A new botnet, called EwDoor, has been spotted in the wild carrying out DDoS attacks. It spreads by exploiting an unpatched, four-year-old flaw (CVE-2017-6079) in EdgeMarc appliances from Ribbon Communications (formerly Edgewater Networks) that belong to the telecom provider AT&T. EwDoor was first detected on October 27 by Qihoo 360's Netlab researchers.
EwDoor Botnet Targets CVE-2017-6079
According to the report, on October 27, 2021, Qihoo 360 Netlab's systems identified "an attacker attacking Edgewater Networks' devices via CVE-2017-6079 with a relatively unique mount file system command in its payload, which had our attention, and after analysis, we confirmed that this was a brand new botnet, and based on its targeting of Edgewater producers and its Backdoor feature, we named it EwDoor."
EwDoor has gone through three versions so far. Its main functions fall into two categories, DDoS and backdoor. The botnet's primary purpose appears to be DDoS, along with harvesting sensitive information such as call logs.
Currently, the malware supports the following functions:
- Self-updating;
- Port scanning;
- File management;
- Carrying out DDoS attacks;
- Reverse shell;
- Execution of arbitrary commands.
The researchers also found that EwDoor samples are stored gzip-compressed on the download server, which helps them evade security detection aimed at binary files. "The authors of earlier versions made the sample files into Linux rev 1.0 ext2 filesystem files and then used mount to mount the files on the system, which is probably another trick to protect itself," the report said.
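The two delivery tricks above (gzip-wrapped payloads and an ext2 image that gets loop-mounted) are easy to miss if a scanner only looks for an ELF header at offset 0. The following is an added triage example written for this page, not code from the Netlab report or from the EwDoor authors: it classifies a downloaded blob by checking for the gzip and ELF magic bytes and for the ext2 superblock magic (0xEF53 at byte 1024 + 56), decompressing one layer of gzip if present, and it flags a mount command line that uses a loop device or a source file under a scratch directory. The exact mount command the report saw is not on the page, so the shape that `is_suspicious_mount` looks for is an assumption, and all sample blobs are constructed in the block rather than real samples.

```python
"""Triage helpers for gzip-wrapped and ext2-image payloads (added example)."""
import gzip
import os
import shlex
import struct

GZIP_MAGIC = b"\x1f\x8b"
ELF_MAGIC = b"\x7fELF"
EXT2_SUPERBLOCK_OFFSET = 1024   # the ext2 superblock starts 1 KiB into the image
EXT2_MAGIC_OFFSET = 56          # s_magic field within the superblock
EXT2_MAGIC = 0xEF53             # stored little-endian on disk
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed scratch locations


def is_ext2_image(data: bytes) -> bool:
    """True if the blob carries the ext2/3/4 superblock magic at the standard offset."""
    pos = EXT2_SUPERBLOCK_OFFSET + EXT2_MAGIC_OFFSET
    if len(data) < pos + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, pos)
    return magic == EXT2_MAGIC


def classify_blob(data: bytes) -> str:
    """Label how a payload is wrapped: elf, ext2, gzip+elf, gzip+ext2,
    gzip+other, gzip+corrupt or unknown. Only one gzip layer is peeled."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if is_ext2_image(data):
        return "ext2"
    if data.startswith(GZIP_MAGIC):
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):
            return "gzip+corrupt"
        if inner.startswith(ELF_MAGIC):
            return "gzip+elf"
        if is_ext2_image(inner):
            return "gzip+ext2"
        return "gzip+other"
    return "unknown"


def is_suspicious_mount(cmdline: str) -> bool:
    """Heuristic for the 'relatively unique mount' the report mentions:
    a loop mount, or a mount whose source sits in a scratch directory.
    The real command line is not on the page; this shape is an assumption."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "mount":
        return False
    opts, positional, i = [], [], 1
    while i < len(argv):
        a = argv[i]
        if a in ("-o", "--options", "-t", "--types") and i + 1 < len(argv):
            if a in ("-o", "--options"):
                opts.extend(argv[i + 1].split(","))
            i += 2
            continue
        if not a.startswith("-"):
            positional.append(a)   # source device/file, then mount point
        i += 1
    loop_mount = "loop" in opts
    from_scratch = bool(positional) and positional[0].startswith(SUSPICIOUS_DIRS)
    return loop_mount or from_scratch


def make_fake_ext2_image(payload: bytes, size: int = 4096) -> bytes:
    """Constructed image: only the ext2 magic is in place (not mountable),
    with a fake file body at 2 KiB, enough to exercise the classifier."""
    img = bytearray(size)
    struct.pack_into("<H", img, EXT2_SUPERBLOCK_OFFSET + EXT2_MAGIC_OFFSET, EXT2_MAGIC)
    img[2048:2048 + len(payload)] = payload
    return bytes(img)


def build_samples() -> dict:
    """Constructed blobs for the demo; none of these are real EwDoor samples."""
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61   # 64-byte ELF-like header
    ext2_img = make_fake_ext2_image(fake_elf)
    return {
        "plain_elf": fake_elf,
        "ext2_image": ext2_img,
        "gz_elf": gzip.compress(fake_elf),
        "gz_ext2": gzip.compress(ext2_img),
        "gz_text": gzip.compress(b"not a binary"),
        "text": b"not a binary",
    }


def triage() -> dict:
    """Classify every constructed sample; returns {name: label}."""
    return {name: classify_blob(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, label in triage().items():
        print(f"{name:11s} -> {label}")
    for cmd in ("mount -o loop /tmp/.x/a.img /mnt/a", "mount -t ext4 /dev/sda1 /data"):
        print(f"{cmd!r:45s} suspicious={is_suspicious_mount(cmd)}")
```

Run it as-is to see the six constructed samples labelled; in practice you would feed it files pulled from a download server or a proxy cache, and pair `is_suspicious_mount` with process-creation logs so that a web-facing service spawning a loop mount from `/tmp` stands out.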
Furthermore, EwDoor is dynamically linked, so although it adopts some anti-reversing techniques, it can still be reverse-engineered.
How does EwDoor work on an infected device? Once running on a compromised device, it first collects information about the host. It then establishes persistence and sets up its other functions. Finally, it reports the collected device information to the command-and-control server and executes the commands it receives from it.
You can obtain a full technical overview of the botnet from the original report.
In September 2021, a botnet of a new kind was detected in the wild. Called Meris, the malware is reminiscent of Mirai, even though a relation between the two could not be definitively confirmed.