PolarEdge Expands via IoT Proxy Network

MITRE Techniques

• [T1525 ] Compromise of network infrastructure – RPX_Client and RPX_Server establish and manage an ORB/proxy network to hide source and relay traffic (“…adds the compromised device to the ORB network…”).
• [T1105 ] Ingress tool transfer – ELF file “w” and wget.tar were distributed and executed on target devices to deploy RPX_Client (“…distributed an ELF file named ‘w’… wget.tar archive contains rpx and rpx.sh”).
• [T1543 ] Create or modify system process – RPX_Client disguises process name as connect_server and uses /tmp/.msc PID file to enforce single-instance execution (“…disguises its process name as connect_server and uses the PID file /tmp/.msc…”).
• [T1112 ] Modify registry (or system configuration) / Persistence – rpx.sh is injected into /etc/init.d/rcS to achieve persistence (“echo “/bin/sh /mnt/mtd/rpx.sh &” >> /etc/init.d/rcS”).
• [T1572 ] Protocol Tunneling and Proxy – RPX_Server schedules registered proxy nodes to connect to targets and creates multi-hop proxy chains (Local proxy ←→ RPX Server ←→ RPX Client ←→ ipinfo.io) to obscure origin (“…schedules a registered proxy node to connect to the target… establishes a reverse connection back to a dynamically allocated temporary port on the gateway”).
• [T1041 ] Exfiltration over C2 channel (bidirectional C2) – RPX_Client maintains two persistent connections: one for registration/proxying (port 55555) and one for remote command execution (port 55560) to receive/execute commands (“…establishes two independent network connections to the C2 server…”).
• [T1106 ] Native API – Remote command execution and built-in commands (change_pub_ip, update_vps) enable operators to reconfigure and upgrade deployed clients (“…includes two special built-in commands: change_pub_ip – updates the C2 server address; update_vps – performs sample self-upgrade”).