Malware

Fbot malware targets HiSilicon DVR/NVR Soc devices

Experts at 360Netlab observed the Fbot bot infecting a large number of HiSilicon DVR/NVR Soc devices.

Since February 16, 2019, security experts at 360Netlab observed a large number of HiSilicon DVR/NVR Soc devices were infected with an updated version of the Fbot bot.

The Fbot malware was first discovered by 360Netlab researchers, according to the experts, the root problem might be a specific OEM application running on top of the HiSilicon devices.

Scanning the Internet for the IP banner information the experts determined the models of devices that were infected that appear to belong to HiSilicon DVR/NVR Soc device family. The experts only observed a few different camera brands as a number of camera manufacturers OEM HiSilicon DVR/NVR Soc device.

The experts discovered a total of 24528 infected IP addresses worldwide.

Below the list of infected camera’s CPU models:

   8262 bigfish
   3534 hi3520d
    383 godarm
    302 godnet
     78 hi3535
      8 Hisilicon Hi3536DV100 (Flattened Device Tree)

The Fbot implements a multiple stage infection process, experts were able to analyze Fbot samples and some payloads, but they annunced the capture of key Exploit Payload only while I was writing this post.

Experts pointed out the attackers exploited the weak security implementation of DVRIP protocol made by the vendor. The attackers set up telnet backdoor and inject Fbot botnet on the target devices.

“First, the device that is infected with Fbot scans  TCP: 80, 81, 88, 8000, 8080 ports by issuing basic HTTP requests. When a target device returns the matching characteristics, Fbot will report the IP and port to its Reporter (185.61. 138.13:6565).” reads the analysis published by 360Netlab.

After that, Fbot Loader (185.61.138.13) logs in to the target device web port through the device default password “admin/empty password”. If the target device responses, Fbot Loader uses the device default password “admin/tlJwpbo6” to log in to the dvrip port. (TCP: 34567).”

Performing Fuzz Testing, the researchers were able to obtain the Fbot Downloader sample and the Fbot download URL.

http://185.61.138.13:8080/fbot.arm5.u
http://185.61.138.13:8080/fbot.arm7.u

The downloader sample is delivered on the 9000 port through command line (echo –ne XXXXXX > downloader), downloads and execute it through the HTTP protocol.

The bot uses two different layers of encryption and decryption codes to prevent the code from being analyzed.

The experts explained that there are five DDoD attack vectors of this Fbot variant.

Further details, including IoCs are reported in the analysis published by
360Netlab.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – botnet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 hour ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

13 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

17 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

22 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.