Description
A variant of the Mirai botnet was observed targeting at least 22 vulnerabilities in IoT devices from D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear and MediaTek.
Details
This malware campaign was identified by Unit 42 researchers at Palo Alto Networks in two ongoing campaigns that started in March and saw a rise in activity in April and June of 2023. This Mirai variant was configured to target 22 different security vulnerabilities in various products, including routers, DVRs, NVRs, Wi-Fi communication dongles, access control systems and more. The list of exploited vulnerabilities and affected devices can be viewed at this link: Vulnerabilities
All of the exploited vulnerabilities grant remote code execution, and the malware relies on this to execute a shell script retrieved from the external host hxxp://zvub[.]us/. If successful, the script downloads the botnet client that matches the architecture of the compromised device. The targeted architectures are armv4l, arm5l, arm6l, arm7l, mips, mipsel, sh4, x86_64, i686, i586, arc, m68k and sparc. Once the botnet client has been downloaded and executed, the shell script deletes the client executable file to cover its tracks and reduce the chance of detection.
Upon execution, the botnet client allows threat actors to enrol the compromised device in a botnet, where it can be used in denial-of-service (DoS) attacks. This botnet client is the only Mirai variant that directly accesses the encrypted strings in the .rodata section through an index, instead of setting up a string table to retrieve the botnet client's configuration. The botnet prints "listening tun0" to the console, indicating that it listens for requests on the tun0 network interface. Unit 42 also notes that this Mirai variant does not have the ability to brute-force SSH/Telnet login credentials and relies on the threat actors manually exploiting the vulnerabilities mentioned above.
Indicators of Compromise
Review the list of IOCs associated with this Mirai variant, including sample hashes, domains and IP addresses, below:
Shell Script Downloader Samples
> 888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8
Mirai Samples
> b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c
> b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3
> 366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6
> 413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2
> 2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599
> 4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0
> 461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d
> aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777
> 0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915
> eca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19
> 3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d
> aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089
> 4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b
Infrastructure
> zvub[.]us
> 185.225.74[.]251
> 185.44.81[.]114
> 193.32.162[.]189
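To make the indicators above directly usable, the following script is an added example (not code from the advisory, Unit 42 or BleepingComputer) that refangs the published domain and IP indicators, matches them against log lines, and checks a set of observed file hashes against the published sample hashes. The log lines, file paths and the benign hash are constructed for the example; the indicator values themselves are copied from the lists above, with only the first three sample hashes included for brevity.

```python
import hashlib
import re

# Indicators copied from the advisory, kept in their defanged form.
# Only the downloader hash and the first two Mirai sample hashes are listed here.
ADVISORY_IOCS = {
    "sha256": [
        "888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8",  # shell script downloader
        "b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c",  # Mirai sample
        "b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3",  # Mirai sample
    ],
    "domains": ["zvub[.]us"],
    "ips": ["185.225.74[.]251", "185.44.81[.]114", "193.32.162[.]189"],
}


def refang(text: str) -> str:
    """Turn defanged indicators (zvub[.]us, hxxp://) back into their matchable form."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .lower())


def build_matchers(iocs):
    """Return (hashes, domains, ips) as lowercase sets ready for exact matching."""
    hashes = {h.lower() for h in iocs["sha256"]}
    domains = {refang(d) for d in iocs["domains"]}
    ips = {refang(i) for i in iocs["ips"]}
    return hashes, domains, ips


# Tokens are runs of hostname/IP characters; '=' ':' '/' and whitespace split them,
# so "dst=185.225.74.251:80" yields "185.225.74.251" as its own token.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def scan_log_line(line: str, domains, ips) -> set:
    """Return the set of advisory network indicators present in one log line."""
    hits = set()
    for tok in TOKEN_RE.findall(refang(line)):
        tok = tok.strip(".")
        if tok in ips:
            hits.add(tok)
        elif tok in domains or any(tok.endswith("." + d) for d in domains):
            hits.add(tok)  # exact domain or a subdomain of it
    return hits


def scan_logs(lines, iocs):
    """Return [(line, sorted_hits)] for every line that matched an indicator."""
    _, domains, ips = build_matchers(iocs)
    results = []
    for line in lines:
        hits = scan_log_line(line, domains, ips)
        if hits:
            results.append((line, sorted(hits)))
    return results


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_hashes(observed: dict, hashes: set) -> list:
    """observed maps file path -> sha256 hex; return sorted paths matching advisory hashes."""
    return sorted(path for path, digest in observed.items() if digest.lower() in hashes)


# Constructed sample logs (documentation address ranges used for internal hosts).
SAMPLE_LOGS = [
    "2023-06-10T02:14:07Z dns client=192.0.2.17 query=zvub.us type=A",
    "2023-06-10T02:14:09Z fw action=allow src=192.0.2.17 dst=185.225.74.251:80 proto=tcp",
    "2023-06-10T02:15:00Z fw action=allow src=192.0.2.33 dst=203.0.113.9:443 proto=tcp",
    "2023-06-10T02:15:31Z proxy url=hxxp://zvub[.]us/bins/mirai.arm7 status=200",
]

# Constructed observed hashes: one path is pretended to carry the downloader hash.
OBSERVED_HASHES = {
    "/tmp/constructed.sh": "888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8",
    "/bin/busybox": sha256_hex(b"constructed benign file content"),
}

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS, ADVISORY_IOCS):
        print("MATCH", hits, "<-", line)
    hashes, _, _ = build_matchers(ADVISORY_IOCS)
    print("hash matches:", check_hashes(OBSERVED_HASHES, hashes))
```

Feed real DNS, firewall or proxy lines to scan_logs and a path-to-SHA-256 mapping (for example the output of sha256sum over a device's writable filesystem) to check_hashes; the refang step means analysts can paste indicators straight from this advisory without editing the brackets out first.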
Remediation
We recommend the following measures to lower the risk of infection from this malware campaign:
Review the list of affected devices and, if you are using a device that may be vulnerable to this malware, apply the latest firmware updates or patches available from the device vendor.
Change the default access credentials of your device to something unique and strong, and change passwords often.
Disable remote administrative access on these devices if it is not required or in use.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Mirai botnet variant targets multiple IoT devices.pdf
References
Toulas, B. (2023, June 22). Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/mirai-botnet-targets-22-flaws-in-d-link-zyxel-netgear-devices/
Lei, C., Zhang, Z., An, Y., & Hu, C. (2023, June 22). IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits. Retrieved from Unit 42. https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/