Rony Moshkovich
Published: 9/13/20
In our previous post we provided details about a new fork of the Kinsing malware, a Linux threat that spreads across misconfigured Docker hosts and deploys a coinminer on them.
A few days ago the attackers behind this malware uploaded a new ELF executable, b_armv7l, to the compromised server dockerupdate[.]anondns[.]net.
b_armv7l is based on the publicly available source of Tsunami (also known as Kaiten) and was built with a uClibc toolchain:
$ file b_armv7l
b_armv7l: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, with debug_info, not stripped
uClibc is a smaller C library designed for embedded Linux, in contrast to the glibc used by desktop and server distributions. The interpreter /lib/ld-uClibc.so.0 is therefore a clear sign that b_armv7l was built to run on devices such as routers, firewalls, gateways, network cameras and NAS boxes, and that it will not run on an ordinary glibc-based host without that loader. The binary is also unstripped and carries debug information, which makes the analysis below considerably easier.
Some of the binary's strings are obfuscated. The Hex-Rays decompiler shows the routine that decodes them:
    memcpy(&key, "xm@_;w,B-Z*j?nvE|sq1o$3\"7zKC<F)utAr.p%=>4ihgfe6cba~&5Dk2d!8+9Uy:", 0x40u);
    memcpy(&alphabet, "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. ", 0x40u);
    /* note the bound: i <= 64 reads one byte past the 64-byte key buffer */
    for (i = 0; i <= 64; ++i) {
        if (encoded[j] == key[i]) {
            if (psw_or_srv)
                decodedpsw[k] = alphabet[i];   /* bot password */
            else
                decodedsrv[k] = alphabet[i];   /* C2 server name */
            ++k;                               /* only advances on a match */
        }
    }
The routine is a simple monoalphabetic substitution: each character of the encoded string is looked up in the array key, and the character at the same index in the array alphabet is emitted. Characters that do not occur in key produce no output, because k is only incremented on a match.
Applying the same substitution, the important strings decode as follows (decodedsrv was decoded with the same table):
Variable Name | Encoded String | Decoded String |
decodedpsw | $7|3vfaa~8 | logmeINNOW |
decodedsrv | $7?*$s7<F | localhost |
chan | E7zv" | fopen |
servers[0] | m,;y,-ymx,yZ, | 164[.]68[.]106[.]96 |
servers[1] | qC?jny*"7"n"<y"vF | ircbd[.]anondns[.]net |
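The decoder below is an added example, not code from the sample or from the original post. It re-implements the substitution with the key and alphabet tables copied from the decompiled routine above, decodes the strings listed in the table, and adds the inverse (encode) so that known plaintexts such as the bot password or the C2 hostname can be searched for in other builds that reuse the same table. The find_encoded helper and its sample blob are constructed for illustration.

```python
# Added example: re-implementation of the b_armv7l string decoder.
# KEY and ALPHABET are the two 64-byte tables from the decompiled code;
# the encoded strings are the ones reported in the table above.

KEY = 'xm@_;w,B-Z*j?nvE|sq1o$3"7zKC<F)utAr.p%=>4ihgfe6cba~&5Dk2d!8+9Uy:'
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. "
assert len(KEY) == 64 and len(ALPHABET) == 64

# The malware scans KEY linearly for every input byte; a dict gives the
# same KEY[i] -> ALPHABET[i] mapping without the 64-step scan (and without
# the off-by-one read past the buffer that the decompiled loop performs).
_DEC = dict(zip(KEY, ALPHABET))
_ENC = dict(zip(ALPHABET, KEY))


def decode(encoded: str) -> str:
    """Substitute KEY[i] -> ALPHABET[i].

    Bytes that are not in KEY are dropped, matching the decompiled loop,
    which only advances the output index on a match.
    """
    return "".join(_DEC[c] for c in encoded if c in _DEC)


def encode(plain: str) -> str:
    """Inverse substitution ALPHABET[i] -> KEY[i].

    Only the 64 symbols of ALPHABET are representable; anything else is
    rejected rather than dropped so that hunting patterns stay exact.
    """
    try:
        return "".join(_ENC[c] for c in plain)
    except KeyError as exc:
        raise ValueError(f"{exc.args[0]!r} is not in the 64-symbol alphabet") from None


# Encoded strings as reported in the post (names are the decompiler's).
ENCODED_FROM_POST = {
    "decodedpsw": "$7|3vfaa~8",
    "decodedsrv": "$7?*$s7<F",
    "chan": 'E7zv"',
    "servers[0]": "m,;y,-ymx,yZ,",
    "servers[1]": 'qC?jny*"7"n"<y"vF',
}


def decode_all(table=ENCODED_FROM_POST) -> dict:
    """Decode every entry of a name -> encoded-string table."""
    return {name: decode(enc) for name, enc in table.items()}


def find_encoded(blob: bytes, plaintexts) -> dict:
    """Search a raw binary for the encoded form of known plaintexts.

    If a new build reuses the same table, the encoded bytes of the password
    or C2 hostname appear verbatim in the file. Returns {plaintext: offset}
    for each hit. (Hypothetical triage helper, not part of the sample.)
    """
    hits = {}
    for p in plaintexts:
        off = blob.find(encode(p).encode("ascii"))
        if off != -1:
            hits[p] = off
    return hits


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:12} {value}")
    # Constructed blob: two junk bytes, four letters, then the encoded password.
    blob = b"\x00\x01junk$7|3vfaa~8\x00"
    print(find_encoded(blob, ["logmeINNOW", "ircbd.anondns.net"]))
```

Because the mapping is a fixed table with no key schedule, encode() is as cheap as decode(); feeding it the strings from this sample and grepping other ARM builds for the output is a quick way to confirm they share the same obfuscation.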
How to Run/Debug It?
Rather than infecting a physical router or building a uClibc-based distribution for a Raspberry Pi, a practical alternative is an emulated environment whose root filesystem already uses uClibc.
For example, Valerio Di Giampietro has published an excellent set of scripts that build a QEMU environment emulating the D-Link DVA-5592 router. The environment emulates the router's ARMv7 Cortex-A9 processor, memory and root filesystem, together with an older Linux kernel (3.4.11-rt19).
As a result, the IRC bot b_armv7l runs under that QEMU VM out of the box. Besides making it possible to deploy the honeypot in a cloud, this approach lets the honeypot's traffic be captured on the host. Since the bot can be ordered to launch DoS attacks (see the end of this post), egress from the VM should be restricted to the C2 connection and fully logged.
When the IRC bot is executed in the virtual honeypot, it connects to the remote IRC server. As seen in the intercepted traffic, the server answers with high-level user and server statistics followed by its Message of the Day (MOTD):
:- _____ _____ _ _ _____
:- |_ _|__ __ _ _ _|_ _| \| |_ _|
:- | |/ -_) _` | ' \| | | .` | | |
:- |_|\___\__,_|_|_|_|_| |_|\_| |_|
:-
:- \|/
:- .-*-
:- / /|\
:- _L_
:- ," ".
:- (\ / O O \ /)
:- \| _ |/
:- \ (_) /
:- _/.___,\_
:- (_/ \_)
:-
:-
:- '##:::::'##:'########:::::'######:::::'###::::'##::: ##:
:- ##:'##: ##: ##.....:::::'##... ##:::'## ##::: ###:: ##:
:- ##: ##: ##: ##:::::::::: ##:::..:::'##:. ##:: ####: ##:
:- ##: ##: ##: ######:::::: ##:::::::'##:::. ##: ## ## ##:
:- ##: ##: ##: ##...::::::: ##::::::: #########: ##. ####:
:- ##: ##: ##: ##:::::::::: ##::: ##: ##.... ##: ##:. ###:
:- . ###. ###:: ########::::. ######:: ##:::: ##: ##::. ##:
:- :...::...:::........::::::......:::..:::::..::..::::..::
:- '########::::'###::::'##:::'##:'########::::'####:'########:
:- ... ##..::::'## ##::: ##::'##:: ##.....:::::. ##::... ##..::
:- ::: ##:::::'##:. ##:: ##:'##::: ##::::::::::: ##::::: ##::::
:- ::: ##::::'##:::. ##: #####:::: ######::::::: ##::::: ##::::
:- ::: ##:::: #########: ##. ##::: ##...:::::::: ##::::: ##::::
:- ::: ##:::: ##.... ##: ##:. ##:: ##::::::::::: ##::::: ##::::
:- ::: ##:::: ##:::: ##: ##::. ##: ########::::'####:::: ##::::
:- :::..:::::..:::::..::..::::..::........:::::....:::::..:::::
:- '########:::'#######::'##:::::'##:'##::: ##:
:- ##.... ##:'##.... ##: ##:'##: ##: ###:: ##:
:- ##:::: ##: ##:::: ##: ##: ##: ##: ####: ##:
:- ##:::: ##: ##:::: ##: ##: ##: ##: ## ## ##:
:- ##:::: ##: ##:::: ##: ##: ##: ##: ##. ####:
:- ##:::: ##: ##:::: ##: ##: ##: ##: ##:. ###:
:- ########::. #######::. ###. ###:: ##::. ##:
:- ........::::.......::::...::...:::..::::..::
:-
:-
:- .-. .-. _ .-.
:- : : : ::_; : :
:- .--. ,-.,-. .-' : .-..-..-. .--. .-' :.-. .-' :
:- ' .; ; : ,. :' .; : : `; `; :' '_.' ' .; :: :' .; :
:- `.__,_;:_;:_;`.__.' `.__.__.'`.__.' `.__.':_;`.__.'
:-
:-
:- just talk to us,
:- when you spot us
Next, the client joins the IRC channel #GLIBC_2.
Once joined, the server replies with the channel topic (IRC numeric 332), a jab at Cado Security, a company that had reported on TeamTNT earlier:
:TeamTNT.IRC.Hub 332 DPAOKJ #GLIBC_2 :CadoSecurity lies to look really good
After that, the client falls into a waiting state, periodically sending PING commands to the server and receiving PONG responses.
We’ve got a bee! (or, is it a fly?)
After approximately two days of running, the honeypot registered a remote command sent by the attackers to the IRC bot in the virtualised honeypot:
:!* SH netstat -ntl | grep -v grep | grep -v ":1982 " | grep -v ":6697 " | grep -v ":1982 " | grep -v ":2105 " | grep -v ":51982 "
The request starts with the "SH " command. The bot strips that prefix and passes the rest of the line to popen(), which runs it through the shell (/bin/sh -c), so the operator effectively has an unauthenticated remote shell on every bot in the channel.
With this command the attackers ran netstat to see which ports were listening on the 'router'. The command carries a filter to exclude the 'noisy' ports from the report (note the duplicated ":1982 " filter, reproduced as captured).
The bot complied: it executed the netstat command and sent the output back line by line as IRC NOTICE messages. The output showed that the 'router' had only one port open, SSH on port 22:
NOTICE NKDE :Active Internet connections (only servers)
NOTICE NKDE :Proto Recv-Q Send-Q Local Address Foreign Address State
NOTICE NKDE :tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
NOTICE NKDE : NKDE!~NKDE@[HONEYPOT_IP_ADDRESS] QUIT :Client closed connection
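To turn captured C2 traffic like the above into something a detection pipeline can work with, the following added example (not code from the original post or from the malware) parses IRC lines into prefix, command and parameters, recognises the "!<target> <CMD> [args]" control syntax the bot honours, and reconstructs the exchange: the channel topic, the shell command the operator sent, and the NOTICE lines the bot returned. The page shows only the trailing ":!* SH ..." part of the command line; the surrounding PRIVMSG framing, the operator nick and host in the sample capture are assumed and constructed for the example.

```python
# Added example: parse captured IRC C2 lines and extract the bot's shell commands.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IrcMessage:
    prefix: Optional[str]   # "nick!user@host" or a server name, without the leading ':'
    command: str            # verb ("PRIVMSG", "NOTICE") or 3-digit numeric ("332")
    params: List[str]       # middle params, then the trailing ':...' param without ':'


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 style line into prefix, command and parameters."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    command, _, rest = line.partition(" ")
    params: List[str] = []
    while rest:
        if rest.startswith(":"):          # trailing parameter may contain spaces
            params.append(rest[1:])
            break
        param, _, rest = rest.partition(" ")
        params.append(param)
    return IrcMessage(prefix, command.upper(), params)


# Control line inside a PRIVMSG body: "!<target> <CMD> [args]".
# "*" addresses every bot in the channel (assumed from the ":!* SH ..." capture).
BOT_CMD = re.compile(r"^!(?P<target>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


def extract_bot_command(msg: IrcMessage) -> Optional[Tuple[str, str, str]]:
    """Return (target, CMD, args) if msg carries an operator command, else None."""
    if msg.command != "PRIVMSG" or len(msg.params) < 2:
        return None
    m = BOT_CMD.match(msg.params[-1])
    if not m:
        return None
    return m.group("target"), m.group("cmd").upper(), m.group("args") or ""


def reconstruct_exchange(lines):
    """Walk captured lines; return (topic, commands, notices).

    commands is a list of (CMD, args); for "SH" the args string is exactly
    what the bot hands to popen(), i.e. what /bin/sh -c will execute.
    notices is a list of (target_nick, text) the bot sent back.
    """
    topic = None
    commands: List[Tuple[str, str]] = []
    notices: List[Tuple[str, str]] = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "332" and len(msg.params) >= 3:
            topic = (msg.params[1], msg.params[2])
        elif (cmd := extract_bot_command(msg)) is not None:
            commands.append((cmd[1], cmd[2]))
        elif msg.command == "NOTICE" and len(msg.params) == 2:
            notices.append((msg.params[0], msg.params[1]))
    return topic, commands, notices


# Constructed capture. Lines 1 and 3-5 are from the post; line 2 adds an
# assumed PRIVMSG frame and a made-up operator nick/host around the real payload.
CAPTURE = [
    ":TeamTNT.IRC.Hub 332 DPAOKJ #GLIBC_2 :CadoSecurity lies to look really good",
    ':op!~op@203.0.113.5 PRIVMSG #GLIBC_2 :!* SH netstat -ntl | grep -v grep '
    '| grep -v ":1982 " | grep -v ":6697 " | grep -v ":1982 " | grep -v ":2105 " '
    '| grep -v ":51982 "',
    "NOTICE NKDE :Active Internet connections (only servers)",
    "NOTICE NKDE :Proto Recv-Q Send-Q Local Address Foreign Address State",
    "NOTICE NKDE :tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN",
]

if __name__ == "__main__":
    topic, commands, notices = reconstruct_exchange(CAPTURE)
    print("topic:", topic)
    for cmd, args in commands:
        print(f"operator command {cmd}: {args}")
    for _, text in notices:
        print("bot replied:", text)
```

The same parser can be pointed at a live pcap's TCP payloads; anything that yields a ("SH", ...) tuple is an attacker-issued shell command and is worth alerting on regardless of what the command itself does.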
If the router's SSH service is reachable from the Internet rather than hidden behind the ISP's NAT, the attackers can then try to log in directly, either with default credentials or by brute-forcing them.
The ultimate goal of the attackers is to infect the compromised device with an XMRig coinminer, also built for ARMv7 CPUs.
As an extra feature, the IRC bot itself can be instructed to launch DoS attacks against other targets.
As their Message of the Day claims, they have done this before.