Malware Getting Branded — GUCCI IoT Bot Discovered Targeting Devices in the European Region

Report by Aditya K Sood and RB.

Note: We would like to thank MalwareMustDie for providing additional inputs regarding reverse engineering of binaries.

Media Coverage

New Gucci Botnet Capable of Launching Multiple Types of DDoS Attacks — https://securityintelligence.com/news/new-gucci-botnet-capable-of-launching-multiple-types-of-ddos-attacks/

New ‘Gucci’ IoT Botnet Targets Europe — https://www.securityweek.com/new-gucci-iot-botnet-targets-europe

Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods.
https://securityaffairs.co/wordpress/91942/malware/gucci-iot-bot.html

Waspada, Varian Botnet Gucci Targetkan Perangkat IoT — https://cyberthreat.id/read/3132/Waspada-Varian-Botnet-Gucci-Targetkan-Perangkat-IoT

Analysis

SecNiche Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods. The discovery came to exist during our reconnaissance and intelligence collection process.

The name “GUCCI” was extracted from the compromised C&C panel which showed that botnet operator used the “GUCCI” to name C&C panel.

The IOT threat detection engine picked the infection IP has shown below hosting number of bins for different architectures

Figure 1: GUCCI Bot Binaries

All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.

Figure 2: Gucci Bot: compiled Binaries

As you can see the output in Figure 2, all the Gucci bot binaries are “stripped”. This means that when these binaries were compiled all the debug symbols were removed from these executables to reduce the size. Listing 1 highlights the Md5 hashes of the binaries being analyzed.

MD5 (arm) = b24e88da025e2e2519a96dd874e6ba8b
MD5 (arm5) = 24ef4178e365c902cfdd53d0ea0d1dc2
MD5 (arm6) = 5a5a27635570b2c3634cab62beadc951
MD5 (arm7) = c1ef67719e9762fc46aeb28a064fe0ae
MD5 (m68k) = 2b984677ab9ee264a2dae90ca994a2a6
MD5 (mips) = a0e0da3ae1ad1b94f0626c3e0cb311ad
MD5 (mpsl) = ee26f791f724f92c02d976b0c774290d
MD5 (ppc) = e16f594cbdd7b82d74f9abc65e0fe677
MD5 (sh4) = a70d246e911fe52638595ea97ed07342
MD5 (spc) = d1b719ab9b7be08ea418b47492108dfa
MD5 (x86) = de94d4718127959a494fe8fbc4aa5b2a

Listing 1: MD5 Hashes of the Gucci Bit Binaries

The binaries were found to be obfuscated in nature. On further analysis, it was analyzed that the Gucci bot was connecting to the remote IP on the TCP port “5555” and transmitting the data accordingly. Digging deeper, we found that the remote host running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated on TCP port 5555 using telnet client on remote IP, the successful connection acceptance resulted in requirement of credentials.

Compromising C&C

Without authentication credential, it was not possible to access the service. Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked and connection was initiated and accepted as credentials are accepted.

Figure 3 highlights that Gucci bot Command and Control panel was hijacked and privilege access was obtained.

Figure 3: Gucci C&C Bot Panel

The C&C listed out the different type of Denial of Service (DoS) attack types supported by the Gucci bot. The support scans are:

HTTP null scan
UDP flood
Syn flood
ACK flood
UDP flood with less protocol options
GRE IP flood
Value Source Engine specific flood

Additional Details: Attribution

MalwareMustDie researcher provided additional details on the state of binaries. It was highlighted that the GUCCI bot showed traces of Mirai code also. Figure 4 highlighted the same

Figure 4 : Decrypted GUCCI x86 Binary

Figure 5 highlighted the where the (1) IP address is defined and (2) where the port number is set.

Figure 5: GUCCI x86 Binary: IP Address and Port Number

It was noticed that Gucci bot was in early stages of deployment. It was also analyzed that the botnet operator was monitoring all the access connections to the Gucci C&C. As soon as the botnet operator realized that the C&C has been compromised, the TCP service was removed from the host and operator cleaned the directories and performed additional set of operations to hide indicators and artefacts. The binaries were distributed from the location as provided in Figure 6

Figure 6: Gucci Bot — Source of Distribution

Inference

A new IOT bot Gucci has been discovered and analyzed accordingly. The botnet operator was found to be very proactive. The whole analysis and obtaining C&C access was like an arms race. The purpose of this research is to share the discovery details with the security research community so that extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated the Gucci botnet is still in active phase and targeting European region. However, the attacks triggered by Gucci bot could be broad based or targeted depending on the requirements.

Authors

Aditya K Sood is a Cyber Security Expert and working in the field for more than 11 years now. His work can be found at: https://adityaksood.com

RB is a Principal Security Researcher at SecNiche Security Labs.