Reaper C2 Malware – What we know so far

Summary

First detected at 01:02:13 on September 13th 2017 by researchers at the Chinese security firm Netlab 360, a new botnet, dubbed “IoT_Reaper”, has the potential to cause more damage than last year’s Mirai.

The newly discovered botnet, also known as Reaper and Troop, has been growing rapidly for the last month. Reaper shares part of its source code with the notorious Mirai botnet, but has a more sophisticated infection mechanism. Mirai scanned for open web ports and tried default passwords to gain access to IoT (Internet of Things) devices, whereas Reaper uses a collection of nine publicly known vulnerabilities to target routers.

Affected devices include routers and IoT devices from the following manufacturers:

  • D-Link
  • TP-Link
  • Netgear
  • Linksys
  • GoAhead
  • JAWS
  • Vacron
  • AVTech
  • MikroTik

Mirai, which was capable of launching an attack made up of over 1TB of traffic, was used to take down a DNS service in October 2016. This is said to have been the largest DDoS attack in history, causing Internet outages for a number of major Internet services including Amazon, Netflix, PayPal and Twitter. However, it is speculated that the Reaper botnet is capable of causing even more damage: according to Netlab, Reaper has already acquired at least two million devices, with an additional 10,000 new devices being added daily. Israeli cyber security company Check Point Software Technologies Ltd, which discovered Reaper around the same time as Netlab, estimates a more conservative one million organizations affected worldwide. Either way, such a large number of infected devices should be considered a cause for concern.

A key feature of Reaper is that it includes a software platform which allows new modules to be installed. Since the botnet was first detected in September, its creator has added new exploits to help Reaper spread further and infect more devices. The ability to add new modules would also allow Reaper to evolve, resulting in weaponized devices capable of causing a major denial of service. So far Reaper has shown no sign of offensive activity, but DDoS attacks are the most likely attack to occur in the future, as they are the most effective way an attacker can use a large IoT botnet to cause damage.

Mitigation

In many cases, patching devices to the latest available update will help prevent IoT devices from being exploited and added to the botnet. It is suggested that scans are performed, using well-known anti-virus/malware protection suites, to discover any vulnerable or compromised Internet of Things devices that currently exist on a network.

Additionally, there are steps that can be taken to mitigate the effects of being attacked by Reaper, if it were to execute a DDoS attack. Using what is currently known about Reaper and about previous DDoS attacks such as those launched by Mirai, there are ways of protecting against, or reducing the damage caused by, the massive DDoS attack that Reaper could be used for. The most common way to protect against a DDoS attack is to use a DDoS mitigation service; the aim of such a service is to absorb the mass of malicious traffic targeting a website that would otherwise take it offline.

IoCs (Indicators of Compromise)

There are a number of known Indicators of Compromise that can be loaded into IDS/IPS systems in order to alert on or block the Reaper malware, which are:

IPv4 Address

  • Downloader: 162.211.183.192
  • Controller: 27.102.101.121
  • Reporter: 222.112.82.231
  • Loader: 119.82.26.157

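The IoCs above are published defanged (hxxp) and have to be refanged before they can be matched against real log data. The following is an added example, not code from the original post or from any of the cited researchers, that refangs a handful of the page’s indicators and runs them over constructed proxy log lines; the log line format and the sample traffic are hypothetical.

```python
import re

# IoC values taken from this page's IoC list; roles as labelled there.
REAPER_IPS = {
    "162.211.183.192": "downloader",
    "27.102.101.121": "controller",
    "222.112.82.231": "reporter",
    "119.82.26.157": "loader",
}
# Defanged as published (hxxp://). Feeds defang URLs so they are not clickable;
# they must be refanged, or they will never match what the proxy actually logged.
REAPER_URLS_DEFANGED = [
    "hxxp://cbk99.com:8080/run.lua",
    "hxxp://bbk80.com/api/api.php",
    "hxxp://27.102.101.121/down/1506753086",
    "hxxp://162.211.183.192/down/server.armel",
]

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, hxxps, [.]) back into a matchable URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))

REAPER_URLS = {refang(u) for u in REAPER_URLS_DEFANGED}

# Hypothetical proxy log format: "<timestamp> <src> -> <dst> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$")

def check_line(line: str):
    """Return (source host, reason) if a log line touches a Reaper IoC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # unparseable line: ignore rather than crash
    dst, url = m.group("dst"), m.group("url")
    if url in REAPER_URLS:               # exact URL hit is the strongest signal
        return m.group("src"), f"url:{url}"
    role = REAPER_IPS.get(dst)           # otherwise fall back to the C2 IP and its role
    if role:
        return m.group("src"), f"ip:{dst} ({role})"
    return None

def scan(lines):
    """Return the list of hits for a batch of log lines."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2017-10-22T01:02:13Z 192.168.1.20 -> 162.211.183.192 GET http://162.211.183.192/down/server.armel",
    "2017-10-22T01:02:14Z 192.168.1.21 -> 93.184.216.34 GET http://example.com/",
    "2017-10-22T01:02:15Z 192.168.1.22 -> 27.102.101.121 POST http://27.102.101.121/report",
]
```

The source hosts returned by `scan()` are the internal devices to isolate and re-image; a hit on the controller or reporter address indicates an already infected device rather than an attempted download.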

If you are concerned that you may potentially be at risk of such malware or other cyber threats currently in circulation then please do not hesitate to contact us at: enquiry@zepko.com.

Related reading:

Mirai 2.0: https://news.zepko.com/mirai-2-0/

References:

https://itnews.com.au/news/new-mirai-copycat-iot-botnet-spreading-475936

https://arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/

http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

https://eteknix.com/theres-a-new-botnet-out-there-that-dwarfs-mirai/

https://siliconangle.com/blog/2017/10/22/new-reaper-botnet-malware-infects-two-million-iot-devices

https://research.checkpoint.com/new-iot-botnet-storm-coming/

http://ibtimes.com/reaper-botnet-more-2-million-internet-things-devices-compromised-2604299

https://bleepingcomputer.com/news/security/a-gigantic-iot-botnet-has-grown-in-the-shadows-in-the-past-month/