Fbot malware targets HiSilicon DVR/NVR Soc devices

Pierluigi Paganini February 24, 2019

Experts at 360Netlab observed the Fbot bot infecting a large number of HiSilicon DVR/NVR Soc devices.

Since February 16, 2019, security experts at 360Netlab observed a large number of HiSilicon DVR/NVR Soc devices were infected with an updated version of the Fbot bot.

The Fbot malware was first discovered by 360Netlab researchers, according to the experts, the root problem might be a specific OEM application running on top of the HiSilicon devices.

Scanning the Internet for the IP banner information the experts determined the models of devices that were infected that appear to belong to HiSilicon DVR/NVR Soc device family. The experts only observed a few different camera brands as a number of camera manufacturers OEM HiSilicon DVR/NVR Soc device.

The experts discovered a total of 24528 infected IP addresses worldwide.

Fbot malware infections

Below the list of infected camera’s CPU models:

   8262 bigfish
   3534 hi3520d
    383 godarm
    302 godnet
     78 hi3535
      8 Hisilicon Hi3536DV100 (Flattened Device Tree)

The Fbot implements a multiple stage infection process, experts were able to analyze Fbot samples and some payloads, but they annunced the capture of key Exploit Payload only while I was writing this post.

Experts pointed out the attackers exploited the weak security implementation of DVRIP protocol made by the vendor. The attackers set up telnet backdoor and inject Fbot botnet on the target devices.

Fbot malware infections 2

“First, the device that is infected with Fbot scans  TCP: 80, 81, 88, 8000, 8080 ports by issuing basic HTTP requests. When a target device returns the matching characteristics, Fbot will report the IP and port to its Reporter (185.61. 138.13:6565).” reads the analysis published by 360Netlab.

After that, Fbot Loader ( logs in to the target device web port through the device default password “admin/empty password”. If the target device responses, Fbot Loader uses the device default password “admin/tlJwpbo6” to log in to the dvrip port. (TCP: 34567).”

Performing Fuzz Testing, the researchers were able to obtain the Fbot Downloader sample and the Fbot download URL.

The downloader sample is delivered on the 9000 port through command line (echo –ne XXXXXX > downloader), downloads and execute it through the HTTP protocol.

The bot uses two different layers of encryption and decryption codes to prevent the code from being analyzed.

The experts explained that there are five DDoD attack vectors of this Fbot variant.

Further details, including IoCs are reported in the analysis published by

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – botnet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment