Botnets are on a roll. Since the beginning of this year, several new botnets have emerged to target IoT devices across the globe, and the list has just grown with a new variant of the EwDoor botnet.

EwDoor actively targets U.S. customers

  • Discovered by Netlab researchers, the new version of EwDoor is an update to version 0.16.0 of the botnet that had first surfaced on November 15.
  • The researchers have been tracking the botnet since late October, during which the malware went through at least three versions.
  • The new version adds an exploit for an n-day vulnerability in EdgeMarc Enterprise Session Border Controller devices deployed on AT&T's network.
  • Among its other features, the botnet can launch DDoS attacks, steal sensitive data, execute arbitrary commands, update itself, and open reverse shells on compromised devices.
  • According to Netlab's telemetry, all of the roughly 5,700 infected IPs observed so far belong to AT&T customers located in the U.S.

Evasion technique also improved

  • The botnet wraps its network traffic in TLS to hinder interception and inspection, and encrypts its embedded resources to evade detection.
  • The C2 address is no longer hard-coded in the sample: it is fetched from the cloud via a BitTorrent tracker, so it cannot be extracted directly as a static IoC.
  • The malware also checks the Linux kernel version and will not run on a low version, a check aimed at evading sandboxes that run older kernels.

More details about the vulnerability

  • The vulnerability in question is a blind command injection flaw (CVE-2017-6079) in the EdgeMarc web management interface, which is being widely exploited to compromise unpatched EdgeMarc devices.
  • An Internet-wide scan found more than 100,000 IPs presenting the same SSL certificate as the EdgeMarc VoIP devices, but it is unclear how many of them are actually vulnerable to the flaw.
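The flaw above is a blind command injection: the attacker never sees command output and has to rely on a side effect to confirm execution. The following is an added example, not EdgeMarc code or EwDoor code, of a hypothetical device-management handler that runs a network diagnostic on a user-supplied host. `run_diag_vulnerable` interpolates the host into a shell command line, `run_diag_hardened` allow-lists the argument and passes it as an argv entry with no shell, and `demonstrate` runs a marker-file payload against both so the difference is observable. `echo` stands in for the real diagnostic tool so the example runs anywhere with a POSIX shell; the hostname regex and the 198.51.100.10 address are assumptions.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical management endpoint (not EdgeMarc's code): it runs a
# diagnostic for a host supplied in the HTTP request and replies only
# "ok", so an attacker gets no output back. That is what makes the
# injection "blind": execution must be confirmed via a side effect.


def run_diag_vulnerable(host: str) -> str:
    """Vulnerable: the host is interpolated into a shell command string.
    shell=True hands the string to /bin/sh, so ';', '|', '$(...)' and
    redirections in `host` are parsed as shell syntax. Output is discarded
    (blind). 'echo' stands in for the real tool."""
    cmd = f"echo pinging {host}"
    subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return "ok"


# Allow-list for a hostname or IPv4 literal (assumed policy): labels of
# letters, digits and hyphens, separated by dots, up to 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname/IP literal."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def run_diag_hardened(host: str) -> str:
    """Hardened: allow-list validation plus an argv list, no shell.
    The argument reaches the program as a single argv entry; even if the
    allow-list had a gap, no shell ever parses it. The allow-list also
    blocks a leading '-', so the value cannot be read as an option."""
    safe = validate_host(host)
    subprocess.run(["echo", "pinging", safe], capture_output=True, text=True)
    return "ok"


def demonstrate() -> dict:
    """Send a blind-injection payload to both handlers. The payload's only
    observable effect is a marker file; in the wild this would be a DNS
    callback, a time delay, or a downloaded second stage."""
    workdir = tempfile.mkdtemp()
    marker = os.path.join(workdir, "injected")
    # ';' terminates the intended command; the rest is attacker-controlled.
    payload = f"198.51.100.10; echo INJECTED > {marker}"

    vuln_reply = run_diag_vulnerable(payload)
    vuln_side_effect = os.path.exists(marker)
    if vuln_side_effect:
        os.remove(marker)

    try:
        run_diag_hardened(payload)
        hardened_reply = "accepted"
    except ValueError:
        hardened_reply = "rejected"
    hardened_side_effect = os.path.exists(marker)

    benign_reply = run_diag_hardened("198.51.100.10")
    os.rmdir(workdir)
    return {
        "vuln_reply": vuln_reply,                   # "ok": nothing leaks
        "vuln_side_effect": vuln_side_effect,       # True: command ran
        "hardened_reply": hardened_reply,           # "rejected"
        "hardened_side_effect": hardened_side_effect,  # False
        "benign_reply": benign_reply,               # "ok": valid host works
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Note that the vulnerable handler answers "ok" in both cases; only the marker file reveals that the injected command ran, which is why scanners for this class of bug probe with out-of-band callbacks or time delays rather than looking at the HTTP response.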

The takeaway for users

AT&T has begun an investigation into the matter and has taken steps to mitigate the threat from the botnet. It also confirmed that there is no evidence customer data was accessed in the attacks.

Cyware Publisher