24 May 2019

New Mirai variant utilises 13 different exploits to attack more routers and video recording devices

Researchers discovered a new Mirai version that uses a new set of 13 exploits that enable it to attack more routers, as well as other devices, including video recording devices, presentation systems, and various IoT devices. While almost all of these exploits were previously used individually in various Mirai operations, this marks the first time that all of them have been used together in a single campaign.

According to Trend Micro's report, aside from the bundle of exploits, this new variant has the typical characteristics seen in earlier versions, such as backdoor and distributed denial-of-service (DDoS) capabilities. The researchers spotted the new Mirai through their honeypots, so it is already being used in the wild.

First, the new variant scans the infected system for specific vulnerabilities in ThinkPHP, Huawei, or Linksys routers. The list of the 13 exploits also covers DVRs, NVRs, D-Link devices, and Netgear devices. According to the researchers, the use of three XOR keys to encrypt data is still the preferred modus operandi for the new Mirai, while the URLs used in the campaign served as "command and control", "downloader", and "dropper" links. The new version also incorporates brute-force capabilities that allow the malware to gain admin access to network devices.

Of the 13 exploits, 11 had already been used together in 2018 by the Mirai variant Omni, according to a report by Unit 42. The Omni botnet targeted vulnerable Dasan GPON routers, Netgear routers, Huawei routers, and other devices. Trend Micro said that the only two exploits that were not part of that previous Mirai campaign but were used by this new variant were the Linksys and ThinkPHP RCEs. However, these two exploits were spotted in a more recent attack in April 2019, which also included four others on the list: the CVE-2018-10561, CVE-2014-8361, UPnP SOAP TelnetD command execution, and CVE-2017-17215 exploits.

The researchers concluded that the new Mirai operators could simply have copied the code from other attacks along with the exploits used in them, or that the attacker's choice of exploits could have been based on the knowledge that many of the affected devices are widely used and that many of their owners have yet to patch their devices against the vulnerabilities.
