Starting in mid-July, new variants of Mirai, Bashlite and Neko began appearing in honeypots; all three are designed to assemble botnets capable of launching DDoS attacks.
Trend Micro came across the first variant, based on Neko, on July 22. It is capable of brute forcing weak credentials and then unleashing a very capable set of malware weapons, including executing shell commands and launching User Datagram Protocol (UDP) and UDP-HEX flood attacks, which can overwhelm a router’s ability to properly process and respond to traffic, the security company said.
Other tricks include several kill functions, a list of other malware it can stop, and the ability to search out other vulnerable devices on the network via built-in scanners.
Just one week later, Trend Micro discovered an updated version of this Neko variant that is UPX-packed with its magic number (UPX!) tampered, which is believed to be an attempt to prevent the malware from being unpacked. Additionally, its list of vulnerabilities and hardware devices to exploit has grown.
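A tampered UPX magic number stops the stock unpacker from recognising the file, but the packer stub usually leaves other recognisable strings behind. The following heuristic is an added example (not Trend Micro's tooling or anything from the report): it flags a binary that carries UPX stub artefacts but no intact "UPX!" magic. The marker strings are the ones the standard UPX stub writes; the assumption that the packer was not also patched to strip them is noted in the code, and the byte samples at the bottom are constructed for illustration.

```python
"""Heuristic check for UPX-packed binaries whose 4-byte "UPX!" magic has been
overwritten.  Example code added for illustration; not the report's tooling."""
from dataclasses import dataclass
from typing import List

UPX_MAGIC = b"UPX!"

# Strings the stock UPX stub leaves inside a packed file.  Assumption: the
# packer was only patched to alter the magic, not to strip these as well.
UPX_STUB_MARKERS = (
    b"$Info: This file is packed with the UPX executable packer",
    b"$Id: UPX",
    b"UPX0",  # PE section names written by UPX
    b"UPX1",
    b"UPX2",
)


@dataclass
class UpxVerdict:
    has_magic: bool          # intact "UPX!" magic found anywhere in the file
    stub_markers: List[str]  # which stub artefacts were present
    tampered: bool           # stub artefacts present but no magic


def inspect_upx(blob: bytes) -> UpxVerdict:
    """Classify a file image as clean, normally UPX-packed, or UPX-packed with
    a tampered magic number (the pattern seen in the updated Neko sample)."""
    has_magic = UPX_MAGIC in blob
    markers = [m.decode() for m in UPX_STUB_MARKERS if m in blob]
    # Stub artefacts without the magic is the tell-tale pattern: a stock
    # `upx -d` will refuse such a file, so route it to manual unpacking.
    tampered = bool(markers) and not has_magic
    return UpxVerdict(has_magic, markers, tampered)


def _sample(magic: bytes) -> bytes:
    """Constructed stand-in for a packed ELF: header bytes, a pack header
    carrying `magic`, a stub info string, then opaque compressed data."""
    return (
        b"\x7fELF" + b"\x00" * 12
        + magic + b"\x0d\x16\x02\x09"          # magic + version/format/method/level
        + b"$Info: This file is packed with the UPX executable packer $"
        + bytes(range(256))                    # stands in for compressed payload
    )


SAMPLE_INTACT = _sample(UPX_MAGIC)      # constructed: normal UPX packing
SAMPLE_TAMPERED = _sample(b"NEKO")      # constructed: magic overwritten
SAMPLE_PLAIN = b"\x7fELF" + b"\x00" * 64  # constructed: not packed at all

if __name__ == "__main__":
    for name, blob in (("intact", SAMPLE_INTACT), ("tampered", SAMPLE_TAMPERED),
                       ("plain", SAMPLE_PLAIN)):
        print(name, inspect_upx(blob))
```

Run over a sample directory, a `tampered=True` verdict is a cheap triage signal that the file deserves manual header repair before any automated unpacking is attempted; a `has_magic=True` verdict with no markers is unusual enough to warrant a look as well, since the magic string can also occur by coincidence.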
Then, on July 30, the Mirai variant dubbed Asher was first seen. Like its parent malware, Asher’s first move is to check whether the device already has BusyBox, a software suite for devices with limited resources, installed; if not, the malware injects it. Asher also uses brute force as its attack method, drawing on an extensive list of telnet login credentials that can be found in the report.
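Credential brute forcing of the kind Asher uses against telnet is visible on the defending side as a burst of failed logins from one source cycling through usernames, often followed by a success. The detector below is an added example (not from the report): it parses a syslog-style telnet authentication log, applies a sliding time window per source address, and reports sources that exceed a failure threshold, noting whether a later success means the device was likely compromised. The log line format and the sample lines are constructed; real telnetd or router logs will need their own regular expression.

```python
"""Sliding-window detector for telnet login brute forcing from auth logs.
Added example; the log format below is an assumption and the lines are
constructed, not captured data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> telnetd: login failed|succeeded for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) telnetd: login "
    r"(?P<result>failed|succeeded) for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, ip) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: summary} for sources with >= threshold failed logins inside
    any window of the given length.  summary["success_after_burst"] is True
    when the same source later logged in successfully."""
    events = defaultdict(list)
    for ts, result, user, ip in parse(lines):
        events[ip].append((ts, result, user))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, res, user in evs if res == "failed"]
        # Largest number of failures that fit in one sliding window.
        start, burst = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue
        first_fail = fails[0][0]
        success_after = any(res == "succeeded" and ts > first_fail
                            for ts, res, _ in evs)
        hits[ip] = {
            "failures": len(fails),
            "peak_burst": burst,
            "distinct_users": sorted({u for _, u in fails}),
            "success_after_burst": success_after,
        }
    return hits


# Constructed sample: one source cycling through usernames, then succeeding;
# a second source with an ordinary single typo followed by a normal login.
SAMPLE_LOG = """\
2019-08-01T10:00:01 telnetd: login failed for root from 203.0.113.7
2019-08-01T10:00:03 telnetd: login failed for admin from 203.0.113.7
2019-08-01T10:00:05 telnetd: login failed for support from 203.0.113.7
2019-08-01T10:00:07 telnetd: login failed for user from 203.0.113.7
2019-08-01T10:00:09 telnetd: login failed for guest from 203.0.113.7
2019-08-01T10:00:11 telnetd: login failed for root from 203.0.113.7
2019-08-01T10:00:13 telnetd: login succeeded for root from 203.0.113.7
2019-08-01T10:05:00 telnetd: login failed for admin from 198.51.100.2
2019-08-01T10:06:00 telnetd: login succeeded for admin from 198.51.100.2
""".splitlines()

if __name__ == "__main__":
    for ip, summary in brute_force_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The window-based count matters more than the raw total: a device that sees one failure a day for a year never trips the threshold, while a dictionary run like Asher's fits many attempts into seconds. A hit with `success_after_burst` set is the one to treat as a probable compromise rather than just an attempt.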
Asher propagates itself by exploiting the known vulnerabilities CVE-2018-10561, CVE-2018-10562 and CVE-2014-8361.
Bashlite’s variant, Ayedz, was the last to pop up, appearing on Aug. 6. Like Neko and Asher, Ayedz also goes after routers. The malware can run several backdoor commands and launch DDoS attacks, and it features several attack/flood options.