{"id":17986,"date":"2022-02-02T10:18:04","date_gmt":"2022-02-02T18:18:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11719\/"},"modified":"2022-02-02T10:18:04","modified_gmt":"2022-02-02T18:18:04","slug":"news-11719","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11719\/","title":{"rendered":"Mirai-based Botnet &#8211; Moobot Targets Hikvision Vulnerability"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Threat\u00a0Research Report<\/b><\/p>\n<p><b>Affected platforms<\/b>: Hikvision Product<br \/> <b>Impact parties<\/b>: IP Cam\/NVR<br \/> <b>Impact<\/b>: Attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands in the web server\u00a0<br \/> <b>Severity<\/b><span>: Critical<\/span><\/p>\n<p>Last September 18th, a threat researcher released a\u00a0<a href=\"https:\/\/watchfulip.github.io\/2021\/09\/18\/Hikvision-IP-Camera-Unauthenticated-RCE.html\" target=\"_blank\">write-up<\/a><span>\u00a0about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world.\u00a0Hikvision is a CVE CNA and quickly assigned the CVE number, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-36260\">CVE-2021-36260<\/a> and released a patch for the vulnerability on the same day as the threat researcher\u2019s disclosure. 
Shortly after, FortiGuard Labs developed an IPS signature to address it.\u00a0<\/span> <\/p>\n<p>During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention. It tries to drop a downloader that exhibits infection behavior and that also executes Moobot, which is a DDoS botnet based on Mirai. In this blog we explain how an attacker delivers this payload through the Hikvision vulnerability, along with details of the botnet.<\/p>\n<h2>Stage 0 \u2013 Exploitation and Propagation<br \/> <\/h2>\n<p>CVE-2021-36260 results from insufficient input validation, allowing unauthenticated users to inject malicious content into a &lt;language&gt; tag to trigger a command injection attack on a Hikvision product. Below is an example of a request leveraging this exploit:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image.img.png\/1637648448180\/picture1.png\" alt=\"Figure 1. Exploit traffic of CVE-2021-36260\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Exploit traffic of CVE-2021-36260<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We collected a number of payloads leveraging this vulnerability, and eventually found a downloader. 
After tracing the traffic capture, the complete payload is shown in the following figure:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_510061836.img.png\/1637648435894\/picture2.png\" alt=\"Figure 2. Payload from CVE-2021-36260\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Payload from CVE-2021-36260<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Because the final Moobot will be saved as \u201cmacHelper,\u201d the payload first tries to remove any file already named \u201cmacHelper.\u201d It then echoes code into \u201cdownloader,\u201d which is a small ELF 32-bit LSB ARM file. After the downloader completes its download, it executes Moobot with the parameter \u201chikivision\u201d. Finally, it changes commonly used commands, such as \u201creboot,\u201d to prevent an administrator from invoking reboot on the affected device.\u00a0<\/p>\n<h2>Stage 1 &#8211; Downloader\u00a0<\/h2>\n<p>The attacker leverages this vulnerability to drop a downloader (SHA256: 1DCE6F3BA4A8D355DF21A17584C514697EE0C37B51AB5657BC5B3A297B65955F). It has only one job: download the main botnet. It downloads the malware with the \u201c\/arm5\u201d URI from server 199.195.250[.]233:80 and prints\u00a0\u201cRAY\u201d if the download was successful. 
The following image shows the disassembled code:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1790419722.img.png\/1637648487483\/picture3.png\" alt=\"Figure 3. Downloader\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Downloader<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>From the IP address we not only get the moobot variants for different architectures, we also get the historic malware from directory \u201c\/h\/\u201c.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_208910713.img.png\/1637648524316\/screen-shot-2021-11-22-at-10.21.47-pm.png\" alt=\"Figure 4. Sample list from downloader\u2019s IP\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. 
Sample list from downloader\u2019s IP<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Stage 2 &#8211; Moobot<\/h2>\n<p>Based on our analysis, the <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/malware?utm_source=blog&amp;utm_campaign=malware\">malware<\/a> (SHA256: 38414BB5850A7076F4B33BF81BAC9DB0376A4DF188355FAC39D80193D7C7F557) downloaded in the previous stage is Moobot, which is Mirai-based. Its most obvious feature is that it contains the data string \u201cw5q6he3dbrsgmclkiu4to18npavj702f\u201d, which is used in the \u201crand_alphastr\u201d function. It is used to create random alphanumeric strings with different purposes, such as for a setup process name or to generate data for attacking.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_14506396.img.png\/1637648563859\/picture5.png\" alt=\"Figure 5. Alphanumeric string function from Moobot\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Alphanumeric string function from Moobot<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It also has some elements from Satori, which is another Mirai variant botnet. It contains a \u201c<i>downloader\u201d<\/i>\u00a0that targets a victim\u2019s IoT devices, and it prints a \u201c9xsspnvgc8aj5pi7m28p\u201d string after execution. 
This variant also forks itself with the process name \u201c\/usr\/sbin*\u201d to try\u00a0to look like a normal process while wiping out the original file, \u201cmacHelper\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_291703359.img.png\/1637648608591\/picture6.png\" alt=\"Figure 6. Code snippet from Moobot\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Code snippet from Moobot<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Since it is based on Mirai, the botnet also contains a data section to store its configuration. The plaintext configuration can be decoded after XOR with 0x22:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_933007383.img.png\/1637648640465\/picture7.png\" alt=\"Figure 7. Decoded data containing configuration\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. 
Decoded data containing configuration<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After getting the C2 server (life.zerobytes[.]cc) from its configuration, it starts sending heartbeat (x00x00) packets and then waits for the next control command from the C2 server. Once the victim system receives the command, it starts a <a href=\"https:\/\/www.fortinet.com\/products\/ddos\/fortiddos.html?utm_source=blog&amp;utm_campaign=ddos\">DDoS<\/a> attack to a specific IP address and port number. One example of the DDoS attack traffic is shown below:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1482714589.img.png\/1637648674394\/picture8.png\" alt=\"Figure 8. SYN flood\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. SYN flood<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The DDoS attack command is 24 bytes and can be seen in the Data section in Figure 8. This detail is illustrated in the following figure, which includes the flood method and the target IP\/Port. 
Besides SYN flood, the C2 server supports other attack commands, such as 0x06 for\u00a0UDP flood, 0x04 for ACK flood, and 0x05 for ACK+PUSH flood.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_516632418.img.png\/1637648741437\/picture9.png\" alt=\"Figure 9. Command\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Command<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The complete attack scenario, from trying to infect a Hikvision product to deploying Moobot, is\u00a0shown in Figure 10:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_282771466.img.png\/1637648785918\/picture10.png\" alt=\"Figure 10. Attack scenario\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Attack scenario<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We also identified a DDoS service provider based on the packet capture from our machine shown in Figure 11. We tracked down a Telegram channel named \u201ctianrian,\u201d which provides a DDoS service. They use a specific string, \u201copenmeokbye\u201d, in their login interface, shown in Figure 12. 
This channel was created on June 11, 2021, and started its service in August. From the chat channel we can see that the service is still being updated. Users should always look out for DDoS attacks and apply patches to vulnerable devices.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1588617229.img.png\/1637648853046\/picture11.png\" alt=\"Figure 11. Traffic capture from infected machine\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. Traffic capture from infected machine<\/span>         <\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1684690425.img.png\/1637648879554\/picture12.png\" alt=\"Figure 12. Telegram channel\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. Telegram channel<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Conclusion<\/h2>\n<p>Hikvision is one of the biggest providers of IP cam\/NVR products in the global market. CVE-2021-36260 is a critical vulnerability that makes Hikvision products a target for Moobot. 
In this blog we showed how an attacker can leverage CVE-2021-36260 and elaborated in detail each stage of the process.<\/p>\n<p>Although a\u00a0<a href=\"https:\/\/www.hikvision.com\/en\/support\/cybersecurity\/security-advisory\/security-notification-command-injection-vulnerability-in-some-hikvision-products\/\" target=\"_blank\">patch<\/a>\u00a0has been released to address this vulnerability, this IoT botnet will never stop looking for a vulnerable end point. Because of this, users should upgrade affected devices immediately as well as apply FortiGuard protection.<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>Fortinet released <a href=\"https:\/\/www.fortinet.com\/products\/data-center-ips.html?utm_source=blog&amp;utm_campaign=ips-page\">IPS<\/a> signature Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection for CVE-2021-36260 to proactively protect our customers. The signature is officially released in IPS definition version 18.192.<\/p>\n<p>The downloader and all related malware from that site are detected and blocked by FortiGuard AntiVirus:\u00a0<\/p>\n<p style=\"margin-left: 40.0px;\">ELF\/Mirai.AE!tr<\/p>\n<p style=\"margin-left: 40.0px;\">ELF\/Mirai.BO!tr<\/p>\n<p style=\"margin-left: 40.0px;\">ELF\/Mirai.D!tr<\/p>\n<p style=\"margin-left: 40.0px;\">ELF\/Mirai.AYU!tr<\/p>\n<p style=\"margin-left: 40.0px;\">ELF\/Mirai.WJ!tr<\/p>\n<p style=\"margin-left: 40.0px;\">Linux\/Mirai.WJ!tr<\/p>\n<p>Both the downloading URL and C2 server have been rated as &quot;Malicious Websites&quot; by the FortiGuard <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">Web Filtering<\/a> service.<\/p>\n<h3><b>IOCs<\/b><\/h3>\n<p>SHA256:\u00a0<\/p>\n<p style=\"margin-left: 40.0px;\">1DCE6F3BA4A8D355DF21A17584C514697EE0C37B51AB5657BC5B3A297B65955F<\/p>\n<p style=\"margin-left: 
40.0px;\">38414BB5850A7076F4B33BF81BAC9DB0376A4DF188355FAC39D80193D7C7F557<\/p>\n<p><i>Learn more about Fortinet\u2019s\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\"><i>FortiGuard Labs<\/i><\/a><i>\u00a0threat research and intelligence organization and the FortiGuard Security Subscriptions and Services\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\"><i>portfolio<\/i><\/a><i>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qbkzwxxbiv83f0ol5a2d-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/mirai-based-botnet-moobot-targets-hikvision-vulnerability\/_jcr_content\/root\/responsivegrid\/image.img.png\/1637648448180\/picture1.png\"\/><br \/>FortiGuard Labs analyzes how an attacker can leverage CVE-2021-36260 to create targets for Moobot which is a DDoS botnet based on Mirai. 
In this blog we explain how an attacker delivers this payload along with details of the botnet.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17986","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17986"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17986\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17986"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}