Pierluigi Paganini January 21, 2020

In a few days back, the MalwareMustDie team’s security researcher unixfreaxjp has published a new Linux malware analysis of Fbot that has focused on the decryption of the last encryption logic used by its bot client.

This is not the first time Fbot analysis has been published, and also Fbot binaries have been actively infecting the IoT devices since way before 2018.

This article explains what we have learned about the Fbot traced back from the year of 2014. And will discuss the mysteries that can be seen after Fbot has been detected.

The background before Fbot Mirai variant

Fbot is one of the Mirai’s variants, and Mirai is the Linux malware that originally has been detected in August 2016 by the same team who wrote the last analysis mentioned above. On the boom of Mirai source code leaks by its malware coder (nickname: AnnaSenpai), followed by the sharing of its source code openly in the Github within only a month after the analysis report has been published, a lot of young hackers involved in the “DDoS criminal ecosystem”, who had been actively using IoT devices for the DDoS purpose before Mirai malware was born, were racing in a big wave to learn how to install, adapt and transform Mirai to their DDoS botnet platforms, which most of them were built on Kaiten, STD, GafGyt (known also as Qbot or Torlus or Bashlite), or Perlbot malware source code, since Mirai had been proven to be more recently coded, powerful flood, is having anti-reverse-engineered tricks.

This wave is a significant timeline as a technology step-up for DDoS botnet and IoT malware development.

It is known in the underground that origin of Satori, the predecessor code of what is known as Fbot now, had been started to be developed after the leak of Mirai code, young botnet coders, who mostly also herders of Qbot (GafGyt) botnets. One of them who lives in the UK known under various nicknames of Vicious, ViciousAttack, Vi, Vamp, DustPan, NixFairy, HollySkye or RespectVicious, had allegedly been involved with this variant’s development too.

(Figure 1 – Vamp’s account on Twitter)

Vamp was among a number of suspects who had been arrested across the United Kingdom on the investigation of the TalkTalk cyber incident that happened in 2015, and he is also a suspect on the activity of Mirai botnet that made great damage in the several parts of the globe from 2016. Vamp, along with other “partners” (including Nexus Zeta, who has been indicted of a similar crime in the US), had his involvement with the original development of Satori botnet. After the legal matter had happened, Vamp was out of the grid and the recent news about him is the legal matter of lifting of his anonymity in 2018. As you can also see it in The Irish News published an article on 14 March, 2018, we quoted:

“With the criminal case now concluded, Mr Simpson said: ” ..this young man has now been dealt with, and he is now over 18 (years old). On that basis Mr Justice Maguire agreed to discharge the prohibition on identifying the teenager.”

The mystery of Fbot

What had happened now is the re-emerged of the SATORI Mirai variant basis with the payload called Fbot.[.supported_architecture], which has been detected since September 2018 on several honeypot logs and has been reported also in the analysis we mentioned here.

(Figure 2 – Fbot Scanning Activities with “SATORI” Keyword Detected)

The link between Fbot and Satori base is detected in its infection’s activity and executable file. For example, in the scanner log:

And also in the binary as hardcoded strings:

(Figure 3 – The Hardcoded “SATORI” Strings in Fbot Binary)

Would it be one of the “partners” during Satori development has renamed compiled binaries of the Satori project into Fbot? What are Vamp, NexusZeta doing nowadays? Or, would it b someone else uses the whole source code of the Satori project and re-use it for his own by naming the compiled binaries as Fbot?

This is the mystery that comes to our mind after reading the complete report published in MalwareMustDie last report.

To make things more mysterious is, right now, the Fbot infected devices are detected to still performing infection to other IoT devices, but the payload is not being dropped from the C2 server.

The latest detection can be seen in the post of MalwareMustDie latest post too:

(Figure 4 – Recent Record of Fbot Infection Log In the Analysis Article)

Although it has been confirmed by the researchers that since the analysis has been posted by in MalwareMustDie post, the C2 for Fbot is not dropping new payloads for the further infection activity.

Would it mean that the coder of Fbot is abandoning his botnet after all of this time?

Whoever the herder is, we all hope that the coder will stop his malicious activity for good.

Pierluigi Paganini

(SecurityAffairs – Fbot, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]