A known vulnerability in ThinkPHP, a PHP web framework, which was disclosed and fixed in December last year, is being exploited for botnet propagation by a new Mirai variant, Yowai, and by Hakai, a variant of Gafgyt. The discovery comes from Trend Micro, which detects the Mirai variant as BACKDOOR.LINUX.YOWAI.A.
According to Trend Micro, the attackers use websites built with the PHP framework to breach web servers, combine this with dictionary attacks on default credentials, and use the routers they take over to launch DDoS attacks. Trend Micro's telemetry shows that the two botnets, Yowai and Hakai, caused a sharp rise in attacks and infection attempts between January 11 and January 17.
Technical Overview of the Yowai Botnet
The Yowai botnet uses a configuration table similar to those of other Mirai variants, which means the table can be decrypted with the same procedure. The ThinkPHP vulnerability is chained with other known flaws.
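To make the decryption point concrete, here is an added example (not code from this page or from Trend Micro) that reproduces the configuration-table obfuscation routine from the leaked Mirai source and uses it to carve table strings out of a sample binary blob. The key 0xDEADBEEF is the one in Mirai's published bot/table.c; the blob contents, the filler layout and the helper names are constructed assumptions for illustration, not taken from any Yowai or Hakai sample.

```python
import string

# Key used by Mirai's bot/table.c to obfuscate its configuration table
# (from the leaked Mirai source; Yowai is reported to reuse the same scheme).
MIRAI_TABLE_KEY = 0xDEADBEEF


def key_bytes(key):
    """Split a 32-bit key into the four byte values Mirai's toggle_obf() uses."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def toggle_obf(data, key=MIRAI_TABLE_KEY):
    """Mirai's table_lock/table_unlock: XOR each byte with k1, k2, k3, k4 in turn.

    XOR is its own inverse, so the same call both encrypts and decrypts.
    """
    k1, k2, k3, k4 = key_bytes(key)
    out = bytearray()
    for b in data:
        b ^= k1
        b ^= k2
        b ^= k3
        b ^= k4
        out.append(b)
    return bytes(out)


def effective_xor_byte(key=MIRAI_TABLE_KEY):
    """Four successive XORs collapse into one byte: k1 ^ k2 ^ k3 ^ k4 (0x22 for 0xDEADBEEF)."""
    k1, k2, k3, k4 = key_bytes(key)
    return k1 ^ k2 ^ k3 ^ k4


def decode_port(obf_value, key=MIRAI_TABLE_KEY):
    """Mirai stores the C&C port in the table as a 2-byte big-endian value."""
    return int.from_bytes(toggle_obf(obf_value, key), "big")


# Bytes that count as part of a recovered string: printable ASCII, space included.
_PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def find_obfuscated_strings(blob, key=MIRAI_TABLE_KEY, min_len=4):
    """XOR a whole binary image with the effective key byte and carve printable runs.

    The usual triage trick for Mirai-family samples: because the scheme reduces
    to a single-byte XOR, table strings become visible without first locating
    the table initialisation routine.
    """
    x = effective_xor_byte(key)
    decoded = bytes(b ^ x for b in blob)
    found, run = [], bytearray()
    for b in decoded:
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed sample (assumption, not from a real binary): strings of the kind a
# Mirai table holds (root/xc3511 is one of the default-credential pairs in the
# leaked scanner list), each NUL-terminated and obfuscated, separated by filler
# bytes chosen so they stay non-printable after decoding.
SAMPLE_PLAIN = [b"/proc/", b"root", b"xc3511", b"listening tun0"]


def build_sample_blob(plain_values=SAMPLE_PLAIN, key=MIRAI_TABLE_KEY):
    filler = b"\xff\xfe\xff"
    blob = bytearray(filler)
    for value in plain_values:
        blob += toggle_obf(value + b"\x00", key) + filler
    return bytes(blob)


if __name__ == "__main__":
    print("effective XOR byte: 0x%02x" % effective_xor_byte())
    print("C&C port:", decode_port(b"\x22\x35"))
    for s in find_obfuscated_strings(build_sample_blob()):
        print("recovered:", s)
```

Because the four-byte key collapses to a single XOR byte, the same carving works on a full ELF image: XOR every byte with 0x22 and the credentials, paths and C&C settings fall out of the strings output, which is why a variant that keeps Mirai's table code gains nothing in stealth from it.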
Yowai listens on port 6 for commands from its command and control (C&C) server. After it infects a router, it launches dictionary attacks in an attempt to infect further devices. The infected router then becomes part of a botnet whose operator can use the compromised devices to launch DDoS attacks, Trend Micro said in its report.
Besides the ThinkPHP exploit, Yowai brings several other exploits to bear alongside the dictionary attack, and it displays a message on the device's console once the attack is done. The botnet also carries a kill list of competing botnets that it tries to eradicate from the infected system. The sample the researchers analyzed exploited the following flaws: CVE-2014-8361, a Linksys remote code execution (RCE) flaw, CVE-2018-10561, and a CCTV-DVR RCE.
Technical Overview of the Hakai Botnet
Hakai, the Gafgyt variant, has previously been seen relying on router vulnerabilities in attacks on IoT devices. The sample analyzed by Trend Micro uses security flaws that are likely unpatched, and it also exploited the ThinkPHP vulnerability, a D-Link DSL-2750B router vulnerability, CVE-2015-2051, CVE-2014-8361 and CVE-2017-17215 to propagate and to perform various DDoS attacks.
It is noteworthy that the Hakai sample contained code copied from Mirai, such as the code for encrypting the configuration table.
However, the functions we've identified are not operational; we suspect that the code for the telnet dictionary attack was intentionally removed to make this Hakai variant stealthier.
Since Mirai variants typically kill competing botnets, it may be advantageous for this Hakai variant to avoid targeting IoT devices that use default credentials. The approach of solely using exploits for propagation is harder to detect than telnet brute-forcing, which likely explains the spike we observed in attack attempts from our detection and blocking technology, the report noted.