A new variant of Mirai — the botnet malware used to launch massive DDoS attacks —has been targeting 13 vulnerabilities in IoT devices connected to Linux servers, according to researchers at Palo Alto Network’s Unit 42 cybersecurity team.
Once the vulnerable devices are compromised by the variant, dubbed V3G4, they can fully controlled by attackers and become part of a botnet, capable of being used to conduct further campaigns, including DDoS attacks.
“The vulnerabilities have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution,” Unit 42 said in its report on the new variant.
V3G4 activity was observed between July and December last year, in three campaigns, Unit 42 said.
All three campaigns appeared to be linked to the same variant and Mirai botnet for several reasons, according to the researchers.
They noted that domains with the hard-coded command and control (C2) infrastructure — used to maintain communications with infected devices — contained the same character string format.
In addition, the shell script downloads are similar, and the botnet used in all attacks features identical functions.
The threat actor deploying V3G4 exploited vulnerabilities that could lead to remote code execution, Code 42 said.
Once executed, the malware has a function to check if the host device has already been infected. If it has been already infected it will exit the device. It also attempts to disable a set of processes from a hardcoded list, which includes other competing botnet malware families.
How the V2G4 Mirai variant works
While most Mirai variants use the same key for string encryption, the V3G4 variant uses different XOR encryption keys for different scenarios, the researcher noted (XOR is a Boolean logic operation frequently used in encryption).
V3G4 packs a set of default or weak login credentials that it uses to carry out brute-force attacks through Telnet and SSH network protocols and spread to other machines. After this, it establishes contact with the C2 server and waits to receive commands for launching DDoS attacks against targets, Unit 42 said.
V3G4 has exploited vulnerabilities, including those in the FreePBX management tool for Asterisk communication servers (vulnerability CVE-2012-4869); Atlassian Confluence (CVE-2022-26134); the Webmin system administration tool (CVE-2019-15107); DrayTek Vigor ruters (CVE-2020-8515: and CVE-2020-15415); and the C-Data Web Management System (CVE-2022-4257).
For a complete list of the exploited vulnerabilities that have been observed so far, suggestions for cybersecurity software that can detect and prevent infection, and code snippets that serve as indications of compromise, see Palo Alto's advisory. The Unit 42 team also recommends applying patches and updates to remediate the vulnerabilities, when possible.
How the Mirai botnet developed
Over the past few years, Mirai has tried to wrap its tentacles around SD-WAN, targeted enterprise videoconferencing systems, and leveraged Aboriginal Linux to infect multiple platforms.
The Mirai botnet was an iteration of a series of malware packages developed by Paras Jha, an undergraduate at Rutgers University. Jha posted it online under the name "Anna-Senpai," naming it Mirai (Japanese for "the future"). The botnet encapsulated some clever techniques, including a list of hardcoded passwords.
In December 2016, Jha and his associates pled guilty to crimes related to Mirai attacks. But by then the code was in the wild and being used as building blocks for further botnet controllers.
This meant that anyone could use it to try infecting IoT devices and launching DDoS attacks, or sell that ability to the highest bidder. Many cybercriminals have done just that, or are tweaking and improving the code to make it even harder to fight against.
Mirai's first big wave of attacks came on September 19, 2016, and was used against the French host OVH. Mirai was also responsible for a 2016 DDoS attack on DNS provider Dyn, which involved about 100,000 infected devices. As a result, major internet platforms and services were unavailable to users in Europe and North America.