SSH-backdoor Botnet With ‘Research’ Infection Technique


In a recent tweet, the malware researcher @0xrb shared a list containing URLs of recently captured IoT botnet samples. Among the links, there was an uncommon example, a URL behind a Discord CDN, which as pointed by the IoT malware researcher @_lubiedo, may be difficult to block.

Summary: The malware author claims to be doing these infections for ‘research purposes’, or in his words to test which servers would stay active with infection unnoticed for the longest period (by infection we refer to adding users for remote ssh access). The ‘no harm research purposes’ claim is backed by making the final stage of the infection a shell-script rather than a compiled binary which would require more time to reverse engineer. Also, stage 1 binary payload is not obfuscated/packed. This botnet malware backdoors Linux devices with SSH access by adding users.

Interesting bits:
network IDS / blacklist evasion -> Discord CDN for binary distribution over HTTPS rather than VPS boxes (the typical way)
Anti-sandbox and EDR / Antivirus evasion -> Use of timeouts, removes logs and bash history, echoed hex-strings as intermediate payload

Read more…