How a Simple POST Request Leads to Persistent Whisper Botnet Access
Executive Summary
Between June 21st and 23rd, malicious activity originating from IP address 31.170.22[.]205, registered in Latvia, was detected targeting a vulnerable CGI interface on an IoT device. The attacker attempted to exploit this interface through a crafted HTTP POST request to Factory.cgi, aiming to execute a remote code execution (RCE) payload. The malicious binary whisper.armv5, retrieved during the attack, is part of a broader botnet infrastructure communicating with a command-and-control (C2) server.
The analysis revealed the use of various shell scripts and binaries tailored for multiple architectures, indicating a systematic and automated infection strategy. Passive and active intelligence confirmed the reputation of the attacker’s infrastructure, with over 1000 abuse reports and signatures flagged by VirusTotal. Deeper static analysis showed how the malware gathers system details and maintains persistent contact with the C2 server.
Key Findings
- Malicious IP (31.170.22.205) hosted in Latvia is part of a known malicious infrastructure with over 1000 abuse reports.
- RCE Exploit was delivered via a crafted POST request targeting vulnerable CGI scripts on an IP camera.
- Payload (whisper.armv5) establishes outbound communication to a C2 server and exfiltrates system data.
- FTP server at the attacker’s host allows anonymous login and serves binaries and shell scripts for various architectures.
- Scripts (e.g., dl1, dl200, dl203) automate malware installation using tools like wget, curl, and ftpget.
- Binaries compiled with GCC show classic C code behavior, including socket operations and HTTP beaconing.
Background and Threat Landscape
Internet-connected devices are often vulnerable due to exposed CGI endpoints and lack of proper patch management. These endpoints serve as attractive RCE vectors for attackers deploying botnet malware. The analyzed activity falls in line with this trend, using common infection vectors and remote code execution techniques to deploy and manage malware.
Technical Analysis
Indicators of Compromise (IoCs)
| Type | Value |
|---|---|
| IP Address | 31.170.22[.]205 |
| Malware file | whisper.x64.elf |
| File Size | 87,824 bytes |
| MD5 | b1643c79e90046208e764caefcfce01b |
| SHA256 | 11742623bba0e1ca221814a36cd8239be94898c59fcc61c1328a6230a9981219 |
Alert Breakdown: Exploiting CVE-2024-7029 for Remote Code Execution
The attacker attempted to exploit a known vulnerability in the CGI interface of an IoT device, specifically CVE-2024-7029, a command injection flaw in the Factory.cgi endpoint commonly found in embedded devices. This CVE allows unauthenticated remote attackers to execute arbitrary commands with elevated privileges.
Captured request:

Passive Analysis
AbuseIPDB
The IP address 31.170.22[.]205 has been flagged over 1,000 times in AbuseIPDB, indicating a long-standing association with malicious behavior. According to user-submitted reports, this address has been involved in activities such as:
- Brute-force attempts
- Malware hosting
- Suspicious scans and remote access probes
The geolocation data confirms the server is hosted in Latvia, consistent with the origin observed in the live alerts.
Figure: 31.170.22.205 (AbuseIPDB)
VirusTotal
VirusTotal analysis corroborates the malicious nature of this IP. In the Relations tab, multiple binaries (including whisper.armv5) are shown to either communicate with or be downloaded from this server. Furthermore:
- File detections: Associated binaries are flagged by several AV engines as trojans or botnet droppers.
- Network indicators: The IP is involved in outbound HTTP connections to paths such as /ping.php and /add.php.
- Historical context: Files tied to the IP appear in previously known campaigns, reinforcing its role in a broader botnet infrastructure.
Figure: 31.170.22.205 showing connection to whisper malware
Malware Distribution via Public FTP
During the course of the investigation, a publicly accessible FTP directory was discovered on the same IP address observed in the attack telemetry. The contents of the directory indicate a well-prepared infrastructure designed for multi-architecture malware distribution.
The FTP server hosts several shell scripts, each accompanied by corresponding binary files for different CPU architectures. These components are responsible for downloading, setting execution permissions, and launching malware on compromised devices, a common tactic in botnet propagation campaigns.
A key indicator of the campaign’s scope is the number of binaries prepared for different CPU architectures. The FTP server hosted multiple versions of the whisper malware, compiled for a wide range of devices including embedded, IoT, and legacy platforms. This diversity supports the malware’s deployment across heterogeneous environments.
| Architecture | File |
|---|---|
| ARM v4 | whisper.armv4 |
| ARM v5 | whisper.armv5 |
| ARM v6 | whisper.armv6 |
| ARM v7 | whisper.armv7 |
| AArch64 | whisper.aarch64 |
| AArch64 (BE) | whisper.aarch64be |
| MIPS | whisper.mips |
| MIPS LE | whisper.mipsle |
| MIPS64 | whisper.mips64 |
| MIPS64LE | whisper.mips64le |
| MIPS64 n32 | whisper.mips64n32 |
| MIPS64LE n32 | whisper.mips64len32 |
| x86 (i686) | whisper.i686 |
| x86_64 | whisper.x64 |
| RISC-V 32 | whisper.riscv32 |
| RISC-V 64 | whisper.riscv64 |
| PowerPC 440FP | whisper.powerpc440fp |
| PowerPC64 e5500 | whisper.powerpc64e5500 |
| PowerPC64 e6500 | whisper.powerpc64e6500 |
| PowerPC64 power8 | whisper.powerpc64power8 |
| PowerPC64LE power8 | whisper.powerpc64lepower8 |
| PowerPC e300c3 | whisper.powerpce300c3 |
| PowerPC e500mc | whisper.powerpce500mc |
| SPARC | whisper.sparc |
| SPARC64 | whisper.sparc64 |
| ARC LE750D | whisper.arcle750d |
| ARC LEHS38 | whisper.arclehs38 |
| M68k | whisper.m68k |
| SH4 | whisper.sh4 |
Shell Script Analysis
Multiple shell scripts were identified as part of the malware distribution pipeline, each designed to automate the retrieval and execution of malicious binaries for various system architectures. The scripts were named using a numerical scheme (dl1, dl15, dl200, dl202, dl203), and although structurally similar, they differ in download methods and arguments passed to the binary.
Common Characteristics
- All scripts operate in the /tmp directory — a common tactic to evade write restrictions on embedded systems.
- They attempt to fetch the whisper.armv5 binary using multiple utilities to ensure compatibility: wget, curl, ftpget, busybox ftp.
- After download, the binary is made executable via chmod 777 and launched with a numeric argument (e.g., ./whisper.armv5 15).
Variant Differences
| Script Name | Download Method | Binary Argument | Notable Behavior |
|---|---|---|---|
| dl1, dl15, dl200 | wget, curl, busybox, ftpget | 1, 15, 200 | Classic downloader, multi-tool fallback |
| dl202 | scripted busybox FTP | 202 | Uses custom download() wrapper |
| dl203 | minimal setup | 203 | Stripped-down variant, no cleanup |
These variations indicate a modular deployment strategy, where the numeric argument likely configures behavior on the infected host — possibly to identify distribution channels, perform A/B testing, or encode infection wave identifiers.
Binary Analysis
The core payload is a 64-bit ELF binary compiled for Linux systems. Static and behavioral analysis reveals a compact yet capable bot component designed to communicate with a hardcoded command-and-control (C2) server and send system information upon execution.
Strings & Indicators
A string dump of the binary reveals:
- Hardcoded IP address: 31.170.22[.]205
- URLs: /ping.php, /add.php
- Network and socket-related error messages from the standard C library
- Evidence of GCC compilation (__libc_start_main, GLIBC_2.2.5)
These artifacts point to a lightweight backdoor written in C, likely serving as an implant within a larger botnet.
Reverse Engineering
The start function acts as the entry point and calls the main logic without returning, suggesting either an infinite loop or a one-shot execution model. sub_401020 handles command-line argument parsing; this argument (e.g., 200, 15, 1) aligns with the values passed from the shell scripts.
Further inspection of sub_401020 shows that the program first checks whether an argument has been passed. This argument is then processed by sub_4018A3, a function equivalent to scanf(), which parses the value into an unsigned integer for further use.
The core of the program resides in sub_401456, which executes exactly 576 times. At the beginning of this function, sub_403643 is called to create a TCP socket for IPv4 addresses. If the socket creation fails, the function returns -1.
After successful socket creation, parameters for the server address are initialized using values v13[1] and v13[0]. When the value 1342177282 is converted into hexadecimal format, it results in 0x50000002, which combines:
- 0x5000: representing port 80
- 0x0002: the AF_INET flag, indicating IPv4 socket use
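To check that byte-level claim, here is an added decoder (example code, not from the original write-up or the binary): it takes the immediate 1342177282 plus a sin_addr word constructed from the page's C2 address and recovers family, port and IP. The reason 0x5000 reads as port 80 is that sin_port is stored big-endian (bytes 00 50) inside a little-endian host word, so the same word decoded with the wrong endianness yields a meaningless pair.

```python
import socket
import struct

# Immediate quoted in the write-up: the 32-bit word the binary stores over the
# sin_family and sin_port fields of its struct sockaddr_in.
FAMILY_PORT_WORD = 1342177282  # 0x50000002

# Constructed for this example, not an immediate read from the binary: the word that
# sin_addr for the page's C2 address would hold on a little-endian host.
ADDR_WORD_CONSTRUCTED = int.from_bytes(socket.inet_aton("31.170.22.205"), "little")


def decode_sockaddr_in_words(family_port_word, addr_word, little_endian=True):
    """Decode the two words a compiler emits when filling a struct sockaddr_in.

    Linux layout: sin_family (2 bytes, host order), sin_port (2 bytes, network order),
    sin_addr (4 bytes, network order). Returns (family_name, port, dotted_ip).
    """
    order = "little" if little_endian else "big"
    raw = family_port_word.to_bytes(4, order)            # bytes as they land in memory
    family = int.from_bytes(raw[0:2], order)             # sin_family: host byte order
    port = struct.unpack("!H", raw[2:4])[0]              # sin_port: always big-endian
    ip = socket.inet_ntoa(addr_word.to_bytes(4, order))  # sin_addr: already network order
    name = "AF_INET" if family == int(socket.AF_INET) else f"family={family}"
    return name, port, ip


def encode_family_port(family, port, little_endian=True):
    """Inverse direction: the immediate a compiler would emit for (family, port)."""
    order = "little" if little_endian else "big"
    raw = family.to_bytes(2, order) + struct.pack("!H", port)
    return int.from_bytes(raw, order)
```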
Following this, an HTTP request is generated with the following parameters:
- v: a fixed value (likely a version or request type)
- a: system architecture
- e: the input argument (e.g., 200, 1, 15, 202, 203)
- c: the current iteration number (from 1 to 576)
This request is sent using function sub_401288, and a response is received through sub_4012CE.
After the completion of sub_401456 — which is presumed to be responsible for sending data to the C2 server and receiving commands — the program pauses for 300 milliseconds before the next iteration.
Once all 576 iterations are completed, the socket is closed and the program terminates.
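Turning the beacon behaviour described above into detection logic, as an added example that is not part of the original report: it parses constructed proxy-style log lines (the timestamp, source, destination, method and URL fields are assumed) and flags source/destination pairs whose /ping.php or /add.php requests carry the v, a, e and c parameters with a counter that increments by exactly one and an inter-request gap near 300 ms.

```python
import re
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-style log lines for this example (not from the original report): one
# host beaconing with the parameter set the analysis describes, plus a request to /ping.php
# without those parameters that must not be flagged.
SAMPLE_LOG = """\
2024-06-22T10:00:00.000 192.0.2.10 31.170.22.205 GET /ping.php?v=1&a=armv5&e=15&c=1
2024-06-22T10:00:00.310 192.0.2.10 31.170.22.205 GET /ping.php?v=1&a=armv5&e=15&c=2
2024-06-22T10:00:00.600 192.0.2.10 31.170.22.205 GET /ping.php?v=1&a=armv5&e=15&c=3
2024-06-22T10:00:00.905 192.0.2.10 31.170.22.205 GET /ping.php?v=1&a=armv5&e=15&c=4
2024-06-22T10:00:01.200 192.0.2.10 31.170.22.205 GET /add.php?v=1&a=armv5&e=15&c=5
2024-06-22T10:00:04.000 192.0.2.12 198.51.100.7 GET /ping.php?x=1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")  # timestamp src dst method url
BEACON_PATHS = {"/ping.php", "/add.php"}
BEACON_PARAMS = {"v", "a", "e", "c"}  # v=fixed, a=arch, e=script argument, c=counter

def parse_line(line):
    """Return (timestamp, src, dst, path, query_dict), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, _method, url = m.groups()
    parts = urlsplit(url)
    return datetime.fromisoformat(ts), src, dst, parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}

def find_beacons(log_text, min_hits=3, interval_s=0.3, tolerance_s=0.1):
    """Flag (src, dst) pairs whose /ping.php or /add.php requests carry v, a, e, c,
    increment c by exactly one per request, and arrive roughly every interval_s seconds."""
    sessions = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, src, dst, path, qs = rec
        if path in BEACON_PATHS and BEACON_PARAMS.issubset(qs) and qs["c"].isdigit():
            sessions.setdefault((src, dst), []).append((ts, int(qs["c"]), qs["a"], qs["e"]))
    findings = []
    for (src, dst), hits in sessions.items():
        hits.sort()
        if len(hits) < min_hits:
            continue
        counters = [h[1] for h in hits]
        gap = median((b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:]))
        sequential = counters == list(range(counters[0], counters[0] + len(counters)))
        if sequential and abs(gap - interval_s) <= tolerance_s:
            findings.append({"src": src, "dst": dst, "hits": len(hits), "arch": hits[0][2],
                             "arg": hits[0][3], "median_gap_s": round(gap, 3)})
    return findings
```

On real telemetry the counter check is what separates this beacon from ordinary polling: legitimate clients rarely send a strictly sequential c value alongside a fixed v and an architecture string.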
Conclusion
The analyzed attack represents a textbook case of successfully exploiting vulnerable network-connected devices, such as IP cameras with exposed and unsecured CGI interfaces. The attacker leveraged a known remote code execution (RCE) technique to deploy malicious binaries on target devices. Once executed, these binaries established communication with a command-and-control (C2) server, enabling persistent remote access and control.
The presence of a publicly accessible FTP server with anonymous login and multiple shell scripts designed for various architectures points to a well-structured and scalable malware distribution infrastructure. This level of automation and adaptability allows threat actors to compromise a wide range of systems efficiently.
Such attacks underscore the critical importance of:
- Regularly updating and patching embedded devices
- Disabling unused or unsecured services
- Applying the principle of least privilege across networked environments
In today’s threat landscape, even simple misconfigurations can serve as entry points for global botnet operations.