Security Labs discovered a new IOT bot named “GUCCI”. The IOT botnet appears to be named after the Italian luxury brand of fashion and leather goods.
The discovery was made during our reconnaissance and intelligence collection process. The IOT threat detection engine picked up the infection IP, shown below, hosting a number of bins for different architectures.
Figure 1: GUCCI Bot Binaries
All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.
Figure 2: Bot: compiled Binaries
As the output in Figure 2 shows, all the Gucci bot binaries are “stripped”. This means that when these binaries were compiled, all the debug symbols were removed from the executables to reduce their size. Listing 1 highlights the MD5 hashes of the binaries being analyzed.
Listing 1: MD5 Hashes of the Gucci Bot
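The header check described above can be scripted for triage. The following is an added example, not code from the original analysis: it reads the ELF magic, class, byte order and machine field, and reports an image as stripped when its section table holds no symbol table. The names `triage_elf` and `make_sample` and the sample images are constructed for illustration.

```python
import struct

# e_machine values from the ELF specification (a subset common on IoT hardware)
MACHINES = {2: "SPARC", 3: "Intel 80386", 4: "Motorola 68000", 8: "MIPS",
            20: "PowerPC", 40: "ARM", 42: "SuperH"}
SHT_SYMTAB = 2  # section type of the static symbol table that stripping removes


def triage_elf(data: bytes) -> dict:
    """Read class, byte order, machine and stripped status from raw ELF bytes."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = LSB, 2 = MSB
    if is64 and len(data) < 64:
        raise ValueError("truncated ELF64 header")
    machine = struct.unpack_from(end + "H", data, 18)[0]
    if is64:
        shoff = struct.unpack_from(end + "Q", data, 40)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 58)
    else:
        shoff = struct.unpack_from(end + "I", data, 32)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 46)
    sh_types = []
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + 8 > len(data):              # malformed or truncated section table
            break
        sh_types.append(struct.unpack_from(end + "I", data, off + 4)[0])
    return {"class": "ELF64" if is64 else "ELF32",
            "byte_order": "LSB" if end == "<" else "MSB",
            "machine": MACHINES.get(machine, f"unknown ({machine})"),
            "sections": len(sh_types),
            "stripped": SHT_SYMTAB not in sh_types}


def make_sample(machine: int, little: bool = True, sh_types=(0, 1, 3)) -> bytes:
    """Constructed input: a minimal ELF32 image (header plus section table only)."""
    end = "<" if little else ">"
    ident = b"\x7fELF" + bytes([1, 1 if little else 2, 1]) + bytes(9)
    header = struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0, 52, 0,
                         52, 0, 0, 40, len(sh_types), 0)
    table = b"".join(struct.pack(end + "II", 0, t) + bytes(32) for t in sh_types)
    return ident + header + table


if __name__ == "__main__":
    print(triage_elf(make_sample(40)))                                       # ARM, no symtab
    print(triage_elf(make_sample(8, little=False, sh_types=(0, 1, 2, 3))))   # MIPS, MSB
```

A result with `sections` equal to 0 means the section table itself is missing, which is common in packed or obfuscated samples and should be read separately from an ordinary stripped build.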
The binaries were found to be obfuscated. Further analysis showed that the Gucci bot was connecting to the remote IP on TCP port “5555” and transmitting data accordingly. Digging deeper, we found that the remote host was running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated to TCP port 5555 on the remote IP using a telnet client, the connection was accepted and the service then required credentials. Without authentication credentials, it was not possible to access the service. Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked, and a connection was initiated and accepted once the credentials were accepted.
Figure 3 highlights that the Gucci bot Command and Control panel was hijacked and privileged access was obtained.
Figure 3: Gucci C&C Bot Panel
The C&C listed the different types of Denial of Service (DoS) attacks supported by the Gucci bot. The supported scans are:
- HTTP null scan
- UDP flood
- SYN flood
- ACK flood
- UDP flood with less protocol options
- GRE IP flood
- Valve Source Engine specific flood
It was noticed that Gucci bot was in
Figure 4: Gucci Bot – Source of Distribution
A new IOT bot Gucci has been discovered and analyzed accordingly. The
About the authors:
Aditya K Sood is a Cyber Security Expert who has been working in the field for more than 11 years. His work can be found at: https://adityaksood.com
Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs
The post Gucci IOT Bot Discovered Targeting European Region appeared first on Security Affairs.