Researchers discovered a new wave of Mirai Variant that used 13 different exploits to attack various router models and other network devices.
Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.
Mirai targets several different routers including D-Link, Linksys, GPON, Netgear, Huawei and other network devices such as ThinkPHP, multiple CCTV-DVR vendors, UPnP, MVPower digital video recorders, and Vacron network video recorder.
This is the first time to have used all 13 exploits together in a single campaign including some of the exploits that used in the previous attack.
Initially, the new variant of Mirai found in the honeypot system that deployed by Trend Micro and it looking for the IoT devices to exploit several vulnerabilities that include remote code execution (RCE
According to Trend Micro ” It showed that this malware used different means of spreading, and also revealed its use of three XOR keys to encrypt data. Decrypting the malware’s strings using XOR revealed one of the first relevant indicators of the malware’s being a Mirai variant.”
Mirai variant Exploits
Researchers found different URL’s that is associated with Mirai variant including the command-and-control (C&C) link and download and dropper links.
New Mirai variant code reveals more information about infection process, especially, first 3 exploits scanning the specific vulnerabilities in ThinkPHP, certain Huawei
It also performs a Brute force attack using capabilities using several common credentials.
Mirai Variant associated exploits taking advantage of the different vulnerabilities that found in the routers, surveillance products, and other devices
Among all 13 vulnerabilities, 11 had been already used in the previous Mirai variant campaign in 2018 and other 2 exploits are completely new that can be used against Linksys and ThinkPHP RCEs.
The attacker behind this new variant could have simply copied the code from other attacks, and with it the exploits these previous cases had used.
Users are recommended to change the default credentials in the router to prevent the credential based attacks.
Indicators of Compromise (IoCs)
Related SHA-256 hash detected as Backdoor.Linux.MIRAI.VWIPT:
Related malicious URLs:
C&C : hxxp://32[.]235[.]102[.]123:1337
Download Link and Droppers
Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps – Download Free-Ebook Here.