1/14 carbreal Hubnr Botnet github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet Today, april 3rd of 2021, I found the following sample in my honeypot: At first sight, it seems like a Mirai variant but has some interesting stuff. First, it doesn't encode the strings with an XOR function. It has two functions that do the job: util_encrypt() and util_decrypt() and they just apply a 3 character rotation to the strings. arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped hash: fe7fb996b997877216d782a7adbcbe6a37bc585d459c6d0d452a346b078157c6 2/14 In the main function, we see the first util_decrypt() call. It decodes the variable proc_name, that returns "/dev/hubnr". Then, it runs the two main functions: hakka_con() and parse_buf(). hakka_con() connects to the server and runs scanner_init(). In order to get the master IP, it calls again util_decrypt() with the variable bot_host. This sample connects to the IP: 194.113.107.243 3/14 scanner_init() is the function that propagates itself. I don't fully understand the entire logic behind this huge function, but I'd say that it works like a state machine. It has a for loop that iterates through a variable and a switch-case function that goes through each state. 4/14 It has a state that runs a telnet scan and performs a bruteforce with a few stored credentials: 5/14 6/14 7/14 8/14 Then, if the login is successful, it runs some recon commands and depending on the output it gets the appropiate binary for the architecture. It has a few ways of getting the binary into the victim's machine: with a wget, a tftp or echoing it into the machine. Basically, this are the commands used in the different states: It has 5 different droppers embedded targeting 5 different architectures. It has a payloads variable that points to the memory direction of each dropper and it's used in the get_retrieve_binary() function inside the state. 9/14 The dropper is a very small binary that only retrieves the sample from the master. 10/14 The other main function is parse_buf(). This one gets the command from the master. At the moment, it has 4 different options. A PING option, that just updates the master with the alive bots. "killproc" that kills the process. And two different attack capabilities: "udpflood" and "tcpflood". 11/14 It's very interesting that it has also a http_send()+http_attack() function with 5 different user-agent in memory and the HTTP request is also stored. It's used in the http_attack() function and it uses 4 different variables that are empty at the moment. I asume that when the new 12/14 functionality is implemented, the master will be able to select different payloads but it's not possible yet. 13/14 14/14