The author of an IoT botnet is now distributing a backdoor script for ZTE routers that also includes his own backdoor to hack skids.
A weaponized IoT exploit script is being used by script kiddies as of late.
It’s making use of a vendor backdoor account to hack the ZTE routers. Ironically, this is not the only backdoor in the script. Scarface, the propagator of this code has also deployed his custom backdoor to hack any skid (script kiddie) who will be using the script.
With top names in IOT (Wicked/Paras/Nexus) being inactive, Scarface/Faraday is presently a go to name for script kiddies for buying IoT botnet code as well as weaponized exploits.
While Scarface mostly has good credibility, we observed that they released a weaponized ZTE ZXV10 H108L Router known vulnerability with a backdoor which compromises the system of the script kiddie when they run it.
The vulnerability is a known one and involves the usage of a backdoor account in ZTE Router for login followed a command injection in manager_dev_ping_t.gch. The code by Scarface targets devices on a different port, 8083 though. It is, however, not the only difference.
In the leaked code snippet, we see login_payload for the backdoor usage and command_payload for the command injection.
However, there is one more variable, auth_payload, which contains Scarface’s backdoor, encoded in base64.
This backdoor code is executed sneakily via exec, separately from the three steps of the actual vulnerability (using the vendor backdoor, command injection and log out) which are shown in the image below:
The backdoor code after decoding connects to another site which has code to connect to a paste(.)ee URL and execute further code:
We can see that a set of backdoor user credentials are added, followed by trace deletion by clearing logs and history.
Another URL is connected to via wget which doesn’t do much as it hosts a meme video (probably an indicator that by this time Scarface has pwned your device).