IoT Botnet Reaper Growing At A Massive Rate

The IoT Botnet, commonly known as Reaper, aka IoTroop has been observed growing at a fast pace. The botnet is estimated to have infected up to 2 million devices and it is suspected that a large number of businesses are already infected. Reaper continues to grow by approximately 10,000 devices daily.

Reaper has been designed to exploit vulnerabilities on IoT devices.

To date, a total of 9 known vulnerabilities have been observed as being targeted by the malware. Those vulnerabilities are:

• D-Link 850L Routers – This vulnerability enables Remote Command Execution, Remote Unauthorised Information Disclosure, and Unauthorised Remote Code Execution.
• Goahead – Wireless IP Camera (P2P) WIFICAM – Remote Command Execution
• JAWS – CCTV Recorders
• Netgear ReadyNAS Surveillance – Unauthenticated Remote Command Execution
• Vacron NVR – Remote Command Execution
• Netgear DGN devices – Unauthenticated Command Execution
• Linksys E1500/E2500 Routers – Multiple vulnerabilities
• D-Link DIR-600 / DIR-300
• Avtech devices

As the malware is in the development stage, there are new vulnerabilities being added.

The current primary focus appears to be on spreading the malware to as many vulnerable IoT devices as possible. Research indicates it has been designed to be less aggressive than Mirai in order to reduce detection rates and has a LUA execution environment designed to enable the botnet to support more complex attacks.

There has been no indication yet of what the intentions are for the botnet or the threat actor(s) behind the malware. While it remains in the development stages, precisely what the botnet will be ultimately used for remains unclear although this is likely to change once the spreading phase is over. The botnet has the capability for DDoS activity and the development of Reaper will continue to be monitored to identify if this is the intention for the botnet.

Observations of the infection rate have indicated the following:
One of the Command & Control Servers has over 2 million vulnerable devices waiting to be infected.
One Command & Control Server was seen to be controlling 20,000+ infected devices
Number of simultaneous on-line bots controlled by a single Command & Control server was 4,000+

Indicators of Compromise

Associated hosts:

• hxxp://cbk99[.]com:8080/run.lua
• hxxp://bbk80[.]com/api/api.php
• hxxp://103.1.221[.]40/63ae01/39xjsda.php
• hxxp://162.211.183[.]192/down/server.armel
• hxxp://162.211.183[.]192/sa
• hxxp://162.211.183[.]192/sa5
• hxxp://162.211.183[.]192/server.armel
• hxxp://162.211.183[.]192/sm
• hxxp://162.211.183[.]192/xget
• hxxp://198.44.241[.]220:8080/run.lua
• hxxp://23.234.51[.]91/control-ARM-LSB
• hxxp://23.234.51[.]91/control-MIPS32-MSB
• hxxp://23.234.51[.]91/htam5le
• hxxp://23.234.51[.]91/htmpbe
• hxxp://27.102.101[.]121/down/1506753086
• hxxp://27.102.101[.]121/down/1506851514

File hashes (MD5):

• 3182a132ee9ed2280ce02144e974220a
• 3d680273377b67e6491051abe17759db
• 41ef6a5c5b2fde1b367685c7b8b3c154
• 4406bace3030446371df53ebbdc17785
• 4e2f58ba9a8a2bf47bdc24ee74956c73
• 596b3167fe0d13e3a0cfea6a53209be4
• 6587173d571d2a587c144525195daec9
• 6f91694106bb6d5aaa7a7eac841141d9
• 704098c8a8a6641a04d25af7406088e1
• 726d0626f66d5cacfeff36ed954dad70
• 76be3db77c7eb56825fe60009de2a8f2
• 95b448bdf6b6c97a33e1d1dbe41678eb
• 9ad8473148e994981454b3b04370d1ec
• 9f8e8b62b5adaf9c4b5bdbce6b2b95d1
• a3401685d8d9c7977180a5c6df2f646a
• abe79b8e66c623c771acf9e21c162f44
• b2d4a77244cd4f704b65037baf82d897
• ca92a3b74a65ce06035fcc280740daf6
• e9a03dbde09c6b0a83eefc9c295711d7
• f9ec2427377cbc6afb4a7ff011e0de77
• fb7c00afe00eeefb5d8a24d524f99370

Your organisation can help to protect themselves in the event of a DDoS incident by considering the following recommendations:

• The use of a third party DDoS mitigation tool.
• Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
• Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.