Malware /jffs/updater script.


These hackers are going to be hugely disappointed if they're trying to turn our routers into bitcoin miners. LOL :p
There are other crypto options to mine this way. Some of them may even be ridiculously profitable.
 
I would hope so... Because with a straight CPU like these, it might take about 43,092 years to mine a single coin. :p
 
It's definitely malware. I decompiled the binary "https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli" in this link. It's a crypto miner.

It still sucks that it was on there, but having that on there is way better than a lot of alternatives. Below is a bit of the content from one of the files in the malware.
OMG. :eek: It's not a crypto miner. Jesus... o_O
It's just the command line interface version of the 'IPRoyal Pawns app'. You don't know what pawns.app is, do you? The attacker is just using the
command line interface version of the 'IPRoyal Pawns app' for an illegal proxy service, for the money. Crypto miner? lol.
Go here and read. I already linked it in one of my posts. How many times do I have to talk about proxyjacking? If you don't know about this area, please just stay away.

I linked the evidence two times. Nobody understands the link, for sure. o_O OMG. I'll quit.
 
So... what you're telling me is.... ???

:p
 
As much as I would like to believe this is the case, that went out the window today as I turned on several workstations that haven't been used in months. I updated the virus security definitions and ran security scans. Not a trace of infection on any. Ran virus checks on mobile devices as well. No infections detected.

It is possible it could have been embedded infection that was "woke" by the firmware checks, but then most likely more people would be here reporting the issue as I suspect other people would have had infected batches of firmware.

If your virus scanner didn't catch it before, there is no reason to believe it will catch it now. You need to boot off a rescue disc with multiple engines and scan, and even then it is no guarantee. I cleaned one a while back that nothing would detect, had to look at running processes and task scheduler to track it down and remove it.
 
It's almost impossible to do here, because some users here always say it doesn't exist and can't happen. They don't even know about the exploit that got you compromised. They only know the definitions of malware and exploit from the internet.

As opposed to not knowing the definitions at all.....
 
Pretty fascinating that there still isn't an obvious entry point for this exploit. Swistheater seems to have the common entry points disabled.
 
My guess is either the previous VPN they were running or a machine on their network with something like Agent Tesla (screen capture, keylogger, remote control, etc.) on it, which in its modern variants is virtually immune to all malware scanning.
 
Well so far I am good. Nothing anomalous has taken place since I did the hard reset, I will just keep an eye out.
 
I don't think so. That code would only affect a terminal session. It hides the updater, updateservice and .profile output from ls, ps and cat.

If you still have a copy of the /jffs/asd.log file you might see something like this, if the malware even made it that far.
Code:
1685259650[remove_file]Delete harmful file,/tmp/updateservice
1685259650[blockfile] /tmp/updateservice is binary.


Looking at the nvram variables it modifies a bit closer, some of them were removed from asuswrt firmware versions after 380.x. So my guess is that this is a modified version of some old malware that's been repurposed to monetize the theft of your bandwidth.
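As an added example (not code from the thread or from asuswrt), a small POSIX sh helper that checks a saved profile file for ls/ps/cat wrappers of the kind described above, normalises asd.log lines in the format quoted, and lists a directory through `command ls` so a wrapped ls cannot filter it. The sample profile and log lines in demo() are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from asuswrt: defender-side checks
# for the two behaviours described above (a profile file that wraps ls/ps/cat
# to hide "updater"/"updateservice", and asd.log entries about /tmp/updateservice).
# POSIX sh. Paths are passed as arguments so the checks can run against copies
# taken off the router; the sample profile and log lines in demo() are constructed.

# Count alias or function redefinitions of ls, ps or cat in a profile file.
# A stock asuswrt profile has none, so any non-zero count deserves a look.
count_profile_wrappers() {
    n=$(grep -cE '^[[:space:]]*(alias[[:space:]]+(ls|ps|cat)=|(function[[:space:]]+)?(ls|ps|cat)[[:space:]]*\(\))' "$1" 2>/dev/null) || true
    echo "${n:-0}"    # empty when the file is unreadable
}

# Normalise asd.log lines of the form <epoch>[<action>]<message> into
# "<epoch> <action> <message>"; lines that do not fit the pattern are dropped.
asd_events() {
    sed -nE 's/^([0-9]+)\[([A-Za-z_]+)\] ?(.*)$/\1 \2 \3/p' "$1"
}

# Count asd events naming the files the thread ties to this infection.
count_updater_events() {
    asd_events "$1" | grep -cE 'updater|updateservice' || true
}

# `command` bypasses shell functions and aliases, so a wrapped ls that filters
# its own output cannot hide entries from this listing.
raw_ls() {
    command ls -A "$@"
}

# Demo on constructed data; nothing here touches the real /jffs.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "alias ls='ls | grep -v updater'" \
        'ps() { command ps "$@" | grep -v updateservice; }' > "$d/profile"
    printf '%s\n' '1685259650[remove_file]Delete harmful file,/tmp/updateservice' \
        '1685259650[blockfile] /tmp/updateservice is binary.' \
        '1685259700[info]nothing of interest' > "$d/asd.log"
    echo "wrapped commands in profile: $(count_profile_wrappers "$d/profile")"   # 2
    echo "asd events naming updater/updateservice: $(count_updater_events "$d/asd.log")"   # 2
    asd_events "$d/asd.log"
    rm -rf "$d"
}
demo
```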
Here is the asd.log from jffs, and yes, the asd.log was one of the things I copied. It looks like gibberish to me.
 

Attachments

  • asd.txt (82.6 KB)
  • asd2.txt (100 KB)
Ah, OK. Looks like with asd 2.0 the contents of that file are now encrypted. Thanks Asus :rolleyes:.
Hey if you know how to decrypt, (or if @RMerlin knows cough, cough....) feel free to take a stab at it.
 
Do you think it may be related to the wrong ASD update?
Perhaps at this juncture it gave some attacker the opportunity to exploit an unwanted opening?
Or am I just saying something stupid... 🤪
 
@ColinTaylor

Would it be safe to block these on the firewall?

Code:
download.iproyal.com
proton.me

they are in the malware script above.

IPRoyal is a third-party proxy service. The service itself does not do bad things; it is just a tool. But if someone is using this service on your network without your knowledge, they can transmit data over your Internet connection, use your network as a proxy for hackers, use your network to attack other websites, etc.

In this case: the download.iproyal.com does nothing bad, it just downloads prebuilt binaries suitable for arm from this 3rd party platform.

proton.me is a widely used anonymous mailbox, and webupdate@proton.me is the login account of this malware author at IPRoyal.
My suggestion is to contact IPRoyal and tell them that someone is abusing their service.

Email them at hello@pawns.app. In addition, IPRoyal has now been renamed Pawns.app.

Read more about how to use IPRoyal here: https://peppe8o.com/pawns-raspberry-pi-passive-income/
 
OMG. :eek: It's not a crypto miner. Jesus... o_O
It's just the command line interface version of the 'IPRoyal Pawns app'. You don't know what pawns.app is, do you? The attacker is just using the
command line interface version of the 'IPRoyal Pawns app' for an illegal proxy service, for the money. Crypto miner? lol.
Go here and read. I already linked it in one of my posts. How many times do I have to talk about proxyjacking? If you don't know about this area, please just stay away.

I linked the evidence two times. Nobody understands the link, for sure. o_O OMG. I'll quit.
basically correct.

IPRoyal (pawns.app) is a company based in the UAE that provides a global shared network. Its products aim to build a global sharing network: users join the sharing network, share their idle bandwidth, and then earn income, while IPRoyal makes money by selling this bandwidth to third parties.

At least they promise not to use the bandwidth for illegal purposes, but I can't verify this. According to their website, most of the traffic is sold to small CDN companies.

It's also worth mentioning that IPRoyal requires their clients to verify their real identities, which means it's possible that the authors of this malware provided their identities, or fake ones.

Assuming IPRoyal's traffic isn't doing bad things, I think these hackers are stupid: they found a bug that could run any program on the router, but they chose this platform and only earn $3 per month. They could have sold the infected routers to more professional hacker networks or on the black market for more money.

For most people, I think the most important thing is to find the loophole the hackers used to get in.

Because IPRoyal is legitimate software, it won't install itself on your router, and if a hacker can run a legitimate tool, they can run any software they want.

And the OP said they didn't have any external services turned on (SSH/web access/OpenVPN server), which makes investigating this case even trickier, because it shows that there is already a very obvious vulnerability in the firmware that can be exploited by such a rudimentary hacker.

I suggest the OP (@Swistheater) provide a list of installed 3rd party scripts for investigation and provide more information about the devices on their network (phone/computer/system version/antimalware version).

Lastly, the OP doesn't seem to be telling us in this thread what firmware version they are using.
 