Hello, welcome to the Thursday, September 17th, 2020 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

This week we actually came across a somewhat different sample of Mariah. I forgot where we actually got it from, I think was one

of our honeypots or a reader I think may have sent it from a honeypot. But essentially at first,

it looks like any other Marai sample scans very aggressively for 423 telnet and then tries the standard brute forcing that Mirai is kind of

known for.

What surprised me was that it included a string in the binary that pointed to Amanda backup.

Amanda short for the Advanced Maryland Automatic Network Disc Archiver, is a fairly popular

multi-platform backup open source product, usually seen more in the Unix world than the Windows

world, but there is a Windows client available.

And while it has been around for a while.

Actually, at first I thought the string referred Manda 2.3.

That version was released, I believe, in 1998.

But this is sort of a very generic string that's really just checking what version the Amanda

Klein is running that the scanner would connect to.

Now this looks still like it's sort of work in progress for this particular Mariah variant.

I haven't been able to trigger this particular

activity. And now what's also a little bit different from the classic Mirai is there is a little

command control channel going on here. Didn't receive any meaningful content while I was

running it in my lab, but potentially this could be remote-activated,

have to take a closer look at the binary. Backup software, of course, is a gold mine for an attacker

and, well, weak passwords. If they work against Telnet, why not try them out against the backup system as well?

...