By: Mark Vicente, Byron Galera, and Augusto Remillano (Threats Analysts)
We uncovered an updated Bashlite malware designed to add infected internet-of-things devices to a distributed-denial-of-service (DDoS) botnet. Trend Micro detects this malware as Backdoor.Linux.BASHLITE.SMJC4, Backdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. Based on the Metasploit module it exploits, the malware targets devices with the WeMo Universal Plug and Play (UPnP) application programming interface (API).
Bashlite (also known as Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser) gained notoriety for its use in large-scale DDoS attacks in 2014, but it has since crossed over to infecting IoT devices. In its previous iterations, Bashlite exploited Shellshock to gain a foothold into the vulnerable devices. An attacker can then remotely issue commands — particularly, to launch DDoS attacks similar to the way it was used in 2016 — and download other files to the compromised devices.
This updated iteration of Bashlite is notable. For one, its arrival method is unique in that it doesn’t rely on specific vulnerabilities (e.g., security flaws assigned with CVEs). It instead abuses a publicly available remote-code-execution (RCE) Metasploit module. It now also sports additional DDoS-related commands, and added new ones that gave the malware cryptocurrency mining and backdoor capabilities. It can also deliver malware that removes competing botnet malware.
The exploit used doesn’t have a list of targeted WeMo devices. It only needs to check if the device is enabled with the WeMo UPnP API. The impact could be significant. WeMo’s home automation products, for instance, range from internet-connected cameras, electrical plugs, and light switches and bulbs to motion sensors. It has a mobile application that uses the Wi-Fi network to wirelessly control IoT devices.
While we have not seen significant detections for these versions of Bashlite, it’s worth noting that it’s already in the wild, based on feedback from Trend Micro™ Smart Protection Network™. The detections, seen last March 21, were observed in Taiwan, United States, Thailand, Malaysia, Japan, and Canada.
We disclosed our findings to Belkin. The company has since released an official statement regarding the vulnerabilities that the malware targets. “Belkin is committed to product and customer security. The vulnerability described in this article was detected and remediated in 2015 for all affected devices. We strongly encourage customers to update their devices and mobile apps to obtain the latest security fixes.”
Figure 2. Snapshot of code showing a network indicator (via Trend Micro™ Deep Discovery Inspector™) of the attack targeting devices with WeMo API (top), which is also in the Metasploit module (bottom)
Some of the Bashlite samples we analyzed appear to differ depending on the architectures they infect. These recent Bashlite iterations use a Telnet scanner and brute force the device with these usernames and passwords: root, 9615-cdp, admin, admin123, huigu309, xc3511, vizxv, and Dvrdvs.
Bashlite uses the scanner to find possible machines to infect. It will then send a dropper binary (XORred, with key=0x54) to the vulnerable machine. Of note here is the way the binary dropper is supposed to retrieve and drop the Hakai botnet malware, whose code is based on Bashlite and was seen targeting routers last year. However, the URL from which Hakai is supposed to be downloaded is no longer accessible. There are multiple dropper binaries embedded in Bashlite, designed for different architectures. Figure 3 shows how the embedded binaries are retrieved and dumped.
As part of its command-and-control (C&C) communication, the binary dropper connects to 178[.]128[.]185[.]250/hakai[.]x86. It also connects to 185[.]244[.]25[.]213:3437 for Bashlite’s backdoor routines.
Backdoor and DDoS capabilities
The most notable of Bashlite’s backdoor commands include simultaneously launching multiple types of DDoS floods to a target as well as downloading and executing cryptocurrency-mining and bricking malware. It also has code designed to circumvent a DDoS mitigation service.
Here are some of Bashlite’s backdoor commands:
- PINGING: Similar to an internet relay chat (IRC) message; the malware replies with PONGING.
- ECHOSCAN: Toggles the Telnet scanner.
- OELINUX: Similar to ECHOSCAN but targets embedded systems.
- CFBYPASS: Used to bypass a DDoS mitigation service
Bashlite can launch several types of DDoS attacks using these commands:
- HOLD: Connects to an IP address and port, and sustained for a specified time.
- JUNK: Same as HOLD but also sends a randomly generated string to the IP address.
- UDP: Flood target with user datagram protocol (UDP) packets.
- ACK: Send acknowledgment (ACK) signals to disrupt network activity.
- VSE: An amplification attack used to consume the resources of a target (e.g., server).
- TCP: Send numerous transmission control protocol-based (TCP) requests.
- OVH: DDoS attack designed to bypass a DDoS mitigation service
- STD: Similar to UDP (flooding the target with UDP packets)
- GRENADE: Launch all the DDoS commands.
Bashlite has other notable commands. For example, BRICKER downloads and executes a bricker malware from a specified URL to presumably eliminate competing bots. MINER downloads and executes a cryptocurrency-mining malware on the infected machine, while PKILL terminates a specified process.
IoT security shouldn’t be an afterthought
While connected devices — from those used in smart homes to complex IoT environments — provide convenience and efficiency, they can also come with risks if improperly configured or left unsecured. Bashlite is just one of the many threats that could threaten the privacy, security, and even safety of users. We’ve seen some of these threats, for example, take advantage of exposed UPnP-enabled devices that don’t have patches for known vulnerabilities. Equipment designers and manufacturers must integrate security into the development life cycle of their products. Organizations that adopt BYOD policies for IoT device use in the workplace must balance the advantages of mobility and the need for security. Users should also adopt best practices.
Trend Micro Smart Home Network™ protects users from this threat via this intrusion prevention rule:
- 1135463 – WEB Belkin Wemo UPnP Remote Code Execution
- 2860 – Belkin Wemo UPnP Remote Code Execution
Indicators of compromise (IoCs):
Related hashes (SHA-256):
- 81cbb253ef6ad4803e3918883eed3ec6306ef12e7933c5723bd720d55d13a46a — Backdoor.Linux.BASHLITE.SMJC4
- 01570ee09d63579afc77a44295aeb06c1cc826ae6f0aa9423915ea4ecfd9899f — Trojan.SH.BASHDLOD.AMF
Detected as Backdoor.Linux.BASHLITE.AMF (SHA-256):
Related malicious URLs:
With additional insights and analysis by Chizuru Toyama and Jakub Urbanec