24 May 2019

New Mirai variant utilises 13 different exploits to attack more routers and video recording devices

Researchers have discovered a new Mirai variant that bundles 13 exploits, enabling it to attack more routers as well as other devices, including video recorders, presentation systems and various other IoT devices. Although almost all of these exploits had previously been used individually in various Mirai operations, this is the first time all of them have been used together in a single campaign.

According to Trend Micro’s report, aside from the bundle of exploits this new variant has the typical characteristics seen in earlier versions, such as backdoor and distributed denial-of-service (DDoS) capabilities. The researchers spotted the new Mirai through their honeypots, so it is already active in the wild.

The new variant first scans the infected system for specific vulnerabilities in ThinkPHP, Huawei or Linksys routers. The list of 13 exploits also covers DVRs, NVRs, D-Link devices and Netgear devices. According to the researchers, the use of three XOR keys to encrypt its data is still the preferred modus operandi for the new Mirai, while the URLs used in the campaign serve as “command and control”, “downloader” and “dropper” links. The new version also incorporates brute-force capabilities that let the malware log in to network devices as admin.
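The “three XOR keys” detail matters to an analyst because of how Mirai applies them: the leaked Mirai source (table.c) XORs every byte of a string with each key byte in turn, and since XOR composes, several single-byte keys collapse into one effective byte. The following is an added example, not code from the article, Trend Micro or Unit 42. It models the bot’s obfuscated string table with three assumed key bytes and constructed config strings (C2 hostname, shell commands, telnet prompts), then shows the check a practitioner runs on an unknown sample: brute-force the 256 possible effective keys until the table decodes to printable text containing a known marker such as “/bin/busybox”.

```python
"""Mirai-style multi-key XOR string table: obfuscate, decode on demand,
and recover the effective key from an unknown sample.

Added example, not code from the original article or from Trend Micro /
Unit 42.  The key bytes and the config strings below are constructed for
illustration; real samples carry their own values.
"""
from typing import Dict, List, Optional, Tuple

# Assumed key bytes (constructed, not from the article).  Applying several
# single-byte XOR keys in sequence equals applying their XOR once, so
# "three XOR keys" reduce to one effective byte per string.
KEYS: Tuple[int, ...] = (0xDE, 0xAD, 0x4E)

# Constructed plaintext table, modelled on the kind of strings Mirai keeps
# obfuscated until needed (C2 host, busybox command, telnet prompts).
PLAINTEXT_TABLE: Dict[int, bytes] = {
    1: b"c2.example.invalid",      # constructed C2 hostname
    2: b"/bin/busybox MIRAI",
    3: b"enable",
    4: b"system",
    5: b"/proc/net/tcp",
}

# Bytes we accept as "decoded text": printable ASCII plus tab/LF/CR.
_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def effective_key(keys: Tuple[int, ...]) -> int:
    """XOR of all key bytes: applying k1, k2, k3 in turn equals k1 ^ k2 ^ k3."""
    k = 0
    for kb in keys:
        k ^= kb & 0xFF
    return k


def toggle_obf(data: bytes, keys: Tuple[int, ...]) -> bytes:
    """Mirai's toggle_obf: XOR every byte with each key byte in sequence.
    XOR is its own inverse, so the same call locks and unlocks a value."""
    out = bytearray(data)
    for kb in keys:
        for i in range(len(out)):
            out[i] ^= kb & 0xFF
    return bytes(out)


def build_table(plain: Dict[int, bytes], keys: Tuple[int, ...]) -> Dict[int, bytes]:
    """Obfuscate every entry the way the bot ships it inside its binary."""
    return {tid: toggle_obf(val, keys) for tid, val in plain.items()}


def table_unlock_val(table: Dict[int, bytes], tid: int, keys: Tuple[int, ...]) -> bytes:
    """Decode one entry on demand (the bot re-locks it after use)."""
    return toggle_obf(table[tid], keys)


def _printable(b: bytes) -> bool:
    return len(b) > 0 and all(c in _PRINTABLE for c in b)


def recover_key(blobs: List[bytes], markers: List[bytes]) -> Optional[int]:
    """Brute-force the single effective XOR key of an unknown sample.

    Tries all 256 byte values; a candidate wins when every blob decodes to
    printable text and at least one decoded blob contains a known marker.
    Returns the key byte, or None if no candidate fits.
    """
    for k in range(256):
        decoded = [bytes(c ^ k for c in blob) for blob in blobs]
        if not all(_printable(d) for d in decoded):
            continue
        if any(m in d for d in decoded for m in markers):
            return k
    return None


def decode_table_with_key(table: Dict[int, bytes], key: int) -> Dict[int, bytes]:
    """Decode a whole table once the effective key is known."""
    return {tid: bytes(c ^ key for c in blob) for tid, blob in table.items()}


if __name__ == "__main__":
    table = build_table(PLAINTEXT_TABLE, KEYS)
    print("effective key: 0x%02x" % effective_key(KEYS))
    k = recover_key(list(table.values()), [b"/bin/busybox", b"enable"])
    print("recovered key: %s" % ("0x%02x" % k if k is not None else "none"))
    if k is not None:
        for tid, val in decode_table_with_key(table, k).items():
            print(tid, val)
```

The point of `recover_key` is that the number of keys the bot chains is irrelevant to the analyst: whatever the sample does with three keys, the ciphertext differs from the plaintext by a single byte, so 256 trials plus a marker string are enough to dump its C2 host and command strings without running the binary. Real Mirai builds store each entry with a length prefix; the example keeps the entries as plain byte strings to stay focused on the key handling.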

Eleven of the 13 exploits had already been used together in 2018 by the Mirai variant Omni, as shown in Unit 42’s report. The Omni botnet targeted vulnerable Dasan GPON routers, Netgear routers, Huawei routers and other devices. Trend Micro said that the only two exploits that were not part of that earlier Mirai campaign but were used by the new variant are the Linksys and ThinkPHP remote code execution (RCE) exploits. However, these two exploits were spotted in a more recent attack in April 2019, which also included four others on the list: CVE-2018-10561, CVE-2014-8361, the UPnP SOAP TelnetD command execution exploit and CVE-2017-17215.

The researchers concluded that the new Mirai operators may simply have copied the code, exploits included, from those other attacks, or that the choice of exploits could have been based on the knowledge that many of the affected devices are widely used and many of their owners have yet to patch them against these vulnerabilities.
