Another new IoT botnet malware targeting IoT devices, called REAPER (detected by Trend Micro as ELF_IOTREAPER.A), was found recently. It may prove more sophisticated and damaging than MIRAI, which caused a vast Internet outage (Denial of Service) a year ago.

Unlike MIRAI, REAPER mainly employs exploits for disclosed vulnerabilities in IoT devices; many popular router brands, as well as IP cameras and Network Attached Storage devices, are currently affected.

Infection Chain

Reaper Infection Chain

Behavior

  1. Existing bot nodes find possible new nodes on the Internet via disclosed vulnerabilities, and then feed that information back to the report server
  2. The loader uses the information collected by the report server to exploit the target devices and plant malware fetched from the downloader
  3. Once the malware is planted on a victim, it calls back to the C2 server and the device becomes part of the botnet
  4. The bot master can send commands and trigger attacks (e.g. ) against targets on the Internet

Trend Micro products can block all known threats related to this campaign. Below are the available Trend Micro product solutions that help protect against REAPER.

Smart Scan and Conventional Scan

The following file hashes related to REAPER can be detected using Trend Micro’s Smart Scan and Conventional patterns (13.737.00).

Please note that the samples we collected can only be executed on ARM-based hosts or in a simulator.

Pattern Detection    SHA1
ELF_IOTREAPER.A      94444086dcf63a13f82823e157a581f02b746cc8
ELF_IOTREAPER.A      8ced1523990e6c885ac5153b95600c0e8da05a38
ELF_IOTREAPER.A      f141fe827d53150d98910201275f64ba7cd852a5
ELF_IOTREAPER.A      bccdbe601b0b12183d55d8622c806f6dff181078
ELF_IOTREAPER.A      955dd87b3eee817f87df2a0cac654746f40329c0
ELF_IOTREAPER.A      694ab441edcd6da67312df7f006a9ab1951a5c24

Web Reputation Services (WRS)

Trend Micro’s Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

The following C&C servers have already been identified and marked as dangerous by Trend Micro’s Web Reputation Services:

  • hxxp://27[.]102[.]101[.]121/rx/hx.php
  • hxxp://bbk80[.]com/api/api.php
  • hxxp://162[.]211[.]183[.]192/sa
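The hashes and C&C URLs above are meant to be consumed by detection tooling. As an added example (not Trend Micro's code or part of the original advisory), the Python below refangs the defanged indicators exactly as listed on this page, hashes file contents against the ELF_IOTREAPER.A SHA1 set, and scans proxy log lines for requests to the listed C&C hosts. The log line format (timestamp, client IP, method, URL, status) and the sample lines are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# SHA1 hashes listed on the page for ELF_IOTREAPER.A
REAPER_SHA1 = {
    "94444086dcf63a13f82823e157a581f02b746cc8",
    "8ced1523990e6c885ac5153b95600c0e8da05a38",
    "f141fe827d53150d98910201275f64ba7cd852a5",
    "bccdbe601b0b12183d55d8622c806f6dff181078",
    "955dd87b3eee817f87df2a0cac654746f40329c0",
    "694ab441edcd6da67312df7f006a9ab1951a5c24",
}

# Defanged C&C URLs exactly as listed on the page
REAPER_C2_DEFANGED = [
    "hxxp://27[.]102[.]101[.]121/rx/hx.php",
    "hxxp://bbk80[.]com/api/api.php",
    "hxxp://162[.]211[.]183[.]192/sa",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)
    return s.replace("[.]", ".")


def c2_hosts() -> set:
    """Set of lower-cased hostnames extracted from the refanged C&C URLs."""
    return {urlparse(refang(u)).hostname for u in REAPER_C2_DEFANGED}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def is_known_reaper_sample(data: bytes) -> bool:
    """True if the file content matches one of the listed ELF_IOTREAPER.A hashes."""
    return sha1_of_bytes(data) in REAPER_SHA1


# Constructed proxy-log layout (assumption, not a real product format):
# <timestamp> <client_ip> <method> <url> <status>
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_c2_callbacks(log_lines):
    """Return (client_ip, url) for every request whose host is a listed C&C server."""
    hosts = c2_hosts()
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname
        if host and host.lower() in hosts:
            hits.append((client, url))
    return hits


# Constructed sample log lines: three requests to listed C&C hosts, one benign, one malformed
SAMPLE_LOG = [
    "2017-10-20T10:01:02Z 192.0.2.15 GET http://27.102.101.121/rx/hx.php 200",
    "2017-10-20T10:01:05Z 192.0.2.15 GET http://example.com/index.html 200",
    "2017-10-20T10:02:11Z 192.0.2.77 POST http://bbk80.com/api/api.php 200",
    "2017-10-20T10:03:00Z 192.0.2.90 GET http://162.211.183.192/sa 404",
    "malformed line",
]

if __name__ == "__main__":
    for client, url in find_c2_callbacks(SAMPLE_LOG):
        print(f"possible REAPER callback from {client} to {url}")
    # A constructed blob will not match a real sample hash
    print("constructed blob is known sample:", is_known_reaper_sample(b"not a real sample"))
```

Matching on the hostname rather than the full URL path is deliberate: a bot that changes the script name but keeps the server would still be caught, while a legitimate request that happens to share a path on another host is not.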

Deep Discovery Inspector (DDI)

Trend Micro Deep Discovery Inspector helps identify malicious traffic and impacted machines on the network, and it has the following detection rules for the phone-home behavior of this malware:

  • WRS: Dangerous URL in Web Reputation Services database - HTTP (Request)
  • Rule 2393: IP Camera Authentication Bypass - HTTP (Request)
  • Rule 2452: Wget Commandline Injection
  • Rule 2536: Netgear ReadyNAS RCE Exploit - HTTP (Request)
  • Rule 2540: REAPER - HTTP (Request)
  • Rule 2541: REAPER - HTTP (Request) - Variant 2
  • Rule 2539: AVTECH Authentication ByPass Exploit - HTTP (Request)
  • Rule 2543: VACRON Remote Code Execution Exploit - HTTP (Request)
  • Rule 2544: JAWS Remote Code Execution Exploit - HTTP (Request)
  • Rule 2546: DLINK Directory Traversal Exploit - HTTP
  • Rule 2547: NETGEAR DGN1000/DGN2200 Remote Code Execution - HTTP (Request)
  • Rule 2548: LINKSYS Remote Code Execution - HTTP (Request)
  • Rule 2549: Possible LINKSYS Remote Code Execution - HTTP (Request)