In a few days back, the MalwareMustDie team’s security researcher unixfreaxjp has published a new Linux malware analysis of Fbot that has focused on the decryption of the last encryption logic used by its bot client.
This is not the first time Fbot analysis has been published, and also Fbot binaries have been actively infecting the IoT devices since way before 2018.
This article explains what we have learned about the
The background before Fbot Mirai variant
This wave is a significant timeline as a technology step-up for DDoS botnet and IoT malware development.
It is known in the underground that origin of Satori, the predecessor code of what is known as Fbot now, had been started to be developed after the leak of Mirai code, young botnet coders, who mostly also herders of Qbot (GafGyt) botnets. One of them who lives in the UK known under various nicknames of Vicious, ViciousAttack, Vi, Vamp, DustPan, NixFairy, HollySkye or RespectVicious, had allegedly been involved with this variant’s development too.
(Figure 1 – Vamp’s account on Twitter)
Vamp was among a number of suspects who had been arrested across the United Kingdom on the investigation of the TalkTalk cyber incident that happened in 2015, and he is also a suspect on the activity of Mirai botnet that made great damage in the several parts of the globe from 2016. Vamp, along with other “partners” (including Nexus Zeta, who has been indicted of a similar crime in the US), had his involvement with the original development of Satori botnet. After the legal matter had happened, Vamp was out of the grid and the recent news about him is the legal matter of lifting of his anonymity in 2018. As you can also see it in The Irish News published an article on 14 March, 2018, we quoted:
“With the criminal case now concluded, Mr Simpson said: ” ..this young man has now been dealt with, and he is now over 18 (years old). On that basis Mr Justice Maguire agreed to discharge the prohibition on identifying the teenager.”
The mystery of Fbot
What had happened now is the re-emerged
(Figure 2 – Fbot Scanning Activities with “SATORI” Keyword Detected)
The link between Fbot and Satori base is detected in its infection’s activity and executable file. For example, in the scanner log:
And also in the binary as hardcoded strings:
(Figure 3 – The Hardcoded “SATORI” Strings in Fbot Binary)
Would it be one of the “partners” during Satori development has renamed compiled binaries of the Satori project into Fbot? What are Vamp, NexusZeta doing nowadays? Or, would it b someone else uses the whole source code of the Satori project and re-use it for his own by naming the compiled binaries as Fbot?
This is the mystery that comes to our mind after reading the
To make things more mysterious is, right now, the Fbot infected devices are detected to still performing infection to other IoT devices, but the payload is not being dropped from the C2 server.
The latest detection can be seen in the post of MalwareMustDie latest post too:
(Figure 4 – Recent Record of Fbot Infection Log In the Analysis Article)
Although it has been confirmed by the researchers that since the analysis has been posted by in MalwareMustDie post, the C2 for Fbot is not dropping new payloads for the further infection activity.
Would it mean that the coder of
Whoever the herder is, we all hope that the coder will stop his malicious activity for good.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]
Share On
