Dissecting the evolution of malware gives researchers insights into the knowledge of, and development processes used by, malware authors. Dota3, active in the wild, offers a unique opportunity to examine a strain of malware during what appears to be an intermediate stage between major versions.
A brief history of IoT
Though the term Internet of Things(IoT) was not coined until around 1999, one of the first examples of a device connected to the internet/network was a soda machine at Carnegie Mellon University. It was a simple device to allow the programmers to check if the machine was stocked, prior to them leaving their desks to retrieve a beverage.
For how simple this device was, it was only a matter of time before computers became smaller and designers started incorporating these devices into more items as a matter of convenience. Like many innovations, ease of use, lower costs and convenience take precedence over security. In the last couple of decades, criminals have seized on this to make IoT devices work for their schemes.
Some of the first commercially available IoT devices were baby monitors and “nanny cams”. The horror stories of “hackers” screaming at children through these devices in the early 2010s caused many parents to completely swear off using devices connected to the internet -- for a period of time. Now, these devices have become so prevalent and accepted that they appear in many homes. Avast provided statistics that 66% of homes in the United States scanned have at least one IoT device.
IoT devices are so much more capable that attackers have evolved their tactics from simple acts of vandalism to botnet incorporation, cryptocurrency mining and back-door installs. The processors and memory available on devices is greater than what was required to run Windows 95 or 98 and considerably more than what was used to land Apollo astronauts on the moon.
Many IoT devices today come with processors that have Graphical Processing Units (GPUs) and/or dedicated cryptography hardware. Not because the IoT devices need them, but because they are simply a standard part of modern CPUs. This combination of advanced computational capability and the notoriously lax security of IoT devices makes them a prime target for cybercriminals, especially those that wish to remain undetected.
The Dota malware family
Among the families of malware that target IoT devices is Dota. Juniper Threat Labs monitors a number of devices, in order to keep an eye on the current state of malware, and here Dota quickly makes itself known.
Juniper Threat Labs’ SSH sensors, for example, consistently see attempts to load malware after an attacker has successfully compromised the root account. The Dota family of malware has used this attack vector in the past and continues to do so.
While these attacks are problematic for any target, SSH attacks directed at root accounts are a particular concern for IoT devices. This is because many IoT devices are either left with the default configuration or have been hard coded with a username and password that the user can not even change, if the user knew how or wanted to.
Dota, like any actively maintained software, continues to be developed and enhanced by its developers. On December 7, 2019, Juniper Threat Labs detected a small number of attacks from a newer variant of Dota. The malware authors generously labelled the eponymous file, which gave this malware its name “Dota3”, helping us to distinguish this version from its predecessors. While we did see Dota variants throughout the year, this was the first time Dota3 has been spotted by Juniper Threat Labs. The use of this variant has been steadily climbing since.
Despite the increase in Dota3 adoption, it has not completely replaced the Dota or Dota2 variants that were previously used. Looking through the scripts provided below, it would appear this version is a work in progress. The attacker has not cleaned up certain code and even included incomplete scripts into the download.
One interesting observation is the vast majority of the malware downloads have been originating from Ireland, with almost 70% of the top five countries being Ireland and dropping off rapidly after that. We do not know if this is a result of the origin of the bot being in Ireland or the majority of infected systems being in Ireland.
The attackers appear to be using AWS, in many of the malware caches. However, research thus far has not fully confirmed if these are compromised sites or sites that the attacker has prepositioned. Researching IPs that are not AWS suggested these are compromised sites since DigitalOcean, Deutche Telekom and 1&1 Internet AG service providers all show use as a malware cache. These IPs are generally linked to websites that are not fully developed or maintained.
Dota3 in detail
Dota3 appears to be based on a botnet, attacking weak SSH servers using default credentials or reused passwords. Some of the username/password combinations we have seen are root/Passwort@12, nproc/nproc, root/verso, testftp/testtfptestftp, noda/noda, root/solid, etc. It does not appear bruteforce, as these attacks are a scan across multiple IPs with the same password, suggesting there is a password list that the bot runs against. If the combination fails, we may not see the attacker again for hours or days.
Analysis of the malware IPs used by Dota revealed that both 184.108.40.206 and 220.127.116.11 were used. The primary communications between the malware client and its command and control server were seen occurring through an encrypted SSH tunnel to the .129 address.
Here is an example communication that made the connection from France with the username root and the password Vextrex. Vextrex is the default root password for a Vextrec router. Let this be a reminder to everyone to change the default passwords on every device!
login attempt [root/Vextrex] succeeded
December 20th 2019, 16:03:10.281
Juniper Threat Labs has observed significant commonality in the commands executed by the Dota3 malware infections. The commands below are a typical example of commands executed by the malware authors when a device is compromised, although, slight variants are known to occur. The commands are clearly scripted, as all commands are run within a tenth of a second from first to last.
cat /proc/cpuinfo | grep name | wc -l","message":"CMD: cat /proc/cpuinfo | grep name | wc -l
cat /proc/cpuinfo | grep model | grep name | wc -l
echo \"root castro\" > /tmp/up.txt
rm -rf /var/tmp/dota*
Once downloaded, the malware unpacks itself into the hidden directory .rsync/
The unpacked file “init” is a script. It does not have the !# header, which is common amongst bash scripts to indicate its purpose as a bash script. This file was designed to kill any previous installs and remove those files from the system.
File “init2” also does not have the !# header. Like init, init2 is designed to kill previous installs and remove them.
The file “initall”, however, does have #! and also specifies the /bin/sh shell in its header. This indicates that it is intended to run as a script and may indicate that “init” and “init2” are intended to be notes or are script fragments that are yet to be finished. As with init and init2, initall is designed to remove any old or previously installed versions of Dota and then initialize the current attacker’s version.
The file “a/anacron” is a compiled binary with SHAsum: 557642c34d62ad35da80486404e40d808f52452f and is an ELF 32-bit LSB shared object, reporting Intel 80386, version 1 (SYSV), dynamically linked, stripped.
File “cron” is a compiled binary with SHAsum: a7cd1e37de9b2e38d5dbaeac8124006e27d24281 and is an ELF 64-bit LSB shared object, reporting x86-64, version 1 (SYSV), dynamically linked, stripped.
File Init0 is a script for killing cryptominers in a Linux system. A detailed file analysis public report is available from Joe Sandbox.
File “a/run” is a script to detect if the device infected is 32bit or 64 bit and not significant.
File “a/stop” is a script to kill the cron process and there is nothing significant to show.
File “b/a” is a simple script to change permissions on the newly installed scripts required to run the cryptominer and not worth showing here.
File “b/run” is a script to install a key in the .ssh/authorized_keys file. The key has been redacted for brevity but would allow the attacker SSH access back into the system without use of the passwords.
File “c/tsm32” is a compiled binary and has not been reported previously on Virustotal. It is an ELF 32-bit LSB executable, reporting Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, missing section headers.
File “c/tsm64” is a compiled binary 64bit version of tsm32 with SHAsum: 28765b048c9afa942d5a21b8d3f395b20c723667. It is An ELF 64-bit LSB executable, reporting x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=a7ebfe59ae9df5cab9314bef58cce08f84afc511, stripped.
File “c/tsmv7” is a compiled binary for the ARM processor version of tsm32 with SHAsum: 9130b75efdfe5a73320feac5f9b800efb05e63c6. It is an ELF 32-bit LSB executable, reporting ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=3c7fbddc7901d960c977e6f205c2079b7e42661c, stripped.
Dota3 makes use of several common libraries. These are located in the c/lib/ folders.
Juniper’s SKY Advanced Threat Prevention Appliance detects the binary as version of Trojan:Linux
The evolution of the Dota malware family continues. While the current version of Dota3 looks unfinished, what we’ve seen so far indicates that it won’t be long before a final version of Dota3 emerges, adding more functionality to this rapidly growing IoT botnet’s capabilities.
Since this version's first sighting in December, it has steadily been climbing. Meanwhile, Dota2 has dropped off in usage, having seen no new Dota2 attacks in the same timeframe. The attackers are clearly improving their code and process.
We have numerous examples of incomplete code, deprecated code and versions of Dota3 that were uploaded packed, without all the functional code required. This perhaps shows there is more than one actor and, of those actors, some without the same skill set as those that had originally crafted the malware
Juniper Threat Labs discovered a family of Monero Miners that spreads through cloud storage providers such as OneDrive, Google Drive and Dropbox. It also has the ability to mutate or change itself to try to avoid detection.
Late in December 2019, someone I know received a notification from their credit card company stating a transaction for a purchase of substantial value was pending. Not recognizing the transaction, the person immediately contacted the credit card company to put a stop to the transaction which had not yet settled. A few minutes later, the card was blocked and a new card was being mailed to the person's home address.
For most people, that’s how the story ends. But being in the cybersecurity industry, I wanted to find out more. Where and when was their credit card data stolen? Were they victim to one of the breaches that took place months ago in major retail stores or credit issuing banks?
I decided to start by tracing their steps back to where they shopped online recently. Most of it was usual but one stood out because they had only made a purchase at that store once in recent times: focuscamera.com. The site was a popular -- a legitimate brick-and-mortar business that had been around for a long time -- and not in the news about any breach.
I started by adding an item to my shopping cart and proceeded to check out. At that point, a combination of Chrome’s developer tools and wireshark captures were the only tools I needed to identify any unusual connection that should not be happening.
FocusCamera.com Checkout Page
Card details submitted to C&C site
Going through the network connections, it didn’t take long to realize that credit card data was being submitted to two different sites, as shown in the screenshots below.
This first one is the legitimate focuscamera.com payment card processing site:
Credit Card Details being submitted to FocusCamera.com
The second POST request is the fraudulent one, submitted to a domain named zdsassets.com. Note the similarity with a legitimate ZenDesk domain named zdassets.com (no "s" between the "d" and the "a").
Credit Card Data Being Submitted to Exfiltration Domain
According to registration data provided by Domaintools.com, the domain zdsassets.com has been registered on November 11, 2019. As of this writing, it would mean the skimming operation under this domain has lasted less than two months. The domain is registered with Hosting Concepts B.V. d/b/a Openprovider, a hosting provider in the Netherlands. The site is hosted on a dedicated server at Vultr Holdings in New Jersey and the IP address 18.104.22.168 is provided by AS-Choopa (ASN AS20473).
Registration of Exfiltration Domain
Based on some DNS telemetry we have access to, this C&C domain has been resolved 905 times since it was created, which may be an indication of the number of victims of this card skimming operation. It is possible the same C&C domain is being used across multiple compromised shopping sites and campaigns - At this time, we don’t have any telemetry to prove it one way or the other.
DNS Resolution Cache Misses to Exfiltration Domain
Original Script Call on checkout page
Base64-encoded Skimming Code Appended to Existing Script
When base64 decoded, this script performs the malicious activity:
Decoded Credit Card Skimming Script
The process above is for customers who check out as a guest. We have not tested the checkout process for previously registered users to see if their credit cards would also be skimmed.
This attack has all the hallmarks of a Magecart attack, going after the client side skimming of payment card data. This is not any particular hacker group, but rather a consortium of threat actors using similar methods to compromise third party libraries in a supply chain attack, or simply hacking into the target website to implant malicious code. Amongst the well known victims are British Airways, TicketMaster, NewEgg and more.
As soon as we realized focuscamera.com was breached, Juniper Threat Labs immediately reached out to the site owners via an online contact form as well as left voice-mails. Unfortunately, week-ends and a time zone difference caused a couple days of delay in response, but we managed to have a live conversation with the domain admins. We shared all the information we had at the time and held a follow up call later in the day to share additional discoveries, based on our analysis of the site. By the end of the day, the malicious code was removed from the site.
Atlassian Confluence is a collaboration tool that is used by organizations to create and share various documents related to marketing, design specifications, project planning, etc. It can be licensed both as a SaaS (Confluence Cloud), as well as an on-premise enterprise software (Confluence Server).
Juniper Threat Labs is seeing a growing attack on Accept-Charset HTTP Header. This request header allows the client to indicate what character sets, i.e., ISO-8859-1 or utf-8, are available for response. Attackers are trying to exploit this header by passing a base64-encoded PHP code. During the course of our investigation, we have identified the vulnerable software to be a tampered version of phpStudy. At some point in time, hackers were able to hack into phpStudy and tamper on 2016 and 2018 versions of the software to make it vulnerable to this specific exploit.