Rewterz Threat Alert – Echobot Botnet Acquiring Unauthorized System Access

Severity

Medium

Analysis Summary

New Mirai level Botnet Echobot using 26 different exploits for the infection vectors that leveraging the vulnerabilities in Oracle, D-Link, Dell, LINKSYS, REALTEK, Vmware applications and take control of it. Most of the exploits that were being used for this campaign leverages the command execution vulnerabilities that affected various network devices.

• Echobot uses command execution vulnerabilities.
• 26 different exploits for infection vectors in the new variant to spread this botnet.
• Targets legacy hardware and software from 2009 through 2019.
• Echobot’s loader system is a virtual server hosted in Bulgaria on Neterra’s cloud network.
• Attack code derived from the Mirai botnet.

Impact

Unauthorized System Access

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

• 13d3b4545b18f41cf89ad9d278434b3fb60a702edebdde605ced745db47ce58d
• 25e959a071e631088816ed87991482b8776a81377f0fa7a8f53eca9a7af3afe1
• 2ad284d6297420e9cdb3a2bd9f0824c3122c861f37b58ea17675e0f5799f029e
• 22e33a16b03c2ca6b1e98b9c6fe1f1cc18d84eef4bb79247642ccf37960aaad8
• 36b1391b84f48a0f3b20b3831250b681dfa4a5aeb7a26816da723a06991d5029
• 73fe0ed1e85d547d19acd720b1d67fb94059a007a35f685b3bd16627879d4c47
• 7d9af41abec8cc93a9185dfdb256b864fa5c9e67e16192f718d7faa0e18177e8
• 95c7516abf8c738423cd18f0c905baa65d38ba5259b6853777550505019ba8cd
• b73add38713b70ca529c8387275fca0bbf5f5488f2be5ebc17c4f1f34b06bd26
• ed4d920cd54b87167d0ad2256bf996c8fdac3ac3bd5dd5ccb0b6c2d551226184
• f02e2443c250e78877f9b184ab94693f4e8dba8c2191c9d03857664e71987976
• f9ee7e0a4deac908e6fbacf7baa4f1d3bb138ebe2a3f9236a61f5d764181df0a
• 228ca519054dd62aadfa360fcf8f74e3072a4f6ffde521e47db233a604320a16
• 2f21e8ed1dce77c2cd0080c529043cff1c1ff5f22ba39dcd1a2220e17f273ba5
• 68e62724530401400724a75dd2fe07dc0db6a8373be7861d65896b33039c632f
• 9eebd384fa6d4d45648a74dfe0aad8fe2b9bc9b907e6f3b474ca77e83bbf63bb
• dbf70f849e09441af668245f3ba7491be227447c36e7244bbbf2787e503599a7
• 2dd89d8214c76b3ce7b6a301ad8256fba5ac9f3e4c0b3e10e14c6075764f0e4d
• 5091da1a1fa51f77ac64f75ab9c23da88469160f040a189ec1e6a0e952a26720
• 563afb05bb5a68c8b235143dde081c44e06ed2674681629c60116ce1b92a7cee
• 6cdce7758468685f8c125bff2c3c1f196fe43f30e10c7fb643a67b7d5e2ae2f2
• 83841e5f965cb7e03bf5f0c5da217a22b307ddd138a3b8b8ec5dc8f111f26165
• 8ba26e98710f3e55677a7eaea19a656e3ef7136e94f81ecb5b05cfdc96586d65
• 9476bfe1eb99b00c02a3a6c539d1a060b87e4c53617fa5b2949cdd44c1cbc92b
• b4443e1bbd27062c8eb2bfd791483a777ac003ce8d47a9ce43f2861f0ad70f94
• c2440a1e19ae8f527061a666fa59eb457f3c1c8f6d5b981f9c1f5bf8a4c62f61
• f64cad4ce4af8debf1951d4deca0dd86acd3a83409140cb0544ea27d155e04ab
• 046a077bd3ded83b9066350862d204afb04dfe04b71827de8f60929e2f7d4e44
• 0639e8111253133a617cd0f119c1ef70560de0f044add084c0200a1a4fd6952e
• 098c7f9c8c8c63d8d79387274f0fe5416702abcb650b983426e116f193b82e61
• 121e6d208522e1abccacd51f82f03a9178680c222eff5336b84b6f86a770a453
• 7ffb658d09c5c55c04ac1cef4e1e3c428c0363130381e0aef8c769ea11c64370
• 87195d5262c205b3356cfe815d60d41a11a8f563b4cd4abd75da73128e02f86c
• 9dc3e2fc27e138a588e6a25dc5432d78f0930046286fc64b9c65246beda19a45
• b3e5726e56f604656a322fc6c62585e73f594d053d6891c3fa94c3fff41f30cb
• b4a370ff3d59d43924ace6c8ef34df55b6e45b4dcff2f0f2db36bbb40e6c203e
• 22ff3cc031c9ae43757030a1cb1a8fc09171f370469b79770faaca3eb5dbbfef
• 385d26249622f65692423312846feed6eba96cea5d6e0bfbfa755307985cb8cd
• 621e17811228b8ea559a2f6905235fcbcc59e7c06b9c380962aca3fcac15600c
• 729d3b3363bd69b2cc60b9600ea91223361021f75b6f7484a49ead95a325b60c
• 970783c2e358b1238f8e571989caf696f6af585dccad64dd21bf1703835b80d1
• be7f56a58a908125ce2066fb0691d9f9eef868509a5d53f08e8362f21542b76c
• cb8b4d3d24607731cdffa7015eb6299373870c53a854b4a23657f8ede53113c6
• e8df1d766fc3763ffa79663920f47f158ec55605fdbf8bf5a55fcdcfe61be78d
• e94482b0382aa7907c41c329772085c288e55dd4b8ffd28277131d9ca9b2e9d2

Remediation

Members who find they have either hardware or software vulnerable to Echobot should apply patches.