From Ripples to Waves: The Swift Evolution of the “Boat” Botnet

From Ripples to Waves: The Swift Evolution of the “Boat” Botnet

agosto 18, 2023 | NSFOCUS

The botnet family “Boat” was first discovered by NSFOCUS Security Labs in June 2022. Its name comes from the fact that malicious samples in its early versions propagate with the file name “boat”. At the same time, since some malicious samples in later versions of this family retain symbolic information and there are a large number of functions named after “ripper_*”, it is also called the botnet family “Ripper”.

In August 2023, the NSFOCUS’s global threat hunting system detected that the Boat family has accelerated its version upgrades and its activity has also significantly increased. It has grown into a non-negligible threat source. After more than one-year growth, the functions of Boat family tend to be perfect and many variants have been derived. Many attempts of Boat family in enhancing concealment and its possible independent propagation modules have attracted our attention again. In this article, we will sort out the changes in the Boat family over the past year.

Evolution of Boat

1. Propagation

We analyzed the newly captured attacker assets and found that the controllers of the Boat family had a large number of propagation scripts with different names.

“Arsenals” of Boat controller

The naming of those scripts in the Boat family seems to reveal information about potential attack targets, such as “android” and “ruckus”. Commonly used script names are as follows:

androidlboa
CCTVicam
athdfaith
drillaruckus
Wapsexplot.*

It is worth noting that the attacker has a large number of propagation scripts named “exploit.*”, and we presumed that the attacker has tried to spread malware by exploiting vulnerabilities, but there is no built-in vulnerability exploitation module in Trojans. The known propagation methods of this family are mainly weak password brute force. All clues seem to imply that the controller of Boat also has an independent propagation module.

In fact, in recent years we have detected an increasingly obvious trend that the botnet Trojan separates the propagation module from the Trojan body. Independent propagation modules not only improve the controllability of propagation but also help hide attacker resources and prevent important information such as 0-day vulnerabilities from being intercepted.

2. Scanning

In the early version of Boat family, C&C will issue weak password pairs during online interaction. The later version has revised the overall design and directly used weak password pairs in scanning modules, which is more reasonable than the original version.

Weak password issued by the Boat controller

Generally, the botnet controller is accustomed to embedding weak password pairs in malicious samples or storing them in special cipherbooks. This method of directly issuing weak passwords through C&C communication traffic is rare.

Boat scanning module

3. Communication Protocol

The Boat family has been experimenting with different ways of communicating over the last year. The most common version is based on TCP protocol, followed by versions communicating with the C&C server with UDP protocol.

Boat communication module

The Boat family has also attempted to communicate using a tor proxy, but this was abandoned in subsequent releases.

Attempt of Boat communication based on Tor

In recent years, botnet operators have been making various attempts to enhance the camouflage of botnet communication. Either choose a more invisible tor proxy for communication or design complex interaction logic. To some extent, the attacker is more willing to devote more resources than the defender, which deserves our attention.

4. Versions

There are many variants of the Boat family, showing that multiple versions are active at the same time. The more active versions are as follows:

Rev.Capture timeChange
V1Boat May to June 2022The sample is propagated in the name of “boat + architecture name”, and the weak password pairs issued appear in online interaction traffic.
V1Boat_jKira Mid of July 2022Apply a weak password to the scanning module. The sample name is jKira+ architecture name, and the function named “ripper_*” begins to appear.
V1Boat_tor Mid of  October 2022Attempt to communicate via Tor proxy
V2  Boat_Ripper-v1 Captured April 2023 Increased activity in AugustModify the online package, and run the output “Komorebi” string
V2 Boat_Ripper-v2 Captured April 2023 Increased activity in AugustUDP communication, DDoS attack instructions and functions are added.
V2 Boat_Ripper-3 June-July 2023Obfuscate the instruction receiving module code; online parameters are sample startup parameters; enable local socks5 proxy and DNS resolution service; sample name is loki+ architecture name.
V3  End of July 2023The DDoS attack module has changed greatly, running the output “[botpkt] Committing Suicid”.

Version change of Boat family

Up to now, the malicious samples of this family cover almost all common IoT architectures, including:

X86Armv7
X86_64Mpsl
ArmMips
Arm5Ppc
Arm6Sh4

We have noticed that the source code of Mirai family is into each version of Boat family to varying degrees. Attackers will use some codes of known families when building new botnet families, which not only facilitates code reuse, but also deceives antivirus engines in this way and reduces the probability of being filtered out for manual analysis. This approach is less noticeable than constructing an entirely new family without any detection history.

Conclusion

In the past year, Boat family controllers have attached great importance to the invisibility of Trojans. They deliberately added signature codes of botnet families such as Mirai to deceive antivirus software engines and reduce the probability of manual analysis. In addition, it has also tried to achieve better concealment through Tor and Socks. Boat controllers are also likely to have separate propagation modules that protect their resources from disclosure. The versions of the Boat family change very fast, multiple versions spread at the same time, with a wide range of activities and high originality. There are professional attack gangs behind it. NSFOCUS security researchers will continue to keep a close eye on Boat family and their controllers.

IoC

0bd4197fedbf6b3141427067f548d1acd65c5924f906ff3246602e8258e62b72
117d63cd098e29467fabf02345075a31c4cd735a18119e9206943f43e0e105ad
1233ae9e89ffb77b247aeb998e453a83bc96496aa171e0fde8322199f779cbc8
141ab6882632101808a6338e0a5cfd7b031cc2b3f6e152b700afd2653298bb5e
d4f9b424a1639bc3c46726e4f72c259bf6b9ca33af7377490b1bb292867603e7
A0FFF5A783E05DDC95A6951F3DD9E31E88CD2E0591605F0543D0F7186B83B11D
9a86408d4f16a39f61889f61713eecd68ff8e8a246df7f2a0d04c02a672d5fc9
e97f19050259ff7207e09241b55c98bebc8eb4ac3b94b1251beb07bb60e00061
9230ce12254f7a0960ec9c8add482c2db6ed7cf863439cab65390145586ad07e
9a86408d4f16a39f61889f61713eecd68ff8e8a246df7f2a0d04c02a672d5fc9
df5655ee4f33d8597fd9bd174042880cd3600a44b5dff69df996841d0c0db18e
aff3e8167b01998037b2eb04703d5c7007e3ac6d6ffb1de5a193b201a0802693
6b60da1f062d5ac0a1834e7ca0ad4bda
6e11f805db7c9acf6d1784796235aea3
8591f0616e7e0051e949e8dad960fcad
38214ee8a8add498e4fb6e497b5d24a2
190587c78ce2bcad72f0bd1198617746
a151900e43f3a9adad7a31de8f7e49e3
d18ef9ad1cbbc56046e93e388cc5d2c9

172.245.186.189
46.249.32.102
162.33.23.74
85.217.144.191
194.55.224.126
194.55.224.182
87.120.88.117
87.120.88.118
149.57.171.148