Gucci IOT Bot Discovered Targeting European Region

Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods.


The discovery was made during our reconnaissance and intelligence collection process. The IOT threat detection engine flagged the infection IP, shown below, hosting a number of bins for different architectures.

Figure 1: GUCCI Bot Binaries

All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.

Figure 2:  Bot: compiled Binaries

As the output in Figure 2 shows, all the Gucci bot binaries are “stripped”. This means that when these binaries were compiled, all the debug symbols were removed from the executables to reduce their size. Listing 1 highlights the MD5 hashes of the binaries being analyzed.


Listing 1: MD5 Hashes of the Gucci Bot

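The file-type check behind Figure 2 can be reproduced by reading the ELF header directly. The Python sketch below is an added example, not code from the original analysis: it reads the magic, class, byte order and e_machine, and reports a binary as stripped when no SHT_SYMTAB section is present. sample_elf32 is a hypothetical helper that builds constructed header-only images, not real samples.

```python
import struct

# e_machine values (ELF specification) for the architectures named on the page
MACHINES = {2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm", 42: "sh4"}
SHT_SYMTAB = 2  # section type of the full symbol table, which strip(1) removes

def triage_elf(data):
    """Return (machine, byte order, stripped) from the ELF header and section table."""
    if data[:4] != b"\x7fELF":
        raise ValueError("bad magic: not an ELF file")
    if len(data) < 52 or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("truncated header or invalid EI_CLASS/EI_DATA")
    if data[4] == 2 and len(data) < 64:
        raise ValueError("truncated ELF64 header")
    end = "<" if data[5] == 1 else ">"
    e_machine = struct.unpack_from(end + "H", data, 18)[0]
    if data[4] == 1:  # ELF32: e_shoff at 0x20, e_shentsize and e_shnum at 0x2E
        e_shoff = struct.unpack_from(end + "I", data, 0x20)[0]
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x2E)
    else:             # ELF64: e_shoff at 0x28, e_shentsize and e_shnum at 0x3A
        e_shoff = struct.unpack_from(end + "Q", data, 0x28)[0]
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
    sh_types = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if off + 8 > len(data):
            raise ValueError("section header table runs past end of file")
        sh_types.append(struct.unpack_from(end + "I", data, off + 4)[0])  # sh_type
    machine = MACHINES.get(e_machine, "unknown(%d)" % e_machine)
    # No SHT_SYMTAB (or no section headers at all) means the symbol table is gone.
    return machine, "little" if end == "<" else "big", SHT_SYMTAB not in sh_types

def sample_elf32(machine, big_endian, sh_types):
    """Hypothetical helper: constructed header-only ELF32 image, not a real sample."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0, 52, 0,
                              52, 0, 0, 40, len(sh_types), 0)
    return hdr + b"".join(struct.pack(end + "10I", 0, t, *[0] * 8) for t in sh_types)

if __name__ == "__main__":
    # Constructed inputs: big-endian MIPS without .symtab, little-endian MIPS with it
    for name, img in (("mips", sample_elf32(8, True, [0, 1, 3])),
                      ("mpsl", sample_elf32(8, False, [0, 1, 2, 3]))):
        print(name, triage_elf(img))
```
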
The binaries were found to be obfuscated. Further analysis showed that the Gucci bot was connecting to the remote IP on TCP port “5555” and transmitting data. Digging deeper, we found that the remote host was running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated to TCP port 5555 on the remote IP using a telnet client, the connection was accepted and the service then asked for credentials.


Without authentication credentials, it was not possible to access the service. Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked, and a connection was initiated and accepted with those credentials.

Figure 3 highlights that the Gucci bot Command and Control panel was hijacked and privileged access was obtained.

Figure 3: Gucci C&C Bot Panel

The C&C listed the different types of Denial of Service (DoS) attacks supported by the Gucci bot. The supported scans are:

HTTP null scan
UDP flood
Syn flood
ACK flood
UDP flood with less protocol options
GRE IP flood
Valve Source Engine specific flood

It was noticed that the Gucci bot was in the early stages of deployment. It was also found that the botnet operator was monitoring all connections to the Gucci C&C. As soon as the botnet operator realized that the C&C had been compromised, the TCP service was removed from the host, and the operator cleaned the directories and performed an additional set of operations to hide indicators and artefacts. The binaries were distributed from the location shown in Figure 4.

Figure 4: Gucci Bot – Source of Distribution


A new IOT bot, Gucci, has been discovered and analyzed. The botnet operator was found to be very proactive. The whole analysis, including obtaining C&C access, was like an arms race. The purpose of this research is to share the discovery details with the security research community so that the extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated that the Gucci botnet is still in an active phase and targeting the European region. However, the attacks triggered by the Gucci bot could be broad based or targeted depending on the requirements.

About the authors:

Aditya K Sood is a Cyber Security Expert and has been working in the field for more than 11 years now. His work can be found at:;

Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs

Pierluigi Paganini

(SecurityAffairs – malware, botnet)

The post Gucci IOT Bot Discovered Targeting European Region appeared first on Security Affairs.