
Event Description

Recently, Qi Anxin Threat Intelligence Center discovered a new variant of the Dark.IoT botnet during daily threat operations. The latest sample adds a new C2 domain, “raw.pastebin.com”. At first this looked like obfuscation, but the sample can in fact communicate normally with that domain using the botnet protocol. Although pastebin.com is often used to host malicious code, using it as a C2 server is unconventional.

We noticed that when the sample resolves the domain “raw.pastebin.com,” the A record it obtains does not match the one a normal machine gets. This pointed to the DNS server rather than the domain itself, and analysis of the sample confirmed that every DNS server it selects belongs to a single service provider: ClouDNS.

ClouDNS is a DNS hosting provider that lets users set arbitrary resolution records for the domain names in their own zones. Although ClouDNS imposes some restrictions on which domains can be added, most legitimate (“white”) domains can still be registered and abused in this way.

By pointing the bot directly at the DNS server IP provided by ClouDNS, the attacker can bind any IP address to the white domain, so the bot appears to be communicating with a legitimate domain while the traffic actually goes to attacker-controlled infrastructure.

When setting up DNS records in ClouDNS, the panel appears to allow only subdomain records, and the raw.pastebin.com name used by Dark.IoT seems to confirm this. However, testing showed that records for the TLD-level (apex) domain can also be set when the subdomain field is left blank.

In fact, Dark.IoT has long made a habit of using ClouDNS. Its C2 address “babaroga[.]lib” does not even belong to a top-level domain recognised by ICANN. We speculate that the Dark.IoT author recently discovered that ClouDNS can be used to resolve white domains, since DNS requests for white domains are far less suspicious than requests for domains with an invalid TLD.
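As an added defender's example (not code from the original report), the following Python flags the signals the analysis above describes on passive-DNS records: a host resolving through DNS servers other than the network's own, a benign name returning an address that disagrees with the sanctioned resolver, and queries for names under a non-public TLD such as “.lib”. The resolver addresses, reference answers and log lines are constructed assumptions.

```python
"""Flag DNS patterns matching the ClouDNS abuse described above.

Checks run over passive-DNS style records (constructed for this example):
  1. a host querying a resolver outside the sanctioned list;
  2. an A record for a well-known name that disagrees with the answer the
     sanctioned resolver gives for the same name;
  3. a query for a name whose TLD is not a known public TLD (e.g. ".lib").
"""
from collections import namedtuple

DnsRecord = namedtuple("DnsRecord", "client resolver qname answer")

# Assumptions for this example: the network's own resolvers, reference
# answers seen through them, and a small set of accepted TLDs.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
REFERENCE_A = {"raw.pastebin.com": {"203.0.113.10", "203.0.113.11"}}
KNOWN_TLDS = {"com", "net", "org", "io"}

# Constructed log lines: "client resolver qname answer"
SAMPLE_LOG = """\
192.168.1.20 10.0.0.53 raw.pastebin.com 203.0.113.10
192.168.1.77 198.51.100.41 raw.pastebin.com 192.0.2.99
192.168.1.77 198.51.100.41 babaroga.lib 192.0.2.99
192.168.1.31 10.0.1.53 example.org 203.0.113.50
"""

def parse_log(text):
    """Parse whitespace-separated log lines into DnsRecord tuples."""
    return [DnsRecord(*line.split()) for line in text.splitlines() if line.strip()]

def find_alerts(records, sanctioned=SANCTIONED_RESOLVERS,
                reference=REFERENCE_A, tlds=KNOWN_TLDS):
    """Return (client, kind, detail) tuples for each suspicious record."""
    alerts = []
    for r in records:
        if r.resolver not in sanctioned:
            alerts.append((r.client, "unsanctioned_resolver", r.resolver))
        expected = reference.get(r.qname)
        if expected is not None and r.answer not in expected:
            alerts.append((r.client, "answer_mismatch", f"{r.qname}->{r.answer}"))
        if r.qname.rsplit(".", 1)[-1].lower() not in tlds:
            alerts.append((r.client, "unknown_tld", r.qname))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the constructed log only the host 192.168.1.77 trips the checks, producing four alerts in total.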


Family Introduction

The Dark.IoT botnet was first disclosed in September 2021. It initially spread through the Realtek SDK vulnerability CVE-2021-35395, which had been public for only five days at the time. Later, in August 2022, it reached a second activity peak by exploiting CVE-2022-26134. After a period of silence, it released a third version of the sample in 2023 and has recently begun spreading a new version.

The activity of Dark.IoT samples is as follows:

The activity of Dark.IoT scanner is as follows:

It can be seen that although activity has increased since the new version began spreading, the effect is limited, because little scanner capacity has been invested and propagation still relies on a number of old vulnerabilities.


Sample Details

Dark.IoT is based on the Mirai code. The new version changes the encryption of the configuration table, using the ChaCha20 algorithm combined with XOR.

Compared with the original Mirai, the C2 command set mainly adds command execution and exit functions, and adds support for IPIP-protocol DDoS attack types.

When the bot goes online, it checks its own run-time parameter, which records the propagation path by which this bot was infected. Currently, the main propagation paths (parameters) are as follows:

| Running parameter | Propagation path | Platform |
|---|---|---|
| gpon | CVE-2018-10561 | GPON fiber router |
| gocloud | CVE-2020-8949 | GoCloud router |
| realtek / exploit.realtek | CVE-2021-35394 | Realtek SDK |
| Unknown | CVE-2015-2051 | D-Link router |
| Unknown | Weak password / default password | GoCloud router, Telnet, SSH, Elasticsearch |

Summary

After a period of silence, Dark.IoT has started a new round of updates and propagation, including abusing a DNS hosting provider so that its C2 traffic appears to go to white domains. The group's spread of Dark.IoT samples is currently showing a trend of gradual expansion, and we will continue to monitor the family.


IOC

C&C:

babaroga.lib @ns41.cloudns.net
dragon.lib @ns41.cloudns.net
blacknurse.lib @ns41.cloudns.net
tempest.lib @ns41.cloudns.net
raw.pastebin.com @ns41.cloudns.net
hoz.1337.c

MD5:

3D4433C578D19E29DF52FD4D59A7DDFB
AB7D9E6F28DF5AEF65C665B819440BB6
D0AC70EF5D7317AEE275DD7C34EADB47
