{"id":11194,"date":"2017-02-08T20:01:10","date_gmt":"2017-02-08T20:01:10","guid":{"rendered":"https:\/\/evosec.eu\/?p=11194"},"modified":"2017-02-08T20:23:10","modified_gmt":"2017-02-08T20:23:10","slug":"gr1n-new-malware-also-targets-iot-devices","status":"publish","type":"post","link":"https:\/\/evosec.eu\/pl\/gr1n-new-malware-also-targets-iot-devices\/","title":{"rendered":"Gr1N – a new malware that also targets IoT devices?"},"content":{"rendered":"

While doing some investigations for one of our clients, we came across a (new) malware strain. After some quick investigations, we found out 2 sources (both in C++, a client and a server). They are signed with:<\/p>\n

\n

\n\/\/ Client.c Made By @Gr1n1337 –
\n\/\/ DeepWeb Fourms User Name – Gr1n –
\n\/\/ This Client Only Has UDP TCP HTML –
\n\/\/———————————\n<\/p>\n<\/blockquote>\n

and<\/p>\n

\n

\n\/\/ Gr1n Server.c
\n\/\/ Made By Gr1n 02.1.2017\n<\/p>\n<\/blockquote>\n

The malware has been caught trying to attack an IoT device, via telnet, with some default user+password combinations:<\/p>\n

\n

{„root”, „1234”,”12345″, „”, „123456”, „admin”, „toor”, „Administrator”, „admin”, „guest”, „realtek”, „vizxv”, „telnet”, „ubnt”}<\/p>\n<\/blockquote>\n

Seems like first it deploys itself as a downloader (via bins.sh or getbins.sh) and then downloads several executables for different CPU architectures:<\/p>\n

\n

\napache2: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
\nbash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
\ncron: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
\nftp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
\nntpd: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
\nopenssh: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
\npftp: ELF 32-bit MSB executable, Motorola 68020, version 1 (SYSV), statically linked, not stripped
\nsh: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
\nsshd: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
\ntftp: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, not stripped
\nwget: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
\n_: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped\n<\/p>\n<\/blockquote>\n

The MD5(s) of the executables are:<\/p>\n

\n

\n7d41d1d042742f45630fdd6c3d5fd7af apache2
\n11f6f1bb81a837fab5b578352150a7be bash
\n394081246130f5e972ace4abff4cf1c7 cron
\n2a630c80e4e3855e39d60202d04c3528 ftp
\n68a6a77cebccacc7b2dcae0c54015a1c ntpd
\nfbb1ce1fb04e89291b6e8520600d9f55 openssh
\n934b33f703e0d54a354503cbe5ed3a56 pftp
\n3fe93bfacb70067116a1c5f921c7b79f sh
\n34b5e0dd9f102a1d8bd6c87e40d0d14b sshd
\n47c30c7524b056e999f78514dc4d0214 tftp
\nc9b36bf7ebe29f99ddcf6b76881998cc wget
\ncf86d8535b9f84b82a8ec79fd0b42e34 _\n<\/p>\n<\/blockquote>\n

It also seems to be a fork of Poole Botnet<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

While doing some investigations for one of our clients, we came across a (new) malware strain. After some quick investigations, we found out 2 sources (both in C++, a client and a server). They are signed with: \/\/ Client.c Made By @Gr1n1337 – \/\/ DeepWeb Fourms User Name – Gr1n …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[935,932,947,99],"tags":[97,74,985],"class_list":["post-11194","post","type-post","status-publish","format-standard","hentry","category-iot-devicessecurity","category-iot-security","category-it-security","category-it-security-newsupdates","tag-botnet","tag-iot","tag-telnet"],"translation":{"provider":"WPGlobus","version":"3.0.2","language":"pl","enabled_languages":["en","da","de","es","fi","fr","it","hu","nl","no","pl","pt","ru","sv"],"languages":{"en":{"title":true,"content":true,"excerpt":false},"da":{"title":false,"content":false,"excerpt":false},"de":{"title":false,"content":false,"excerpt":false},"es":{"title":false,"content":false,"excerpt":false},"fi":{"title":false,"content":false,"excerpt":false},"fr":{"title":false,"content":false,"excerpt":false},"it":{"title":false,"content":false,"excerpt":false},"hu":{"title":false,"content":false,"excerpt":false},"nl":{"title":false,"content":false,"excerpt":false},"no":{"title":false,"content":false,"excerpt":false},"pl":{"title":false,"content":false,"excerpt":false},"pt":{"title":false,"content":false,"excerpt":false},"ru":{"title":false,"content":false,"excerpt":false},"sv":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/posts\/11194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/comments?post=11194"}],"version-history":[{"count":2,"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/posts\/11194\/revisions"}],"predecessor-version":[{"id":11197,"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/posts\/11194\/revisions\/11197"}],"wp:attachment":[{"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/media?parent=11194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/categories?post=11194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/evosec.eu\/pl\/wp-json\/wp\/v2\/tags?post=11194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}