The IoT Reaper botnet – Quiet before another storm


You may still remember the Mirai botnet and the record breaking DDoS on Dyn at the end of last year. There is now a new IoT botnet spreading in the wild – IoT Reaper. SonicWall Capture Labs Threat Research team has analyzed this threat. Please see IoT Reaper attack diagram below.

Comparing to the Mirai, the IoT Reaper malware has an upgraded spreading ability. It’s a well-collected exploit kit itself: 9 existing exploits targeting devices from popular IoT vendors such as Linksys and Dlink are integrated. And the author is still actively adding new exploit supports. Also, a LUA execution environment is integrated for a stronger development potential. Below is one example of the embedded LUA code:

According to the code in the malware, Lua 5.3.3 is used to execute either the hard-coded or newly downloaded Lua codes. There are also multiple features from Lua have been used such as SMTP, FTP and HTTP/HTTPS.

Due to wide spread of IoT reaper, we have noticed an elevated level of IoT targeted exploit activity. Below is the latest two months statistics of IoT device attacks observed in SonicWall Capture Threat Network, where we can see an obvious increase in such activity.

Also, 100+ DNS open resolvers were integrated in this malware, which may be used as reflector in real dns amplification attacks.

SonicWall Capture Labs Threat Research team has analyzed the malware and vulnerabilities associated with IoT Reaper and developed the following signatures:

  • IPS:13029 “D-Link 850L Admin Password Exposure”
    “Arbitrary files upload and command injection vulnerability in D-Link’s admin interface.”
  • IPS:13030 “WIFICAM Remote Code Execution”
    “Pre-auth RCE vulnerability in Wireless IP Camera (P2P) WIFICAM cameras”
  • IPS:13031 “Web Application Remote Code Execution 76”
    “Authentication bypass on Shodan DVRs”
  • IPS:13032 “NETGEAR ReadyNAS Surveillance Remote Command Execution”
    “RCE on network video recording (NVR)’s web interface”
  • IPS:13033 “Vacron NVR Remote Command Execution”
    “RCE on network video recording (NVR)’s web interface”
  • IPS:13034 “NETGEAR DGN Devices Remote Command Execution”
    “Authentication bypass on DGN’s admin web interface”
  • IPS:9804 “Linksys E1500/E2500 Remote Command Execution”
    “OS Command Injection on admin URLs”
  • IPS:2020 “D-Link DIR-300 Remote Command Execution 1”
    “OS Command Injection (unauthenticated) on admin URLs”
  • IPS:13035 “AVTECH Devices Remote Command Execution”
    “Unauthenticated command injection in admin URLs”
  • GAV: Reaper.A (Trojan)
  • GAV: Reaper.B (Trojan)
  • GAV: Reaper.C (Trojan)
  • GAV: Reaper.D (Trojan)
  • GAV: Reaper.E (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.