EwDoor Botnet Is Attacking AT&T Customers

Analysts have captured a total of 3 versions of EwDoor, with version 0.16.0 as a blueprint, analysts can characterize EwDoor as, a botnet that sends C2 down through BT tracker, uses TLS to protect traffic, and mainly profits by means of DDoS attacks and sensitive data theft, which currently propagates through the Nday vulnerability CVE-2017-6079, mainly targeting EdgeMarc Enterprise Session Border Controller devices.

Currently supports 6 major functions.

Self updating
Port scanning
File management
DDoS attack
Reverse SHELL
Execute arbitrary commands

By grabbing the author’s unregistered CC domain name, analysts were able to measure the size of this Botnet for a little while, when the active Bot IP was around 5.7k. The AS numbers of the infected device IPs were all AS7018|AT&T_Services,_Inc. (AT&T, an American telecom company).
By back-checking the SSl certificates used by these devices, analysts found that there were about 100k IPs using the same SSl certificate.
Analysts are not sure how many devices corresponding to these IPs could be infected, but analysts can speculate that as they belong to the same class of devices the possible impact is real.

EwDoor’s SHELL script is quite long.
t can be seen that the main functions of the SHELL script are

Download and execute EwDoor samples
Set up Crontab for persistence
It is also worth mentioning that EwDoor samples are stored in the form of gzip on the download server, which to a certain extent escapes the security detection for binary files; the authors of earlier versions made the sample files into Linux rev 1.0 ext2 filesystem files and then used mount to mount the files on the system, which is probably another trick to protect itself.

Ewdoor uses dynamic linking, and although it adopts some anti-reverse techniques, there is not much difficulty in reversing it.
In general, the function is relatively simple. When it runs on the infected device, it first collects device information, them performs soem common things such as single instance, persistence and other functions; then decrypts the bt tracker and obtains C2 by accessing the bt tracker; finally reports the collected device information to C2 and executes the commands issued by C2.

TLS protocol is used at the network level to prevent communication from being intercepted.

Sensitive resources are encrypted to make it more difficult to reverse

C2 has moved from local to “cloud” and sent by BT tracker to prevent direct extraction by IOC system.

Modify the “ABIFLAGS” PHT in ELF to counter qemu-user and some high kernel versions of the linux sandbox.
This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices.
When Ewdoor runs, it will check the file name and parameters.
When the file name is “/var/tmp/.mnt/ewupdate”, it means that this is an update operation, and then it will copy itself to ewstat by the command cp -f /var/tmp/.mnt/ewupdate /var/tmp/.mnt/ewstat and then start the execution; when there are no start parameters, or the first start is not script, then the /etc/config/ew.conf script is executed via bash; only when the first boot data is script, the processing logic below is executed, which is in a way also a countermeasure to the sandbox/simulator.

Ewdoor implements single instance by means of a file lock.
It’s possible to use /proc/locks to observe the process and corresponding lock files, and then execute the EwDoor, analysts can see that no new processes are created.
Ewdoor collects the hostname, NIC address, etc. of the compromised device for use later in the registration process.
Ewdoor periodically terminates the netflash process in the system with the following code. netflash command is a maintenance command used to update the system remotely.
EwDoor achieves persistence by blocking the maintenance channel and then working with the crontab in the SHELL script.

Ewdoor stores the encrypted network related sensitive resources, such as registration information, C2, ports, etc. in the sample.
Therefore, when bots want to communicate with C2, they have to decrypt this part of the resources first, then get the C2 either directly or indirectly, and then finally establish communication with the C2 and wait for the execution of the commands issued by the C2.

Ewdoor uses 3 tables to describe the encrypted resources, one is the ciphertext table, one is the ciphertext length table and one is the combination table. The ciphertext & ciphertext length table are used to describe the encrypted resource itself, while the combination table is used to describe how the resource is used in combination.
The cipher table and cipher length table can decrypt BT domain, BT port and other information, while the combination table can combine BT domain & port into BT tracker.

Sign Up For Threat Alerts

Threats Icon

Dec 08, 2022

Trigona (._locked) ransomware virus

Trigona is ransomware that encrypts files and appends the "._locked" extension to filenames. Also, it...

Threats Icon

Dec 08, 2022

Threat Actors Target Exposed Remote Desktop Protocol...

Threat actors were discovered targeting open Remote Desktop Protocol (RDP) ports with variants from a...

Threats Icon

Dec 07, 2022

Redigo Backdoor Malware Targets Redis Servers

The Redigo backdoor is written in the Go programming language and targets Redis servers vulnerable...

Threats Icon

Dec 06, 2022

DuckLogs MaaS (Malware-as-a-Service) Provides Sophisticated Features

DuckLogs is MaaS (Malware-as-a-Service) advertised on cybercrime forums with a range of features including remote...

Threats Icon

Dec 05, 2022

WannaRen Returns As Life Ransomware

WannaRen ransomware appeared on the threat landscape in 2020 and reemerged in 2022 as Life...

Threats Icon

Dec 04, 2022

Alert (AA22-335A) Cuba Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are...

Threats Icon

Dec 01, 2022

UNC4191 Threat Group Targets Entities In The...

The UNC4191 threat group was discovered targeting entities in the Philippines with custom malware and...

Threats Icon

Nov 30, 2022

Emotet Leads To Quantum Ransomware Infection

Threat actors were observed using Emotet to gain access to the victim's network and deploy...

Threats Icon

Nov 29, 2022

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that...

Threats Icon

Nov 29, 2022

Ransomware Roundup: Cryptonite Ransomware

FortiGuard Labs has reported on Cryptonite ransomware, which was found to target Microsoft Windows machines...

Threats Icon

Nov 28, 2022

Operation Typhoon: The Cyber Sea Lotus Coveting...

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions...

Threats Icon

Nov 27, 2022

IL-Cert Alert – Active phishing campaign in...

There is a new phishing campaign in Israel. The malware relies upon user execution. The...

Threats Icon

Nov 27, 2022

Emotets Vacation Is Over: No Rest For...

Emotet started as a banking Trojan in spreading via spam campaigns by imitating financial statements,...

Threats Icon

Nov 24, 2022

Aurora: A Rising Stealer Flying Under The...

Aurora is a multipurpose botnet with data collection, information stealer, downloading, and remote access Trojan...

Threats Icon

Nov 23, 2022

Analysis Of The ViperSoftX And VenomSoftX Information...

Torrents and software-sharing sites are being used to target victims across the globe with variants...