October 19, 2020
Severity
Medium
Analysis Summary
IPStorm propagates by attacking Unix-based systems (Linux, Android and Darwin) that run Internet-facing SSH servers with weak credentials or unsecured ADB servers. Its capabilities include backdooring the device (running shell commands) and generating malicious traffic (scanning the Internet and infecting other devices). The main purpose of the botnet is to turn infected devices into proxies as part of a for-profit scheme; the bot herders pose as a legitimate proxy service on the Clearnet. Earlier this month, IPStorm introduced a new variant for Linux.
Analysis indicates that the botnet's authors are proficient in Golang and in building and concealing nodes. The complex infrastructure is designed to seek out and compromise targets, update to newer versions, run commands on infected machines, and communicate with C2 servers through a web API. Specialized nodes within the management structure handle node availability checks, proxy connections, web API hosting, signing of authorized messages, and testing of the malware. At present approximately 9,000 devices make up the botnet, most of them running Android or Linux. A tiny number of Windows devices are also infected; these victims are running older versions of the malware. Targeting has been focused mostly on Asia, although other countries have also been observed, including Brazil, Ukraine, the US, Sweden, and Canada. The botnet uses a multi-tier subscription-based pricing model. To date there have been more than 100 code revisions. Notably, the malware examines the victim machine for competing malware and, if any is found, disables it.
Impact
- Unauthorized Access
- Device Compromise
- Data Exfiltration
- Code Execution
Indicators of Compromise
MD5
- 6ea7f841cc5716004096fa80beb4239c
- af91346509748f038726bbf3c1a6dcef
- becad26802d775c09bc46a07f31ddf47
- 5703ac56ccfc43a02438121f350f6fa5
- f07b80e10ecf08bdb8e0515d18da27c8
- 5f5edc19c2760588a8c846b349925b33
SHA-256
- ba1e8d25cc380fdbbf4b5878a31e5ed692cfd2523f00ca41022e61f76654dd4f
- 50406ec7fa22c78e9b14da4ccc127a899db21f7a23b1916ba432900716e0db3d
- 4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1
- 56c08693fdf92648bf203f5ff11b10b9dcfedb7c0513b55b8e2c0f03b209ec98
- 16bcb323bfb464f7b1fcfb7530ecb06948305d8de658868d9c3c3c31f63146d4
- d6086cc29061f596c782214cb7fdb4ccd4b0c3b2f4b9dec28542c093fe22e8ca
SHA-1
- f7b008c30f5555f892211aeaa054d00ba8c093b7
- 71e7bb56899c7860729119734053409b6e8502f9
- dc917a8aa6e8061623163967629db945099062a9
- c442c0a74ec5eddd713e80ea1cb07c8863a4816b
- 98c80465c1caf0b59462013875a99b23a43ce73f
- ea665844b69815d6543cf4c8e6351d0129d7c669
- 7ae71c05a3dea0165b88ed1a8caa8666b74c03e3
- f74c6e810450a31184503e211484f944dda005b3
- 90d0ecb2489b4d958d1480e9e7d527f0c659c004
- 9cc0273d83f0c950c5adfb5e374a55d7503679a5
- aee0848450b28bbe1f24ee0287e83c3329955a40
- db2d7d829e305feea947073973335a914117ec2a
- 0546c9b436a87e029480687d6df7b63a19fa87de
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments coming from untrusted sources.
- Maintain a strong password policy and implement multi-factor authentication where possible.
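To act on the first remediation item, a defender needs to match file hashes against the indicators above. The following scanner is an added example and not part of the Rewterz alert or any tool it references: it copies the MD5, SHA-1 and SHA-256 values from the IoC lists, hashes every regular file under a directory with all three algorithms in one pass, and reports any file whose digest appears in those sets. The function names and the directory walk are this example's own design; the verification values for the byte string `b"abc"` used in its tests are constructed, not indicators from the alert.

```python
"""Scan a directory tree for files matching the IPStorm hashes in this alert.

Added example, not code from the Rewterz alert. The hash values in IPSTORM_IOCS
are copied from the alert's Indicators of Compromise; the function names and
the scanning logic are this example's own assumptions.
"""
import hashlib
import os
import sys
from typing import Dict, List, Set, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")  # names as hashlib knows them

# IoC sets copied from the alert, keyed by hashlib algorithm name.
IPSTORM_IOCS: Dict[str, Set[str]] = {
    "md5": {
        "6ea7f841cc5716004096fa80beb4239c", "af91346509748f038726bbf3c1a6dcef",
        "becad26802d775c09bc46a07f31ddf47", "5703ac56ccfc43a02438121f350f6fa5",
        "f07b80e10ecf08bdb8e0515d18da27c8", "5f5edc19c2760588a8c846b349925b33",
    },
    "sha1": {
        "f7b008c30f5555f892211aeaa054d00ba8c093b7", "71e7bb56899c7860729119734053409b6e8502f9",
        "dc917a8aa6e8061623163967629db945099062a9", "c442c0a74ec5eddd713e80ea1cb07c8863a4816b",
        "98c80465c1caf0b59462013875a99b23a43ce73f", "ea665844b69815d6543cf4c8e6351d0129d7c669",
        "7ae71c05a3dea0165b88ed1a8caa8666b74c03e3", "f74c6e810450a31184503e211484f944dda005b3",
        "90d0ecb2489b4d958d1480e9e7d527f0c659c004", "9cc0273d83f0c950c5adfb5e374a55d7503679a5",
        "aee0848450b28bbe1f24ee0287e83c3329955a40", "db2d7d829e305feea947073973335a914117ec2a",
        "0546c9b436a87e029480687d6df7b63a19fa87de",
    },
    "sha256": {
        "ba1e8d25cc380fdbbf4b5878a31e5ed692cfd2523f00ca41022e61f76654dd4f",
        "50406ec7fa22c78e9b14da4ccc127a899db21f7a23b1916ba432900716e0db3d",
        "4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1",
        "56c08693fdf92648bf203f5ff11b10b9dcfedb7c0513b55b8e2c0f03b209ec98",
        "16bcb323bfb464f7b1fcfb7530ecb06948305d8de658868d9c3c3c31f63146d4",
        "d6086cc29061f596c782214cb7fdb4ccd4b0c3b2f4b9dec28542c093fe22e8ca",
    },
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase hex MD5, SHA-1 and SHA-256 digests of one in-memory blob."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digest a file with all three algorithms in a single chunked read."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_digests(digests: Dict[str, str], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return the algorithm names whose digest is in the IoC set; empty means no match."""
    return [alg for alg, value in digests.items() if value.lower() in iocs.get(alg, set())]


def scan_tree(root: str, iocs: Dict[str, Set[str]] = IPSTORM_IOCS) -> List[Tuple[str, List[str]]]:
    """Walk root and report (path, matched_algorithms) for every file that hits an IoC."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # hash real files only; symlinks would double-count or escape root
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the scan
            matched = match_digests(digests, iocs)
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    root_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, algs in scan_tree(root_dir):
        print(f"IOC match ({', '.join(algs)}): {hit_path}")
```

Run it as `python scan.py /path/to/check`; each line printed names a file whose digest equals one of the alert's indicators and which algorithms agreed. A match on any single algorithm is enough to quarantine the file for analysis, while a file matching no set is only clean with respect to this advisory's hashes, not in general.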