
Rewterz Threat Alert – Echobot Variant Exploits 77 Remote Code Execution Flaws

December 13, 2019

Severity

High

Analysis Summary

Echobot has evolved into a new variant that carries 77 remote code execution exploits. The exploits in the current version target products ranging from routers, IP cameras, VoIP phones, presentation systems, smart home hubs, software, data analytics platforms and biometric scanners to network-attached storage systems and thermal cameras. In the latest campaign Echobot was delivered from 10 different devices that had already been compromised, which sheds light on the propagation mechanism; the binaries, though, are hosted at a single IP address. The malware dropper sits on an open server in a file called Richard.

The exploits cover security flaws disclosed over more than a decade, from 2009 to 2019, in products such as IoT devices and enterprise applications. Indicators of compromise are listed below.

Impact

  • Remote Code Execution
  • Information Disclosure

Indicators of Compromise

MD5

  • ed581940bb7f2b71464aaad369287984
  • f2ea49f82e7ae974ffd35b2fe1734d03
  • 838b5b379c4397fe98ec42d0c0032e1b
  • 93f5dff8de6dd346551ca90d24f7a668
  • 9e60e4da9451ef63345866705347bdc9
  • 546004af0e64b6603bcb9d884044812d
  • 8e15730e51dd13b2adfbd2ef5959a27f
  • d5d5baf740648d3b1ee5108383176e4c
  • fdc326246c0df7c4e80d920866b2613e
  • 6592eae817483acd41a2a6d748b4cc7d
  • 0b3ca8d7cb83c400596cad8c3643b07c
  • 555371d7426a5cdc96d1f1bf9b1d1487
  • 501dd0cc90f289296033ecadaa62604f

SHA-256

  • a96515f745f07be9a512a2d0502c59b5ee2ef8d14ff0adaab3558e97d616c017
  • 6a58e30de7842d7c30398c24395ae02762b8b7e3598bb8d2915299ee6bee7b02
  • 9d0dc6705ca42183ebe0fa766d453ee90d68e38b6d6cf5745cf550ea5f2b372c
  • 4ccb9683182b2c8512b12ffa1dbdf22dbad8e5cbc3bb9efb85fe3c6f2b19cba3
  • 0e87d4a97b64beb7fe27e0b21d73eb0da353467d99710566dda8b07f953798ef
  • db4a5bf82bffa1a5c4444facbdbf4f1c6938a7e0227c9740b3780c8659802cc0
  • 1f23ddd77881a8cc95587b91c91fcf71175efafafd9b5b08c12a7e81c18ff378
  • c93f08a29512132ba8ac44092613fe6a8e9e192c8155cbbd62b28823b718f7e7
  • 23ff9c0f3baab717c9753604235a1069c15a5fd9b2f1a626889d7e56186dbe48
  • f7568d22f7cb83f5587ced9eac15c850ea9f0a552252fe40c38369e9b17d21b7
  • a88db9f571efca3adc9ca1f6958369ff41722148ac222ec47afe8bfba004988a
  • c8992488a49544762eababe5cfbf5304b770c48cd5e8ae47aa71d3a013c114af
  • ef5fcc5391f580ed91745b0678ee4c605e65bde3fad5e434f89372445f9a5a64

Source IP

145.249.106[.]241

URL

  • http[:]//145.249.106.241/ECHOBOT.mips
  • https[:]//145.249.106.241/
  • http[:]//145.249.106.241/riohard
  • http[:]//145.249.106.241/richard;%20curl%20-O%20
  • http[:]/145.249.106.241/richard;%20chmod%20+x%20richard;%20sh%20richard
  • http[:]//145.249.106.241/richard;%20chmod%20%20x%20richard;%20sh%20richard
  • http[:]//145.249.106.241/ECHOBOT.mpsl
  • http[:]//145.249.106.241/richard;chmod%20xrichard;shrichard
  • http[:]//145.249.106.241/richard;chmod%20xrichard;shrichard`
  • http[:]//145.249.106.241/ECHOBOT.arm
  • http[:]//145.249.106.241/ECHOBOT.i686
  • http[:]//145.249.106.241/ECHOBOT.m68k
  • http[:]//145.249.106.241/echobot.arm4
  • http[:]//145.249.106.241/echobot.arm
  • http[:]//145.249.106.241/echobot.mpsl
  • http[:]//145.249.106.241/ECHOBOT.spc

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all IoT devices, enterprise applications and other products updated against known security vulnerabilities.
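The following script is an added example of how a SOC team could operationalize the "block the threat indicators" step; it is not part of the Rewterz advisory. It refangs a subset of the indicators listed above (hashes, source IP and download URLs copied from the advisory), normalizes the URLs so the injected shell-command tails and mixed-case file names do not defeat a proxy rule, and runs the result against a few constructed Squid-style proxy log lines and file hashes. The log lines, client addresses and file paths are invented test data; the functions `refang`, `build_blocklist`, `match_proxy_log` and `match_file_hashes` are this example's own names.

```python
"""Refang the advisory's defanged indicators and match them against logs.

Added example, not part of the Rewterz advisory. Indicator values are
copied from the advisory; everything marked CONSTRUCTED is invented input.
"""
import re
from urllib.parse import urlsplit

# Subset of the advisory's indicators, in their published (defanged) form.
ADVISORY_IOCS = {
    "md5": [
        "ed581940bb7f2b71464aaad369287984",
        "f2ea49f82e7ae974ffd35b2fe1734d03",
    ],
    "sha256": [
        "a96515f745f07be9a512a2d0502c59b5ee2ef8d14ff0adaab3558e97d616c017",
    ],
    "ip": ["145.249.106[.]241"],
    "url": [
        "http[:]//145.249.106.241/ECHOBOT.mips",
        "http[:]//145.249.106.241/richard;%20chmod%20+x%20richard;%20sh%20richard",
        "http[:]//145.249.106.241/echobot.arm",
    ],
}

# CONSTRUCTED Squid-style access log lines (timestamp, elapsed, client,
# status, bytes, method, URL, user, hierarchy, content type).
SAMPLE_PROXY_LOG = [
    "1576233600.101 120 10.0.0.17 TCP_MISS/200 51200 GET http://145.249.106.241/ECHOBOT.mips - HIER_DIRECT/145.249.106.241 application/octet-stream",
    "1576233601.207 80 10.0.0.17 TCP_MISS/200 2048 GET http://145.249.106.241/richard;chmod%20xrichard;shrichard - HIER_DIRECT/145.249.106.241 text/plain",
    "1576233602.330 15 10.0.0.22 TCP_HIT/200 4096 GET http://example.com/firmware/update.bin - HIER_NONE/- application/octet-stream",
]

# CONSTRUCTED path -> digest map, as an EDR or file-integrity tool might export it.
SAMPLE_FILE_HASHES = {
    "/tmp/richard": "ED581940BB7F2B71464AAAD369287984",   # advisory MD5, upper-cased
    "/usr/bin/ls": "d41d8cd98f00b204e9800998ecf8427e",    # benign (MD5 of empty input)
}

URL_RE = re.compile(r"https?://[^\s\"']+")


def refang(value: str) -> str:
    """Undo the defanging conventions advisories use so values can be matched."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return value.replace("[:]", ":").replace("hxxp", "http")


def _host_and_path(url: str):
    """Reduce a URL to (host, path) with any ';'-separated command tail removed
    and the path lower-cased, so ECHOBOT.mips and echobot.mips compare equal."""
    parts = urlsplit(url)
    path = parts.path.split(";", 1)[0].lower()
    return parts.hostname, path


def build_blocklist(iocs):
    """Normalize the advisory indicators into sets a control can consume."""
    return {
        "hashes": {h.lower() for h in iocs["md5"] + iocs["sha256"]},
        "ips": {refang(ip) for ip in iocs["ip"]},
        "url_paths": {_host_and_path(refang(u)) for u in iocs["url"]},
    }


def match_proxy_log(lines, blocklist):
    """Return (line, url) pairs whose URL hits the source IP or a known path."""
    hits = []
    for line in lines:
        for m in URL_RE.finditer(line):
            host, path = _host_and_path(m.group(0))
            if host in blocklist["ips"] or (host, path) in blocklist["url_paths"]:
                hits.append((line, m.group(0)))
                break
    return hits


def match_file_hashes(observed, blocklist):
    """Return the paths whose digest (MD5 or SHA-256, any case) is an indicator."""
    return {p for p, d in observed.items() if d.lower() in blocklist["hashes"]}


if __name__ == "__main__":
    bl = build_blocklist(ADVISORY_IOCS)
    for line, url in match_proxy_log(SAMPLE_PROXY_LOG, bl):
        print("proxy hit:", url, "| client", line.split()[2])
    for path in sorted(match_file_hashes(SAMPLE_FILE_HASHES, bl)):
        print("hash hit:", path)
```

Matching on the source IP alone is deliberate: the advisory notes that all binaries are hosted at one address, so a host-level rule catches downloads of variants whose file names are not in the list, while the path set still documents exactly which URLs were observed.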