TrendMicro specialists discovered in the wild a previously unknown variant of the Mirai malware that uses 13 exploits at once in attacks on targeted devices. The IoT bot is equipped with components for attacking routers from various manufacturers, IP cameras and other devices.
Researchers had already encountered each of these payloads in campaigns run by older Mirai versions, but this is the first time all 13 exploits have been used together.
As in most earlier variants of the bot, the authors of the new version use XOR encoding to hinder identification of the malware. The address of the command-and-control server, and of the storage hosting the modules needed for the attacks, is embedded in the program's code. The file servers are hidden behind a dynamic DNS service.
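To show how an analyst recovers such XOR-encoded configuration strings, here is an added example (not TrendMicro's code and not taken from the sample) that tries every single-byte key over a constructed blob and keeps the key that exposes hostname- or path-like text; the filler bytes, the `.invalid` hostname and the scoring character set are assumptions for illustration.

```python
"""Recover XOR-obfuscated strings (C2 hostname, paths) from a Mirai-style
binary blob by trying every single-byte key and keeping the one that yields
the most hostname/path-looking strings. Added example; not TrendMicro's code."""
import re

# Mirai's leaked source applies the 4-byte key 0xDEADBEEF byte by byte, which
# collapses to a single-byte XOR with 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22.
# New variants may pick another key, so every key is tried below.
MIRAI_EFFECTIVE_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF  # 0x22

# Characters expected in a hostname or filesystem path (assumption for scoring).
HOST_OR_PATH = re.compile(rb"^[A-Za-z0-9._/-]+$")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def candidate_strings(decoded: bytes, min_len: int = 6) -> list[bytes]:
    """NUL-separated runs that look like a hostname or a path."""
    return [p for p in decoded.split(b"\x00")
            if len(p) >= min_len and HOST_OR_PATH.match(p)
            and (b"." in p or b"/" in p)]

def recover_strings(blob: bytes) -> tuple[int, list[str]]:
    """Return (key, strings) for the single-byte key that exposes the most
    hostname/path-like text; key 0 means nothing plausible was found."""
    best_key, best_score, best = 0, 0, []
    for key in range(1, 256):
        parts = candidate_strings(xor_bytes(blob, key))
        score = sum(len(p) for p in parts)
        if score > best_score:
            best_key, best_score, best = key, score, [p.decode() for p in parts]
    return best_key, best

# Constructed sample: a C2 hostname and a path, NUL-terminated, surrounded by
# filler bytes, then obfuscated the way the bot hides its configuration.
_PLAIN = (b"\x8a\x9b\xc3\x00c2.example-ddns.invalid\x00"
          b"/bin/busybox\x00\xd4\x00")
SAMPLE_BLOB = xor_bytes(_PLAIN, MIRAI_EFFECTIVE_KEY)

if __name__ == "__main__":
    key, strings = recover_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x} strings={strings}")
```

On a real sample the blob would be the obfuscated string table carved from the binary; the recovered hostname is what a defender would then block or hunt for in DNS logs.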
“With these 13 exploits, this ‘Backdoor.Linux.MIRAI.VWIPT’ variant is capable of targeting Vacron network video recorders, Dasan GPON routers, D-Link devices, various CCTV-DVR vendors, devices using Realtek SDK with the miniigd daemon, EirD1000 wireless routers, Netgear DGN1000 devices, Netgear R7000 and R6400 devices, MVPower DVRs, Huawei HG532 routers, Linksys E-series routers and ThinkPHP 5.0.23/5.1.31,” wrote TrendMicro experts.
Experts note that 11 of the 13 exploits in the set were previously seen in attacks by the Omni malware, which was identified as Mirai. One of those modules was a script for compromising Huawei HG532 routers through the CVE-2017-17215 vulnerability. The bug was discovered in November 2017, and by the end of December attackers had begun exploiting it.
Another exploit frequently used by cybercriminals targets authentication-bypass vulnerabilities in Dasan GPON routers. Chained exploitation of CVE-2018-10561 and CVE-2018-10562 lets an attacker gain access to the device settings and execute code on the device with root privileges.
Besides the modules developed by the Omni authors, the cybercriminals included in the new Mirai version an old script for hacking Linksys routers, previously seen in TheMoon malware campaigns. One more exploit targets Linux machines running the ThinkPHP framework and allows remote code execution in the vulnerable environment.
Most often, botnets use infected IoT equipment to organize DDoS attacks. Internet security specialists note that the creators of the new Mirai version most likely copied code from several malware variants in an attempt to increase the number of devices infected within a single campaign.