New Mirai botnet targets tens of flaws in popular IoT devices

1 year ago 86
BOOK THIS SPACE FOR AD
ARTICLE AD

Since March 2023, Unit 42 researchers have observed a variant of the Mirai botnet spreading by targeting tens of flaws in D-Link, Zyxel, and Netgear devices.

Since March 2023, researchers at Palo Alto Networks Unit 42 have observed a new variant of the Mirai botnet targeting multiple vulnerabilities in popular IoT devices. Below is the list of the targeted vulnerabilities:

The botnet aims at taking control of D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek devices and uses them to carry out distributed denial-of-service (DDoS) attacks. The list of targeted devices includes routers, DVRs, access control systems, and Solar power generation monitoring systems.

The researchers observed two campaigns, respectively in March and June.

Mirai botnet

Since the beginning of the attacks observed in October 2022, threat actors have enhanced the botnet by integrating exploits for new vulnerabilities.

The attack chain commences with the exploitation of one of the above issues, then the threat actor tries to download a shell script downloader from a remote server.

Upon executing the script, it would download and execute the proper bot clients for the specific Linux architectures:

hxxp://185.225.74[.]251/armv4l hxxp://185.225.74[.]251/armv5l hxxp://185.225.74[.]251/armv6l hxxp://185.225.74[.]251/armv7l hxxp://185.225.74[.]251/mips hxxp://185.225.74[.]251/mipsel hxxp://185.225.74[.]251/sh4 hxxp://185.225.74[.]251/x86_64 hxxp://185.225.74[.]251/i686 hxxp://185.225.74[.]251/i586 hxxp://185.225.74[.]251/arc hxxp://185.225.74[.]251/m68k hxxp://185.225.74[.]251/sparc

Once executed the bot client, the shell script downloader will delete the client executable file to avoid detection.

“Based on behavior and patterns Unit 42 researchers observed while analyzing the downloaded botnet client samples, we believe the sample is a variant of the Mirai botnet.” reads the report published by Unit42. “Upon execution, the botnet client prints listening tun0 to the console. The malware also contains a function that ensures only one instance of this malware runs on the same device. If a botnet process already exists, the botnet client will terminate the current running process and start a new one.”

The researchers pointed out that the Mirai variant like IZ1H9 and V3G4 will first initialize an encrypted string table and then retrieve the strings through an index. However, this Mirai variant will directly access the encrypted strings in the .rodata section via an index

The approach allows the malware to remain under the radar and be faster.

This Mirai variant lack of brute forcing login credentials capability, which means that operators have to manually deploy it by exploiting the above vulnerabilities.

“The widespread adoption of IoT devices has become a ubiquitous trend. However, the persistent security concerns surrounding these devices cannot be ignored. The Mirai botnet, discovered back in 2016, is still active today. A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.” concludes the report. “These remote code execution vulnerabilities targeting IoT devices exhibit a combination of low complexity and high impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats becomes an urgent task.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PoC exploit)




Read Entire Article