New EwDoor Botnet is targeting AT&T customers

360 Netlab experts spotted a new botnet dubbed EwDoor that infects unpatched AT&T enterprise network edge devices.

Experts from Qihoo 360’s Network Security Research Lab discovered a new botnet, dubbed EwDoor, that targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices that are publicly exposed to the Internet.

The attackers are targeting Edgewater Networks’ devices by exploiting the CVE-2017-6079 vulnerability, using a relatively unique mount file system command in the payload.

“On October 27, 2021, our Botmon system identified an attacker attacking Edgewater Networks’ devices via CVE-2017-6079 with a relatively unique mount file system command in its payload, which had our attention, and after analysis, we confirmed that this was a brand new botnet, and based on its targeting of Edgewater producers and its Backdoor feature, we named it EwDoor.” reads the analysis published by Qihoo 360.

For a limited period of time, the researchers were able to measure the size of the botnet through sinkholing: they noticed that EwDoor uses a backup mechanism for its C2, registered a backup command-and-control (C2) domain (iunno[.]se), and analyzed the connections arriving from the infected devices.

Later, the EwDoor operators changed the communication model and the experts were no longer able to observe the connecting devices.

During a few hours of observation, the researchers determined that the infected systems were EdgeMarc Enterprise Session Border Controllers used by AT&T. The experts identified 5,700 infected systems, all located in the US.

“By back-checking the SSL certificates used by these devices [infected devices that contacted the C2 during sinkholing], we found that there were about 100k IPs using the same SSL certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.” continues the report.

Researchers have identified 3 versions of the malware. The bot was mainly used to launch DDoS attacks and to establish a backdoor on infected devices in order to gather sensitive information, such as call logs.

The bot supports the following functions:

  • Self updating
  • Port scanning
  • File management
  • DDoS attack
  • Reverse SHELL
  • Execute arbitrary commands

The botnet implements a series of safeguards against analysis by security experts: it uses TLS to prevent its communications from being intercepted, encrypts sensitive resources to hinder reverse engineering, and has moved its C2 to the cloud, with the C2 address delivered through a BT (BitTorrent) tracker so that it cannot be extracted directly by IOC systems.

“Modify the ‘ABIFLAGS’ PHT in ELF to counter qemu-user and some high kernel versions of the Linux sandbox. This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices.” continues the report.
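The report does not say what exactly was altered in the ABIFLAGS program header. As an added triage example (not code from the 360 Netlab report or the article), the following Python parses the program header table of a MIPS ELF32 binary and flags a PT_MIPS_ABIFLAGS entry whose size does not match the 24-byte version-0 ABI flags structure or whose data lies outside the file, two malformations worth inspecting by hand before emulating a sample; the ELF images it checks are constructed inline and are not real EwDoor samples.

```python
import struct

PT_MIPS_ABIFLAGS = 0x70000003  # p_type of the MIPS ABI flags segment (PT_LOPROC + 3)
ABIFLAGS_V0_SIZE = 24          # byte size of the version-0 Elf_MIPS_ABIFlags structure

def parse_phdrs(data: bytes) -> list:
    """Parse the program header table of an ELF32 image into a list of dicts."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("only ELF32 images are handled here")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    names = ("p_type", "p_offset", "p_vaddr", "p_paddr",
             "p_filesz", "p_memsz", "p_flags", "p_align")
    phdrs = []
    for i in range(e_phnum):
        vals = struct.unpack_from(endian + "8I", data, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(names, vals)))
    return phdrs

def abiflags_anomalies(data: bytes) -> list:
    """Return human-readable findings for any malformed PT_MIPS_ABIFLAGS entry."""
    findings = []
    for i, ph in enumerate(parse_phdrs(data)):
        if ph["p_type"] != PT_MIPS_ABIFLAGS:
            continue
        if ph["p_filesz"] != ABIFLAGS_V0_SIZE:
            findings.append(f"phdr {i}: abiflags p_filesz {ph['p_filesz']} != {ABIFLAGS_V0_SIZE}")
        if ph["p_offset"] + ph["p_filesz"] > len(data):
            findings.append(f"phdr {i}: abiflags segment lies outside the file")
    return findings

def build_sample_elf(abi_filesz: int, abi_offset: int) -> bytes:
    """Constructed minimal big-endian MIPS ELF32 with one PT_LOAD and one PT_MIPS_ABIFLAGS header."""
    phoff, phentsize, phnum = 52, 32, 2
    body_off = phoff + phentsize * phnum              # abiflags data directly follows the table
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0x400000, phoff, 0, 0,
                               52, phentsize, phnum, 40, 0, 0)   # ET_EXEC, EM_MIPS
    load = struct.pack(">8I", 1, 0, 0x400000, 0x400000, body_off + 24, body_off + 24, 5, 0x1000)
    abi = struct.pack(">8I", PT_MIPS_ABIFLAGS, abi_offset, 0, 0, abi_filesz, abi_filesz, 4, 8)
    return ehdr + load + abi + b"\x00" * ABIFLAGS_V0_SIZE

if __name__ == "__main__":
    for label, sample in (("well-formed", build_sample_elf(24, 116)),
                          ("truncated", build_sample_elf(8, 116)),
                          ("out-of-file", build_sample_elf(24, 0x10000))):
        print(label, abiflags_anomalies(sample) or "no anomalies")
```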

The experts provide additional technical details on the EwDoor botnet in the report and share indicators of compromise (IOCs) for this threat.


Pierluigi Paganini


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
