The discovery came to exist during our reconnaissance and intelligence collection process. The IOT threat detection engine picked the infection IP has shown below hosting number of bins for different architectures
Figure 1: GUCCI Bot Binaries
All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.
Figure 2: Bot: compiled Binaries
As you can see the output in Figure 2, all the Gucci bot binaries are “stripped”. This means that when these binaries were compiled all the debug symbols were removed from these executables to reduce the size. Listing 1 highlights the Md5 hashes of the binaries being analyzed.
|MD5 (arm) = b24e88da025e2e2519a96dd874e6ba8bMD5 (arm5) = 24ef4178e365c902cfdd53d0ea0d1dc2MD5 (arm6) = 5a5a27635570b2c3634cab62beadc951MD5 (arm7) = c1ef67719e9762fc46aeb28a064fe0aeMD5 (m68k) = 2b984677ab9ee264a2dae90ca994a2a6MD5 (mips) = a0e0da3ae1ad1b94f0626c3e0cb311adMD5 (mpsl) = ee26f791f724f92c02d976b0c774290dMD5 (ppc) = e16f594cbdd7b82d74f9abc65e0fe677MD5 (sh4) = a70d246e911fe52638595ea97ed07342MD5 (spc) = d1b719ab9b7be08ea418b47492108dfaMD5 (x86) = de94d4718127959a494fe8fbc4aa5b2a|
|Listing 1: MD5 Hashes of the Gucci Bit Binaries|
The binaries were found to be obfuscated in nature. On further analysis, it was analyzed that the Gucci bot was connecting to the remote IP on the TCP port “5555” and transmitting the data accordingly. Digging deeper, we found that the remote host running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated on TCP port 5555 using telnet client on remote IP, the successful connection acceptance resulted in requirement of credentials.
Without authentication credential, it was not possible to access the service. Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked and connection was initiated and accepted as credentials are accepted.
Figure 3 highlights that Gucci bot Command and Control panel was hijacked and privilege access was obtained.
Figure 3: Gucci C&C Bot Panel
The C&C listed out the different type of Denial of Service (DoS) attack types supported by the Gucci bot. The support scans are:
It was noticed that Gucci bot was in
Figure 4: Gucci Bot – Source of Distribution
A new IOT bot Gucci has been discovered and analyzed accordingly. The
About the authors:
Aditya K Sood is a Cyber Security Expert and working in the field for more than 11 years now. His work can be found at: https://adityaksood.com;
Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs