Rewterz Threat Advisory – QNAP Releases Security Updates for QNAP Helpdesk
October 9, 2020Rewterz Threat Alert – Agent Tesla and IcedID banking Trojan Malspam Campaigns
October 9, 2020Severity
Medium
Analysis Summary
An attacker is detected using two Tenda router 0-day vulnerabilities to spread a Remote Access Trojan (RAT) based on Mirai code. Mirai is known for using multiple exploits to target routers and other devices. The conventional Mirai variants normally focus on DDoS, but this variant is different. In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands. In addition, at the C2 communication level, it uses the WSS (WebSocket over TLS) protocol. Doing this can circumvent the typical Mirai traffic detection at the traffic level, and it also provides secure encrypted communication for C2.
The vulnerabilities CVE-2018-14558 & CVE-2020-10987 have been used to spread Ttint samples. Mirai’s earlier variants have exploited vulnerabilities in attacks in July and August as well. When running, Ttint deletes its own files, manipulates the watchdog, and prevents the device from restarting, it runs as a single instance by binding the port; then modifies the process name to confuse the user; it finally establishes a connection with the decrypted C2, reporting device information, waiting for C2 to issue instructions, and execute corresponding attacks or custom functions. It retains a large number of mirai features, such as single instance, random process name, sensitive configuration information encryption, integration of a large number of attack vectors, etc. Ttint Bot supports 22 kinds of C2 commands, the 10 DDoS commands are from Mirai , and the rest 12 are new.
| ID | INSTRUCTION |
|---|---|
| 0 | attack_udp_generic |
| 1 | attack_udp_vse |
| 2 | attack_udp_dns |
| 9 | attack_udp_plain |
| 3 | attack_tcp_flag |
| 4 | attack_tcp_pack |
| 5 | attack_tcp_xmas |
| 6 | attack_grep_ip |
| 7 | attack_grep_eth |
| 10 | attack_app_http |
| 12 | run “nc” command |
| 13 | run “ls” command |
| 15 | Execute system commands |
| 16 | Tampering with router DNS |
| 18 | Report device information |
| 14 | Config iptables |
| 11 | run “ifconfig” command |
| 17 | Self-exit |
| 19 | Open Socks5 proxy |
| 20 | Close Socks5 proxy |
| 21 | Self-upgrade |
| 22 | Reverse shell |
Impact
- Unauthorized Remote Access
- DDoS
- Data Exfiltration
Indicators of Compromise
Domain Name
- cnc[.]notepod2[.]com
- back[.]notepod2[.]com
- q9uvveypiB[.]notepod2[.]com
- uhyg8v[.]notepod2[.]com
Source IP
- 34[.]92[.]85[.]21
- 34[.]92[.]139[.]186
- 43[.]249[.]29[.]56
- 45[.]249[.]92[.]60
- 45[.]249[.]92[.]72
- 103[.]60[.]220[.]48
- 103[.]108[.]142[.]92
- 103[.]243[.]183[.]248
URL
- http[:]//45[.]112[.]205[.]60/td[.]sh
- http[:]//45[.]112[.]205[.]60/ttint[.]i686
- http[:]//45[.]112[.]205[.]60/ttint[.]arm5el
- http[:]//45[.]112[.]205[.]60/ttint[.]mipsel
- http[:]//34[.]92[.]139[.]186[:]5001/bot/get[.]sh
- http[:]//34[.]92[.]139[.]186[:]5001/bot/ttint[.]mipsel
- http[:]//34[.]92[.]139[.]186[:]5001/bot/ttint[.]x86_64
Remediation
- Block the threat indicators at their respective controls.
- Keep all systems, devices and software updated to latest patched versions.