24 May 2019

New Mirai variant utilises 13 different exploits to attack more routers and video recording devices

Researchers have discovered a new Mirai variant that carries a set of 13 exploits, letting it attack a wider range of routers as well as other devices, including video recorders, presentation systems, and assorted IoT hardware. Almost all of these exploits had been used individually in earlier Mirai campaigns, but this is the first time all of them have appeared together in a single campaign.

According to Trend Micro's report, aside from the exploit bundle, the new variant shows the same characteristics seen in earlier versions, such as backdoor and distributed denial-of-service (DDoS) capabilities. The researchers caught the sample in their honeypots, so it is already in the wild.

Once running on an infected device, the new variant first scans for specific vulnerabilities in ThinkPHP installations and in Huawei and Linksys routers; the full list of 13 exploits also covers DVRs, NVRs, D-Link devices, and Netgear devices. According to the researchers, the variant still relies on three XOR keys to obfuscate its data, which has been the Mirai MO all along, while the URLs seen in the campaign served as command-and-control, downloader, and dropper links. The new version also incorporates brute-force capabilities that let the malware log in to network devices with administrative credentials.
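The XOR keys mentioned above refer to the single-byte XOR string obfuscation that Mirai-family samples inherit from the leaked Mirai source, which folds its 32-bit key 0xdeadbeef into one byte. The following Python block is an added example, not code from the sample or from the Trend Micro or Unit 42 reports: it obfuscates three constructed string tables with three constructed keys and then recovers each key blind, the way an analyst would when pulling C2 and credential strings out of a sample. The keys, table contents and crib words are assumptions made for illustration.

```python
"""
Mirai-style XOR string obfuscation and how an analyst reverses it.

Added example, not code from the sample or from the vendor reports:
keys, table contents and crib words are constructed placeholders.
"""
import string

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")

# Known-plaintext guesses (cribs) an analyst would try against a Mirai
# sample's tables; assumed here, pick them per family.
CRIBS = [b"root", b"admin", b"http", b"GET ", b"busybox"]

# The leaked Mirai source folds its 32-bit table key (0xdeadbeef) into one
# byte and XORs every byte of every string with it. Variants keep the scheme
# but use several keys, so one recovered byte no longer decodes every table.
# Three constructed keys, one per table, stand in for the three the report cites.
TABLE_KEYS = {
    "c2":    0xDEADBEEF,  # assumed: C2, downloader and dropper URLs
    "http":  0x5A7E,      # assumed: HTTP request strings
    "creds": 0x33,        # assumed: telnet brute-force credential list
}

# Constructed plaintext tables (placeholders, not indicators from the report).
TABLES = {
    "c2":    ["cnc.example.invalid:23", "http://dl.example.invalid/bins/arm7"],
    "http":  ["GET / HTTP/1.1", "User-Agent: Mozilla/5.0"],
    "creds": ["root:xc3511", "admin:admin", "support:support"],
}


def fold_key(key: int) -> int:
    """XOR is associative, so XORing with each key byte in turn is one XOR."""
    folded = 0
    while key:
        folded ^= key & 0xFF
        key >>= 8
    return folded


def obfuscate_entry(text: str, key: int, terminated: bool = True) -> bytes:
    """Mirror table.c when terminated=True: the NUL terminator is XORed too,
    so the last byte of every entry equals the folded key. scanner.c-style
    credential entries (terminated=False) carry no such giveaway."""
    raw = text.encode() + (b"\x00" if terminated else b"")
    k = fold_key(key)
    return bytes(b ^ k for b in raw)


def deobfuscate_entry(blob: bytes, key: int) -> str:
    k = fold_key(key)
    return bytes(b ^ k for b in blob).rstrip(b"\x00").decode("latin-1")


def _all_printable(data: bytes) -> bool:
    return all(b in PRINTABLE for b in data)


def recover_key(blobs) -> int:
    """Recover one table's single-byte key without knowing it.

    Fast path: if every entry ends with the same byte and stripping it leaves
    printable text, that byte is the XORed terminator, hence the key.
    Otherwise brute-force all 256 keys. Printability alone is ambiguous (XOR
    with a small value keeps lowercase letters lowercase), so rank candidates
    by crib hits first and by fully printable entries second.
    """
    last = {blob[-1] for blob in blobs if blob}
    if len(last) == 1:
        k = next(iter(last))
        if all(_all_printable(bytes(b ^ k for b in blob[:-1])) for blob in blobs):
            return k

    def rank(k: int):
        decoded = [bytes(b ^ k for b in blob) for blob in blobs]
        crib_hits = sum(any(c in d for c in CRIBS) for d in decoded)
        printable = sum(_all_printable(d) for d in decoded)
        return (crib_hits, printable)

    return max(range(256), key=rank)


def recover_all() -> dict:
    """Obfuscate the constructed tables, then recover each key blind."""
    out = {}
    for name, entries in TABLES.items():
        blobs = [obfuscate_entry(e, TABLE_KEYS[name], terminated=(name != "creds"))
                 for e in entries]
        k = recover_key(blobs)
        out[name] = (k, [deobfuscate_entry(b, k) for b in blobs])
    return out


if __name__ == "__main__":
    for name, (k, strings) in recover_all().items():
        print(f"{name}: key=0x{k:02x} {strings}")
```

Two points a practitioner should take from this: XOR is its own inverse, so this is obfuscation rather than encryption, and in the original table.c the NUL terminator is XORed along with the string, so the last byte of every entry leaks the key. Tables that drop the terminator, as the scanner's credential list does, still fall to a 256-key brute force ranked by known-plaintext cribs, which is why none of these keys protect the C2 or credential strings from a few minutes of analysis.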

According to Unit 42's report, 11 of the 13 exploits had already been used together in 2018 by the Mirai variant Omni, which targeted vulnerable Dasan GPON routers, Netgear routers, Huawei routers, and other devices. Trend Micro notes that the only two exploits not part of that earlier campaign, the Linksys and ThinkPHP RCEs, did appear in a more recent attack in April 2019, which also used four others on the list: CVE-2018-10561, CVE-2014-8361, the UPnP SOAP TelnetD command execution exploit, and CVE-2017-17215.

The researchers conclude that the new Mirai operators may simply have copied the code, exploits included, from those other attacks, or may have chosen these exploits knowing that the affected devices are widely deployed and that many of their owners have yet to patch them.
