
AT&T Users Are Being Targeted By The New EwDoor Botnet.

Researchers from Qihoo 360’s Network Security Research Lab have uncovered a new botnet known as EwDoor that targets AT&T customers using publicly exposed EdgeMarc Enterprise Session Border Controller (ESBC) edge devices.

  • October 27, 2021, first capture of EwDoor, version number 0.12.0, main features are DDoS Attack, File Manager, Reverse Shell, Port Scan, etc.
  • November 8, 2021, EwDoor was updated to version number 0.15.0, moving C2 from local to cloud, using BT Trackers.
  • November 15, 2021, EwDoor updated to version 0.16.0, minor update, adding sandbox confrontation features.
  • November 20, 2021, EwDoor was updated again (version 0.16.0), minor update, adding more BT Trackers.

The researchers were able to measure the botnet's size for a short period by sinkholing: they noticed that EwDoor has a backup mechanism for its C2, and registered the backup command-and-control (C2) domain (iunno[.]se) themselves in order to observe connections from infected devices.

After a few hours of observation they identified the compromised devices as AT&T's EdgeMarc Enterprise Session Border Controllers, and counted 5,700 infected devices in the United States.

The report continues: "We discovered that there were roughly 100k IPs utilising the same SSL certificate by back-checking the SSL certificates used by these devices [the affected devices seen contacting the C2 during sinkholing]. We don't know how many devices associated with these IPs could be infected, but given that they belong to the same class of devices, the threat is genuine."

The bot supports six major functions:

  • Self updating
  • Port scanning
  • File management
  • DDoS attack
  • Reverse shell
  • Execute arbitrary commands

The botnet employs several measures to hinder analysis: C2 communication runs over TLS so that the traffic cannot simply be sniffed, sensitive resources inside the binary are encrypted to slow down reverse engineering, and the C2 address is obtained from the cloud via BT trackers rather than being embedded in the sample, so that IoC extraction tooling cannot pull it directly out of the binary.

Finally, the researchers noted: "To counter qemu-user and some high kernel versions of the Linux sandbox, modify the 'ABIFLAGS' PHT in ELF. This is a relatively uncommon countermeasure, demonstrating that EwDoor's programmer is well-versed in the Linux kernel, QEMU, and Edgewater devices."
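The ABIFLAGS program header named in that quote is the MIPS-specific PT_MIPS_ABIFLAGS entry (p_type 0x70000003), which qemu-user and the kernel's MIPS loader read to learn a binary's floating-point ABI. The following Python is an added triage helper, not code from 360 Netlab's report or from the EwDoor samples: it parses the program header table of an ELF32/ELF64 image of either byte order and flags PT_MIPS_ABIFLAGS entries that are undersized, point outside the file, appear more than once, or appear in a non-MIPS binary. The page does not describe the exact modification EwDoor makes, so these are generic sanity checks; the minimal big-endian MIPS image built by build_mips_elf32() is constructed test data, not an EwDoor sample, and its field values are assumptions chosen only to exercise the checks.

```python
"""Inspect an ELF program header table for PT_MIPS_ABIFLAGS anomalies.

Added triage helper, not code from the EwDoor report. The checks are generic
(size, file bounds, duplicates, wrong architecture) and do not reproduce
whatever specific change EwDoor makes, which the report excerpt does not detail.
"""
import struct
import sys

PT_MIPS_ABIFLAGS = 0x70000003  # PT_LOPROC + 3, MIPS-specific program header type
EM_MIPS = 8
ABIFLAGS_V0_SIZE = 24          # sizeof(Mips_elf_abiflags_v0)


def parse_elf(data):
    """Return (e_machine, program headers) for an ELF32/ELF64 image of either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    bo = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        hdr = struct.unpack_from(bo + "HHIIIIIHHHHHH", data, 16)
        phdr_fmt = bo + "IIIIIIII"   # type off vaddr paddr filesz memsz flags align
        idx = (0, 1, 4, 5)           # positions of type, offset, filesz, memsz
    else:
        hdr = struct.unpack_from(bo + "HHIQQQIHHHHHH", data, 16)
        phdr_fmt = bo + "IIQQQQQQ"   # type flags off vaddr paddr filesz memsz align
        idx = (0, 2, 5, 6)
    e_machine, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[4], hdr[8], hdr[9]
    phdrs = []
    for i in range(e_phnum):
        raw = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": raw[idx[0]], "offset": raw[idx[1]],
                      "filesz": raw[idx[2]], "memsz": raw[idx[3]]})
    return e_machine, phdrs


def check_abiflags(data):
    """Return a list of findings about PT_MIPS_ABIFLAGS entries (empty list = nothing odd)."""
    e_machine, phdrs = parse_elf(data)
    entries = [p for p in phdrs if p["type"] == PT_MIPS_ABIFLAGS]
    findings = []
    if entries and e_machine != EM_MIPS:
        findings.append("PT_MIPS_ABIFLAGS present in a non-MIPS ELF (e_machine=%d)" % e_machine)
    if len(entries) > 1:
        findings.append("%d PT_MIPS_ABIFLAGS entries, expected at most one" % len(entries))
    for p in entries:
        if p["filesz"] < ABIFLAGS_V0_SIZE:
            findings.append("PT_MIPS_ABIFLAGS p_filesz=%d is smaller than the %d-byte "
                            "Mips_elf_abiflags_v0 structure; loaders that validate it reject the binary"
                            % (p["filesz"], ABIFLAGS_V0_SIZE))
        if p["offset"] + p["filesz"] > len(data):
            findings.append("PT_MIPS_ABIFLAGS at offset %d extends past end of file" % p["offset"])
    return findings


def build_mips_elf32(abiflags_filesz=ABIFLAGS_V0_SIZE, abiflags_entries=1):
    """Construct a minimal big-endian MIPS ELF32 image (constructed test data, not a real sample)."""
    phnum = 1 + abiflags_entries
    phoff, phentsize = 52, 32
    body_off = phoff + phentsize * phnum          # the abiflags structure follows the phdr table
    ehdr = b"\x7fELF" + bytes([1, 2, 1, 0]) + bytes(8)   # ELF32, big-endian, version 1
    ehdr += struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400000, phoff, 0, 0,
                        52, phentsize, phnum, 40, 0, 0)
    load = struct.pack(">IIIIIIII", 1, 0, 0x400000, 0x400000,
                       body_off + ABIFLAGS_V0_SIZE, body_off + ABIFLAGS_V0_SIZE, 5, 0x10000)
    abi = struct.pack(">IIIIIIII", PT_MIPS_ABIFLAGS, body_off, 0x400000 + body_off,
                      0x400000 + body_off, abiflags_filesz, abiflags_filesz, 4, 8)
    # Mips_elf_abiflags_v0: version, isa_level, isa_rev, gpr/cpr1/cpr2 sizes, fp_abi,
    # isa_ext, ases, flags1, flags2 (assumed values for a 32-bit double-float binary)
    abiflags = struct.pack(">HBBBBBBIIII", 0, 32, 2, 1, 1, 0, 1, 0, 0, 0, 0)
    return ehdr + load + abi * abiflags_entries + abiflags


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise demonstrate on an undersized constructed image.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_mips_elf32(abiflags_filesz=8)
    print(check_abiflags(blob) or ["no PT_MIPS_ABIFLAGS anomalies"])
```

Run it against a MIPS sample that refuses to start under qemu-user; an empty finding list means the header is at least well-formed and the anti-sandbox trick lies elsewhere, while an undersized or duplicated entry is the kind of thing to patch in a working copy before retrying emulation.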

Indicators Of Compromise

C2

185.10.68.20
rtmxvd.iunno.se
ekgmua.zapto.org
boatreviews.xpresit.net
a.rtmxvdio.net
a.hatbowlu3hf.ru
a.hatbowlrtx.su
45.141.157.217
rtmxvd.iunno.se
hhqnyy.zapto.org
besthatsite.mooo.com
b.rtmxvdio.net
b.hatbowlu3hf.ru
b.hatbowlrtx.su

Ports: 53, 443, 13433

Downloader

http://185[.]10.68.20:1234/ew-new.sh
http://185[.]10.68.20:1234/ew.sh
http://185[.]10.68.20:1234/prod/mips
http://185[.]10.68.20:1234/prod/x86_64
http://185[.]10.68.20:1234/ramdisk.img.gz
http://212[.]193.30.209/61501e55/mips
http://212[.]193.30.209/859b6cfa.sh

Sample MD5

007c28d9a0ccfb10c478689fd63e0de0
128331f1c808ee385375dd54d0609ebc
46c18a8e93a863053952985a39bd7d63
4f0841ac08a27d8b3d56cbd03fb68ad8
5c4390e1668856cc7f72499a72f935d6
62bc8899a353921ac685cabb63de97b3
67ccb3cf1f4f57f5a0ded4d20bc91d73
7d4937e27d0fd75dd6159ffe53ebb505
84b3df62ed45bea57d0dd85e80f0dc07
8794d23cad330de803294a2a1adb128b
abaed830fe09e92ee434236d3db01e08
b81ade4f18c2df58adef301f401e8a02
ca6eb890853434ab9a0f8cdbab0965ea
ddf96434bdb7b449ddcc925e6a5b3095
eef0035f971622cc5f48e164ca28a95f
fbbacfb20e487265c7fdb30817717f26
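As an added example (not code from the report or from 360 Netlab), the following Python turns the indicators above into a matcher for key=value network and file logs. The log format, the field names (qname, sni, dst, answer, url, md5) and the five sample lines in SAMPLE_LOG are constructed for illustration; the indicator values themselves are the ones listed on this page.

```python
"""Match the EwDoor IoCs listed above against key=value network and file logs.

Added detection example, not code from the report. The log format and the
sample lines are constructed; adapt the field names to your own telemetry.
"""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {
    "rtmxvd.iunno.se", "ekgmua.zapto.org", "boatreviews.xpresit.net",
    "a.rtmxvdio.net", "a.hatbowlu3hf.ru", "a.hatbowlrtx.su",
    "hhqnyy.zapto.org", "besthatsite.mooo.com",
    "b.rtmxvdio.net", "b.hatbowlu3hf.ru", "b.hatbowlrtx.su",
}
C2_IPS = {"185.10.68.20", "45.141.157.217"}
DOWNLOADER_URLS_DEFANGED = {
    "http://185[.]10.68.20:1234/ew-new.sh", "http://185[.]10.68.20:1234/ew.sh",
    "http://185[.]10.68.20:1234/prod/mips", "http://185[.]10.68.20:1234/prod/x86_64",
    "http://185[.]10.68.20:1234/ramdisk.img.gz",
    "http://212[.]193.30.209/61501e55/mips", "http://212[.]193.30.209/859b6cfa.sh",
}
SAMPLE_MD5 = {
    "007c28d9a0ccfb10c478689fd63e0de0", "128331f1c808ee385375dd54d0609ebc",
    "46c18a8e93a863053952985a39bd7d63", "4f0841ac08a27d8b3d56cbd03fb68ad8",
    "5c4390e1668856cc7f72499a72f935d6", "62bc8899a353921ac685cabb63de97b3",
    "67ccb3cf1f4f57f5a0ded4d20bc91d73", "7d4937e27d0fd75dd6159ffe53ebb505",
    "84b3df62ed45bea57d0dd85e80f0dc07", "8794d23cad330de803294a2a1adb128b",
    "abaed830fe09e92ee434236d3db01e08", "b81ade4f18c2df58adef301f401e8a02",
    "ca6eb890853434ab9a0f8cdbab0965ea", "ddf96434bdb7b449ddcc925e6a5b3095",
    "eef0035f971622cc5f48e164ca28a95f", "fbbacfb20e487265c7fdb30817717f26",
}


def refang(ioc):
    """Turn a defanged indicator (185[.]10.68.20, iunno[.]se) back into a matchable one."""
    return ioc.replace("[.]", ".").replace("[", "").replace("]", "")


DOWNLOADER_URLS = {refang(u) for u in DOWNLOADER_URLS_DEFANGED}
KV = re.compile(r"(\w+)=(\S+)")   # constructed key=value log format


def domain_hit(name):
    """Return the matching C2 hostname if name is it or a subdomain of it, else None.

    Parent zones such as zapto.org and mooo.com (public dynamic-DNS providers)
    are deliberately not matched on their own, only the listed hostnames are.
    """
    name = name.lower().rstrip(".")
    for c2 in C2_DOMAINS:
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


def scan_line(line):
    """Return [(kind, indicator), ...] for one key=value log line."""
    f = dict(KV.findall(line))
    hits = []
    for key in ("qname", "sni"):                 # DNS query names and TLS SNI
        c2 = domain_hit(f.get(key, ""))
        if c2:
            hits.append(("c2_domain", c2))
    for key in ("answer", "dst"):                # resolved answers and connection targets
        ip = f.get(key, "").split(":")[0]        # strip :port (IPv4 logs assumed)
        if ip in C2_IPS:
            hits.append(("c2_ip", ip))
    url = f.get("url")
    if url:
        if url in DOWNLOADER_URLS:               # exact payload download URL
            hits.append(("downloader_url", url))
        else:                                    # otherwise fall back to host matching
            host = urlsplit(url).hostname or ""
            if host in C2_IPS:
                hits.append(("c2_ip", host))
            elif domain_hit(host):
                hits.append(("c2_domain", domain_hit(host)))
    md5 = f.get("md5", "").lower()
    if md5 in SAMPLE_MD5:
        hits.append(("sample_md5", md5))
    return hits


def scan(lines):
    """Scan an iterable of log lines; return [(line_number, kind, indicator), ...]."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1) for kind, ioc in scan_line(line)]


# Constructed sample telemetry, not real captured traffic.
SAMPLE_LOG = [
    "2021-11-21T09:58:01Z dns client=10.0.0.5 qname=rtmxvd.iunno.se qtype=A answer=45.141.157.217",
    "2021-11-21T09:58:02Z tls client=10.0.0.5 dst=45.141.157.217:443 sni=rtmxvd.iunno.se",
    "2021-11-21T09:58:05Z http client=10.0.0.5 url=http://185.10.68.20:1234/prod/mips status=200",
    "2021-11-21T09:59:10Z dns client=10.0.0.9 qname=www.example.com qtype=A answer=93.184.216.34",
    "2021-11-21T10:01:00Z file host=edge01 path=/tmp/mips md5=007c28d9a0ccfb10c478689fd63e0de0",
]

if __name__ == "__main__":
    for n, kind, ioc in scan(SAMPLE_LOG):
        print("line %d: %s %s" % (n, kind, ioc))
```

Two points worth keeping when adapting this: match the listed dynamic-DNS hostnames in full rather than their parent zones, which would flood you with benign hits, and treat the downloader URLs as exact strings while still matching the bare 185.10.68.20 host, since the page lists it as both a C2 address and a payload server.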

For more cyber security news in crisp content, please follow our site via our Twitter handle @cyberworkx1 and on LinkedIn.
