Satori, a Mirai based IoT bot, has been one of the most actively updated exploits in recent months. It is believed that the hacker behind this bot is also the author of other Mirai variants, known as Okiru, and Masuta.
FortiGuard Labs researchers recently observed a new Satori version that had added a known exploit chain (one which had been used in the past by the Persirai bot) to enable it to spread to vulnerable devices, particularly, wireless IP cameras that run a vulnerable custom version of the GoAhead web server. This exploit chain targets two vulnerabilities. One, discovered by Istvan Toth and which was detailed in this report, allows someone to view the credentials required for accessing the device, and the other allows them to perform a command injection. This second exploit was discovered last 2017-03-08 and detailed by researcher Pierre Kim (@PierreKimSec). In this paper we will take a detailed look at Satori’s code, the exploits that are being used, and the timeline of its developments.
NOTE - Hash used for analysis:
IDA Pro and GDB debugger were used for analysis.
Satori begins by comparing its filename to “aIRGuiCx09”, and exits if it is not found. This function can also work as an anti-debugging technique and be used to make sure that the payload was executed by the downloader.
Fig 01. Filename check
The number of scanned IPs generated at a time depends on the configuration: 500 if equal to 1 and 1000 if otherwise. As with the original Mirai code, it’s good to note that these IP addresses are randomly generated.
As can be seen below, the bot generates a random number from 1 to 4, which determines the exploit/exploit chain to be used for the generated IPs. This also means that this is the exploit/exploit chain that will be also used throughout its execution.
Fig 02. Port to scan is randomly selected
December 05, 2017
Not long ago, Satori added its first pair of exploits, which work on ports 52869 and 37215. We have a detailed report on these vulnerabilities that are linked to exploits CVE-2014-8361, that targets Realtek SDK-based devices, and CVE-2017-17215, that targets Huawei routers.
January 08, 2018
This is the first time Satori scans at port 3333 and targets vulnerable ETH mining rigs. The botnet scans mining rigs typically hosted in Microsoft Windows OS, searches for the Claymore Miner software, and then replaces the wallet address on the hosts with its own.
Fig 03. Exploiting Claymore Miner
Interestingly there is no change in the used ETH wallet 0xB15A5332eB7cD2DD7a4Ec7f96749E769A371572d and pool eth-us2.dwarfpool.com:8008.
As of January 30, pay-out for this exploit has reached 3.336721 ETH, or approximately USD $3,800.00.
January 18, 2018
A known exploit chain has been added to the list to abuse two vulnerabilities found in the unpatched Wireless IP Camera (P2P) WIFICAM.
The bot begins by scanning port 81 of the generated IPs.
Fig 04. Scanning at port 81
To be able to get the credentials required to access the device, this variant sends a malformed request to the server on port 81. According to the vulnerability report, a normal request contains a leading “/” (ex. GET /login.cgi), and a request without it bypasses HTTP basic authentication and, even worse, responds with credentials in clear text.
Fig 05. Vulnerability in HTTP basic authentication
Once the bot gets hold of the credentials, it uses them for authentication for the second exploit in the chain that allows it to perform a command injection. This command injection vulnerability was initially found in the FTP parameter script that allowed certain commands to be passed in the username (“user”) and password (“pwd”) parameters using the bash command evaluation string $(). Apparently, in the case of this Satori version, commands can also be passed to the ftp service address (“svr”) parameter.
Three commands are being passed to the set_ftp.cgi script to propagate Satori to the device. The first creates a script named /tmp/.c containing code to download another script file. The second runs the script and saves the downloaded file as /tmp/.f. And the third runs the downloaded script.
Fig 06. First command injection
Fig 07. Second command injection
Fig 08. Third command injection
Taking a look at the downloaded script, we can see that it uses the same IP 126.96.36.199 to download the next stage of the infection. It supports three possible architectures mips, mipsel, and arm7. And as mentioned previosuly, the filename “aIRGuiCx09” is used to execute the payload.
Fig 09. Downloader
With these recent developments we believe that the authors are actively researching new and disclosed vulnerabilities to slave more IoT devices. If this trend continues, we expect to see new Satori variants targeting a wider range of IoT devices.
FortiGuard Labs will continue monitoring the latest developments of Satori and the IoT threat landscape.
Thanks to our colleague Tony Loi for additional insights.
-= FortiGuard Lion Team =-
Attacks mentioned are covered by the following IPS signatures:
a96f8ad62c01b243178ab68c01144063c5e849474343edaf574efb8924595dcb - Linux/Mirai.AD!tr
34b007f26ebb844579d712bd5020af4bf7fd9e401bdfa81d957f8de7f6ea3a2b - Bash/Shell_Agent.P!tr.dldr
38430a093f10e833816881394b9a42cfca7459b277454d38155839d0b81b9f5c - Linux/Satori.IP!tr
09eb5bdd87d3289d5e83cfc7cd76750811cf39c6addc559c90e70f2772dcfa99 - Linux/Satori.MIPS!tr
f943dedb573abb4540d97a4d366e34047b91acf848291a5aab955d8274561950 - Linux/Satori.MIPSL!tr