Malware /jffs/updater script.

[ColinTaylor]

IProyal is a third-party proxy service, the service itself does not do bad things, it is just a tool, but if someone using this service on your network without your knowledge can transmit data over your Internet, use your network as a proxy for hackers, use your network to attack other websites, etc.

In this case: the download.iproyal.com does nothing bad, it just downloads prebuilt binaries suitable for arm from this 3rd party platform.

proton.me is a widely used anonymous mailbox. And webupdate@proton.me is the login account of this malware author in IPRoyal
My suggestion is to contact IPRoyal and tell them that someone is abusing their service.

In addition, IPRoyal is currently renamed as Pawns.app.

Read more about how to use IPRoyal here: https://peppe8o.com/pawns-raspberry-pi-passive-income/

We've said all that earlier in this thread.

 

[Yota]

We've said all that earlier in this thread.

Sorry, I started reading from #1. I hadn't seen the later post when replying.

 

[Yota]

There are a lot of unknown vulnerabilities like Zero-Day attack.

This is not Malware but Exploit. Exploit can bypass any security stuff if the device has Vulnerability.

Evidence of the fact that this vulnerability is being exploited by a very rudimentary hacker (running a legitimate software that earns less than $3 a month) suggests that this vulnerability has been widely exploited.
And the point is that we don't know what this vulnerability is, but we are discussing whether IPRoyal is malware.

I feel like most of the people in this thread don't realize the threat.

IMHO, resetting the router is bad advice, especially without professional investigation, which makes ignorant people even more ignorant.

 

[ATLga]

Evidence of the fact that this vulnerability is being exploited by a very rudimentary hacker (running a legitimate software that earns less than $3 a month) suggests that this vulnerability has been widely exploited.
And the point is that we don't know what this vulnerability is, but we are discussing whether IPRoyal is malware.

I feel like most of the people in this thread don't realize the threat.

IMHO, resetting the router is bad advice, especially without professional investigation, which makes ignorant people even more ignorant.

I had the same thought yesterday. You know what they say about hindsight. When this first happened the first thought was to nuke it and get if off and usually the best advice is to do that. Looking back, if the OP could have taken the router out of service and swapped in another router to use, then a proper post mortem could have been done on the offending device since this is such a strange issue. There are still a lot of unknowns here that I'm not sure will be figured out unless it crops up again on someone else's device. I would notify the company you've mentioned in addition to Trend Micro (aiProtect was on and didn't catch it) and maybe Asus too. Definitely something going on.

 

[Yota]

What we should do is look for possible clues on the restored router.

Including asking the OP to tell us what features were enabled, what third-party scripts were used.

The OP is also required to assist in troubleshooting potential internal network threats.

But all this will be very difficult.

Hopefully next time something like this happens, instead of asking people to just reset their routers, we provide a real solution (dumping the router image via the dd command and backup nvram+jffs). Because most of the furniture on this forum will only let people reset to factory settings when they encounter problems, and then help troubleshoot when they encounter problems for the second time.

 

[ATLga]

What we should do is look for possible clues on the restored router.

Including asking the OP to tell us what features were enabled, what third-party scripts were used.

The OP is also required to assist in troubleshooting potential internal network threats.

But all this will be very difficult.

Hopefully next time something like this happens, instead of asking people to just reset their routers, we provide a real solution (dumping the router image via the dd command and backup nvram+jffs). Because most of the furniture on this forum will only let people reset to factory settings when they encounter problems, and then help troubleshoot when they encounter problems for the second time.

Most of these things were answered starting on page 2 of the thread starting with post #34

 

[Yota]

Most of these things were answered starting on page 2 of the thread starting with post #34

Thanks, I missed so much lol.

There are multiple routers in the OP's signature, and I don't know which router the OP originally discovered it on, since those are different platforms.

 

[ColinTaylor]

IMHO, resetting the router is bad advice, especially without professional investigation, which makes ignorant people even more ignorant.

I have a feeling that Asus knows exactly what the exploit being used is, but they're certainly not going to publicly disclose it. In the meantime asd is doing it's job to neuter the malware.

 

[Yota]

I've pushed v7.4.2 for Skynet which should detect and remove this malware (or cripple it at least).

I think you're doing something wrong, the malicious script has an explicit kill switch.

if ls /jffs/p32
then
    exit
fi

You should not delete the /jffs/p32 directory in skeynet, because the malicious script will run when the /jffs/p32 directory does not exist. Instead for protection, you should create the /jffs/p32 directory on the router until we find the vulnerability and patch it.

 

[Yota]

I have a feeling that Asus knows exactly what the exploit being used is, but they're certainly not going to publicly disclose it. In the meantime asd is doing it's job to neuter the malware.

I don't want to speculate on unverified things because that's a waste of time.

The known thing is, we don't know who our adversary is, maybe you can email the malware author and ask them, who are you.

their email is there webupdate@proton.me.

 

[ColinTaylor]

I don't want to speculate on unverified things because that's a waste of time.

The known thing is, we don't know who our adversary is, maybe you can email the malware author and ask them, who are you.

their email is there webupdate@proton.me.

I know what their email address is, and I know who they are.... they're "a bad person". Knowing that doesn't really help us. Maybe I should ask them to explain what vulnerability they're using.

 

[heysoundude]

I think you're doing something wrong, the malicious script has an explicit kill switch.

if ls /jffs/p32
then
    exit
fi

You should not delete the /jffs/p32 directory in skeynet, because the malicious script will run when the /jffs/p32 directory does not exist. Instead for protection, you should create the /jffs/p32 directory on the router until we find the vulnerability and patch it.

once /jffs/p32 is created, reboot the router?

 

[Yota]

I know what their email address is, and I know who they are.... they're "a bad person". Knowing that doesn't really help us. Maybe I should ask them to explain what vulnerability they're using.

Of course not, I mean guessing is as waste of time as emailing hackers.

once /jffs/p32 is created, reboot the router?

Things you need to know:

1) This kill switch will not protect routers that are not infected, they will still be infected until the vulnerability is discovered and patched, Skynet cannot provide this protection either.

2) This kill switch does ensure that routers that already have this malicious script don't run it.

3) Since the kill switch comes from the malware developer, this kill switch is not for ordinary people to turn off the malware, but to let the behavior of the malware be completely controlled by the malware developer, including turning off the malware when necessary, so this means that malware developers can easily modify the condition of the kill switch to make it invalid, or even not provide a kill switch in future variants.

4) The malicious script provided by the OP is just the tip of the malware iceberg as all it does is create an openvpn server accessible from the outside and use a 3rd party platform to make the router act as a proxy without even explaining what it does next. So this kill switch is only for the malicious script provided by the OP, if there are other malware out there, I don't know if they have a kill switch and share the same kill logic as this script.

5) Everyone in this thread should focus more on finding the vulnerability itself, because everything, including the mitigations provided by skynet, can be easily bypassed, skynet just deletes those known filenames, and malware authors can modify filenames at any time to bypass skynet matching.

 

[follower]

Evidence of the fact that this vulnerability is being exploited by a very rudimentary hacker (running a legitimate software that earns less than $3 a month) suggests that this vulnerability has been widely exploited.
And the point is that we don't know what this vulnerability is, but we are discussing whether IPRoyal is malware.

I feel like most of the people in this thread don't realize the threat.

IMHO, resetting the router is bad advice, especially without professional investigation, which makes ignorant people even more ignorant.

This exploit is well known for a long time. The base code is same. This exploit has been using for crypto mining, proxy, paid manipulating HW ID something like that.

 

[follower]

basically correct.

IPRoyal (pawns.app) is a company based in the UAE that provides a global shared network. Its products aim to build a global sharing network, users join the sharing network, share their idle bandwidth, and then earn income, while IPRoyal makes money by selling these bandwidths to third parties

At least they promise not to use the bandwidth for illegal purposes, but I can't verify this. But according to their website, most of the traffic is sold to small CDN companies

It's also worth mentioning that IPRoyal requires their clients to verify their real identities, which means it's possible that the authors of this malware provided their identities, or fake ones.

Assuming IPRoyal's traffic isn't doing bad things, I think hackers are stupid, they found a bug that could run any program for the router, but they chose this platform and only earn $3 per month, they could have sold the infected routers to more professional hacker networks or the black market for more money.

For most people, I think the most important thing is to find the loopholes for hackers to enter.

Because IPRoyal is legitimate software, it won't automatically install to your router, and if a hacker can run a legitimate tool, they can run any software they want.

And the OP said they didn't have any external services turned on (SSH/web access/openvpn server) which makes investigating this case even more tricky because it shows that there is already a very obvious vulnerability in the firmware and can be exploited by such a rudimentary hacker.

I suggest the OP (@Swistheater ) provide a list of installed 3rd party scripts for investigation and provide more information about the devices on their network (phone/computer/system version/antimalware version).

Lastly, the OP doesn't seem to be telling us in this thread what firmware version they are using.

There are a lot of injected files and scripts have been removed already by an attacker. Yes, he removed the trace. Nobody can investigate unless Forensic his HW in the real life.

 

[follower]

This thread should be closed. It's meaningless.

 

[heysoundude]

Of course not, I mean guessing is as waste of time as emailing hackers.

Things you need to know:

1) This kill switch will not protect routers that are not infected, they will still be infected until the vulnerability is discovered and patched, Skynet cannot provide this protection either.

2) This kill switch does ensure that routers that already have this malicious script don't run it.

3) Since the kill switch comes from the malware developer, this kill switch is not for ordinary people to turn off the malware, but to let the behavior of the malware be completely controlled by the malware developer, including turning off the malware when necessary, so this means that malware developers can easily modify the condition of the kill switch to make it invalid, or even not provide a kill switch in future variants.

4) The malicious script provided by the OP is just the tip of the malware iceberg as all it does is create an openvpn server accessible from the outside and use a 3rd party platform to make the router act as a proxy without even explaining what it does next. So this kill switch is only for the malicious script provided by the OP, if there are other malware out there, I don't know if they have a kill switch and share the same kill logic as this script.

5) Everyone in this thread should focus more on finding the vulnerability itself, because everything, including the mitigations provided by skynet, can be easily bypassed, skynet just deletes those known filenames, and malware authors can modify filenames at any time to bypass skynet matching.

<facepalm> you didn't answer my question, @Yota - mkdir and then reboot or not necessary?
but yes, you're absolutely correct: the vulnerability needs finding and patching. I also suspect you're one of few here who has the knowledge and skills to make headway on that, should you be so inclined.

 

[Yota]

I also suspect you're one of few here who has the knowledge and skills to make headway on that, should you be so inclined.

No, I'm not a professional developer, and while my colleagues do do software development, it's not my job. I just did a 5 minute google about IPRoyal and then read the code. then spend another 30 minutes reading the replies to this thread.

mkdir and then reboot or not necessary?

Yes, I recommend creating that directory until asus updates their GPL, as that's the only effective countermeasure against the malicious script presented in this thread, but the author can change the script behavior at any time, if they can update it.

 

[Rob Q]

Sorry for the dumb question but how would I know if I have this malware? I'm using AiProtect and Diversion. Am I affected?

 

[Viktor Jaep]

Sorry for the dumb question but how would I know if I have this malware? I'm using AiProtect and Diversion. Am I affected?
View attachment 50502

You would have possibly seen a file called "updater" under your /jffs folder... looks like you're clean.