This post is also available in: 日本語 (Japanese)

Executive Summary

Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.

Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet spots of IoT vulnerabilities, targeting either legacy devices that are still in use but probably too old to update due to compatibility issues and newer vulnerabilities that are too recent for owners to have patched.

The newly incorporated exploits target a range of devices from the usually expected routers, firewalls, IP cameras and server management utilities, to more rarely seen targets like a PLC, an online payment system and even a yacht control web application.

This version first surfaced on October 28th, 2019 for a couple of hours, after which it was taken down. It then resurfaced on the 3rd of December, switching payload IPs and finally adding 2 more exploits that weren’t in the samples from October. While details on this version were recently published, this post shares CVE numbers (where available) for the vulnerabilities targeted, as well as IOCs for this version I have been tracking since October.

The following section also explains the discrepancy in the exploit count used here in comparison to other publications.

Exploits

This latest variant contains a total of 71 unique exploits, 13 of these vulnerabilities haven’t been previously seen exploited in the wild prior to this version. Exploits targeting the same vulnerability in different devices (potentially sharing firmware) or targeting different ports have been grouped together.

The exploits that are new to this version, and any previously seen Mirai variant for that matter, are listed in Table 1 below:

Vulnerability	Affected Devices	Port Scanned	Exploit Format
CVE-2019-17270	Yachtcontrol Webservers	8081
CVE-2019-18396 / CVE-2017-14127	Technicolor TD5130v2 and Technicolor TD5336 routers.	161
AVCON6 Remote Code Execution	AVCON6 video conferencing systems	8080
CVE-2019-16072	Enigma Network Management Systems v65.0.0	80
CVE-2019-14931	Mitsubishi Electric smartRTU & INEA ME-RTU	80
Sar2HTML Remote Code Execution	Sar2HTML plotting tool for Linux servers, v3.2.1	80
CVE-2017-16602	NetGain Systems Enterprise Manager	8081
CVE-2017-6316	Citrix NetScaler SD-WAN 9.1.2.26.561201 devices	443
CVE-2013-5912	Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995	80
ACTi ASOC2200 Remote Code Execution	ACTi ASOC 2200 Web Configurators versions 2.6 and prior.	80
3Com Office Connect Remote Code Execution	3Com OfficeConnect routers	80
CVE-2006-4000	Barracuda Spam Firewall versions 3.3.x	80
CCBill Remote Code Execution	CCBill Online Payment Systems	80

Table 1 Previously unexploited vulnerabilities in latest ECHOBOT version

Other exploits included in this version are listed in the Appendix.

Other Technical Details

Like its predecessors, this version of ECHOBOT also makes use of the key 0xDFDAACFD for XOR encryption of its strings.

The new default credentials brute forced by this variant are listed below :

• root/trendimsa1.0
• admin/fritzfonbox
• r00t/boza
• root/welc0me
• admin/welc0me
• root/bagabu
• welc0me/
• unknown/
• UNKNOWN/

Infrastructure

This version first surfaced on 28th October 2019 for a couple of hours, after which it was taken down. It then resurfaced on the 3rd of December, switching payload IPs and finally adding 2 more exploits that weren’t in the samples from October. Figure 1 shows the dropper script that was live at the IP 145.249.106[.]241 until the 12th of December.

Figure 1. Dropper script

Prior to this, samples of this version were briefly hosted at :

• 45.89.106[.]108 on 2019-10-28
• 80.82.67[.]184 on 2019-12-03
• 80.82.67[.]209 on 2019-12-04
• 145.249.106[.]241 on and after 2019-11-12

It makes use of the same domains for Command and Control as its predecessors.

IOCs for all activity mentioned in this post can be found at the Unit42 github.

Conclusion

The Mirai variant ECHOBOT differentiates itself from concurrent variants by the sheer volume of vulnerabilities targeted, as opposed to other variants that stick to certain vulnerabilities that have proven effective over time.

The exploits unique to this new version target vulnerabilities ranging from extremely old CVEs from as long back as 2003, to ones made public as recently as early December 2019. This choice of exploits could possibly imply its authors are targeting either legacy devices that are still in use but probably too old to update due to compatibility issues and newer vulnerabilities that are too recent for owners to have patched. We are unable to speculate at this point in time on the overall effectiveness of their approach - be it the use of a large number of exploits, or the choice of the exploits themselves.

Palo Alto Networks customers are protected by:

• WildFire which detects all related samples with malicious verdicts
• Threat Prevention and PANDB that block all exploits and IPs/URLs used by this variant.

AutoFocus customers can track these activities using individual exploit tags:

• CVE-2019-17270
• CVE-2019-18396
• AVCON6RCE
• CVE-2019-16072
• CVE-2019-14931
• Sar2HTMLRCE
• CVE-2017-16602
• CVE-2017-6316
• CVE-2013-5912
• ACTiASOC2200RCE
• 3ComOfficeConnectRCE
• CVE-2006-4000
• CCBillRCE

The malware family can be tracked in AutoFocus using the tag Mirai

Appendix

Other exploits embedded in this ECHOBOT version are listed below: