Hackers are leveraging Termite and EarthWorm, packet relay tools written by an employee of Beijing-based security research firm 360Netlab, to create a botnet of Internet of Things (IoT) devices, according to a report by AT&T Cybersecurity (formerly AlienVault).
Termite can function as a SOCKS proxy, as well as a simple backdoor for file transfer and executing shell commands. It runs on a wide variety of architectures, including x86, x86-64, ARM, MIPS(EL), SH-4, PowerPC, SPARC, and M68k, making it a particularly versatile tool for attackers to deploy on low-power IoT devices. Likewise, its small size (200-600 KB) makes it ideal for deployment on these devices, which often have meager internal storage.
Weaponization of these tools, which were intended as networking and penetration testing utilities, is a recent phenomenon. Kaspersky Lab noted briefly last year that EarthWorm, the predecessor to Termite, was used as part of an attack involving the theft of a driver signing certificate of a Chinese IT company.
In the sample found by AT&T Cybersecurity, EarthWorm was embedded in an image file in an Android app, which communicates with a server in Taiwan previously known to host Xsser malware. That server is associated with the cyber espionage group BlackTech, which has targeted organizations in East Asia since at least 2010.
BlackTech is known to extensively utilize vulnerabilities found by third parties, including those from the uncreatively-named Italian firm “Hacking Team,” which itself was hacked, leading to its toolkit being disseminated across the internet.
Similarly, a cyber espionage group identified as “Whitefly” by Symantec is responsible for the SingHealth attack that compromised the patient records of 1.5 million people in Singapore. ZDNet’s Eileen Yu reported that “Whitefly usually aimed to remain undetected, often for months, within a targeted network with the purpose of stealing large volumes of data. It would do so by deploying several tools, such as open source hacking tool Termite.”
This weaponization appears to have been unexpected in cybersecurity circles. Yu quotes Symantec researcher Dick O’Brien: “If they’re using previously unseen tools, any incursions may not be detected until those tools are identified and flagged.”