Creator of Satori uses Vulnerability in D-Link to organize a new Botnet

By Prempal Singh 0 Comment January 25, 2018

Researchers have found two new variants of Mirai: Masuta and PureMasuta.

The author of the Satori malware (also known as Mirai Okiru) and creator of the eponymous botnet is at work again, this time attacking D-Link routers with the goal of building a new bot network. Researchers from NewSky Security discovered two new variants of Mirai, Masuta and PureMasuta, whose author appears to be the creator of Satori.

Last month, cybersecurity researchers managed to identify the organizer of the attacks on Huawei routers in which the vulnerability CVE-2017-17215 was exploited to install Satori; the flaw stems from an incorrect implementation of the TR-064 protocol, used for device automation, on Huawei HG532 devices. The attacker turned out to be someone using the pseudonym Nexus Zeta. At the time Nexus Zeta was considered a novice hacker, but judging by the new malware versions he has developed, the attacker has significantly improved his skills.

The first variant, Masuta, relies on a standard scan for IoT devices with default credentials. The second, called PureMasuta, is more interesting, as it exploits an old vulnerability in D-Link's Home Network Administration Protocol (HNAP) implementation that was discovered in 2015.

According to experts, the vulnerability used by the malware allows authentication to be bypassed with a specially crafted SOAP request for hxxp://purenetworks.com/HNAP1/GetDeviceSettings. In addition, because of incorrect string handling, it is possible to execute system commands, leading to arbitrary code execution. Thus, attackers can craft a SOAP request that both bypasses authorization and executes arbitrary code.
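The two indicators the article names, an HNAP `GetDeviceSettings` request and command injection through mishandled strings, can be turned into a simple log-based detection for the defender's side. The following Python is an added example written for this page, not code from the article or from NewSky Security; the log line format, the source addresses and the `INJECTED_CMD` placeholder are constructed, and the rule that shell metacharacters never appear in a legitimate HNAP action value is an assumption of the heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample access-log lines (format is an assumption for this example):
#   <src> <method> <path> "<SOAPAction header>" "<request body>"
SAMPLE_LOG = """\
10.0.0.5 POST /HNAP1/ "http://purenetworks.com/HNAP1/GetDeviceSettings" "<soap:Envelope/>"
10.0.0.9 POST /HNAP1/ "http://purenetworks.com/HNAP1/GetDeviceSettings;INJECTED_CMD" "<soap:Envelope/>"
10.0.0.7 GET /index.html "" ""
10.0.0.9 POST /HNAP1/ "http://purenetworks.com/HNAP1/Login" "<soap:Envelope><Login>user</Login></soap:Envelope>"
"""

# Shell metacharacters that a well-formed HNAP action or SOAP body never needs;
# their presence in a request to /HNAP1/ is the command-injection indicator.
SHELL_META = re.compile(r"[;`|&]|\$\(")
# Extracts the HNAP action name from a SOAPAction value such as
# http://purenetworks.com/HNAP1/GetDeviceSettings
HNAP_ACTION = re.compile(r"purenetworks\.com/HNAP1/(\w+)", re.IGNORECASE)
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')


@dataclass
class Finding:
    src: str
    action: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return dict(zip(("src", "method", "path", "soapaction", "body"), m.groups()))


def classify(req):
    """Return a Finding for a suspicious HNAP request, or None if it looks benign.

    Only requests to /HNAP1/ are considered. Shell metacharacters in the
    SOAPAction value or body are the trigger; a GetDeviceSettings action on
    top of that raises severity, because that is the action the article
    associates with the authentication bypass. GetDeviceSettings alone is a
    normal discovery call and is not flagged.
    """
    if not req["path"].startswith("/HNAP1"):
        return None
    m = HNAP_ACTION.search(req["soapaction"])
    action = m.group(1) if m else ""
    reasons = []
    if SHELL_META.search(req["soapaction"]) or SHELL_META.search(req["body"]):
        reasons.append("shell metacharacters in SOAPAction/body (possible command injection)")
    if not reasons:
        return None
    severity = "medium"
    if action.lower() == "getdevicesettings":
        reasons.append("GetDeviceSettings action, associated with the auth bypass")
        severity = "high"
    return Finding(req["src"], action, severity, reasons)


def scan(log_text):
    """Run the classifier over every line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        f = classify(req)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.src} action={f.action}: {'; '.join(f.reasons)}")
```

On the constructed sample only the second line is reported: the benign `GetDeviceSettings` call from 10.0.0.5 and the ordinary `Login` action from 10.0.0.9 pass, while the request whose action value carries a `;` is flagged at high severity because it also targets `GetDeviceSettings`. The metacharacter check is deliberately narrow so that routine management traffic does not generate noise; in a real deployment the same rule would run over the router's or a reverse proxy's access log.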

At the beginning of January, after a lull in botnet activity, Satori resumed operations and was seen attacking cryptocurrency-mining equipment running the Claymore software. The new version of the malware replaces the owner's wallet address and mining pool with the attacker's address and pool.

HNAP is a network protocol developed by Pure Networks, which was later acquired by Cisco Systems. HNAP is based on the Simple Object Access Protocol (SOAP) and is used to administer network devices.
