Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

New rapidly-growing IoT Botnet - REAPER

    • Updated:
    • 4 Dec 2017
    • Product/Version:
    • Deep Discovery Inspector 3.6
    • Deep Discovery Inspector 3.7
    • Deep Discovery Inspector 3.8
    • Deep Discovery Inspector 5.0
    • Platform:
    • N/A N/A
Summary

Another new IoT botnet malware targets on the IoT devices called REAPER (detected by Trend Micro as ELF_IOTREAPER.A) were found recently, and it would be more sophisticated and damaging than MIRAI which caused vast Internet outage (Denial of Service) a year ago.

Unlike MIRAI, REAPER majorly employs exploits which target on disclosed vulnerabilities in IoT devices, currently many popular router brands as well as IP cameras, Network Attached Storage devices are affected.

Details
Public

Another new IoT botnet malware targets on the IoT devices called REAPER (detected by Trend Micro as ELF_IOTREAPER.A) were found recently, and it would be more sophisticated and damaging than MIRAI which caused vast Internet outage (Denial of Service) a year ago.

Unlike MIRAI, REAPER majorly employs exploits which target on disclosed vulnerabilities in IoT devices, currently many popular router brands as well as IP cameras, Network Attached Storage devices are affected.

Infection Chain

Reaper Infection Chain

Behavior

  1. Existing bot node found possible new nodes on the internet via disclosed vulnerabilities, and then feedback those information to report server
  2. Loader based on the information collected by report server to exploit target devices and plant malware from the downloader
  3. Once malware was plant into victim, it callbacks to C2 server and becomes a part of botnet
  4. Bot master can send commands and trigger attacks (e.g. ) to attack targets on the Internet

Trend Micro products have the ability to block all known related threats with this campaign. Below are the available Trend Micro product solutions to help protect against the REAPER.

Smart Scan and Conventional Scan

The following file hashes related to the REAPER can be detected using Trend Micro’s Smart Scan and Conventional patterns (13.737.00)

Please noticed samples we collected can be only executed on the ARM-based hosts or simulator.

Pattern DetectionSHA1
ELF_IOTREAPER.A94444086dcf63a13f82823e157a581f02b746cc8
ELF_IOTREAPER.A8ced1523990e6c885ac5153b95600c0e8da05a38
ELF_IOTREAPER.Af141fe827d53150d98910201275f64ba7cd852a5
ELF_IOTREAPER.Abccdbe601b0b12183d55d8622c806f6dff181078
ELF_IOTREAPER.A955dd87b3eee817f87df2a0cac654746f40329c0
ELF_IOTREAPER.A694ab441edcd6da67312df7f006a9ab1951a5c24

Web Reputation Services (WRS)

Trend Micro’s Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

The following C & C servers are already identified and marked as dangerous by Trend Micro’s Web Reputation Services:

  • hxxp://27[.]102[.]101[.]121/rx/hx.php
  • hxxp://bbk80[.]com/api/api.php
  • hxxp://162[.]211[.]183[.]192/sa

Deep Discovery Inspector (DDI)

Trend Micro Deep Discovery Inspector is helpful in identifying malicious traffic and impacted machines on the network, and it has the following detection rules for detecting phone home behavior from malware:

  • WRS, Dangerous URL in Web Reputation Services database - HTTP (Request)
  • Rule 2393- IP Camera Authentication Bypass - HTTP (Request)
  • Rule 2452 - Wget Commandline Injection
  • Rule 2536 - Netgear ReadyNAS RCE Exploit - HTTP (Request)
  • Rule 2540: REAPER - HTTP (Request)
  • Rule 2541: REAPER - HTTP (Request) - Variant 2
  • Rule 2539: AVTECH Authentication ByPass Exploit- HTTP (Request)
  • Rule 2543: VACRON Remote Code Execution Exploit- HTTP (Request)
  • Rule 2544: JAWS Remote Code Execution Exploit - HTTP (Request)
  • Rule 2546: DLINK Directory Traversal Exploit - HTTP
  • Rule 2547: NETGEAR DGN1000/DGN2200 Remote Code Execution - HTTP (Request)
  • Rule 2548: LINKSYS Remote Code Execution - HTTP (Request)
  • Rule 2549: Possible LINKSYS Remote Code Execution - HTTP (Request)
Premium
Internal
Rating:
Category:
Remove a Malware / Virus
Solution Id:
1118928
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.