LAS VEGAS--A new version of the Echobot malware, which is tied to the Mirai IoT botnet, has surfaced and includes exploits for eight more vulnerabilities than previous versions, some of which may be unpatched by the affected vendors. The new variant also strays from the path of older versions by targeting not just embedded devices, but also enterprise applications.
Echobot is part of the extended Mirai universe and is one of the pieces of malware that’s used to compromise a wide range of embedded and IoT devices. Mirai first hit the web in 2016 and was used by its controllers to compromise hundreds of thousands of vulnerable devices, often through the use of known default credentials. Later, they graduated to the use of exploits for known vulnerabilities in target devices, usually things such as IP cameras, home routers, DVRs, and other IoT gear. The botnet comprised of those infected devices then was used in a number of large-scale distributed denial-of-service attacks over the course of the next few months before law enforcement was able to identify and arrest the Mirai controllers.
The source code for Mirai has been available online for more than two years and in that time many different versions of the malware have emerged. Last week, researchers at Palo Alto Networks identified a version of Echobot that contained exploits for 18 vulnerabilities, eight of which hadn’t been seen in Mirai-related malware before. Larry Cashdollar, a senior security researcher at Akamai, had been following the same path as the Palo Alto team and discovered an even newer Echobot binary in one of his honeypots that has 26 exploits, including several for vulnerabilities that had never had CVE identifiers assigned and were not widely known. Cashdollar found both x86 and ARM versions of the Echobot malware that were hosted on a virtual server and said that the malware is now targeting enterprise applications as well as IoT devices, perhaps in an effort to broaden the reach of the botnet.
“They’re pretty much looking for any command or code-execution vulnerability they can find that doesn’t require authentication,” he said.
The newest Echobot variant includes some of the same code as the original Mirai malware and Cashdollar said he believes the actors who are using it are probably planning DDoS attacks in the future. He added that the two recent Echobot variants are likely the work of the same actors.
“I think it’s going to snowball. They may take some exploits out and add others as time goes on."
Although Mirai began by targeting consumer devices, many of which used default credentials or none at all, the actors who are employing the newer versions have expanded their horizons and now are using exploits for enterprise apps. Both the Echobot variant Cashdollar discovered and the one Palo Alto found include exploits for flaws in Oracle’s WebLogic server and VMware’s NSX SD-WAN product, along with exploits for bugs in the usual array of consumer routers.
“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities,” Cashdollar said in his research report.
That doesn’t mean that Echobot and Mirai actors are abandoning the fertile ground of consumer devices, though. Cashdollar’s honeypot is designed to look like a DVR system and is hosted on a consumer-level connection rather than a business class network in order to make it more attractive to the malware scanning the Internet for vulnerable devices. It’s been a fruitful strategy, and Cashdollar said the Echobot and Mirai malware can be selective about its targeting.
“User IP spaces are targeted much more often than VPS (virtual private server) IP spaces are,” he said. “They’re looking for easier targets.”
The recent evolution of Echobot has been a quick one, and Cashdollar expects that to continue.
“I think it’s going to snowball. They may take some exploits out and add others as time goes on,” he said.