The majority of the following essay was written in early 2020, while the vendor was attempting to recover a significant number of infected devices. We discussed our results with the vendor, as well as CNCERT, and opted not to publish the blog while the vendor’s efforts were ongoing. CNCERT eventually revealed this botnet last week, and we’ve discovered that the infected devices have been “largely” dealt with, so here we are.
Pink is used in architecture.
Pink is a botnet with a hybrid architecture that employs both “P2P” and “C2” to connect with its bots. P2P is used to provide less time-sensitive commands (such as management configuration information), while C2s is used to distribute more time-sensitive commands (e.g. launching ddos attacks, inserting advertisements into HTTP websites visited by users).
Information about the configuration
Finding the controller is an important step for any Bot. The “configuration” contains the controller information, and the following is the most recent configuration we intercepted.
The verify column contains the timestamp of when the command was issued, and the Bot will use this to retrieve the most recent valid commands.
The botnet’s newest C2 address is specified in the cncip and cncport fields, and the attacker can change this control address at any moment.
The following “dlc/dl” and “dlc1/dl1” field groups are the most recent Bot update addresses, where dlc and dl1 are the content Hash check fields, and the algorithm pseudo-code is MD5(MD5( dlist content)+SHA256(dlist content)).
The secure DNS server IP is specified in the “sd0/sdp0” parameter. When a DNS resolution record has to be searched, each Bot will use DNS-Over-HTTPS to check the DNS service given below.
The srvk field contains the server’s public key content (base64 encoding). The communication between each bot and CNC is encrypted. Before the actual communication, a unique private key must be obtained through ECDH key negotiation. By the way, specifying the public key on the CNC side here also completes the Bot’s identification verification to the CNC. This is a development of the original ECDH protocol.
The pxy parameter is most likely a proxy usage option. There is no evidence that it has been employed, and the logic is unclear.
Configuration information security
After reading the previous part, it should be clear that the “configuration information” is actually the botnet’s core, ensuring the attacker’s complete control.
The configuration is encrypted to prevent outsiders from discovering the configuration information. The decryption algorithm is symmetric
To ensure that no one can tamper with the message, the bot master additionally used ecdsa to sign the configuration information, with the following signature details.
Mbedtls is the cryptographic library used for signature verification.
ECDSA is the signature algorithm.
MBEDTLS ECP DP SECP192R1 is the signature curve utilised.
04 8D 54 71 71 44 A0 61 DA 5A B4 EA 40 55 2F 21 B1 9B 6C A5 17 92 0F 10 B5 11 56 ED 14 DB 54 47 1A 94 48 06 06 06 3C 7A B4 3B 25 D1 AC 9F 85 AF 33 9E 04 8D 54 71 71 44 A0 61 DA 5A B4 EA 40 55 2F 21 B1 9B 6C A
Dissemination of Configuration Data
The bot master employs multiple methods to share the configuration information in order to assure its availability, in addition to ensuring its confidentiality and integrity.
a) Use of third-party services to distribute configuration data
- BTC+GITHUB distribution of setup information
The heart of this distribution channel is a project hidden on GITHUB, the most recent of which is (mypolo111/vfg), which contains two lines in the README.
- Configuration information is distributed via a Chinese website.
The bot master also released configuration information via a Chinese website in a few samples, following a similar logic to GITHUB distribution.
b) P2P configuration information distribution
There are two ways that can be used here:
Distribution of P2P-over-UDP123
When the bot starts using this technique, it will listen to the UDP-123 port, which is the default port for the NTP service. Doing so may fool some users into thinking this is just a regular NTP service with nothing to look at. Then it will send four B-segment addresses on the public network a Peer probing request.
If the destination is a true NTP server, it will answer with NTP time, but if it is a bot node, there are two possible responses.
The target Bot will react with 1D 00 00 00 if it does not have the c2 information.
When the target Bot has already received the C2 information, it replies with the C2 information’s signature and the appropriate cypher text, and 0xE3 is added to the message header before sending.
c) Transmission of configuration data through C2
In some of the instances, the attacker has included the domain name cnc.pinklander.com. When you enable the domain name, a web page with the same content as the GITHUB project appears. It also contains the base64-encoded configuration data.
Command Format for PinkBot
Each command is at least 7 bytes long and has the following meaning:
The server specifies the value of this field, which is 4 bytes long and will be used forever after it is specified. When the server accepts it, the Bot will be given a Token value, indicating that it was successful.
Bot should return the execution result with the same command code when C2 sends out the command in the command field, which is 1 byte long.
The content length field is 2 bytes long. It is set to zero if the instruction has no specified content; otherwise, it is filled with the number of bytes of content length and appended with the cypher content.
Instruction. This field is populated with the cipher’s instruction content when the instruction has content.
a) Encryption of instruction transmissions
The attacker’s actual C2 nodes are cncip1 and cncport1 in the given configuration information. The following are the communication information.
The cryptographic library used is mbedtls; the key exchange algorithm is ecdh, and the loading curve is MBEDTLS ECP DP CURVE25519; and the key exchange algorithm is ecdh.
In the early stages of development, the server-side ECDH public key is hard-coded in the samples, but it is later changed to be supplied in the configuration information. The content, on the other hand, has not changed: 14 90 33 DF B5 E2 2A 09 D3 2E D5 69 9A 18 F1 65 C6 AF 4C 95 14 E6 BE 17 37 75 A5 E6 78 53 A6 0D 14 90 33 DF B5 E2 2A 09 D3 2E D5 69 9A 18 F1 65 C6 AF 4C 95 14 E6 BE 17 37 75 A5 E6 78 53 A6 0D
The AES algorithm is used in the message encryption/decryption phase, the key is the secret after key exchange, and the loading parameters are MBEDTLS AES ENCRYPT and MBEDTLS AES DECRYPT; for ECDH, both parties’ public and private keys are normally regenerated every time. Only the Bot side must be distinct each time in Pink, whereas the server side specifies a fixed pair of public-private keys. This built-in server-side public key is akin to allowing the Bot to authenticate the CNC, effectively preventing man-in-the-middle attacks.
a) Content of Instructions
The transmitted content is transformed by the open source library nanopb, which can abstract the serialisation and deserialization process by agreeing on a template, thereby ignoring the interference of big/little endian memory, in order to adapt to the different distribution of byte sequences in mipsb/mipsl models at the same time.
The guidelines
The Pink instruction comes with a lot of options.
Download the file
Execution of system commands
DDoS (denial-of-service) attacks (HTTP attacks and UDP attacks)
Examine (the specifics of the scan can be set by the command)
Device information (CPU / system type / memory information / system version / hardware information) should be reported.
Update yourself (save the updated version to /tmp/client and then execute)
Synchronization of P2P node lists (push a set of P2P nodes directly to the Bot)
Injection of HTTP messages (on the victim device, advertising js scripts will be injected when traffic type is http)
Proxy service for Sock5 (set up Socks5 proxy service on Bot side, account password set by command)
Download and run the file.
Put an end to the assault.
Restart the watchdog
PinkBot’s strategy of persistence
Pink, unlike other botnets we’ve seen, would flash the fibre router’s original firmware after infecting it in order to keep complete control. PinkBot’s downloader c2 and the supporting bootloader are included in the rebuilt firmware.