Analysts have captured a total of 3 versions of EwDoor. Taking version 0.16.0 as the reference, EwDoor can be characterised as a botnet that receives its C2 through a BitTorrent (BT) tracker, protects its traffic with TLS, and profits mainly from DDoS attacks and the theft of sensitive data. It currently spreads through the N-day vulnerability CVE-2017-6079 and mainly targets EdgeMarc Enterprise Session Border Controller devices.
It currently supports 6 major functions:
Self updating
Port scanning
File management
DDoS attack
Reverse SHELL
Execute arbitrary commands
By registering the author's still-unregistered C2 domain name, analysts were able to measure the size of this botnet for a short period: the number of active bot IPs was around 5.7k. The infected device IPs all belonged to AS7018 (AT&T Services, Inc., an American telecom company).
By cross-checking the SSL certificates used by these devices, analysts found that about 100k IPs were using the same SSL certificate.
Analysts cannot be sure how many of the devices behind these IPs could be infected, but since they belong to the same class of device, the possible impact is real.
EwDoor’s SHELL script is quite long.
It can be seen that the main functions of the SHELL script are:
Download and execute EwDoor samples
Set up Crontab for persistence
It is also worth mentioning that EwDoor samples are stored on the download server in gzip form, which to some extent evades security detection aimed at binary files; the authors of earlier versions packaged the sample into a “Linux rev 1.0 ext2 filesystem” image file and then used mount to attach it to the system, which is probably another self-protection trick.
EwDoor uses dynamic linking, and although it adopts some anti-reverse-engineering techniques, it is not particularly difficult to reverse.
In general, its functionality is relatively simple. When it runs on the infected device, it first collects device information, then performs some common housekeeping such as single-instance enforcement and persistence; then it decrypts the BT tracker and obtains the C2 by querying the BT tracker; finally it reports the collected device information to the C2 and executes the commands the C2 issues.
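As an added host-triage example (not code from the original write-up or from EwDoor itself): the three artefacts described above, a gzip-wrapped sample, an ext2 image attached with mount, and a crontab entry, each leave a checkable trace. The script below runs those checks over constructed sample input: a fabricated /proc/mounts excerpt, a fabricated crontab and a gzip-wrapped ELF header. The cron command and mount point are illustrative guesses, not IOCs taken from the report.

```python
import gzip
import re

# Constructed sample artifacts (not captured from a device): what /proc/mounts and
# the root crontab might look like after the tricks described above.
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
/dev/mtdblock3 /etc/config jffs2 rw 0 0
/dev/loop0 /var/tmp/.mnt ext2 rw,relatime 0 0
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * /bin/bash /etc/config/ew.conf script >/dev/null 2>&1
"""

TEMP_DIRS = ("/var/tmp", "/tmp", "/dev/shm")
IMAGE_FS = ("ext2", "ext3", "ext4", "squashfs")


def loop_image_mounts(proc_mounts_text):
    """Mounts that look like a filesystem image attached from a temp dir:
    a loop-device source, or an image filesystem mounted under a temp dir."""
    hits = []
    for line in proc_mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        source, target, fstype = parts[0], parts[1], parts[2]
        in_tmp = any(target == d or target.startswith(d + "/") for d in TEMP_DIRS)
        if source.startswith("/dev/loop") or (fstype in IMAGE_FS and in_tmp):
            hits.append({"source": source, "target": target, "fstype": fstype})
    return hits


# Commands run from a temp dir, referencing ew.conf, or piping a download into a shell.
CRON_RE = re.compile(r"(/var/tmp/|/tmp/|/dev/shm/|ew\.conf|\b(?:wget|curl)\b.*\|\s*(?:ba)?sh\b)")


def suspicious_cron_entries(crontab_text):
    """Return the command part of every crontab line matching CRON_RE."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = s.split(None, 5)          # 5 time fields + command
        if len(fields) < 6:
            continue
        if CRON_RE.search(fields[5]):
            hits.append(fields[5])
    return hits


def unwrap_gzip_elf(blob):
    """Return (was_gzip, is_elf): a scanner that only checks for the ELF magic
    misses a gzip-wrapped sample; decompress first, then look again."""
    if blob[:2] != b"\x1f\x8b":
        return False, blob[:4] == b"\x7fELF"
    inner = gzip.decompress(blob)
    return True, inner[:4] == b"\x7fELF"


# Constructed stand-in for a downloaded sample: an ELF header wrapped in gzip.
SAMPLE_DOWNLOAD = gzip.compress(b"\x7fELF\x01\x02\x01\x00" + b"\x00" * 56)

if __name__ == "__main__":
    print(loop_image_mounts(SAMPLE_PROC_MOUNTS))
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
    print(unwrap_gzip_elf(SAMPLE_DOWNLOAD))
```

On a live device the same functions can be fed the real `/proc/mounts`, `crontab -l` output and the downloaded file; the point of decompressing before the magic check is that content filters keyed on `\x7fELF` never see the wrapped binary.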
TLS protocol is used at the network level to prevent communication from being intercepted.
Sensitive resources are encrypted to make reverse engineering harder.
The C2 has moved from the sample itself to the “cloud”: it is delivered through a BT tracker, so it cannot be extracted directly by automated IOC extraction systems.
The “ABIFLAGS” program header (PHT entry) of the ELF is modified to counter qemu-user and the Linux sandbox on some newer kernel versions.
This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices.
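Added example, not code from the write-up or from EwDoor: the report says only that the ABIFLAGS program header was modified, not how. One malformation that both qemu-user's ELF loader and the kernel's MIPS `arch_elf_pt_proc()` reject outright is a `PT_MIPS_ABIFLAGS` entry whose `p_filesz` is smaller than the 24-byte `Elf_Mips_ABIFlags_v0` structure, while older kernels that never look at that header run the binary normally. Whether that is exactly EwDoor's trick is an assumption here. The parser below walks an ELF32 program header table and reports such entries, using a constructed minimal MIPS ELF (not a real sample) as input.

```python
import struct

EM_MIPS = 8
PT_MIPS_ABIFLAGS = 0x70000003       # MIPS-specific program header type
ABIFLAGS_V0_SIZE = 24               # sizeof(Elf_Mips_ABIFlags_v0)
EHDR32_FMT = "HHIIIIIHHHHHH"        # Elf32_Ehdr fields that follow e_ident
PHDR32_FMT = "8I"                   # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
ABIFLAGS_FMT = "HBBBBBBIIII"        # version, isa_level, isa_rev, gpr_size, cpr1_size, cpr2_size, fp_abi, isa_ext, ases, flags1, flags2
ABIFLAGS_FIELDS = ("version", "isa_level", "isa_rev", "gpr_size", "cpr1_size",
                   "cpr2_size", "fp_abi", "isa_ext", "ases", "flags1", "flags2")


def parse_elf32(data):
    """Return (e_machine, struct endianness prefix, program headers) of an ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not an ELF32 image")
    end = ">" if data[5] == 2 else "<"
    (_, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(end + EHDR32_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, p_memsz, _, _ = struct.unpack_from(
            end + PHDR32_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "offset": p_offset, "filesz": p_filesz, "memsz": p_memsz})
    return e_machine, end, phdrs


def check_abiflags(data):
    """Findings for PT_MIPS_ABIFLAGS entries that qemu-user and ABIFLAGS-aware
    kernels refuse to load. Empty list means nothing suspicious."""
    e_machine, _, phdrs = parse_elf32(data)
    findings = []
    if e_machine != EM_MIPS:
        return findings
    for ph in phdrs:
        if ph["type"] != PT_MIPS_ABIFLAGS:
            continue
        if ph["filesz"] < ABIFLAGS_V0_SIZE:
            findings.append("PT_MIPS_ABIFLAGS p_filesz=%d is smaller than the %d-byte struct; "
                            "qemu-user and kernels that validate ABIFLAGS reject this image"
                            % (ph["filesz"], ABIFLAGS_V0_SIZE))
        elif ph["offset"] + ph["filesz"] > len(data):
            findings.append("PT_MIPS_ABIFLAGS body at offset 0x%x runs past end of file" % ph["offset"])
    return findings


def abiflags_fields(data):
    """Decode the first well-formed ABIFLAGS structure, or None if there is none."""
    _, end, phdrs = parse_elf32(data)
    for ph in phdrs:
        if ph["type"] == PT_MIPS_ABIFLAGS and ph["filesz"] >= ABIFLAGS_V0_SIZE \
                and ph["offset"] + ABIFLAGS_V0_SIZE <= len(data):
            return dict(zip(ABIFLAGS_FIELDS, struct.unpack_from(end + ABIFLAGS_FMT, data, ph["offset"])))
    return None


def build_sample(abiflags_filesz, big_endian=True):
    """Constructed minimal MIPS ELF32 (one PT_LOAD, one PT_MIPS_ABIFLAGS) whose
    ABIFLAGS p_filesz is chosen by the caller. Not a real EwDoor sample."""
    end = ">" if big_endian else "<"
    phnum, phoff = 2, 52
    abi_off = phoff + phnum * 32
    total = abi_off + ABIFLAGS_V0_SIZE
    e_ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(end + EHDR32_FMT, 2, EM_MIPS, 1, 0x400000, phoff, 0, 0, 52, 32, phnum, 0, 0, 0)
    ph_load = struct.pack(end + PHDR32_FMT, 1, 0, 0x400000, 0x400000, total, total, 5, 0x1000)
    ph_abi = struct.pack(end + PHDR32_FMT, PT_MIPS_ABIFLAGS, abi_off, 0, 0,
                         abiflags_filesz, abiflags_filesz, 4, 8)
    abiflags = struct.pack(end + ABIFLAGS_FMT, 0, 32, 2, 32, 32, 0, 1, 0, 0, 0, 0)  # fp_abi=1 (double)
    return ehdr + ph_load + ph_abi + abiflags


if __name__ == "__main__":
    print(check_abiflags(build_sample(ABIFLAGS_V0_SIZE)))   # clean: []
    print(check_abiflags(build_sample(8)))                  # undersized entry reported
    print(abiflags_fields(build_sample(ABIFLAGS_V0_SIZE)))
```

Run `check_abiflags(open(sample, "rb").read())` on a MIPS sample that dies under `qemu-mipsel-static` before reaching its entry point; a finding here explains the failure and tells you to run it on an older kernel or patch the header before dynamic analysis.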
When EwDoor runs, it checks its own file name and start parameters.
If the file name is /var/tmp/.mnt/ewupdate, this is an update operation: it copies itself to ewstat with the command cp -f /var/tmp/.mnt/ewupdate /var/tmp/.mnt/ewstat and then starts that copy. If there are no start parameters, or the first parameter is not “script”, the /etc/config/ew.conf script is executed via bash. Only when the first parameter is “script” is the processing logic below executed, which is in its own way also a countermeasure against sandboxes and emulators.
EwDoor enforces a single instance by means of a file lock.
It is possible to use /proc/locks to observe the process and its lock file; if EwDoor is executed again while the lock is held, analysts can see that no new process is created.
EwDoor collects the hostname, NIC address, etc. of the compromised device for use later in the registration process.
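Added example (not EwDoor's code, and the lock file name is a made-up stand-in): the single-instance check described above is an exclusive non-blocking flock, and the resulting entry in /proc/locks carries the holder's PID and the lock file's inode, which can be mapped back to a path through /proc/PID/fd. The block below demonstrates both halves: the lock semantics against a temporary file, and a parser for a constructed /proc/locks excerpt.

```python
import fcntl
import os
import re
import tempfile


def try_lock(lock_path):
    """Exclusive, non-blocking flock on lock_path. Returns the fd on success,
    None if another open file description already holds the lock."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def release(fd):
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def single_instance_demo():
    """Two separate opens of the same lock file: the second cannot take the lock
    until the first releases it. Returns (first_ok, second_blocked, second_ok_after)."""
    path = os.path.join(tempfile.mkdtemp(), "ewstat.lock")   # constructed name, not EwDoor's
    first = try_lock(path)
    second_while_held = try_lock(path)
    release(first)
    second_after = try_lock(path)
    release(second_after)
    return first is not None, second_while_held is None, second_after is not None


# /proc/locks line layout: id: TYPE MODE ACCESS PID MAJ:MIN:INODE START END
LOCK_RE = re.compile(
    r"^\d+:\s+(FLOCK|POSIX|OFDLCK)\s+(ADVISORY|MANDATORY)\s+(READ|WRITE)\s+(-?\d+)\s+"
    r"([0-9a-f]+):([0-9a-f]+):(\d+)")


def flock_holders(proc_locks_text):
    """(pid, inode) for every FLOCK entry in /proc/locks text."""
    out = []
    for line in proc_locks_text.splitlines():
        m = LOCK_RE.match(line.strip())
        if m and m.group(1) == "FLOCK":
            out.append((int(m.group(4)), int(m.group(7))))
    return out


def lock_file_of(pid, inode):
    """Resolve a (pid, inode) pair to the path that process has open (live Linux only)."""
    fd_dir = "/proc/%d/fd" % pid
    try:
        for name in os.listdir(fd_dir):
            entry = os.path.join(fd_dir, name)
            try:
                if os.stat(entry).st_ino == inode:
                    return os.readlink(entry)
            except OSError:
                continue
    except OSError:
        pass
    return None


# Constructed /proc/locks excerpt (not from a real device): one flock held by PID 4321.
SAMPLE_PROC_LOCKS = """\
1: FLOCK  ADVISORY  WRITE 4321 00:1d:12345 0 EOF
2: POSIX  ADVISORY  READ  1000 08:01:98765 0 EOF
"""

if __name__ == "__main__":
    print(single_instance_demo())                 # (True, True, True)
    for pid, inode in flock_holders(SAMPLE_PROC_LOCKS):
        print(pid, inode, lock_file_of(pid, inode))
```

On a live host, `flock_holders(open("/proc/locks").read())` followed by `lock_file_of()` gives the PID and path of every flock holder, which is exactly the observation the analysts describe: the lock survives as long as the first process lives, and a second launch exits without leaving a process behind.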
EwDoor periodically terminates the netflash process on the system with the following code. The netflash command is a maintenance command used to update the system remotely.
EwDoor achieves persistence by blocking this maintenance channel and combining that with the crontab set up by the SHELL script.
EwDoor stores its network-related sensitive resources, such as registration information, C2, ports, etc., in encrypted form inside the sample.
Therefore, when a bot wants to communicate with the C2, it has to decrypt this part of the resources first, then obtain the C2 either directly or indirectly, and finally establish communication with the C2 and wait for the commands it issues.
EwDoor uses 3 tables to describe the encrypted resources: a ciphertext table, a ciphertext length table and a combination table. The ciphertext and ciphertext length tables describe the encrypted resources themselves, while the combination table describes how the resources are combined when used.
The ciphertext table and ciphertext length table decrypt to the BT domain, BT port and other information, while the combination table combines the BT domain and port into the BT tracker.
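Added example of the three-table layout described above, written as the skeleton of a configuration extractor; it is not EwDoor's code. The write-up does not reproduce the cipher or the exact on-disk layout, so a single-byte XOR stands in for the decryption routine and the packed byte layout is an assumption (documented in `parse_tables`); the strings and combination rule are constructed, not recovered from a sample. What the block does show is the mechanics a practitioner needs: walk the length table to slice the ciphertext table, decrypt each entry, then let the combination table assemble decrypted pieces and literal separators into the final tracker string.

```python
KEY = 0x5A   # constructed key for the XOR stand-in; replace with the real routine


def decrypt(ciphertext, key=KEY):
    # Stand-in for EwDoor's real decryption routine, which the write-up does not give.
    return bytes(b ^ key for b in ciphertext).decode("ascii")


def encrypt(plaintext, key=KEY):
    return bytes(b ^ key for b in plaintext.encode("ascii"))


def pack_tables(strings, combos, key=KEY):
    """Build the three tables in the assumed packed layout parsed by parse_tables."""
    cts = [encrypt(s, key) for s in strings]
    out = bytes([len(cts)]) + bytes(len(c) for c in cts) + b"".join(cts)   # length table, then ciphertext table
    out += bytes([len(combos)])                                            # combination table
    for combo in combos:
        out += bytes([len(combo)])
        for kind, val in combo:
            if kind == "ref":                       # index into the decrypted string table
                out += bytes([0x00, val])
            else:                                   # literal separator such as ":" or "udp://"
                lit = val.encode("ascii")
                out += bytes([0x01, len(lit)]) + lit
    return out


def parse_tables(blob, key=KEY):
    """Return (decrypted strings, combined resources). Assumed layout:
       u8 n | u8 len[n] | ciphertext[sum(len)] | u8 m | m combinations, each
       u8 parts followed by entries of (0x00, idx) or (0x01, litlen, literal)."""
    pos = 0
    n = blob[pos]; pos += 1
    lengths = list(blob[pos:pos + n]); pos += n
    strings = []
    for ln in lengths:
        strings.append(decrypt(blob[pos:pos + ln], key)); pos += ln
    m = blob[pos]; pos += 1
    resources = []
    for _ in range(m):
        parts = blob[pos]; pos += 1
        pieces = []
        for _ in range(parts):
            kind = blob[pos]; pos += 1
            if kind == 0x00:
                pieces.append(strings[blob[pos]]); pos += 1
            elif kind == 0x01:
                ln = blob[pos]; pos += 1
                pieces.append(blob[pos:pos + ln].decode("ascii")); pos += ln
            else:
                raise ValueError("unknown combination entry kind 0x%02x at offset %d" % (kind, pos - 1))
        resources.append("".join(pieces))
    return strings, resources


# Constructed sample: an encrypted BT domain and port plus one combination rule that
# assembles them into a tracker URL. The values are placeholders, not real IOCs.
SAMPLE_BLOB = pack_tables(
    ["tracker.invalid", "6969"],
    [[("lit", "udp://"), ("ref", 0), ("lit", ":"), ("ref", 1), ("lit", "/announce")]],
)

if __name__ == "__main__":
    strings, resources = parse_tables(SAMPLE_BLOB)
    print(strings)      # ['tracker.invalid', '6969']
    print(resources)    # ['udp://tracker.invalid:6969/announce']
```

When writing the extractor for a real sample, only `decrypt()` and the table offsets in `parse_tables()` change; the split between "decrypt every entry" and "apply the combination rules" is what lets the same code recover the tracker, the registration strings and the ports from one pass over the binary.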