{
	"id": "19610861-b13c-44cd-92bf-e37b352dd2b3",
	"created_at": "2026-04-06T00:08:34.511965Z",
	"updated_at": "2026-04-10T03:38:06.542796Z",
	"deleted_at": null,
	"sha1_hash": "ef0c44b38249428ade25c057863ed7256dc9c751",
	"title": "A Wicked Family of Bots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 301306,
	"plain_text": "A Wicked Family of Bots\r\nPublished: 2018-05-17 · Archived: 2026-04-05 18:35:11 UTC\r\nAs we continue to keep track of the latest IoT botnets, the FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago. Since then, threat actors have been adding their own flavours to the original recipe.\r\nSome made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.\r\nThis new variant has added at least three exploits to its arsenal to target unpatched IoT devices. In this article, we will take a look at how it works, the primary purpose of this bot, and how it relates to other known botnets.\r\nInside the Bot\r\nTo provide an immediate overview of the differences between Mirai and this new variant, we need to take a look at its configuration table, which can be decrypted by XOR with the key 0x37.\r\nSome of the more interesting strings we noticed include /bin/busybox WICKED and WICKED: applet not found, which is where we got the name for this variant. Moreover, the string SoraLOADER might be taken as a clue that this bot functions as a downloader and spreader for the Sora botnet, a Mirai variant. However, as we went through our analysis, this was later contradicted, which then led us to a more interesting hypothesis.\r\nhttps://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html\r\nPage 1 of 6\n\nFig 1. Decrypted configuration table\r\nBotnets based on Mirai usually contain three main modules: Attack, Killer, and Scanner. In this analysis, we will just focus on the Scanner module, which includes the spreading mechanism of the botnet. The original Mirai used traditional brute-force attempts to gain access to IoT devices. The WICKED bot, on the other hand, uses known and available exploits, many of them already quite old.\r\nThe Wicked bot scans ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection.\r\nFig 2. Socket file descriptor\r\nIf a connection is established, it will attempt to exploit the device and download its payload. It does this by writing the exploit strings to the socket using the write() syscall. The write() syscall is equivalent to calling the send() syscall with the flags argument set to zero (which means no extra behaviors).\r\nFig 3. Sending a request by writing to a socket\r\nDevices Targeted by Wicked\r\nThe exploit to be used depends on the specific port the bot was able to connect to. Exploits and the corresponding target ports are listed below.\r\nPort 8080: Netgear DGN1000 and DGN2200 v1 routers (also used by Reaper botnet)\r\nFig 4. Netgear exploit\r\nFig 5. CCTV-DVR RCE exploit\r\nPort 8443: Netgear R7000 and R6400 Command Injection (CVE-2016-6277)\r\nFig 6. CVE-2016-6277 exploit\r\nPort 80: Invoker shell in compromised web servers\r\nThe next item on the list does not directly exploit the device, but instead takes advantage of compromised web servers with malicious web shells already installed.\r\nFig 7. Invoke shell\r\nAfter a successful exploit, this bot then downloads its payload from a malicious web site, in this case hxxp://185.246.152.173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted-at Sora bot. However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.\r\nFig 8. Exploit repository of Omni botnet\r\nWe double-checked the history of the malicious website and confirmed that it had previously delivered the Owari botnet.\r\nFuzzing the website’s /bins directory, we found other Omni samples in the directory, which were reported to be delivered using the GPON vulnerability (CVE-2018-10561). Payloads are regularly updated, as shown by their timestamps.\r\nFig 9. Bins repository of Omni botnet\r\nConnecting the Dots\r\nFinding the connection between the Wicked, Sora, Owari, and Omni botnets led us to an interview last April with a security researcher who we believe to be the author of these botnet variants. Basically, the author, using the pseudonym “Wicked”, confirmed he is the author of both Sora and Owari. When asked about the future of Sora and Owari, Wicked’s response was “SORA is an abandoned project for now and I will continue to work on OWARI. You will not see a third project from me anytime soon as I continue to expand my current ones.”\r\nApparently, as seen in the /bins repository, Sora and Owari botnet samples have now both been abandoned and replaced with Omni.\r\nConclusion\r\nBased on the author’s statements in the above-mentioned interview and on the different botnets being hosted on the same host, we can essentially confirm that the author of the Wicked, Sora, Owari, and Omni botnets is one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects.\r\nFortiGuard Labs will continue to monitor the latest developments in the IoT threat landscape, specifically following botnets as they add new exploits to their arsenal in order to infect IoT devices.\r\nMany thanks to our colleagues David Maciejak, Joie Salvio, Jasper Manuel and Tony Loi for the additional analyses and insights.\r\n-= FortiGuard Lion Team =-\r\nAttacks mentioned are covered by the following IPS signatures:\r\nNETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution\r\nNETGEAR.DGN1000B.Setup.CGI.Remote.Command.Execution\r\nNETGEAR.WebServer.Module.Command.Injection\r\nMultiple.CCTV.DVR.Vendors.Remote.Code.Execution\r\nIOC\r\nSha256:\r\nELF/Mirai.AT!tr\r\n57477e24a7e30d2863aca017afde50a2e2421ebb794dfe5335d93cfe2b5f7252 (Wicked)\r\nDownload Sites:\r\nhxxp://185.246.152.173/bins/\r\nhxxp://185.246.152.173/exploit/\r\nCheck out our latest Quarterly Threat Landscape Report for more details about recent threats.\r\nSign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.\r\nSource: https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html"
	],
	"report_names": [
		"a-wicked-family-of-bots.html"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef0c44b38249428ade25c057863ed7256dc9c751.pdf",
		"text": "https://archive.orkl.eu/ef0c44b38249428ade25c057863ed7256dc9c751.txt",
		"img": "https://archive.orkl.eu/ef0c44b38249428ade25c057863ed7256dc9c751.jpg"
	}
}