The code behind Satori malware which is a variant of infamous Mirai DDoS malware has been published online. According to NewSky Security’s principal researcher, Ankit Anubhav the code was posted on Pastebin over Christmas.
Satori
Initially, the code pushed Satori which means “awakening” in the Japanese and Brickerbot malware to hijack thousands of (Internet of Things) IoT devices on November 27, 2017, including Huawei routers and more than 280,000 different IP addresses.
Brickerbot was discovered in April last year conducting PDoS (Permanent Denial Of Service) and literally destroying IoT devices around the world. Now that the malware code behind Satori botnet has been leaked online it can allow hackers to cause havoc by conducting large-scale distributed denial-of-service (DDoS) attacks.
“The proof of concept code was not made public to prevent attackers from abusing it. However, with the release of the full code now by the threat actor, we expect its usage in more cases by script kiddies and copy-paste botnet masters,” said Anubhav in a blog post.
A snippet of leaked working exploit code shared by NewSky Security.
In order to avoid misuse, NewSky Security has decided not to share the link to the leaked code.
Attacking Huawei devices
Satori was originally identified by Israeli endpoint security provider Checkpoint during a zero-day attack exploiting a vulnerability (CVE-2017–17215) in Huawei HG532 devices. The company reported the issue to Huawei who confirmed the presence of this vulnerability and stated in its security advisory that: “An authenticated attacker could send malicious packets to port 37215 to launch attacks. A successful exploit could lead to the remote execution of arbitrary code.”
Who is behind Satori?
Although the nationality of the culprit behind Satori is unclear Checkpoint researchers believe the botnet is highly sophisticated and found connections between Satori and a HackForum member Nexus Zeta whose last post on the forum was about Mirai malware.
Image credit: Checkpoint
Researchers also found command & control domain (nexusiotsolutions[.]net) of the malware that was registered on nexuszeta1337@gmail[.]com email address. Moreover, they found Nexus Zeta’s Twitter and Github accounts on which the member was once again talking about Mirai malware.
