Moobot Strikes Again – Targeting Cacti And RealTek Vulnerabilities | FortiGuard Labs

Affected platforms: Windows, Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical

FortiGuard Labs observed several bursts of attacks targeting Cacti and Realtek vulnerabilities in January and March of this year, followed by the spread of ShellBot and Moobot malware. (Figure 1 shows trigger counts from our IPS signatures for the CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti) vulnerabilities.)

ShellBot, also known as PerlBot, is malware written in Perl that uses the Internet Relay Chat (IRC) protocol to communicate with its command-and-control (C&C) server. Moobot is a Mirai-variant botnet that targets exposed networking devices; we reported its attacks on Hikvision products in 2021. Compromised endpoints are controlled by its C&C server and used to launch further attacks, such as distributed denial-of-service (DDoS) attacks.

This article will examine the payloads of these two attacks and their resulting malware behavior.

Payload – Realtek Jungle SDK Remote Code Execution

CVE-2021-35394 is an arbitrary command injection vulnerability in the UDPServer component of the Realtek Jungle SDK, caused by insufficient validation of commands received from clients. The complete payloads are shown in Figure 2.

Payload – Cacti Command Injection Vulnerability

CVE-2022-46169 is a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti. The vulnerability resides in the “remote_agent.php” file, which can be accessed without authentication. The Moobot payload is shown in Figure 3, and the ShellBot payload is in Figure 4.
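As an added, defender-side example (not part of this article or of any Fortinet tooling), the Python script below scans Apache-style access logs for hits on the unauthenticated remote_agent.php endpoint and flags query values that carry shell metacharacters, including double-URL-encoded ones that a single decode would miss. The log lines, IP addresses and query parameter names are constructed placeholders, and the metacharacter list is a heuristic assumption, not the exact injection vector used against Cacti.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache "combined"-format lines (not taken from the article).
# Parameter names are placeholders, not the real injection parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2023:10:01:02 +0000] "GET /cacti/remote_agent.php?id=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [12/Mar/2023:10:01:09 +0000] "GET /cacti/remote_agent.php?id=1%3Bid HTTP/1.1" 200 120 "-" "python-requests/2.28"
198.51.100.9 - - [12/Mar/2023:10:02:00 +0000] "GET /cacti/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2023:10:02:31 +0000] "GET /cacti/remote_agent.php?id=1%253Bid HTTP/1.1" 200 120 "-" "python-requests/2.28"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a poller request (heuristic assumption).
META_RE = re.compile(r"[;|&`\n]|\$\(")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return 'exploit_attempt', 'review' or None for one parsed record."""
    url = urlsplit(rec["path"])
    if not url.path.endswith("/remote_agent.php"):
        return None
    # parse_qsl decodes once; a second unquote catches double-encoded values.
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        if META_RE.search(unquote(value)):
            return "exploit_attempt"
    # Any hit on the unauthenticated endpoint is worth a look on an unpatched host.
    return "review"


def triage(log_text):
    """Return (client IP, verdict, request path) for every noteworthy line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append((rec["ip"], verdict, rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, verdict, path in triage(SAMPLE_LOG):
        print(f"{verdict:16} {ip:15} {path}")
```

Run it against a real log with `triage(open("access.log").read())`; on a patched Cacti the "review" hits still show which clients probe the endpoint, which is useful context when correlating with the malware host and C2 IOCs listed at the end of this post.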

Malware Analysis – Moobot

The script that downloads the Moobot binaries is shown below. It runs each Moobot binary with the parameter realtek.<Filename>.

Analyzing the MIPS version (SHA256: 455314A186B4A9A1788E2ACB85A9B6B34FB0A7700D0DECC6DE056030FEA543DF), we can identify Moobot by the specific seed “w5q6he3dbrsgmclkiu4to18npavj702f” it uses for generating random strings (Figure 6). Like most Mirai variants, it has an encrypted data section holding the botnet configuration; the encryption key “0xDEADBEEF” is shown in Figure 7.

Once executed, it prints “listening to tun0” to the console and then starts communicating with the C2 host “troon[.]dns[.]army”, sending the heartbeat message “0x336699”. The traffic capture is shown in Figure 8. Once it receives a command from the C2 server, it starts its attack.
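The seed string and the 0xDEADBEEF key together give a quick static triage for suspected Moobot samples. The Python below is an added example, not code from the article: it assumes Moobot keeps Mirai's original table obfuscation, in which every byte of the configuration is XORed with each of the four key bytes in turn (which collapses to a single XOR with 0x22), recovers that effective byte by crib-searching for “/bin/busybox” so that it also works when a variant changes the key, and lists the NUL-separated strings that come out. The sample image is constructed inline, with a placeholder in place of the C2 hostname.

```python
import re

MOOBOT_SEED = b"w5q6he3dbrsgmclkiu4to18npavj702f"   # random-string seed named in the article
TABLE_KEY = 0xDEADBEEF                               # config-table key named in the article


def effective_xor_byte(key32):
    """Mirai's table.c XORs each byte with the four key bytes in turn, which is
    the same as one XOR with their combination (0x22 for 0xDEADBEEF)."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def mirai_xor(data, key32=TABLE_KEY):
    """Apply the Mirai-style table (de)obfuscation; it is its own inverse."""
    k = effective_xor_byte(key32)
    return bytes(b ^ k for b in data)


def printable_strings(blob, min_len=6):
    """Runs of printable ASCII, the same thing `strings` would report."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def recover_key_byte(sample, crib=b"/bin/busybox"):
    """Brute-force the single effective key byte with a crib that nearly every
    Mirai build carries. Returns None when no key byte reproduces the crib."""
    for k in range(256):
        if bytes(b ^ k for b in crib) in sample:
            return k
    return None


def triage(sample):
    """Coarse static triage of a Moobot/Mirai candidate image."""
    key = recover_key_byte(sample)
    return {
        "seed_found": MOOBOT_SEED in sample,
        "key_byte": key,
        # Decrypting the whole image also turns plain data into junk runs; the
        # real config strings are the NUL-separated, meaningful ones.
        "decrypted_strings": printable_strings(bytes(b ^ key for b in sample)) if key is not None else [],
    }


def constructed_sample():
    """Constructed stand-in for a Moobot image (not bytes from a real sample):
    a fake ELF header, the plain seed string, then an obfuscated config table
    with a placeholder where the real C2 hostname would sit."""
    table = b"\x00listening to tun0\x00/bin/busybox\x00c2-placeholder.invalid\x00"
    return b"\x7fELF" + b"\x00" * 12 + MOOBOT_SEED + b"\x00" + mirai_xor(table)


if __name__ == "__main__":
    report = triage(constructed_sample())
    print("seed present:", report["seed_found"])
    print("effective key byte: 0x%02x" % report["key_byte"])
    for s in report["decrypted_strings"]:
        print("  ", s)
```

On a real file, `triage(open(path, "rb").read())` is the whole workflow; expect a few junk runs from the decrypted ELF header and code alongside the configuration strings, and treat a recovered key byte other than 0x22 as a sign that the variant re-keyed its table.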

Moobot carries the following list of process names belonging to known bots and uses the command “kill -9” on them to ensure it is the only bot running on the infected device:

dvrHelper, Ni**eR69xd, 1337SoraLOADER, Ni**eRd0nks1337, X19I239124UIU, IuYgujeIqn, 14Fa, ccAD, BOGOMIPS, /etc/rc.d/rc.local, g1abc4dmo35hnp2lie0kjf, /dev/FTWDT101_watchdog, /dev/netslink/, PRIVMSG, GETLOCALIP, KILLATTK, Eats8, v[0v, 93OfjHZ2z, GhostWuzHere666, WsGA4@F6F, ACDB, AbAd, iaGv

Technical Analysis – ShellBot

ShellBot’s activity began in January and primarily targeted the Cacti vulnerability. We collected three ShellBot variants in our traffic capture system. The first is “PowerBots (C) GohacK”, downloaded from http[:]//80[.]68[.]196[.]6/ff; its configuration is shown in Figure 9. Its C2 is “49[.]212[.]234[.]206:3303”, and the bot’s process masquerades as “/usr/sbin/sshd” to evade detection.

After the communication channel is set up, the client waits for a command from the server. There are six commands, shown below:

The second variant is “LiGhT’s Modded perlbot v2” from 85[.]239[.]33[.]32. It downloads the files “ce” and “plm”, each with a slightly different configuration, as shown in Figure 10. The C2 host is “juice[.]baselinux[.]net”, and the process name is “/usr/sbin/mysql”. The traffic capture is shown in Figure 11. The server was created in March 2023, and hundreds of victims are already in this channel.
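Both of these ShellBot variants hide behind a daemon name. On Linux a Perl script normally does that by assigning to $0, which rewrites /proc/<pid>/cmdline but not the /proc/<pid>/exe link, which still points at the Perl interpreter. The Python hunt below is an added example, not part of the article: it reports processes whose claimed argv[0] disagrees with an interpreter-backed executable, and it skips daemons such as sshd that legitimately rewrite their own argv. The process table is constructed; scan_proc() reads the real /proc when run as root. The interpreter list is an assumption to extend for your environment.

```python
import os
from dataclasses import dataclass

# Script interpreters a hidden bot is likely to run under (assumption).
INTERPRETERS = ("perl", "python", "php", "ruby", "bash", "dash", "sh")
# Disguises the article reports for ShellBot; used for labelling only, the
# mismatch check below does not depend on them.
KNOWN_DISGUISES = {"/usr/sbin/sshd", "/usr/sbin/mysql"}


@dataclass
class Proc:
    pid: int
    exe: str       # target of /proc/<pid>/exe, the binary actually mapped
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def is_interpreter(path):
    """True for perl, perl5.34, python3.11 and similar; false for sshd, sha256sum, php-fpm."""
    base = os.path.basename(path.replace(" (deleted)", ""))
    for name in INTERPRETERS:
        if base == name:
            return True
        if base.startswith(name) and base[len(name):].strip("0123456789.") == "":
            return True
    return False


def is_masquerading(p):
    """Flag a process whose argv[0] claims one name while the mapped executable
    is a script interpreter under another."""
    if not p.cmdline:
        return False                      # kernel threads have an empty cmdline
    argv0 = p.cmdline.split(" ", 1)[0]
    claimed = os.path.basename(argv0)
    actual = os.path.basename(p.exe.replace(" (deleted)", ""))
    if claimed == actual or is_interpreter(argv0):
        return False                      # "/usr/sbin/sshd -D", "perl x.pl", "python3 -m ..."
    # Daemons such as sshd rewrite argv themselves ("sshd: alice [priv]"),
    # so only an interpreter-backed process counts as a disguise.
    return is_interpreter(p.exe)


def find_masquerading(procs):
    return [p for p in procs if is_masquerading(p)]


def describe(p):
    argv0 = p.cmdline.split(" ", 1)[0]
    tag = " [known ShellBot disguise]" if argv0 in KNOWN_DISGUISES else ""
    return f"pid {p.pid}: claims {argv0}, runs {p.exe}{tag}"


def scan_proc(root="/proc"):
    """Read the live process table. Resolving other users' exe links needs root;
    unreadable or already-exited entries are skipped."""
    procs = []
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(root, name, "exe"))
            with open(os.path.join(root, name, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        cmdline = raw.rstrip(b"\x00").replace(b"\x00", b" ").decode("utf-8", "replace")
        procs.append(Proc(int(name), exe, cmdline))
    return procs


# Constructed process table (not captured from a real host).
CONSTRUCTED_PROCS = [
    Proc(412, "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(900, "/usr/sbin/sshd", "sshd: alice [priv]"),
    Proc(1337, "/usr/bin/perl", "/usr/sbin/sshd"),
    Proc(2200, "/usr/bin/perl5.34", "perl /usr/local/bin/backup.pl"),
    Proc(2300, "/usr/bin/perl5.34", "/usr/sbin/mysql"),
    Proc(2400, "/usr/bin/python3.11", "python3 -m http.server"),
]

if __name__ == "__main__":
    for p in find_masquerading(CONSTRUCTED_PROCS):
        print("sample:", describe(p))
    if os.path.isdir("/proc"):
        for p in find_masquerading(scan_proc()):
            print("live:  ", describe(p))
```

A hit is a lead, not a verdict: confirm it by reading /proc/<pid>/cmdline and the open sockets of the process, where an IRC connection to a port such as 3303 or 6667 would match the C2 behaviour described for these variants.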

The commands used in perlbot are listed below. They include numerous types of flooding attacks and hacking functions, as well as an exploit enhancement module that fetches news from a public website offering exploits and security advisories.

The third variant is “B0tchZ 0.2a” from 46[.]101[.]183[.]162/.xx/web. The malicious website is shown in Figure 12. All files on this website are IRC botnets that use the same C2 server, 198[.]98[.]61[.]106:8080. The configuration from the payload that targets vulnerable Cacti servers is shown in Figure 13.

The file is written in Portuguese, and the command list is below:

Conclusion

Over the past few months, threat actors have been spreading ShellBot and Moobot malware on exploitable servers. Compromised victims can be controlled and used as DDoS bots after receiving a command from a C2 server. Because Moobot can kill other botnet processes and also deploy brute-force attacks, administrators should use strong passwords and change them periodically. Moreover, some of the ShellBot variants can install other malware from their C2 server.

The vulnerabilities mentioned above have a critical security impact that can lead to remote code execution. Therefore, it is highly recommended that patches and updates be applied as soon as possible.


Fortinet Protections

This malware is detected and blocked by FortiGuard Antivirus as:

Perl/IRCBot.I!tr

ELF/Moobot.A!tr

BASH/Agent.A!tr.dldr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.

Fortinet has released IPS signatures to proactively protect our customers from the threats contained in the exploit list.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Malware Host:
104[.]244[.]76[.]105
156[.]224[.]24[.]249
206[.]217[.]205[.]24
199[.]195[.]250[.]172
80[.]68[.]196[.]6
85[.]239[.]33[.]32
46[.]101[.]183[.]162

C2 Server:
49[.]212[.]234[.]206:3303
198[.]98[.]61[.]106:8080
juice[.]baselinux[.]net:6667
apid[.]mutoujs[.]xyz
troon[.]dns[.]army
botnet[.]goelites[.]cc
j[.]xnyidc[.]top
www[.]xiaojue[.]cyou
bot[.]layer7[.]top

Files – Moobot:
bc1ded2f3a9fc50614a159b3971a26868e6a5b09a6f6ba65d6bee1b05335e69b
55048b3df95d4dbb681be32cfe6c9e4a128045917c49da9ff1c30723debc1854
661f0fb1cf928c40333eaefc86522ddc74c7b96a8e32b93ed8153b8244d66721
d3b13f71e7637d7118ac3e170d33b3bbb15814357e21fa3318b4bf7ecbe6dc7b
0d4be7af347f2cb80dcd71cd94f1f39a6f3dbe71765d824bb0d66c11b8759cd7
e2075d6b723d7daf2303af31e3970ed79d435e52b4338ee63499c4644332ea10
3dbea4436ef3e00dcfb73608164e3d1ded9434f8ee1679cd3a790e22c91cbe11
455314a186b4a9a1788e2acb85a9b6b34fb0a7700d0decc6de056030fea543df
cd47c9db5e3ec59221361ca7459bb12a5a84014c1f8aa2e2bdad07ccb37a4e29
9144c4768b457fb5384bc807d9e992671c25dbefe9d2781672c018e1b4d8c36a
979bf642f67d5df2e8fa664c0bdecbc2954c9ced44f47122c71ad5f71a52aa0d
e2ff90f5bdf51da577be88266cc9dc8be48f1776af46949dcdd2d54e4c84449f
0cb77fabcef38d5ec4e1e64945bac8c33ea8e97346a3140e67ec30eecedc9ea0
0cd6a246eb6933bf5ac8639d8972e2c80dcdb7723a15435a914cf6b5bd30af4c
cf1b136558e7b5faf6bfce3b460afed06e613ca6747257273571399d106dea2b
175b536d5c825b78bd2567b836bb18046928f33f7ae1865afb66a4fe064ebb81
cdf1c2610bde8ae870bc083d06fb00ba1c3441c075fc6c26e9cc9f93c9a3703f
903c340da7c6ef32b2e3098389748fc5d94e88e61bfeea8a67313327f021fb9f
33aa8e731eca7ba051626845541f91fad6f69862aa1deaea7b80a15dae8d67bf
f473597e5fda9051522a52c78965d0eb050ff2971cfce8d359618e1c136ad77b
de5e60ab541838c4c3cb0bfd0733417f2fe4a19bac08683391022cdaabe263de
565d09c8fc9f712b82eae45a39029ac996904564cc08dae6306678081087e933
c33c66e7a161718da4535b34078edb04600c5a06eb1e05fe514a5ad5ac149594
e356ba8fe6ae21fbbba785ade3220a666e3fae947c68093e05b01f0c3f98e15f
7e4dadf93fbb7a01b55eadacbb40ae8d5e95f5b9592e55f0fb2340d89fc78f17
ae2c71e3e177721c336f76946d24b95512accf677c87e829a31b315d56624df3
e1366976365db1f2bffdc37d4e64e12f883f9a20e02b12d52b6a1b346b8f0692
abb3d04a081ee199cfb5687361fbbca3fa2012f588832e05de0e21874f162afd
5f0f2b2e3e839e50631b89cc2e9d980b337db417cab51f21beb0a56043297a6f
7d2c0cba18d51ed84e7a888d56dbcb5e73c1d076ed5f8e5db2528f826601b2cc
9a067e32dd6c25053c302de7caf61cdc0f3982289eb91d06c449fe08a47fc6d3
6804cebbf837d7c5559519c364cc0b20c4f9b514c74039321bc69bcfdbfb5e93
947675c8b2a65bf9b38f4d3d15d108e0826f570086c6a758d3e02be9315da1cd

Files – ShellBot:
c05cf5b2c94edd15c40db1ce52f97bdc09ec61e78386c8878b15515cbde99528
47ac3a2c51fc64479ceff1e842a414bc11dc59b9dcdbd3dd1bf011e243f91ffa
0c67234ce88958c9319ca9a8f8fdc4b48690136871515324509ac956704f1373
b7d62d1a145ddda241e624ef94ab31fcca1a13f79e130d0a704586e35745282a

Source: https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities