A look at PolarEdge Adjacent Infrastructure

This analysis examines the infrastructure adjacent to PolarEdge, an IoT botnet that exploits CVE-2023-20118. The investigation traces connections between several certificates and services, including a WebRTC e-book certificate and suspicious PolarSSL certificates. A key finding is the RPX server, a reverse-connect proxy gateway found on a host carrying multiple suspicious certificates. The RPX server manages proxy nodes and exposes SOCKS5 and Trojan-protocol services. Technical analysis of the RPX binary describes how it handles client connections, proxy node registration, and traffic obfuscation. The investigation highlights a potential relationship between the RPX system and the PolarEdge botnet, illustrating the complexity of IoT botnet infrastructure.

Author: AlienVault

Related Tags:
cve-2023-20118
iot botnet
reverse-connect
trojan-protocol
proxy management
certificate analysis
PolarEdge
T1205
Singapore

Associated Indicators:
119.8.186.227
190.92.202.218
159.138.83.57