While doing some investigation for one of our clients, we came across a (new) malware strain. After some quick investigation, we found two source files (both in C++, a client and a server). They are signed with:
// Client.c Made By @Gr1n1337 –
// DeepWeb Fourms User Name – Gr1n –
// This Client Only Has UDP TCP HTML –
//———————————
and
// Gr1n Server.c
// Made By Gr1n 02.1.2017
The malware was caught trying to attack an IoT device over telnet with the following list of default username/password combinations:
{"root", "1234", "12345", "", "123456", "admin", "toor", "Administrator", "admin", "guest", "realtek", "vizxv", "telnet", "ubnt"}
It appears to deploy itself first as a downloader (via bins.sh or getbins.sh) and then fetch several executables built for different CPU architectures, identified by file(1) as:
apache2: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
cron: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
ftp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
ntpd: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
openssh: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
pftp: ELF 32-bit MSB executable, Motorola 68020, version 1 (SYSV), statically linked, not stripped
sh: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
sshd: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
tftp: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, not stripped
wget: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
_: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
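To triage a dropped set like the one above on a box without file(1), here is an added example (not code from the post or from the malware) that decodes the ELF identification bytes and the e_machine field and groups the samples by architecture; constructed_header builds fake headers purely for demonstration and is not a real sample:

```python
import struct

# e_machine values from the ELF specification, covering the architectures
# this dropper ships binaries for (plus x86-64 for the 'bash' payload).
E_MACHINE = {
    0x02: "SPARC", 0x03: "Intel 80386", 0x04: "Motorola 68020", 0x08: "MIPS",
    0x14: "PowerPC", 0x28: "ARM", 0x2A: "Renesas SH", 0x3E: "x86-64",
}

def elf_ident(data: bytes) -> dict:
    """Decode class, byte order, object type and machine from an ELF header.
    Returns an empty dict if the data is not an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return {}
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return {}
    fmt = ("<" if ei_data == 1 else ">") + "HH"   # e_type, e_machine at offset 16
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": {1: "relocatable", 2: "executable", 3: "shared object"}.get(e_type, "unknown"),
        "machine": E_MACHINE.get(e_machine, "unknown (0x%02x)" % e_machine),
    }

def describe(data: bytes) -> str:
    """Summarise a header in the style of file(1), e.g. 'ELF 32-bit MSB executable, MIPS'."""
    info = elf_ident(data)
    if not info:
        return "not an ELF image"
    return "ELF %d-bit %s %s, %s" % (info["bits"], info["endian"], info["type"], info["machine"])

def triage(samples: dict) -> dict:
    """Map {filename: leading bytes} to {description: [filenames]} so a
    multi-architecture payload set is visible at a glance."""
    groups = {}
    for name, data in samples.items():
        groups.setdefault(describe(data), []).append(name)
    return groups

def constructed_header(bits: int, endian: str, e_machine: int) -> bytes:
    """Build a minimal CONSTRUCTED ELF header (not a real sample) for demonstration."""
    ei_class = 1 if bits == 32 else 2
    ei_data = 1 if endian == "LSB" else 2
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # 16-byte e_ident
    return ident + struct.pack(("<" if ei_data == 1 else ">") + "HH", 2, e_machine)

if __name__ == "__main__":
    samples = {"ntpd": constructed_header(32, "MSB", 0x08), "sshd": constructed_header(32, "LSB", 0x08),
               "bash": constructed_header(64, "LSB", 0x3E), "notes.txt": b"plain text"}
    for arch, names in triage(samples).items():
        print(arch, names)
```

On real samples, pass the first 20 bytes of each dropped file to triage; a static, unstripped build for an unexpected architecture in a directory like this is a strong indicator of the dropper described above.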
The MD5(s) of the executables are:
It also appears to be a fork of the Poole botnet.