New Echobot Botnet targets Oracle, VMware Apps and includes 26 Exploits

Pierluigi Paganini June 16, 2019

Operators behind the Echobot botnet added new exploits to infect IoT devices, and also enterprise apps Oracle WebLogic and VMware SD-Wan.

Recently a new botnet, tracked Echobot, appeared in the threat landscape its operators are adding new exploits to infect a broad range of systems, including IoT devices, enterprise apps Oracle WebLogic and VMware SD-Wan.

The Echobot botnet was first detected by experts at PaloAlto Networks early this month, the botnet is based on the dreaded Mirai botnet. At the time of its discovery, operators added 8 new exploits, but currently, it includes 26 exploits.

The popular expert Larry Cashdollar, from Akamai’s Security Intelligence Response Team (SIRT), spotted a new version of the Echobot botnet that counts 26 different exploits.

“I recently came across an updated version of the Echobot binary that had some interesting additions. The first binary I found was compiled for ARM and still had the debugging information intact, which made it a little easier to analyze. While examining that binary, I discovered the system hosting the binaries and downloaded an x86 version that also still had the debugging symbols intact.” wrote the expert.

“I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices.”

Cashdollar published a table comparing the two versions of Echobot and the exploits they use.

Echobot targets

The latest Echobot variant targets routers, network-attached storage devices (NAS), network video recorders (NVR), IP cameras, wireless presentation systems, and VoIP phones.

The experts pointed out that was not simple to determine the vulnerabilities that were being exploited by the botnet because some of them had no CVE numbers assigned.  

After the contacted MITRE, the organizations assigned them identification numbers.

Below the list of the exploits included in the Echobot variant discovered by the expert, some of the flaws triggered by the bot are decade-old vulnerabilities:


The most interesting aspect of this new botnet is the fact that it also includes exploits for Oracle WebLogic Server and for networking software VMware SD-WAN.

“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware.” added the expert.

“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities.”

Botnet operators continue to implement new methods to make their malware more aggressive and to infect the larger number of systems as possible. The latest Echobot variant targets flaws in IoT devices and in enterprise systems as well.

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten.” concluded the expert.

“This is an interesting tactic as these systems if found have remained vulnerable for years and will probably remain vulnerable for many more. Also, there are not just new exploitation vectors to examine but attack vectors as well. New weaknesses in popular protocols and services that can be leveraged to amplify and reflect attacks will be discovered.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Echobot botnet, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment