Rewterz Threat Alert – New Mirai Variants could enable DDoS Attacks

August 13, 2019

Severity

Medium

Analysis Summary

Within a span of three weeks, three notable malware variants of Neko, Mirai, and Bashlite were observed. Upon analyzing Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.

Neko

A botnet sample, x86.neko (detected by Trend Micro as Backdoor.Linux.NEKO.AB), that brute-forces weak credentials. It then issues the following commands:

The Neko botnet is capable of executing several backdoor commands: it can execute shell commands as well as launch user datagram protocol or UDP and UPD-HEX flood attacks, inundating a router’s ability to properly process and respond to information.

It is also capable of killing processes (the “killer” function is found in its body). Neko also holds within it an extensive kill list of other malware-related processes that it will terminate.

Mirai variant “Asher”

A Mirai variant (detected by Trend Micro as Backdoor.Linux.MIRAI.VWIRC). Typical of Mirai, this variant infects devices with a BusyBox, which is a software suite for devices with limited resources. It first checks for BusyBox presence by executing the “/bin/busybox {any string}” command. If the device’s system responds with “{any string} applet not found,” the bot will proceed with its operation. The malware variant’s authors used the {any string} part to “name” the malware; in this case, they used “Asher.”

Bashlite variant “Ayedz”

A Bashlite variant that seems to refer to itself as “Ayedz” (detected by Trend Micro as Backdoor.Linux.BASHLITE.SMJC, Backdoor.Linux.BASHLITE.SMJC8, and Backdoor.Linux.BASHLITE.SMJC4), based on this malware’s file name. Upon execution, Ayedz will send the following information about the infected device back to the host IP address 167[.]71[.]7[.]231 via port 46216:

Impact

Distributed denial of service (DDoS)
Credential theft

Indicators of Compromise

URLs

http[:]//185[.]244[.]25[.]200/bins
http[:]//185[.]244[.]25[.]200/bins/x86[.]neko

Malware Hash (MD5/SHA1/SH256)

2efae6727d3f5a4a2e7b88ef1e657f6a6e2e6e1c08af0746205dc3c7afe4094d
8e592655cef0dc4a1a209b6f8909a95e2bbf421ecf8312a3b4d07960fb906a5f
754285c82042ca8326be39988fceb39882d301fbcd3533ce31704027c445f72c
c3626284fb68b6bf76d212441d88a5a30ae5d98b13a63b9e7358efc8c1c42215
ebc2bb1901112c9f957855b25091c21f55a4c7d5f95b3d918f85c1924c8d31b0
86aa444a10c9c0c33a8f94ad71fd9d2b985e2e624872cd1c351aeaa7a4d6645f
416dada9ab2ae2f160363965540d5776dc2fb4e086064d97d95a11c4a90c67cd
c81cbf35dbbe2502b32ce02cc55c307b6036d9d10f7d7a0a6da127592caeaf0a
5df2af777ba958b7180b71fc365595141582d8604eba7c70f635a38139503439
abea038f41b83f00e61e829df39c4b85453335cb9a70619702a6b9834bc7d591
b3434897b35c52551329a2f8e322d1fc1be618959794d6f4bff299c7e1ce2324
8cbcc1af312511ebaaba24a075333835e0ac4c4754072233bccadbb996d84048
329f507ceb4ed9d6a6cb5ba5e9bc6a863ef2fd12235f6ed5d46fe3ebc04cf337
6df1610476044ab8c3e615ddaf66e51cfe5f4a3436f37ad15fa4f6583e83fe63
b382dce55bbc08b0f5ac7bbb231e55bb65f07e795cd6d382d9bb01b293ef2233
86717399a76d07b72733abb2c88cefe2d2a8c3c451d758f7c8b5249ab21b9e26
355df8452d6853cbf3ed44f82967d353b709b4bd04afb96de4c4a51471c0771d
16ebe7836ce650db686ca62d62901b771788d8ef78b7ba0a10aa73e68a710dd5
30d429d048a4f6ec86f48b4cd0955e0003b832213694cfa121b95e4c429d7980
f1571b3c47ab0aeff1e8094f2e1a1da604c6867409b8509ef90333ca1e9775e1
a2c8e598e340cc7cc27b4c045129abd9b04ddd3a592c0c41ae5c82f777b59b30
55355482d12b60136fde3f5d76b2686337e4bab5248e79cf3a6b2d652a290240
7ca9af2d71719134aa7cf8ca37d9fe35f4b20f2e5d6721e1d57f6e570e845669
a9a5262048664843edf9e2bc405f06949cb9354ab20f5efb23dd2800c0dd4681

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the link/attachments sent by unknown senders.