Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hosting methods lack.
Over the past month, FortiGuard Labs has been monitoring botnets that have adopted this strategy, abusing cloud services to enhance their malicious capabilities. These botnets, such as UNSTABLE and Condi, have been observed leveraging cloud storage and computing services operators to distribute malware payloads and updates to a broad range of devices. Using cloud servers for C2 operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack. We have also observed a threat actor exploiting multiple vulnerabilities to target JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21, and Ivanti Connect Secure to amplify their attacks.
In this article, we will detail this threat actor’s initial attack method and further explore the botnets being used.
UNSTABLE Botnet
Initial access by the UNSTABLE Botnet targets the JAWS Webserver RCE vulnerability, CVE-2016-20016, and retrieves the downloader script “jaws” from 45[.]128[.]232[.]15.
It includes multiple binary files for 13 architectures executed using the parameter “jaws.exploit.” The UNSTABLE Botnet is a Mirai variant that uses XOR to encode its configuration. It has three main modules: exploitation, scanner, and DDoS attack. The exploitation module targets three vulnerabilities: CVE-2016-20016, CVE-2018-10561/10562, and CVE-2017-17215.
The scanner module includes a hard-coded list of usernames and passwords that it uses for brute-force scanning of other endpoints in the network.
|
root |
Zte521 |
swsbzkgn |
|
taZz@23495859 |
grouter |
juantech |
|
tsgoingon |
telnet |
pass |
|
solokey |
oelinux123 |
password |
|
admin |
tl789 |
svgodie |
|
default |
GM8182 |
t0talc0ntr0l4! |
|
user |
hunt5759 |
zhongxing |
|
guest |
telecomadmin |
zlxx. |
|
telnetadmin |
twe8ehome |
zsun1188 |
|
1111 |
h3c |
xmhdipc |
|
12345 |
nmgx_wapia |
klv123 |
|
123456 |
private |
hi3518 |
|
54321 |
abc123 |
7ujMko0vizxv |
|
88888888 |
ROOT500 |
7ujMko0admin |
|
20080826 |
ahetzip8 |
dreambox |
|
666666 |
anko |
system |
|
888888 |
ascend |
iwkb |
|
1001chin |
blender |
realtek |
|
xc3511 |
cat1029 |
00000000 |
|
vizxv |
changeme |
12341234 |
|
5up |
iDirect |
huigu309 |
|
jvbzd |
nflection |
win1dows |
|
hg2x0 |
ipcam_rt5350 |
antslq |
Figure 5: Scanner module and hard-coded username/password
The DDoS attack module is a typical list that covers several protocols. The UNSTABLE botnet contains nine methods: attack_tcp_ack, attack_tcp_syn, attack_tcp_legit, attack_tcp_sack2, attack_udp_plain, attack_udp_vse, attack_udp_thread, attack_gre_ip, and attack_method_nudp. The botnets can choose the appropriate method based on commands from its C2 server.
Condi DDoS Botnet
FortiGuard Labs previously disclosed the Condi DDoS botnet, which continues to exploit CVE-2023-1389 to gain control of devices and execute its malicious activities. The binary file is hosted on “45[.]128[.]232[.]90” for distribution.
Once a device is infected, the malware kills off the competition and specific processes. It then sets up a connection to a central Command and Control (C2) server, “trembolone[.]zapto[.]org.”
UDP Flooder and Process Checker
FortiGuard Labs noticed the incident as the payload “ping -c 20 209.141.35.56,” which seemed unusual within such an attack. Since the IP address is neither the attack source nor the destination intranet, we suppose these two IP addresses, 45[.]128[.]232[.]229 and 209[.]141[.]35[.]56, might be controlled by the attacker simultaneously and one of them is a command and control (C2) server.
The attack source IP address, “45[.]128[.]232[.]229,” has four files named “msgbox.exe,” “udp,” “udparm,” and “udpmips,” respectively. These are DoS tools for different Linux architectures, except “msgbox.exe,” which pops up a message box with the string “RAT.”
The following analysis examines the “udp” file.
The tool has an unmistakable usage message, “Usage: %s <IP> <SECONDS> [PORT],” while executing without any arguments.
When executing with the necessary “IP” and “SECONDS” arguments, the tool triggers a UDP flooding DoS attack using system-generated random characters.
The IP address “209[.]141[.]35[.]56” pinged by the compromised device is exploited by the attack source IP address “45[.]128[.]232[.]229” using the CVE-2023-1389 vulnerability. It was first met with a page that the FBI has seized due to its use as a DDoS service (Figure 12). However, FortiGuard Labs found the IP address also has another route, “hxxp://209[.]141[.]35[.]56/getters/,” which contains 19 malware variants for different Linux architectures. (see Figure 13)
|
aarch64 |
microblazebe |
|
aarch64be |
microblazeel |
|
arcle-750d |
mips |
|
arcle-hs38 |
mipsel |
|
armv4l |
nios2 |
|
armv5l |
openrisc |
|
armv6l |
powerpc |
|
armv7l |
riscv64 |
|
i586 |
sh4 |
|
m68k |
sparc |
|
m68k-68xxx |
x86_64-core-i7 |
|
m68k-coldfire |
x86-core2 |
|
m68k-coldfire.gdb |
x86-i686 |
|
xtensa-lx60 |
Figure 13: The malware for different Linux architectures
We focus on analyzing the file for architecture “x86-i686.” The malware creates a socket and checks whether the C2 server is valid. If not, it terminates the program. If the server is confirmed reachable, the malware sets up a connection with C2 server “45[.]128[.]232[.]229,” which is the exploit CVE-2023-1389 source IP address, executes the “ps” command, and gathers process-related output information.
The malware executes the command “ps -eo pid,comm –no-headers” through “/bin/bash” to get all process PIDs (Process IDs) and command names running without a header line.
It then leverages the obtained PIDs (Process IDs) to further check the commands of those executing processes using “/proc/<PID>/comm.”
Afterward, the malware sends related information to the C2 server.
According to our analysis, the attackers seem to have a cloud command and control (C2) server (45[.]128[.]232[.]229) and a network-attached malware storage (209[.]141[.]35[.]56). The attacker first checks to see if the leveraged device can reach the network-attached malware storage to download malware and execute the following attack stages.
Skibidi
This malware, which we named “Skibidi,” was spread by the attacker using two different vulnerabilities simultaneously. One is CVE-2023-1389 in TP-Link Archer AX21, which botnets have continuously exploited since it was launched, as detailed in the report produced by FortiGuard Lab. The other is CVE-2024-21887 in Ivanti Connect Secure, which caused a sensation in April 2024.
Attackers first download the “Skibidi” malware with a downloader script. It downloads and executes each malware to determine the proper Linux architecture attack.
|
arm4 |
mips |
|
arm5 |
mipsel |
|
arm6 |
ppc |
|
arm7 |
sh4 |
|
x86_64 |
Figure 21: The malware targets Linux architectures
The following analysis is based on the malware “skibidi.x86_64.” While executing the malware, it displays the string “youre not skibidi enough.”
It then calls the Linux function “ptrace” to handle the process on the victim host. The malware sends signals like a debugger to the sub-program, the malware itself, to fork another process to evade detection.
The malware then decodes strings encoded by XOR for the behaviors creating process and popping up execution result string.
It calls the system function “prctl,” which manipulates the calling process by naming it with the XOR-encoded strings “-bash” and “x86_64.”
Afterward, the malware tries to connect with its C2 server through a socket. Meanwhile, it uses the system call “select” to listen to the events of files the attacker is interested in, such as process events.
The malware repeats these steps of listening to events and sends the results back to the server.
Conclusion
Cloud services’ inherent flexibility and efficiency have unwittingly provided cybercriminals with a new arena for their activities. This shift to cloud-based operations marks a significant evolution in the threat landscape, with malware operators exploiting these platforms’ advantages. Organizations must bolster their cloud security defenses as botnets and DDoS tools continue to leverage cloud services. Robust security measures and vigilant monitoring within cloud environments are imperative to combat these sophisticated attacks. Implementing a multi-layered security approach, including regular patching, updates, and network segmentation, is essential to isolate critical assets and mitigate potential breaches.
Fortinet Protections
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
BASH/Mirai.AEH!tr.dldr
ELF/Gafgyt.ST!tr
ELF/Mirai.CDB!tr
ELF/Mirai.CEA!tr
ELF/Mirai.CPD!tr
ELF/Mirai.OX!tr
ELF/Skibidi.CQC!tr
ELF/UDPFlooder.1C8B!tr
ELF/UDPFlooder.1EE7!tr
ELF/UDPFlooder.E063!tr
Linux/Mirai.CPD!tr
Linux/Mirai.REAL!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.
The FortiGuard Web Filtering Service blocks the C2 servers and downloads URLs.
FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:
CVE-2016-20016: JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution
CVE-2017-17215: Huawei.HG532.Remote.Code.Execution
CVE-2018-10561: Dasan.GPON.Remote.Code.Execution
CVE-2018-10562: Dasan.GPON.Remote.Code.Execution
CVE-2023-1389: TP-Link.Archer.AX21.Unauthenticated.Command.Injection
CVE-2024-21887: Ivanti.Connect.Secure.Policy.Secure.Authentication.Bypass
We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs
C2
45[.]128[.]232[.]15
45[.]128[.]232[.]90
45[.]128[.]232[.]229
45[.]128[.]232[.]234
URLs
hxxp://45[.]128[.]232[.]15
hxxp://45[.]128[.]232[.]90
hxxp://45[.]128[.]232[.]229
hxxp://209[.]141[.]35[.]56/getters
hxxp://45[.]128[.]232[.]234
Files
d5e81e9575dcdbbaa038a5b9251531d8beccedc93bd7d250a4bb2389c1615cd6
6226e896850de8c5550b63481b138067582ebf361f7c5448d9d0596062150d89
4c2dcd13685f24800b73856d1f3ec9a2c53c2b5480a9c10b73035a43df26c2e8
31914b317ba6a44a9d3acb99979ec8c163bef8667b0ae41524e335847d70afb0
5fbfc4c8204309e911d22d3b544773f8d4f9ab2edc71f8967bbdcce6cbc834ca
53daa1e4c2f5c11a75989334c2a0227689509606aeda9d7ab11dd200ee6138c6
a9690df4542f28fc4e3b9161b9f8d685d4ce8753bfd9b1f5c8aacd6aa4bef873
fb86bb0863d15ac65a916979052220f755765eb0d5bc4c1c47e34762738d2311
cd05eaa2b01ec1a4880839628d1c6e3bed9045478cacbfb88f14d1937ccf667b
c88da56b348f8d89b5ab99a710de7131bdbc2f1dba4bb9809b1b3fd27322630e
83a2608a93b643f68ab3dcfccf8de7b13394cc214a78fa59b6867e47fc56928c
3660fbe90420f60664e68859de918a5c592dd33024f69bebff8bb77ab41b8fca
75b594a20110e487e35ec4590a5211a425119cdf0fea6fcf030ee20cb548b7e5
ef2e57a5992d85ea2bfb5c5645f8b361dcd5c49eede38185a7b99ec00c287550
2e69d9942a4c0d6d0294d038263f2d12f3a5f6aef8d72279b01e025d32addab2
1a8508f62447e5ee624866b571a29cedc369d6ee8182782f32a75dcd58494d8c
305e0eb9b815dddd40d73f4464946a0ec21866b7727e4fe073692bf82bb46936
0092b27bee2df9536e8aff8948a1007ed1eb03f0e12e0348b72a113e7d4cb585
65f2850892365a4d6bafc303ed04379bef3b41a85336e274f9348603105d2f37
c569eb7f33dcec3e6cdcfee7195202813fda6b7bf9ecb786a4a909d6745cbbff
5110f8af13cdd872b904784d2aec75031c663baad01d68b5f05daa950d18ced3
eec122d6480803bcdd2c6906b0ae35bcffaf6bf5117dac8c7b2621f0b98b68ea
9f14cdea1b41ac1c7251e3f2d4186e12d480d108942bc8f1f7bcac133ed88ccc
5a0a8de050cc8ad2f9af41e4018b0317afc39c571f23bc9cfa115c6558205722
eb9ba3171a98dc543cbc599eb6ab9aa3a5a47cc6931afe511fa839c6a5fb889c
1825c787c308d3cb1125d416025af8c8344a158f0a0b3467df6c0c875d2d8800
eb926f93bdd9b38d44d2239b4ec9c1d45762f850bee80cf9556b23372b6f0639
8fb6110b2114e7786b1d4e7f600a08de0a25432417f863d9663d576a3c895e86
dc87ff82199cb60a8bcf59d4f8c0a706bf10051d0c15a911d37d1cda8fcf5f9e
1816c473ba94f4740c0931e118d038ecb0733f8ffb7cbb74dedc7b78952f8318
d4dbd379f914ff5ba40c1aac1be37602e4cde687e47cfd7793cb10192617f4af
d034664f627af11bd2a34ba1b228b5a6841309caabfd72a731bbd4724d947e27
4cc2110f89afac1de0c1989d0af07f8879003cac0803660f37cf394a0027db69
bd42e67e6238dfec0b7786797733c54ae1d92fe0e883758dddea779e113b5271
bd42e67e6238dfec0b7786797733c54ae1d92fe0e883758dddea779e113b5271
e758c4428a590519a281344a31f236146c996c784433fbe82eee009dd922516c
3a3581da268d0fdb8c8027e261b682b07b6715c62fbf2c8aca301b7e8dd9d637
6e21e400928f24630339441f6da0f3f1b66860bf480a9f5af20482878b686189
8363ecc977d426f0e922abbeb4f1e8ed06397c0b6951dd75233016d3b5af58c9
e511f5c8fc0bd713dc9b9742e8c682ba66177bb617e9118f84b150cf6ff4a07f
ddcb420c4141760feed2fc8c76425b72ab111d271385040c1446f6ab3993c6d7
2b526e5ac01916d74e7aa88770102a8f34d4c57cea7a4e45c501331670635e26
666eed520d2b430e1016eec555c0cd125912f9a8f7590d77c286eff52416fbaf
ba4229f5e44c378ae293b58139233a9bfbecbfd22fb51e05f74de38b186a071c
c376db6e6f6905113e7beb1f14d8e5a44b8374a959eefd0f5d25ab0f3cbabee2
ae999de92c369e53a3287ab034f2839367b44f7fd82d6ed56a5700c22ed44635
e94b6b99fae4dc8e5b0796c877ed01bf25f77ccab95fb43d24abed00e0f8a15a
8fcb5c4c5306f3e7ffa2a47dedaddc108c77ef8ef48ec0980a0c441333e0a18b
34f653119e418621c1cbfe7cf0614ea62e9a98dc345e4d7408eea96a08d3ac0d
a51333460fb711e0b172b6e4893d5bca6b9996f240b450fdaa5cbf14511c9e27
90a43ca83efb2d460b86ff897b1bc657170b6c79c2c804610cdfca8f24adc71e
c5b6320925963ca6d5439dca7154c526c3a26500e204b48ff30a50c3a1b875ad
e7d87e68265a9a324d76759cca4f613c28c590b36490c8c65ee3d17918e5d3ec
2867b3fd3c840aa9c868a88a5f6d417a09e4158f8209f0450a07eeb7e99ba4c8
Source: Original Post