Researchers discovered a new Mirai version that uses a new set of 13 exploits that enable it to attack more routers, as well as other devices, including video recording devices, presentation systems, and various IoT devices. While almost all of these exploits were previously used individually in various Mirai operations, this marks the first time all of them have been used together in a single campaign.
As per Trend Micro's report, aside from its bundle of exploits, this new variant has the typical characteristics seen in earlier versions, such as backdoor and distributed denial-of-service (DDoS) capabilities. The researchers spotted the new Mirai through their honeypots, so it is already in the wild.
First, the new variant scans the infected system for specific vulnerabilities in ThinkPHP, Huawei, or Linksys routers. The list of the 13 exploits also covers DVRs, NVRs, D-Link devices, and Netgear devices. According to the researchers, the use of three XOR keys to encrypt data is still the preferred MO for the new Mirai, while the URLs used in the campaign served as "command and control", "downloader", and "dropper" links. The new version also incorporates brute-force capabilities that can be used to let the malware gain access to network devices as admin.
Of the 13 exploits, 11 had already been used together in 2018 by the Mirai variant Omni, according to a report by Unit 42. The Omni botnet targeted vulnerable Dasan GPON routers, Netgear routers, Huawei routers, and other devices. Trend Micro said that the only two exploits that were not part of that previous Mirai campaign but were used by this new variant were the Linksys and ThinkPHP RCEs. However, these two exploits were spotted in a more recent attack in April 2019, which also included four others on the list: the CVE-2018-10561, CVE-2014-8361, UPnP SOAP TelnetD command execution, and CVE-2017-17215 exploits.
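Because the variant probes each target with several of these exploits in turn, a defender can spot its scanning from web-server access logs alone. The following is an added detection example, not code from the article or from Trend Micro; the request-URI patterns for the ThinkPHP, Huawei CVE-2017-17215 and Linksys exploits are assumed from public write-ups of those bugs, and the log lines are constructed.

```python
import re
from typing import Dict, List

# Request-signature heuristics for three of the exploit classes the article names.
# The URI patterns are assumed from public write-ups of these bugs (they are not
# given in the article); tune them to your own log format before relying on them.
SIGNATURES: Dict[str, re.Pattern] = {
    "ThinkPHP invokefunction RCE": re.compile(
        r"/index\.php\?s=.*(?:\\|%5C)think(?:\\|%5C)app/invokefunction", re.I),
    "Huawei HG532 CVE-2017-17215": re.compile(r"POST /ctrlt/DeviceUpgrade_1\b", re.I),
    "Linksys tmUnblock.cgi RCE": re.compile(r"/tmUnblock\.cgi\b", re.I),
}

def classify(line: str) -> List[str]:
    """Return the names of every signature that matches one access-log line."""
    return [name for name, pat in SIGNATURES.items() if pat.search(line)]

def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Group signature hits by source IP (first field of a common-log-format line)."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        names = classify(line)
        if names:
            hits.setdefault(line.split()[0], []).extend(names)
    return hits

# Constructed sample log lines (documentation IP ranges); the two probes from
# 203.0.113.7 mimic the multi-exploit scanning pattern the article describes.
SAMPLE_LOG = [
    r'203.0.113.7 - - [10/Jun/2019:10:00:01 +0000] "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jun/2019:10:00:02 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Jun/2019:10:00:03 +0000] "GET /index.php?s=/home HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Jun/2019:10:00:04 +0000] "GET /tmUnblock.cgi HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")
```

A single source hitting two or more distinct device-specific exploits in a short window is the stronger indicator here; one match alone is often just background internet scanning.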
It is possible that the new Mirai operators simply copied the code from other attacks along with the exploits used in them, or that the attacker's choice of exploits was based on the knowledge that many of the affected devices are widely used and many of their owners have yet to patch them against the vulnerabilities, the researchers concluded.