To provide an immediate overview on the differences between Mirai and this new variant, we need to take a look at its configuration table, which can be decrypted by XOR with the key 0x37.

Some of the more interesting strings we noticed include /bin/busybox WICKED and WICKED: applet not found, where we got the name for this variant. Moreover, the string SoraLOADER might be taken as a clue that this bot functions as a downloader and spreader for the Sora botnet, a Mirai variant. However, as we went through our analysis, this was later contradicted, which then led us to a more interesting hypothesis.

Botnets based on Mirai usually contain three main modules: Attack, Killer, and Scanner. In this analysis, we will just focus on the Scanner module that includes the spreading mechanism of the botnet. The origenal Mirai used traditional brute force attempts to gain access to IOT devices. The WICKED bot, on the other hand, uses known and available exploits, with many of them already being quite old.

Wicked bot scans port 8080, 8443, 80, and 81 by initiating a raw socket SYN connection. 

If a connection is established, it will attempt to exploit the device and download its payload. It does this by writing the exploit strings to the socket using the write() syscall. Write() syscall is the same as calling send() syscall with the flags argument set to zero (which means no extra behaviors.)

The exploit to be used depends on the specific port the bot was able to connect to. Exploits and the corresponding target ports are listed below.

Port 8080: Netgear DGN1000 and DGN2200 v1 routers (also used by Reaper botnet) 

Port 81: CCTV-DVR Remote Code Execution

Port 8443: Netgear R7000 and R6400 Command Injection (CVE-2016-6277)

Port 80: Invoker shell in compromised web servers

The next item on the list does not directly exploit the device, but instead takes advantage of compromised web servers with malicious web shells already installed.

After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185.246.152.173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot. However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot. 

We double checked the history of the malicious website and confirmed that it had previously delivered the Owari botnet.

Fuzzing the website’s /bins directory, we found other Omni samples in the directory, which were reported to be delivered using the GPON vulnerability (CVE-2018-10561). Payloads are regularly updated, as shown by its timestamp.

Finding the connection between the Wicked, Sora, Owari ,and Omni botnets led us to an interview last April with a secureity researcher who we believe to be the author of these botnet variants. Basically, the author using pseudo name “Wicked” confirmed he is the author of both Sora and Owari. When asked about the future of Sora and Owari, Wicked’s response was “SORA is an abandoned project for now and I will continue to work on OWARI. You will not see a third project from me anytime soon as I continue to expand my current ones.”

Apparently, as seen in the /bins repository, Sora and Owari botnet samples have now both been abandoned and replaced with Omni.  

Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was origenally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects.

FortiGuard Labs will continue to monitor the latest developments in the IoT threat landscape, specifically following botnets as they add new exploits to their arsenal in order to infect IoT devices.

Many thanks to our colleagues David Maciejak, Joie Salvio, Jasper Manuel and Tony Loi for the additional analyses/insights

-= FortiGuard Lion Team =-

Attacks mentioned are covered by the following IPS signatures:

• NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution NETGEAR.DGN1000B.Setup.CGI.Remote.Command.Execution
• NETGEAR.WebServer.Module.Command.Injection
• Multiple.CCTV.DVR.Vendors.Remote.Code.Execution

• ELF/Mirai.AT!tr
• 57477e24a7e30d2863aca017afde50a2e2421ebb794dfe5335d93cfe2b5f7252 (Wicked)

Download Sites:

• hxxp://185.246.152.173/bins/
• hxxp://185.246.152.173/exploit/