Published: 2022-12-06

Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers.

[This is a guest post submitted by Brock Perry [LinkedIn], one of our sans.edu undergraduate interns]

Since 2014, self-replicating variants of DDoS attacks against routers and Linux-based IoT devices have been rampant. Gafgyt botnets target vulnerable IoT devices and use them to launch large-scale distributed denial-of-service attacks. SOHO and IoT devices are ubiquitous, less likely to have secure configurations or routine patches, and more likely to be at the internet edge. Attacks against these devices are less likely to be identified by enterprise monitoring techniques, and compromise may go unnoticed. Unwitting users then become part of attack propagation.

An attack on Sept 19th, 2022, followed this familiar pattern, seeking to exploit known vulnerabilities in devices from multiple vendors - including D-Link, eir, Huawei, Netgear, TP-Link, and routers using Realtek SDK.


An attacker or compromised device made numerous attempts to connect to the target with weak ssh credentials before eventually authenticating.

Payload Drop

Upon authenticating, the attack downloads and executes the xd.86 payload.


The xd.86 botnet component searches out new targets. In the first 15 seconds, 1018 connection attempts are made to 115 unique addresses from an otherwise quiet system.

Outbound Connection Attempts

Unique Destinations

Destination ports reveal connections to standard HTTP ports and well-known ports used by Huawei (32715) and Oracle (7574).
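The burst described above (over a thousand attempts to more than a hundred destinations within 15 seconds from a normally quiet host) is the kind of fan-out a simple sliding-window detector over connection records can surface. Added example, not code from the diary: the connection records are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict, deque

# Constructed connection records (timestamp, src, dst, dport), not data from the post:
# one host fans out to 250 addresses on four ports within a few seconds, another talks
# repeatedly to a single peer as a baseline of normal behaviour.
SAMPLE_CONNECTIONS = (
    [(1663603200 + i * 0.01, "10.0.0.5", f"203.0.113.{i % 250}",
      (80, 8080, 32715, 7574)[i % 4]) for i in range(400)]
    + [(1663603200 + i * 0.5, "10.0.0.7", "192.0.2.10", 443) for i in range(40)]
)

def fanout_alerts(connections, window_s=15, max_unique_dst=50):
    """Return {src: peak_unique_destinations} for every source that contacts more than
    max_unique_dst distinct destinations inside any window_s-second sliding window."""
    recent = defaultdict(deque)   # src -> (ts, dst) records still inside the window
    peak = {}
    for ts, src, dst, _dport in sorted(connections):
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window_s:   # expire records that fell out of the window
            q.popleft()
        unique = len({d for _, d in q})
        if unique > max_unique_dst:
            peak[src] = max(peak.get(src, 0), unique)
    return peak

def port_profile(connections, src):
    """Destination-port histogram for one source: scanner traffic clusters on a few
    service ports (HTTP and the vendor ports named in the post), not ephemeral ones."""
    return Counter(dport for _ts, s, _dst, dport in connections if s == src)
```

A real deployment would feed this from flow logs or a host firewall log and alert on the first crossing rather than keeping only the peak.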


Eleven attacks are apparent based on the strings from xd.86. When vulnerable devices are discovered, and authentication is successful, one of these 11 actions is carried out to propagate the attack further.


[1] - Attack Source - VirusTotal
[2] - Payload Source - Virus Total
[3] - Main Payload Reputation - Virus Total - d47eaac87456ac5929363eee7cffc57540f6130539967dd5cdaf0ddca04e1e94
[4] - Secondary Payloads
lol.sh - f0d12efb246fac3a93f2cab32924e202eddbe92e7d80ba8be3219f5aadf0551e
xd.mips - 19e9baefa16cef3bede1d8b58992fe2e3d857c4fd38a102bf06c577a25502d60
xd.arm7 - 9069ff0e1c75cae1f7b2db10c244004c84791f4f81eb4c11ee53b7b07fa06f96
[5] - Bot with Strings in Common


Published: 2022-12-05

VLC's Check For Updates: No Updates?

When Johannes mentioned a VLC update (version 3.0.18) on Thursday's Stormcast, I started VLC and let it check for updates: it reported that I had the latest version. But I knew I didn't.

Saturday I checked again, still no updates. So I started Wireshark, let VLC do an update check, and saw this:

An HTTP request is made to host update.videolan.org path /vlc/status-win-x64. The reply says 3.0.16 is the latest version.

That's why I get no updates when VLC does the check.

The same is true for 32-bit VLC.

I informed the Videolan team.

Update: the version files are updated:

Didier Stevens
Senior handler
Microsoft MVP


Published: 2022-12-04

Finger.exe LOLBin

Guy's diary entry "Linux LOLBins Applications Available in Windows" reminded me of another Linux tool that is available on Windows: the ancient finger command.

Here is an example with weather info for the North Pole:

Communication takes place over TCP. Destination port is 79.

The finger.exe command sends the string before the @ sign to the host specified after the @ sign.

finger.exe is not proxy aware, and port 79 is hardcoded inside the finger.exe executable. Not as a number, but as a protocol name (finger) that is defined in the services list (%SystemRoot%\system32\drivers\etc\services).
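To make the wire behaviour concrete, here is the exchange finger.exe performs: the text before the @ sign goes out as a single request line on TCP/79 and the reply is read until the server closes. Added example, not code from the diary; the loopback server and its canned reply are constructed so it runs offline (the local port replaces 79 only for the test).

```python
import socket
import threading

def split_target(argument):
    """Mirror finger.exe's parsing: text before '@' is the query sent on the wire,
    text after '@' is the host contacted (port 79 via the services file)."""
    query, _, host = argument.partition("@")
    return query, host

def finger_query(query, host, port=79, timeout=5.0):
    """Send one RFC 1288 request line (query + CRLF) and return the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii", "replace") + b"\r\n")
        chunks = []
        while chunk := s.recv(4096):      # finger servers reply then close
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", "replace")

def serve_once(responses):
    """Constructed stand-in for a remote finger daemon on a random loopback port.
    Answers one connection from the `responses` dict; returns the port to use."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            line = conn.makefile("rb").readline().rstrip(b"\r\n").decode()
            conn.sendall(responses.get(line, "no such user\r\n").encode())
    threading.Thread(target=handle, daemon=True).start()
    return port

def demo():
    # Constructed reply; the real North Pole weather service is not contacted.
    port = serve_once({"northpole": "North Pole: -30C, clear skies\r\n"})
    query, host = split_target("northpole@127.0.0.1")
    return finger_query(query, host, port=port)
```

From a monitoring standpoint the whole transaction is one plaintext line out and a blob back on TCP/79, which is rare enough on modern networks to be worth an egress alert.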


Didier Stevens
Senior handler
Microsoft MVP


Published: 2022-12-03

Linux LOLBins Applications Available in Windows

Some useful Linux applications are now part of the default installation of Windows 10 and Windows Server 2019/2022, which makes them LOLBins (Living Off the Land Binaries).




The first one is curl, which is very useful in scripts to download or upload files, optionally with a username/password (see curl --help), and to save the output either to a new filename or to the original one:


C:\Users\guy\Downloads>curl https://handlers.sans.edu/gbruneau/scripts/Example.csv -o Example.csv
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  230k  100  230k    0     0  1443k      0 --:--:-- --:--:-- --:--:-- 1461k




The next application is tar (tar --help), which is used to store, extract and manipulate archive files. Let's take the previous file Example.csv, archive and compress it, and then review the result. Using the same options as on Linux will use gzip compression and create the file Example.tgz:


-c Create  -r Add/Replace  -t List  -u Update  -x Extract
-f <filename>  Location of archive
-v Verbose
-z, -j, -J, --lzma  Compress archive with gzip/bzip2/xz/lzma

C:\Users\guy\Downloads>tar zcvf example.tgz Example.csv
C:\Users\guy\Downloads>dir Example.*
 Volume in drive C is Starbase
 Volume Serial Number is EEB2-C010

 Directory of C:\Users\guy\Downloads

12/03/2022  01:39 PM           236,526 Example.csv
12/03/2022  01:46 PM            38,247 example.tgz

To extract the file(s), use the following command:

C:\Users\guy\Downloads>tar xvf example.tgz
x Example.csv


To view the content of the archive:


c:\Users\guy\Downloads>tar ztvf Example.tgz
-rw-rw-rw-  0 0      0      236526 Dec 03 13:39 Example.csv




This tool is a Windows original which I think is worth mentioning again. I wrote a diary in May 2020 [1] on how to use PktMON to capture packets in Windows 10. The resulting packet capture can be converted into pcapng format to be read later with Wireshark.




The last one that is always useful is ssh/scp/sftp, which use OpenSSH. The OpenSSH binaries are located in C:\Windows\System32\OpenSSH




First, let's create a public/private key pair in the default user home directory:


Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\guy/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\guy/.ssh/id_rsa.
Your public key has been saved in C:\Users\guy/.ssh/id_rsa.pub.
C:\Users\guy>cd .ssh

 Volume in drive C is Starbase
 Volume Serial Number is EEB2-C010

 Directory of C:\Users\guy\.ssh

12/03/2022  02:10 PM    <DIR>          .
12/03/2022  02:10 PM    <DIR>          ..
12/03/2022  02:10 PM             2,655 id_rsa
12/03/2022  02:10 PM               567 id_rsa.pub
11/10/2022  01:49 PM               545 known_hosts


Now ssh/scp/sftp is ready to use with a public key to a remote server. By default OpenSSH doesn't run the SSH listener service, but it can be configured using the information posted in the Microsoft article [3].
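Because these binaries ship with Windows, the defensive counterpart to the commands above is spotting when curl, tar and the OpenSSH clients run in a way that moves or unpacks files. Added example, not the diary's code: it applies a few argument rules to constructed Sysmon-style process-creation events (the image paths are the ones the diary lists; the command lines, user and parent process are made up).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 flattened to key=value).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\curl.exe CommandLine="curl https://example.test/Example.csv -o Example.csv" ParentImage=C:\Windows\System32\cmd.exe User=LAB\guy',
    r'Image=C:\Windows\System32\tar.exe CommandLine="tar xvf example.tgz" ParentImage=C:\Windows\System32\cmd.exe User=LAB\guy',
    r'Image=C:\Windows\System32\OpenSSH\scp.exe CommandLine="scp -i id_rsa Example.csv user@203.0.113.9:" ParentImage=C:\Windows\System32\cmd.exe User=LAB\guy',
    r'Image=C:\Windows\System32\curl.exe CommandLine="curl --version" ParentImage=C:\Windows\System32\cmd.exe User=LAB\guy',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\Windows\explorer.exe User=LAB\guy',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """key=value text into a dict; quoted values keep their spaces, quotes are stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

# Argument shapes that turn a built-in tool into a transfer/archive/remote-access action.
# Token splitting is whitespace-based here; production code must honour cmd.exe quoting.
def curl_transfers(args):   # download to file (-o/-O) or upload (-T/--upload-file)
    return any(a in ("-o", "-O", "-T", "--upload-file") for a in args)

def tar_creates_or_extracts(args):   # tar's mode letters sit in the first argument (xvf, zcvf)
    return bool(args) and any(m in args[0].lstrip("-") for m in "cx")

LOLBIN_RULES = {
    "curl.exe": curl_transfers,
    "tar.exe": tar_creates_or_extracts,
    "ssh.exe": lambda args: True, "scp.exe": lambda args: True, "sftp.exe": lambda args: True,
}

def detect_lolbins(events):
    """Return (binary, user, command line) for each event that matches a rule."""
    hits = []
    for line in events:
        ev = parse_event(line)
        binary = PureWindowsPath(ev.get("Image", "")).name.lower()
        rule = LOLBIN_RULES.get(binary)
        args = ev.get("CommandLine", "").split()[1:]
        if rule and rule(args):
            hits.append((binary, ev.get("User", "?"), ev.get("CommandLine", "")))
    return hits
```

Plain `curl --version` and unrelated processes fall through, so the output is a short list an analyst can review rather than every invocation of the tools.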


[1] https://isc.sans.edu/diary/Windows+10+Builtin+Packet+Sniffer+PktMon/26186
[2] https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview
[3] https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Published: 2022-12-02

obama224 distribution Qakbot tries .vhd (virtual hard disk) images


Qakbot (also called Qbot) is a long-running malware family that has seen widespread distribution through malicious spam (malspam) in recent years.  During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader.

Metadata tags in the malware code are tied to a specific distribution campaign.  The "obama" series distribution tag includes a 3-digit suffix, and it currently represents thread-hijacked emails with attachments for HTML smuggling.  When opened, the attached HTML file presents a password-protected zip archive to download, and the web page displays the password.

In recent months, password-protected zip archives for Qakbot have contained disk images using the .iso file extension.  However, on Thursday 2022-12-01, zip archives for obama224 Qakbot contained images using the .vhd file extension.

VHD files have been used by other criminal groups to distribute malware, but this is the first I remember seeing them for obama-series Qakbot.

In Microsoft Windows, ISO files can easily be mounted by any normal user account.  However, VHD images require an administrative Windows account.  Because of this, normal user accounts in an Active Directory (AD) environment cannot mount VHD files on a Windows client without administrative login credentials.  VHD images can easily mount on stand-alone Windows 10 or 11 hosts that use administrative accounts.

Shown above:  Chain of events for obama224 distribution Qakbot activity.

Qakbot infections occasionally lead to VNC activity.  Qakbot also leads to Cobalt Strike if the infected host is part of an AD environment.  This was the case as recently as Monday 2022-11-28 with a BB08 distribution Qakbot infection.

Let's review an infection in my lab environment, using screenshots from each step of the process.

Step by Step Screenshots

Shown above:  Thread-hijacked email with an attachment for HTML smuggling opened in Thunderbird.

Shown above:  The same email in Microsoft Outlook can open the HTML attachment in Microsoft Edge.

Shown above:  Opening the HTML attachment in Microsoft Edge presents a password-protected zip archive and shows u1515 as its password.

Shown above:  Using the password to click our way to the VHD image.

Shown above:  In an AD environment, you need administrative permissions to mount the VHD image.

Shown above:  Contents of the VHD image.

I used the domain administrator login credentials to mount the VHD image.  It mounted as the next available drive letter, using DOCFOLDER as the newly-mounted disk's name.  Double-clicking the visible Windows shortcut runs a hidden Qakbot DLL.  The shortcut uses a command prompt (cmd.exe) to run rundll32.exe [filename],DrawThemeIcon as its target.
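The ISO-versus-VHD distinction above depends on what the file actually is, not on its extension, so attachment triage should recognise a VHD by its trailer. Added example, not code from the diary: it builds a constructed fixed-disk VHD and parses the 512-byte footer (cookie "conectix", disk type, creation time, checksum); the creator and size values in the sample are assumptions, not taken from the real attachments.

```python
import struct
from datetime import datetime, timedelta, timezone

VHD_COOKIE = b"conectix"
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # VHD timestamps count from here
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
# 512-byte footer, big-endian: cookie, features, format version, data offset, timestamp,
# creator app, creator version, creator OS, original size, current size, geometry,
# disk type, checksum, unique id, saved state, reserved.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"

def vhd_checksum(footer):
    """Ones' complement of the byte sum with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\0\0\0\0" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def parse_vhd_footer(data):
    """Identify a VHD by its trailer, whatever the file extension says. Returns the
    fields a triage analyst wants, or None when the trailer is not a VHD footer."""
    if len(data) < 512:
        return None
    footer = data[-512:]
    f = struct.unpack(FOOTER_FMT, footer)
    if f[0] != VHD_COOKIE:
        return None
    return {
        "disk_type": DISK_TYPES.get(f[11], "unknown"),
        "current_size": f[9],
        "creator_app": f[5].decode("ascii", "replace").strip("\0 "),
        "created": VHD_EPOCH + timedelta(seconds=f[4]),
        "checksum_ok": f[12] == vhd_checksum(footer),
    }

def make_sample_vhd(size=1 << 20):
    """Constructed fixed-disk VHD (zeroed data area plus a valid footer); not a real sample."""
    ts = int((datetime(2022, 12, 1, tzinfo=timezone.utc) - VHD_EPOCH).total_seconds())
    fields = (VHD_COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, ts, b"win ", 0x000A0000,
              b"Wi2k", size, size, 0, 2, 0, b"\0" * 16, 0, b"\0" * 427)
    footer = bytearray(struct.pack(FOOTER_FMT, *fields))
    struct.pack_into(">I", footer, 64, vhd_checksum(bytes(footer)))
    return b"\0" * size + bytes(footer)
```

A mail gateway or sandbox can run the same check on any attachment extracted from a zip, which catches VHD images renamed to something innocuous.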

While Qakbot is quite dangerous, this type of infection requires a victim with administrative access willing to click through various notifications and warnings before an infection occurs.

Shown above:  The last warning I clicked through to infect my lab host.

Final Words

While this campaign is clever, it uses VHD images that require administrative access to successfully infect a Windows host.  How effective is this in an AD environment?  How many organizations allow administrative privileges for all user accounts?  Unfortunately, poor security practices can overcome some of the most effective security measures.  Human nature is why malware like Qakbot remains successful, despite the increased security of default Windows settings.

13 examples of malspam from Thursday 2022-12-01, along with the associated HTML files, VHD images, and Qakbot DLL files are available here.

Brad Duncan
brad [at] malware-traffic-analysis.net


Published: 2022-12-01

What's the deal with these router vulnerabilities?

Earlier today, I was browsing recently published vulnerabilities for tomorrow's version of our @Risk newsletter. What stuck out was a set of about twenty vulnerabilities in Netgear and D-Link routers:

%%CVE:2022-44186%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_pri.
%%CVE:2022-44187%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via wan_dns1_pri.
%%CVE:2022-44188%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter enable_band_steering.
%%CVE:2022-44190%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter enable_band_steering.
%%CVE:2022-44191%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameters KEY1 and KEY2.
%%CVE:2022-44193%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameters: starthour, startminute , endhour, and endminute.
%%CVE:2022-44194%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameters apmode_dns1_pri and apmode_dns1_sec.
%%CVE:2022-44196%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_push1.
%%CVE:2022-44197%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.
%%CVE:2022-44198%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_push1.
%%CVE:2022-44199%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.
%%CVE:2022-44200%% -  Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow via parameters: stamode_dns1_pri and stamode_dns1_sec.
%%CVE:2022-44184%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_sec.
%%CVE:2022-44201%% -  D-Link DIR823G 1.02B05 is vulnerable to Command Injection.
%%CVE:2022-44202%% -  D-Link DIR878 1.02B04 and 1.02B05 are vulnerable to Buffer Overflow.
%%CVE:2022-44801%% -  D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control.
%%CVE:2022-44804%% -  D-Link DIR-882 1.10B02 and 1.20B06 are vulnerable to Buffer Overflow via the websRedirect function.
%%CVE:2022-44806%% -  D-Link DIR-882 1.10B02 and 1.20B06 are vulnerable to Buffer Overflow.
%%CVE:2022-44807%% -  D-Link DIR-882 1.10B02 and 1.20B06 are vulnerable to Buffer Overflow via webGetVarString.

Interestingly, both the Netgear and the D-Link security pages are silent about it. The D-Link.

The Netgear page lists another vulnerability for today. D-Link's page appears to have yet to be updated. The last D-Link vulnerability seems to have been patched about two years ago.

All vulnerabilities point to the same GitHub repo for exploit code, but the link in the NVD database isn't working. The repository, however, exists with various IoT vulnerabilities and exploits. It is hard to match up the vulnerabilities with specific exploits.

So what does this all mean:

  1. Vendors aren't going to save you.
  2. Your router is probably vulnerable.
  3. If you still have the admin interface exposed (and that is what appears to be targeted here): Consider yourself lucky. Someone else will probably upgrade the router for you to prevent others from taking hold of it.
  4. Use a non-default password and a non-default network address scheme internally to make attacks via the browser (SSRF, CSRF...) more difficult.
  5. Use a "proper" open-source router (OPNsense, pfSense...). At least you will not have paid a vendor for software they stopped supporting during beta testing, and I find them MUCH easier to keep up to date.

Sorry for the rant.

Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu