Malware Getting Branded — GUCCI IoT Bot Discovered Targeting Devices in the European Region

Report by Aditya K Sood and RB.

Note: We would like to thank MalwareMustDie for providing additional inputs regarding reverse engineering of binaries.

Media Coverage

Analysis

SecNiche Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods. The discovery came to exist during our reconnaissance and intelligence collection process.

The IOT threat detection engine picked the infection IP has shown below hosting number of bins for different architectures

Figure 1: GUCCI Bot Binaries

All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.

Figure 2: Gucci Bot: compiled Binaries

As you can see the output in Figure 2, all the Gucci bot binaries are “stripped”. This means that when these binaries were compiled all the debug symbols were removed from these executables to reduce the size. Listing 1 highlights the Md5 hashes of the binaries being analyzed.

Listing 1: MD5 Hashes of the Gucci Bit Binaries

The binaries were found to be obfuscated in nature. On further analysis, it was analyzed that the Gucci bot was connecting to the remote IP on the TCP port “5555” and transmitting the data accordingly. Digging deeper, we found that the remote host running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated on TCP port 5555 using telnet client on remote IP, the successful connection acceptance resulted in requirement of credentials.

Compromising C&C

Without authentication credential, it was not possible to access the service. Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked and connection was initiated and accepted as credentials are accepted.

Figure 3 highlights that Gucci bot Command and Control panel was hijacked and privilege access was obtained.

Figure 3: Gucci C&C Bot Panel

The C&C listed out the different type of Denial of Service (DoS) attack types supported by the Gucci bot. The support scans are:

Additional Details: Attribution

MalwareMustDie researcher provided additional details on the state of binaries. It was highlighted that the GUCCI bot showed traces of Mirai code also. Figure 4 highlighted the same

Figure 4 : Decrypted GUCCI x86 Binary

Figure 5 highlighted the where the (1) IP address is defined and (2) where the port number is set.

Figure 5: GUCCI x86 Binary: IP Address and Port Number

It was noticed that Gucci bot was in early stages of deployment. It was also analyzed that the botnet operator was monitoring all the access connections to the Gucci C&C. As soon as the botnet operator realized that the C&C has been compromised, the TCP service was removed from the host and operator cleaned the directories and performed additional set of operations to hide indicators and artefacts. The binaries were distributed from the location as provided in Figure 6

Figure 6: Gucci Bot — Source of Distribution

Inference

A new IOT bot Gucci has been discovered and analyzed accordingly. The botnet operator was found to be very proactive. The whole analysis and obtaining C&C access was like an arms race. The purpose of this research is to share the discovery details with the security research community so that extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated the Gucci botnet is still in active phase and targeting European region. However, the attacks triggered by Gucci bot could be broad based or targeted depending on the requirements.

Authors

Aditya K Sood is a Cyber Security Expert and working in the field for more than 11 years now. His work can be found at: https://adityaksood.com

RB is a Principal Security Researcher at SecNiche Security Labs.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store