Gr1N – a new malware that also targets IoT devices?

Gr1N – a new malware that also targets IoT devices?

While doing some investigations for one of our clients, we came across a (new) malware strain. After some quick investigations, we found out 2 sources (both in C++, a client and a server). They are signed with:

// Client.c Made By @Gr1n1337 –
// DeepWeb Fourms User Name – Gr1n –
// This Client Only Has UDP TCP HTML –
//———————————

and

// Gr1n Server.c
// Made By Gr1n 02.1.2017

The malware has been caught trying to attack an IoT device, via telnet, with some default user+password combinations:

{« root », « 1234 », »12345″, «  », « 123456 », « admin », « toor », « Administrator », « admin », « guest », « realtek », « vizxv », « telnet », « ubnt »}

Seems like first it deploys itself as a downloader (via bins.sh or getbins.sh) and then downloads several executables for different CPU architectures:

apache2: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
cron: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
ftp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
ntpd: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
openssh: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
pftp: ELF 32-bit MSB executable, Motorola 68020, version 1 (SYSV), statically linked, not stripped
sh: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
sshd: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
tftp: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, not stripped
wget: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
_: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped

The MD5(s) of the executables are:

7d41d1d042742f45630fdd6c3d5fd7af apache2
11f6f1bb81a837fab5b578352150a7be bash
394081246130f5e972ace4abff4cf1c7 cron
2a630c80e4e3855e39d60202d04c3528 ftp
68a6a77cebccacc7b2dcae0c54015a1c ntpd
fbb1ce1fb04e89291b6e8520600d9f55 openssh
934b33f703e0d54a354503cbe5ed3a56 pftp
3fe93bfacb70067116a1c5f921c7b79f sh
34b5e0dd9f102a1d8bd6c87e40d0d14b sshd
47c30c7524b056e999f78514dc4d0214 tftp
c9b36bf7ebe29f99ddcf6b76881998cc wget
cf86d8535b9f84b82a8ec79fd0b42e34 _

It also seems to be a fork of Poole Botnet

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *