Operators of a relatively new botnet called Echobot are adding new exploits to their arsenal to infect a wide range of systems, including IoT devices, enterprise apps Oracle WebLogic and VMware SD-Wan.
The Echobot botnet is based on the Mirai malware and was first observed by Palo Alto Networks researchers at the beginning of June 2019. At the time of its discovery, Echobot contained 18 exploits, 8 of them new to Mirai-based malware. Recently, however, Akamai's Security Intelligence Response Team (SIRT) spotted a new version of the botnet that uses 26 different exploits to propagate.
According to Akamai Technologies expert Larry Cashdollar, in the new version of Echobot its operators added exploits for AirOS, Asmax, DD-WRT, D-Link, Linksys, Seowon Intech, Yealink and Zeroshell products to the previously observed Echobot exploits for products from ADM, Asus, Belkin, Blackbot, Dell, Dreambox, Geutebruck, HooToo, Netgear, NUUO, Oracle, Realtek, SuperSign, UMotion, VeraLite, VMware, wePresent and WIFICAM. Most of the exploits target well-known command execution vulnerabilities in various networked devices.
“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware,” wrote Cashdollar in the company blog.
The list of exploits includes not only recent vulnerabilities but also decade-old ones that remain unpatched by vendors. This shows that malware authors do not care about the age of a bug as long as a substantial number of vulnerable devices is still exposed.
Cashdollar also found that the command and control servers are configured under the domains akumaiotsolutions[.]pw and akuma[.]pw, although at the time of writing they did not resolve to an IP address.
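The two command and control domains above are the only indicators the article gives, and even when they do not resolve, a resolver log still records which internal host tried to look them up. The following is an added example (not code from the article or from Akamai) that refangs the published indicators and scans DNS query log lines for lookups of those domains or their subdomains. The dnsmasq-style log format and the sample lines are constructed for this example.

```python
import re

# C2 domains as published in the article, written defanged with "[.]".
DEFANGED_C2_DOMAINS = ["akumaiotsolutions[.]pw", "akuma[.]pw"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'akuma[.]pw' back into 'akuma.pw'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}


def matches_c2(queried_name: str) -> bool:
    """True if the queried name equals an indicator or is a subdomain of one.

    The trailing dot of a fully qualified name is stripped first, and the
    suffix check requires a leading dot so that 'notakuma.pw' is not a hit.
    """
    name = queried_name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


# Constructed dnsmasq-style resolver log lines (not from the article).
SAMPLE_DNS_LOG = """\
Jun 14 10:01:02 gw dnsmasq[412]: query[A] www.example.com from 192.168.1.20
Jun 14 10:01:05 gw dnsmasq[412]: query[A] akuma.pw from 192.168.1.57
Jun 14 10:01:09 gw dnsmasq[412]: query[A] cdn.akumaiotsolutions.pw. from 192.168.1.57
Jun 14 10:01:11 gw dnsmasq[412]: query[A] notakuma.pw from 192.168.1.20
"""

# Matches the query type, the queried name and the client that asked.
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def find_c2_lookups(log_text: str):
    """Return (client_ip, queried_name) for every query hitting a C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_c2(m.group("name")):
            hits.append((m.group("src"), m.group("name").rstrip(".")))
    return hits


if __name__ == "__main__":
    for client, name in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"possible Echobot C2 lookup: {client} -> {name}")
```

Because the article notes the domains did not resolve, the lookups will typically come back NXDOMAIN; the value of the check is the client address, which identifies an internal device worth examining for one of the listed exploits.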