36.58/.configs/v3Ex0     2019-12-28
http://81.4.122.217/.configs/v3Ex0      2020-01-24
http://64.227.0.216/.configs/v3Ex0      2020-01-30
http://185.132.53.57/.configs/v3Ex0     2020-02-14

Other botnets

Fbot

The xEx0x or v3Ex0 botnet is not the only botnet that has taken advantage of the echoed hex-strings technique for avoiding detection. In the most recent study on the newest variant of Fbot from February 2020, the Malware Must Die research group also confirmed the use of the echoed hex-strings technique, which they call the Hexstrings-push method, to deliver loaders as an alternative to directly downloading the sample using wget/tftp/curl. The major difference is that the dropped samples of the new Fbot are packed, unlike the dropped samples of the xEx0x or v3Ex0 botnet. In their in-depth analysis, MMD confirms that a combination of multiple evasion techniques can result in rapid and undetected botnet propagation. Although MMD has focused on the Fbot variant from February 2020, we have also noticed that the echoed hex-strings technique was used in combination with loaders by earlier Fbot samples in November 2019. We first detected Fbot using this technique to deliver loaders on 13-11-2019, and it shares the same loader transfer behaviour as the one described by MalwareMustDie, as can be seen from the strings extracted from the unpacked loader:

Switchnets.net

Another botnet that has used this method when infecting devices over Telnet is the switchnets.net botnet, notorious for continuously migrating from server to server. This botnet has also spread using the Jaws RCE exploit, as discussed by @bad_packets on Twitter. It seems that some variants of Switchnets from early November 2019 used the typical direct way of downloading the bot sample from a URL using wget/tftp, but the later variants have been using the echoed hex-strings file transfer technique to deliver loaders via Telnet.

The URLs extracted from the loaders delivered as echoed hex strings via Telnet, the detection date and the botnets to which the loaders belong are shown in chronological order below:

URL                                     Detection date    Botnet
http://83.97.20.130/b/                  2019-10-01        switchnets
http://83.97.20.130/b/                  2019-10-08        switchnets
http://159.65.238.132/.configs/xEx0x    2019-10-26        xEx0x
http://83.97.20.130/b/                  2019-11-04        switchnets
http://78.141.218.132/b/                2019-11-06        switchnets
http://78.141.218.132/b/                2019-11-08        switchnets
http://188.209.49.44/b/                 2019-11-13        switchnets
http://5.206.227.65/fbot                2019-11-13        fbot
http://5.206.227.65/fbot                2019-11-14        fbot
http://188.209.49.44/b/                 2019-11-15        switchnets
http://188.209.49.44/b/                 2019-11-16        switchnets
http://188.209.49.44/b/                 2019-11-18        switchnets
http://188.209.49.44/b/                 2019-11-21        switchnets
http://159.65.168.221/.configs/v3Ex0    2019-11-24        xEx0x
http://188.209.49.44/b/                 2019-11-24        switchnets
http://188.209.52.200/bins/             2019-11-24        moobot
http://45.56.105.114/ralph              2019-11-24        ralph
http://45.79.144.121/hoho               2019-11-24        switchnets
http://5.206.227.65/fbot                2019-11-24        fbot
http://45.33.83.105/b/                  2019-11-25        switchnets
http://45.33.83.105/hoho                2019-11-30        switchnets
http://157.245.36.58/.configs/v3Ex0     2019-12-28        xEx0x
http://46.166.151.200/                  2020-01-02        elrooted.com
http://81.4.122.217/.configs/v3Ex0      2020-01-24        xEx0x
http://64.227.0.216/.configs/v3Ex0      2020-01-30        xEx0x
http://190.115.18.86/hoho               2020-02-02        switchnets
http://190.115.18.86/b/                 2020-02-03        switchnets
http://190.115.18.28/hoho               2020-02-11        switchnets
http://190.115.18.86/b/                 2020-02-11        switchnets
http://185.132.53.57/.configs/v3Ex0     2020-02-14        xEx0x
http://190.115.18.28/hoho               2020-02-16        switchnets