On October 27, 2021, the Botmon system detected an attacker using CVE-2017-6079 to attack Edgewater Networks' devices, with a relatively unusual mount file system command in the payload, which drew the researchers' attention.
After further investigation, it was confirmed that this was a brand new botnet, which was named EwDoor because it targets Edgewater products and has a backdoor feature.
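The detection described above hinged on an unusual `mount` command embedded in the exploit payload. The following added example (not code from the original write-up or from the Botmon system) shows how a defender could hunt for the same pattern in ordinary web-server access logs: it URL-decodes each request target and flags any request in which a shell separator or command-substitution token is followed by `mount`, while leaving innocent occurrences of the word alone. The log lines, the `/cgi-bin/config.cgi` path and the `cmd` parameter are all constructed for illustration and are not the real EdgeMarc endpoint or the real EwDoor payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format); not taken from any real device
SAMPLE_LOGS = [
    '10.0.0.5 - - [27/Oct/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [27/Oct/2021:10:01:09 +0000] '
    '"POST /cgi-bin/config.cgi?cmd=status%3Bmount+-t+tmpfs+none+/tmp HTTP/1.1" 200 88',
    '10.0.0.9 - - [27/Oct/2021:10:02:11 +0000] "GET /help?q=how+to+mount+a+drive HTTP/1.1" 200 1024',
]

# Minimal common-log-format parser: source address, timestamp, method, request target, status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A shell separator or substitution token (; | || && ` $( ) immediately followed by "mount",
# optionally with an absolute path. A bare "mount" in a search query does not match.
INJECT_RE = re.compile(r'(?:;|\|{1,2}|&&|`|\$\()\s*(?:/bin/|/usr/bin/)?mount\b')


def decode_target(target: str) -> str:
    """URL-decode twice so single- and double-encoded payloads both become readable."""
    return unquote_plus(unquote_plus(target))


def find_mount_injection(log_lines):
    """Return one dict per request whose decoded target carries a mount command injection."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        decoded = decode_target(m.group("target"))
        if INJECT_RE.search(decoded):
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "target": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_mount_injection(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['target']}")
```

Run it against real access logs by replacing `SAMPLE_LOGS` with the file's lines; the double decode is deliberate, since exploit tooling frequently encodes the injected separator twice to slip past naive filters.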
After registering the second C2 domain, iunno.se, it was possible to estimate the size of the initial version of EwDoor, which used a multi-C2 redundancy technique.
Unfortunately, after running into trouble with its main C2 network, EwDoor changed its communication model to use a BT tracker to obtain its C2s, and track of EwDoor was lost.
However, during this brief observation window, it was confirmed that the attacked devices were AT&T's EdgeMarc Enterprise Session Border Controllers, and that all 5.7k active victims seen in that period were such devices.
Overall, EwDoor has gone through three versions of updates so far, and its main functions fall into two categories: DDoS attacks and a backdoor.
Because the affected equipment is related to telephone communication, the main goal of the attack is presumed to be DDoS attacks and the collection of sensitive information, such as call records.