A new Mirai-based malware named 'InfectedSlurs' is exploiting two remote code execution zero-day vulnerabilities to ensnare routers and network video recorder (NVR) devices into a distributed denial-of-service (DDoS) botnet.
The campaign was discovered by Akamai researchers, who are withholding the technical details of the two zero-days until the affected vendors release security patches, expected sometime in December 2023. Akamai has also withheld the affected brands and models.
The attacks were first spotted against Akamai’s honeypots in late October 2023.
“The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” the company said.
The InfectedSlurs botnet primarily uses the older JenX Mirai variant, first seen in January 2018. The researchers said they also identified additional malware linked to hailBot, another variant built on the Mirai source code.
“While JenX primarily contained the filename of ‘jkxl’, the assumed hailBot file names included the string ‘skid’. Additionally, one of the unique identifiers for hailBot is the console string ‘hail china mainland’ that is printed upon successful compromise of a system,” Akamai said.
The researchers said they found mentions of some of the command-and-control infrastructure in a now-deleted Telegram account in a DDoS marketplace channel, DStatCC.
Akamai has shared Snort and YARA rules, along with indicators of compromise (IoCs), to help defenders identify exploit attempts and possible infections in their environments.
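As an illustration of how the identifiers quoted above can be turned into a content signature, here is an added example YARA rule. It is not Akamai's published rule and was not taken from this article; it only uses the strings the article names. It assumes the dropped payloads are ELF executables (the usual case for Mirai builds targeting Linux-based routers and NVRs), and it treats the console string "hail china mainland" as the high-confidence indicator. The file-name fragments "jkxl" and "skid" are names on disk, not necessarily strings inside the binary, and "skid" is short enough to appear in unrelated files, so the rule does not alert on them alone.

```yara
rule InfectedSlurs_indicators_example
{
    meta:
        description = "Added example derived from strings named in the Akamai InfectedSlurs writeup; not Akamai's own rule"
        reference   = "Akamai SIRT, InfectedSlurs, November 2023"
        confidence  = "high for $hail; $jenx and $skid are file-name fragments and only supporting evidence"

    strings:
        // hailBot console string printed after a successful compromise (from the article)
        $hail = "hail china mainland" ascii
        // JenX file-name fragment (from the article); may or may not be embedded in the binary
        $jenx = "jkxl" ascii
        // hailBot file-name fragment (from the article); too short to use on its own
        $skid = "skid" ascii

    condition:
        // ELF magic 0x7f 'E' 'L' 'F' read as a little-endian uint32 (assumption: ELF payloads)
        uint32(0) == 0x464c457f
        and filesize < 4MB
        and (
            $hail
            or ($jenx and $skid)
        )
}
```

Run it recursively over a mounted filesystem image or a quarantine directory with `yara -r infectedslurs_example.yar /path/to/files`. Treat a hit on `$hail` as worth immediate triage; a hit only on the combined `$jenx and $skid` clause is a weaker signal and should be corroborated with the process list, outbound connection logs and the file names actually observed on the device. The botnet's exploit traffic itself is not covered here, since the article gives no details of the two zero-days; Akamai's Snort rules are the source for that.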