Full Report
The Reaper IoT botnet includes about 10-20 thousand infected devices, with some of these devices possibly being used by industrial enterprises, hospitals, railway terminals and airports
Analysis Summary
Based on the information regarding the **Reaper** (also known as IoTroop) botnet, here is a summary of the tool and its associated techniques.
# Tool/Technique: Reaper (IoTroop)
## Overview
Reaper is a sophisticated IoT botnet that emerged as an evolution of the Mirai source code. Unlike its predecessor, which primarily relied on brute-forcing default credentials, Reaper integrates a set of active exploits to target vulnerabilities in various IoT devices, including routers, network cameras, and storage servers.
## Technical Details
- **Type:** Malware Family (Botnet / Worm)
- **Platform:** Linux (embedded IoT devices: MIPS, ARM, x86)
- **Capabilities:** Vulnerability exploitation, Lua-based scripting engine, C2 communication, DDoS potential.
- **First Seen:** September 2017
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0007 - Discovery**
  - T1046 - Network Service Scanning
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
  - T1573 - Encrypted Channel
## Functionality
### Core Capabilities
- **Active Scanning:** Automatically scans the internet for specific IoT device models.
- **Vulnerability Integration:** Uses a library of known exploits (e.g., D-Link, Netgear, Linksys, Vacron, GoAhead) rather than just password guessing.
- **Modular Design:** Uses a Lua-based execution environment, allowing the operators to update the bot's functionality and add new exploits on the fly.
### Advanced Features
- **Delayed Execution:** Built-in sleep functions and staggered scanning to avoid detection by traditional network-based IDS.
- **Automated Propagation:** Once a device is compromised, it can participate in the scanning process to find new victims.
## Indicators of Compromise
*Note: Indicators vary by variant. The following represent known samples from the initial campaign.*
- **File Hashes (SHA256):**
  - `728271e860172e616c3104332906e537e296998d8955fc186414fd7bf6e499d6`
  - `871a25bd82f802f06720fc699b6f52796dc64971489e8bad28784d6501f11270`
- **Network Indicators:**
  - hxxp[://]27[.]102[.]101[.]121/ (C2 Server)
  - hxxp[://]31[.]210[.]20[.]181/
  - DNS queries for: `e[.]dr0p[.]me`, `f[.]dr0p[.]me`
- **Behavioral Indicators:**
  - Outbound traffic on ports 80, 8080, and 81 targeting specific HTTP paths related to known IoT vulnerabilities (e.g., `/setup.cgi`, `/apply.cgi`).
## Associated Threat Actors
- **Unknown:** While the code reflects Mirai influence, no specific state-sponsored group has been definitively linked; it is often attributed to sophisticated cybercrime actors.
## Detection Methods
- **Signature-based detection:** Identifying Lua command strings and known exploit payloads in network traffic.
- **Behavioral detection:** Monitoring for unusual spikes in outbound connections on ports 80/443/8080 from IoT devices that would not normally initiate such connections.
- **YARA Rule Snippet:**

```yara
rule Reaper_Bot_Lua {
    strings:
        // "\x1bLua": the signature bytes at the start of a precompiled Lua chunk
        $lua_header = { 1B 4C 75 61 }
        $s1 = "run_exploit"
        $s2 = "bot_version"
    condition:
        all of them
}
```
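The behavioral indicators above (exploit-path probing on ports 80/81/8080, fan-out scanning, and contact with the listed C2 addresses and domains) can be turned into a small triage script for flow or proxy logs. The following Python is an added example written for this page, not code from the report or from any vendor tool. It assumes a hypothetical log line layout (`src= dst= dport= host= path=`), a hypothetical IoT VLAN of `10.50.0.0/24`, and an arbitrary fan-out threshold; the sample log lines are constructed, while the C2 IPs, domains and exploit paths are the ones listed in the Indicators of Compromise section.

```python
"""Flag IoT-segment hosts whose outbound HTTP traffic looks like Reaper-style
exploit probing, scan fan-out, or C2 contact. Added example; log format,
IoT segment and threshold are assumptions, sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Indicators from the report above (the page shows the IPs/domains defanged).
C2_IPS = {"27.102.101.121", "31.210.20.181"}
C2_DOMAINS = {"e.dr0p.me", "f.dr0p.me"}
EXPLOIT_PATHS = {"/setup.cgi", "/apply.cgi"}
PROBE_PORTS = {80, 81, 8080}

# Assumption: the IoT VLAN lives in this range (hypothetical).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# Assumption: this many distinct destinations on probe ports counts as scanning.
SCAN_THRESHOLD = 4

# Assumed log layout: "<ts> src=<ip> dst=<ip> dport=<n> [host=<name>] path=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
    r"(?:\s+host=(?P<host>\S+))?\s+path=(?P<path>\S+)$"
)

# Constructed sample log lines (one probing/beaconing device, one benign
# updater, one DNS-based C2 contact, one host outside the IoT segment).
SAMPLE_LOGS = [
    "2017-10-20T10:00:01Z src=10.50.0.12 dst=27.102.101.121 dport=80 path=/",
    "2017-10-20T10:00:05Z src=10.50.0.12 dst=203.0.113.7 dport=8080 path=/setup.cgi",
    "2017-10-20T10:00:06Z src=10.50.0.12 dst=203.0.113.8 dport=81 path=/apply.cgi",
    "2017-10-20T10:00:07Z src=10.50.0.12 dst=203.0.113.9 dport=80 path=/index.html",
    "2017-10-20T10:00:08Z src=10.50.0.12 dst=203.0.113.10 dport=80 path=/",
    "2017-10-20T10:01:00Z src=10.50.0.40 dst=198.51.100.5 dport=443 host=updates.example.net path=/firmware.bin",
    "2017-10-20T10:01:30Z src=10.50.0.41 dst=198.51.100.9 dport=80 host=f.dr0p.me path=/",
    "2017-10-20T10:02:00Z src=192.168.1.20 dst=203.0.113.7 dport=80 path=/setup.cgi",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Return the set of per-record reasons a line is suspicious (may be empty)."""
    reasons = set()
    if rec["dst"] in C2_IPS or (rec["host"] or "") in C2_DOMAINS:
        reasons.add("c2_contact")
    if rec["dport"] in PROBE_PORTS and rec["path"] in EXPLOIT_PATHS:
        reasons.add("exploit_probe")
    return reasons


def analyze(lines):
    """Aggregate findings per IoT-segment source IP, adding a scan-fan-out
    reason when one source hits many distinct destinations on probe ports."""
    findings = defaultdict(set)
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in IOT_SEGMENT:
            continue  # only outbound traffic from the IoT VLAN is in scope here
        findings[rec["src"]] |= classify(rec)
        if rec["dport"] in PROBE_PORTS:
            fanout[rec["src"]].add(rec["dst"])
    for src, dsts in fanout.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].add("scan_fanout")
    return {src: sorted(r) for src, r in findings.items() if r}


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOGS).items():
        print(f"{src}: {', '.join(reasons)}")
```

Each of the three reasons maps to a different indicator class on this page: `c2_contact` to the network indicators, `exploit_probe` to the behavioral indicators, and `scan_fanout` to the active-scanning behaviour that compromised devices take part in. The segment filter matters: the same exploit path seen from a workstation outside the IoT VLAN is a different investigation and is deliberately left out of this script's scope.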
## Mitigation Strategies
- **Patch Management:** Keeping IoT firmware updated is critical, as Reaper relies on publicly disclosed vulnerabilities.
- **Network Segmentation:** Place IoT devices (cameras, HVAC, industrial sensors) on isolated VLANs with no direct access to the public internet.
- **Disable Unnecessary Services:** Turn off UPnP and web management interfaces if they are not required for operation.
- **Default Port Blocking:** Restrict outbound traffic from IoT segments to only known-good management IPs.
## Related Tools/Techniques
- **Mirai:** The predecessor that provided the baseline code structure.
- **Persirai:** Another IoT botnet focusing on IP cameras.
- **Hajime:** A worm-based IoT botnet that also utilizes more advanced propagation techniques than Mirai.