EwDoor Botnet Is Attacking AT&T Customers

Analysts have captured a total of 3 versions of EwDoor, with version 0.16.0 as a blueprint, analysts can characterize EwDoor as, a botnet that sends C2 down through BT tracker, uses TLS to protect traffic, and mainly profits by means of DDoS attacks and sensitive data theft, which currently propagates through the Nday vulnerability CVE-2017-6079, mainly targeting EdgeMarc Enterprise Session Border Controller devices.

Currently supports 6 major functions.

Self updating
Port scanning
File management
DDoS attack
Reverse SHELL
Execute arbitrary commands

By grabbing the author’s unregistered CC domain name, analysts were able to measure the size of this Botnet for a little while, when the active Bot IP was around 5.7k. The AS numbers of the infected device IPs were all AS7018|AT&T_Services,_Inc. (AT&T, an American telecom company).
By back-checking the SSl certificates used by these devices, analysts found that there were about 100k IPs using the same SSl certificate.
Analysts are not sure how many devices corresponding to these IPs could be infected, but analysts can speculate that as they belong to the same class of devices the possible impact is real.

EwDoor’s SHELL script is quite long.
t can be seen that the main functions of the SHELL script are

Download and execute EwDoor samples
Set up Crontab for persistence
It is also worth mentioning that EwDoor samples are stored in the form of gzip on the download server, which to a certain extent escapes the security detection for binary files; the authors of earlier versions made the sample files into Linux rev 1.0 ext2 filesystem files and then used mount to mount the files on the system, which is probably another trick to protect itself.

Ewdoor uses dynamic linking, and although it adopts some anti-reverse techniques, there is not much difficulty in reversing it.
In general, the function is relatively simple. When it runs on the infected device, it first collects device information, them performs soem common things such as single instance, persistence and other functions; then decrypts the bt tracker and obtains C2 by accessing the bt tracker; finally reports the collected device information to C2 and executes the commands issued by C2.

TLS protocol is used at the network level to prevent communication from being intercepted.

Sensitive resources are encrypted to make it more difficult to reverse

C2 has moved from local to “cloud” and sent by BT tracker to prevent direct extraction by IOC system.

Modify the “ABIFLAGS” PHT in ELF to counter qemu-user and some high kernel versions of the linux sandbox.
This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices.
When Ewdoor runs, it will check the file name and parameters.
When the file name is “/var/tmp/.mnt/ewupdate”, it means that this is an update operation, and then it will copy itself to ewstat by the command cp -f /var/tmp/.mnt/ewupdate /var/tmp/.mnt/ewstat and then start the execution; when there are no start parameters, or the first start is not script, then the /etc/config/ew.conf script is executed via bash; only when the first boot data is script, the processing logic below is executed, which is in a way also a countermeasure to the sandbox/simulator.

Ewdoor implements single instance by means of a file lock.
It’s possible to use /proc/locks to observe the process and corresponding lock files, and then execute the EwDoor, analysts can see that no new processes are created.
Ewdoor collects the hostname, NIC address, etc. of the compromised device for use later in the registration process.
Ewdoor periodically terminates the netflash process in the system with the following code. netflash command is a maintenance command used to update the system remotely.
EwDoor achieves persistence by blocking the maintenance channel and then working with the crontab in the SHELL script.

Ewdoor stores the encrypted network related sensitive resources, such as registration information, C2, ports, etc. in the sample.
Therefore, when bots want to communicate with C2, they have to decrypt this part of the resources first, then get the C2 either directly or indirectly, and then finally establish communication with the C2 and wait for the execution of the commands issued by the C2.

Ewdoor uses 3 tables to describe the encrypted resources, one is the ciphertext table, one is the ciphertext length table and one is the combination table. The ciphertext & ciphertext length table are used to describe the encrypted resource itself, while the combination table is used to describe how the resource is used in combination.
The cipher table and cipher length table can decrypt BT domain, BT port and other information, while the combination table can combine BT domain & port into BT tracker.

Sign Up For Threat Alerts

Loading...
Threats Icon

Aug 14, 2022

US Cert Alert – Zeppelin Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are...

Threats Icon

Aug 11, 2022

Cisco Talos shares insights related to recent...

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco...

Threats Icon

Aug 11, 2022

Andariel deploys DTrack and Maui ransomware

The CISA published an alert, entitled, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware To...

Threats Icon

Aug 09, 2022

Albanian Government Organizations Targeted By Possible Iranian...

Mandiant identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government...

Threats Icon

Aug 08, 2022

BumbleBee Roasts Its Way to Domain Admin

Threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that...

Threats Icon

Aug 08, 2022

RapperBot – new evolving malware

FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...

Threats Icon

Aug 04, 2022

Google Drive And Dropbox Used By APT29...

Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...

Threats Icon

Aug 03, 2022

Manjusaka: A Chinese sibling of Sliver and...

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...

Threats Icon

Aug 03, 2022

macOS Targeted With The CloudMensis Multi-Staged Malware

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...

Threats Icon

Aug 01, 2022

Attackers Target Ukraine With GoMet Backdoor

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 26, 2022

EvilNum Targets Cryptocurrency, Forex, Commodities

Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...

Threats Icon

Jul 25, 2022

Lightning Framework: New Undetected “Swiss Army Knife”...

Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...

Threats Icon

Jul 24, 2022

Redeemer Ransomware

Redeemer 2.0 Being Distributed Via Affiliate Program Cyble Research Labs has constantly been tracking emerging...